WordPress, the site-building platform that our friends at Privacytools.io also recommend because, for better or for worse, it is a blogging platform that respects privacy, has found itself with 15,000 compromised sites.

A new malicious hacker campaign has compromised over 15,000 of the platform’s websites in an attempt to redirect visitors to bogus question-and-answer portals (something like Reddit or Ask, or the old Yahoo! Answers, but malicious).

Through this link you can see the list of all hacked sites.

What does this mean for the various WordPress sites?

“These malicious redirects appear to be designed to increase the authority of malicious sites for search engines [essentially, to make them easier to find through SEO and keywords],” Sucuri researcher Ben Martin said in a report released last week, calling it a “clever SEO trick”.

The technique of “infecting” the search engine was designed to promote a “handful of low quality fake Q&A sites” (a sort of knock-off Ask or Reddit) that share similar website building patterns and are maintained by the same dodgy author.

A curious aspect of the campaign is the attackers’ ability to modify over 100 files per website on average, an approach that contrasts markedly with other attacks of this type, where only a small number of files are tampered with to reduce the footprint and escape detection.

Some of the most commonly infected pages are wp-signup.php, wp-cron.php, wp-links-opml.php, wp-settings.php, wp-comments-post.php, wp-mail.php, xmlrpc.php, wp-activate.php, wp-trackback.php and wp-blog-header.php, all of which are core files present on practically every site built with WordPress.

This wide variety of compromised sites allows the malware to redirect visitors to websites chosen by the attacker. It is worth noting that the redirect does not occur if the wordpress_logged_in cookie is present or if the current page is wp-login.php (i.e. the login page), so that the threat actors do not arouse the suspicion of logged-in site owners.

The ultimate goal of the campaign is to “drive more traffic to their fake sites” and “increase authority [that is, administrator privileges] of sites using fake clicks on search results to get Google to rank them better so they get more real organic search traffic”.

The injected code achieves this by initiating a redirect to a PNG image hosted on a domain named “ois[.]is” which, instead of loading an image as it should, sends the website visitor to the URL of a Google search result for some other spam question-and-answer site.
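As an added example (not code from the article or from Sucuri), the following Python script checks the core files named above for the behaviour the article describes: a redirect gated on the wordpress_logged_in cookie and the wp-login.php page, plus a reference to the ois[.]is domain. The regex patterns and the sample file contents are constructed assumptions about how such injected logic would look, not the campaign’s actual code.

```python
import re
from pathlib import Path

# Core files the article lists as the most commonly infected.
COMMONLY_INFECTED = [
    "wp-signup.php", "wp-cron.php", "wp-links-opml.php", "wp-settings.php",
    "wp-comments-post.php", "wp-mail.php", "xmlrpc.php", "wp-activate.php",
    "wp-trackback.php", "wp-blog-header.php",
]

# Indicators drawn from the behaviour described: the redirect domain and the
# cookie / login-page gating. The regexes are assumptions about how such logic
# would appear in PHP, not the campaign's actual code.
INDICATORS = {
    "redirect_domain": re.compile(r"ois\.is", re.I),
    "logged_in_gate": re.compile(r"wordpress_logged_in", re.I),
    "login_page_gate": re.compile(r"wp-login\.php", re.I),
}

# Constructed samples (not real campaign code): a clean fragment and one that
# carries the gating logic plus the redirect domain, with the fetch left out.
CLEAN_SAMPLE = "<?php\nrequire_once __DIR__ . '/wp-load.php';\n"
INJECTED_SAMPLE = (
    "<?php\nif (!isset($_COOKIE['wordpress_logged_in']) && "
    "basename($_SERVER['SCRIPT_NAME']) !== 'wp-login.php') {\n"
    "    /* redirect visitor to a .png on ois.is */\n}\n"
    "require_once __DIR__ . '/wp-load.php';\n"
)


def scan_source(src):
    """Return the names of the indicators found in one file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def suspicious(hits):
    """The domain alone, or both gating checks together, warrants a look."""
    return "redirect_domain" in hits or {"logged_in_gate", "login_page_gate"} <= set(hits)


def scan_wordpress_root(root):
    """Map each commonly infected core file under root to its indicator hits."""
    findings = {}
    for name in COMMONLY_INFECTED:
        path = Path(root) / name
        if path.is_file():
            hits = scan_source(path.read_text(errors="replace"))
            if suspicious(hits):
                findings[name] = hits
    return findings
```

A match is only a prompt to inspect the file by hand; the authoritative check is to compare the core files against the official checksums for the installed version (for example with WP-CLI’s `wp core verify-checksums`) and restore any that differ.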

It’s still unclear how the WordPress sites were hacked, and Sucuri said it didn’t notice any obvious flaws in the plugin used to run the campaign.

If you have a WordPress site, how should you behave?

Right now, it is not at all clear how they managed to break into the WordPress platform, so a brute force attack is suspected: the kind of attack that tries every combination until it hits the right one.

What precautions should you take, then? To begin with, immediately change your password to one as complex as possible; do not use one that is easy to guess.

Secondly, it is absolutely essential that users enable two-factor authentication, ensure that all programs (and operating systems) are up to date and, if possible, back up their sites and blogs.

For the rest, you just have to wait for the higher-ups at the platform that lets you create sites and blogs to fix this “breach”.