WordPress Compromise: What’s Beyond the URL?

One of the many tricks in the modern cybercriminal’s toolkit is to use compromised websites to evade spam filters and domain reputation systems. Whether it’s hiding a web-based exploit or just enjoying the reputation of otherwise legitimate domains for free, using an existing domain name has multiple benefits – and that doesn’t even take into account. that stealing someone else’s domain is cheaper than buying one. In this article, we’ll look beyond the URL of a compromised WordPress website to provide some insight into what happens after a website has been compromised.

Why WordPress?

Many compromised sites use WordPress. Does this mean that WordPress is a bad choice for a content management system (CMS)? No, WordPress itself has improved dramatically over the years and is in its default version, out of the box, a solid and secure choice for many websites. This is confirmed by the fact that figures today show that over 40% of all websites in the world use WordPress. This large market share means that there are many targets. As these targets behave in a uniform manner, it is interesting to develop tools to compromise them.

It’s important to note that it’s not just WordPress itself that is being targeted. Most of the problems are actually caused by plugins that are not kept up to date, or plugins that are already backdoored when they are installed. The latter mostly occurs with pirated versions of paid plugins. When investigating this particular subset of compromised websites, we found that over half of them were running the latest stable version of WordPress at the time of the investigation. Since they were still compromised, this almost certainly means that either the sites were compromised via a plugin or that the attackers were able to maintain persistence on the targeted websites: the actual exploit was done in the past, but the files placed by attackers survived all updates.

Top 10 WordPress Versions Seen On Compromised Websites

From the exploit to the platform

Ultimately, this toolchain is part of a larger system, commonly called by TDS disbelievers: Traffic Distribution System. This system manages compromised sites, receives visits from unsuspecting visitors, and then delivers content to them based on pre-established settings such as country of origin, browser type, and operating system. Most TDS systems are a good example of how cybercrime facilitation has become an ‘as a service’ model: the group that manages the TDS sells capacity on the platform to other cybercriminals, in order to to present their content to all demographic groups they wish to target. Some visitors may be redirected to a casino website while others may receive a malicious browser plug-in.

Spamhaus detects compromised websites used in spam directly or as part of a redirect chain, and adds hostnames to our datasets to protect our users. As a result, website owners find they have a problem, and this is often where the hard part begins, as many of these WordPress users lack the skills to find out what is wrong. and how to solve it.

Hide – and stay hidden

Unsurprisingly perhaps, the operators who compromise these websites do not make it easy to repair the compromise. One of the many groups we follow involved with compromising WordPress websites uses a few strategies to keep website owners in the dark:

Misleading file names

Initially, when the group operates a WordPress website, they drop 5-10 harmless-looking PHP files, with names like generic error.php, email_ami.php Where blog_rss.php. The files are named this way to avoid arousing suspicion in case the webmaster decides to dig into his filesystem.

Obfuscation of source code

If a curious admin decides to take a closer look at these files, they won’t find much readable code (which in itself is a cause for alarm!), As the files deleted by the exploit are hidden:


This is only the first layer: the str_ireplace The command will replace all t in the uabeg variable with nothing, let it be said base64_decode. This is another PHP command that will be used to decode other parts of the file. It is only after 3 levels of “decryption” that the first interesting information is revealed: it leads to a configurable remote location for the content. Although obfuscation is simple, it is effective in deflecting automated tools.

Reverse proxy behavior

One of the interesting approaches in this particular case is that the files inserted into the compromised WordPress instance are actually just reverse proxies: they will route the received traffic to the preconfigured (and obscured) remote location where the actual content resides. . This not only means that the visitor is not redirected, but it means that the attackers have full control over what content is served to which visitor! In combination with this proxy, a number of variables are also sent to the backend which can be used to segment visitor traffic, so that multiple campaigns can be run from the same files at the same time. Among these variables are:

ip (r) (x) (f) – The connection IP address in different flavors
dom – The domain and the full URL of the inserted file
ref – The HTTP referrer header
proximity – Does the connection IP act as a proxy?
agent – User agent string
tongue – Preferred browser language

Persistence on compromised website

Perhaps the most interesting feature of this particular TDS is that it can be updated remotely by operators. By calling the script in a specific way and providing a key in an HTTP variable, it can crash and update all of its code, including the remote location where the content is served. In practice, this means that even if the vulnerability of the original site or plugin is fixed, the dropped files can still be managed and used until they are deleted by the site owner. Also, with each update a slightly different obfuscation can be used to make it harder to automatically find files like these on a compromised website.

The scale of things

While the technical side of a TDS is interesting, another way to look at it is to know how much traffic it is receiving and where it is coming from. By investigating this one in particular, we collected some numbers on various aspects of this operation, covering a 48-hour window in early May 2021:

Country of visitors

Country of visitors

Compromised sites feeding the TDS

Unique hacked sites observed

Traffic seen

Clicks in 48 hours

Web servers seen

Web server platforms


  • The content served could be divided into two categories: dating scams and bitcoin promotion.
  • There does not appear to be any preference for which particular top level domains to target or where the attacked websites are hosted. If it can be automatically compromised, the operators of that TDS will try it: since the pages they inject are PHP based, if WordPress is running, the TDS will run.
  • Some visitors (around 200 separate IP addresses) stand out a bit in terms of volume: these are usually automatic URL scanners and other (web) security services.
  • Among the compromised websites, we found dozens of development or staging websites. Sites like these are often forgotten with updates or have weak login credentials.

Recommendations for website owners

While it is very difficult to defend against a well funded attacker with a lot of resources, this is a somewhat lower level of attack. Although the attacks are automated, they appear to exploit known issues with older versions and plugins of WordPress. Here is what you can do to avoid falling victim to these types of attacks:

  • Always keep WordPress itself up to date
  • Always keep plugins and themes up to date
  • Don’t use pirated versions of paid plugins and themes, as these can be hijacked (and if you find the plugin useful, the developers deserve your support!)
  • Use strong passwords, also on dev / dev websites
  • If your website is compromised, be sure to remove any files that are not part of the software you are actually using (this may require expert help).

While being compromised by a TDS like the one we describe in this article is certainly problematic, luckily prevention is relatively straightforward and uses best practices that every WordPress administrator should already be using. Stay safe and have a good blog!

Indicators of Compromise (IOC)

While files dropped in initial exploits may change both name and content, we have found that the list of file names in use at this time is limited and has a variety of distinct and unusual names. If you find files named like the ones in the list below in your WordPress installation and the content looks obscured, you can assume that your WordPress has been compromised. WordPress itself has a good page with some useful information and links on how to fix your instance.

File names seen in WordPress compromises

Comments are closed.