Recently, the Astra Security Threat Intelligence Team spotted an ongoing malware campaign targeting WordPress sites in the wild. This malware campaign is causing serious repercussions such as:
- inaccessible WP admin dashboard,
- redirecting login page,
- site redirecting to malicious pages,
- fake gaming, toys & dating related spam pages popping up,
- SEO spam search results ranking on Google, and so on.
We’ve been tracking similar types of campaigns for the last couple of years and observed that this ongoing campaign is somewhat similar to the Pharma hack and Spam link injection hack we reported earlier.
A large number of sites are being targeted
As a security provider, we continuously monitor the latest cyber threats and malware campaigns that disrupt businesses on a daily basis. In this malware campaign, we are seeing a large number of WordPress and Magento sites being targeted. Currently, the source of the campaign is unidentified but the pattern that is used to target and infect sites is quite familiar.
Here are some of the examples of spam pages/URLs and search engine results that we found for an infected site:
Once the hacker infects a site, he creates multiple fake spam pages (in this case, the hacker creates gaming, toys and dating related pages). These pages then get indexed by Google and start ranking on the SERPs as legitimate search results, owing to the good SEO standards of the compromised site.
Unlike the Korean SEO Spam hack, this hack displays results in the English language in Google search. Another thing to note about this hack is that it creates a large number of fake pages on a site, in the hundreds.
In another variation of this hack, we saw users being locked out of their websites as their admin login page starts redirecting. In some cases, the website also started redirecting.
Those who could still access their website’s backend said they couldn’t find the spam blog posts in the backend but could see them ranking on Google. This hints that the campaign has been designed to hide the malware's location from the site owner.
One of our customers said,
“I’ve been trying to recover my WordPress dashboard for over a week now – login redirects too many times and fails or shows a page not found error.”
Another customer said,
“Depending on how I try to access the dashboard it just doesn’t get there. Using wp-admin login, in Chrome/Edge I get a too many redirects error. Trying from cPanel, I get a page not found. And then I get a Google report that my most visited pages are something about games and dolls, and I don’t have anything like that on my website…”
Similar URLs are also tracked by Google Search Console as legitimate URLs of an infected site.
If you’re seeing any of the above symptoms for your website, you should immediately get professional help from security experts who can clean this infection for you quickly.
How to check if your site is infected?
If you are unsure whether your website is affected by this hack, follow the steps below to confirm whether your WordPress or Magento site has been hacked:
- Scan your WordPress site with an SEO spam detector.
- Check for spammy keywords in your Google Analytics or Google Search Console. If you find any irrelevant keywords such as “viagra”, “Nexium”, or “Cialis” then your WP site may be a victim of a WordPress pharma hack.
- Check if your site is blacklisted by Google.
- Check if your account has been suspended by your hosting provider.
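The mismatch described earlier (spam pages ranking on Google that do not appear in the backend) can be checked mechanically. The following is an added example, not code from Astra or the original article: it compares the URLs in a Search Console pages export with the permalinks your backend knows about. The CSV column names, the sample rows, the backend list and every keyword other than the three pharma terms quoted above are assumptions constructed for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# The three pharma terms come from the article; the rest mirror the spam
# themes it describes (games, toys/dolls, dating) and are assumptions.
SPAM_TERMS = {"viagra", "nexium", "cialis", "game", "gaming", "toy", "doll", "dating"}

# Constructed sample shaped like a Search Console "Pages" export (assumed columns).
SAMPLE_EXPORT = """Top pages,Clicks,Impressions,CTR,Position
https://example.com/,120,900,13.3%,4.2
https://example.com/about,30,210,14.3%,6.0
https://example.com/free-online-games-for-kids/,410,5200,7.9%,8.1
https://example.com/cheap-dolls-and-toys/,390,4800,8.1%,9.4
https://example.com/local-dating-chat/,150,2600,5.8%,11.0
https://example.com/tag/news/,4,60,6.7%,20.3
"""
# Constructed list of permalinks the WordPress backend actually knows about.
BACKEND_URLS = ["https://example.com/", "https://example.com/about/", "/contact/"]

def path_of(url):
    """Lowercased URL path with exactly one trailing slash, for comparison."""
    return urlsplit(url.strip()).path.lower().rstrip("/") + "/"

def spam_terms_in(path):
    """Spam terms appearing as whole slug words (a plural 's' is stripped)."""
    words = "".join(c if c.isalnum() else " " for c in path).split()
    hits = set()
    for w in words:
        if w in SPAM_TERMS:
            hits.add(w)
        elif w.endswith("s") and w[:-1] in SPAM_TERMS:
            hits.add(w[:-1])
    return sorted(hits)

def find_ghost_pages(export_csv, backend_urls, url_column="Top pages"):
    """Return (path, spam_terms, impressions) for indexed URLs missing from the backend."""
    known = {path_of(u) for u in backend_urls}
    ghosts = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        path = path_of(row[url_column])
        if path not in known:
            ghosts.append((path, spam_terms_in(path), int(row["Impressions"])))
    # Keyword hits first, then the most-seen pages: the likeliest injected content.
    ghosts.sort(key=lambda g: (not g[1], -g[2]))
    return ghosts

if __name__ == "__main__":
    for path, terms, impressions in find_ghost_pages(SAMPLE_EXPORT, BACKEND_URLS):
        print(f"{impressions:>6}  {path}  {','.join(terms) or 'no keyword match'}")
```

Rows with no keyword match (the tag archive in the sample) are only URLs missing from the backend list you supplied, so review them rather than treating them as injected.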
If you are sure that your site is hacked then you must take immediate steps to remove this malware. You may follow this guide to effectively remove WordPress spam from search results.