A bizarre hack has come to notice on WordPress websites. A huge number of WordPress websites are showing “1800ForBail – One+Number” or this “1800ForBail” as its SEO title/Blog name. Till now, it looks like a massive black hat SEO campaign. However, it could be more than that.
Here is how it appears in Google search results:
Typically in these cases, hackers change the standard WordPress setting “blogname” to display desired keywords/titles. This could also be confirmed by the HTML page analysis of these hacked sites. Here is the malicious HTML responsible for this hack in these sites-
<meta property="og:title" content="Home - 1800ForBail" /> <meta property="og:url" content="hxxps://deliverygoodstrategy[.]com/destiny?tt=2&/" /> <meta property="og:site_name" content="1800ForBail" /
The reason that the attacker was able to manipulate these HTML codes could be attributed to plugin vulnerabilities. In most of these cases, the victim sites were using outdated and unpatched plugins and themes. Some of the plugins that were previously found as a culprit in the site URL attacks are WordPress GDPR Compliance, TagDiv themes, Freemius Library (and all plugins that use it), Convert Plus, etc.
Other Similar Attacks
This “1800ForBail” blog name attack is similar to cases we have seen in the past. Cases like Japanese SEO spam, Korean SEO spam where the hackers change a site’s URL to render Japanese/Korean keywords to increase the visibility of his site.
Another attack that it resembles is the Site URL attack. In Site URL attacks, hacker changes the URL of the hacked websites to that of his domain. The purpose of this is to redirect visitors of the site to his domain.
To restore your website from this nightmare, you should change the “Blog title” setting from their WordPress admin interface (or the “blogname” option in the wp_options table). Also, since a lot of trouble arises from outdated & vulnerable plugins/themes, updating them is the most prudent measure.
In addition to this, installing a premium website protection on your website will make you more immune to defacing attacks like these. In case you are infected by the “1800ForBail” attack, contact us and we will be happy to help you out.