There has been an increase in detections of malware embedded in databases via WPCode – Insert Headers and Footers. This article explains this malware in detail.
What is WPCode – Insert Headers and Footers plugin?
The WPCode plugin allows you to embed arbitrary HTML and JavaScript code into headers and footers. It is often used to add CSS to a site’s design or to use Google’s access analysis tags.
However, this plugin can also embed PHP programs. While it is generally not possible to embed and run PHP programs in databases, the WPCode plugin allows hackers to embed malware in the database, which many malware scanners do not inspect.
Malware embedded in WPCode
The WPCode plugin itself is not vulnerable. Instead, a hacker first exploits other vulnerabilities to gain administrative privileges on the site, adds the WPCode plugin to the site, embeds malware as a WPCode snippet, and then uses the WPCode plugin to gain access to the site. The hacker also embeds CSS in the snippet that hides the WPCode-related UI in the admin panel, as if the WPCode plugin were not installed on the site.
Database tables in which malicious code is embedded: wp_options, wp_postmeta, wp_posts, etc.
Key in the options table: wpcode_snippets
Example of CSS code to hide the fact that an illegally embedded WPCode plugin is installed

    function fix_style() {
        echo '<style>';
        echo '#toplevel_page_wpcode { display: none; }';
        echo '#wp-admin-bar-wpcode-admin-bar-info { display: none; }';
        echo '#wpcode-notice-global-review_request { display: none; }';
        echo '</style>';
    }

This code hides the menu and plugin list entries of the WPCode plugin in the admin screen, which the hacker installed without authorization.
Therefore, the WordPress administrator will be unaware that WPCode has been installed without their permission when they log in to the site.
Malware embedded in WPCode
In addition to the above, WPCode snippets also contain malware code that can create malicious users, retrieve malicious code from other sites and write it to the server, redirect the site to another site using JavaScript code, write links into the site content without permission, and perform other functions.
Response to malware embedded in WPCode
Such malicious snippets can be detected with the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].
If a rogue WPCode snippet is detected, it will be erased line by line.
(Since the wp_options table, in which malicious WPCode snippets are often embedded, is a table in which various WordPress configuration data is written, we recommend that you take precautions and back up your database when deleting database rows.)
You can also check for yourself whether WPCode is installed by connecting to the server using FTP software and looking for the folder insert-headers-and-footers in the wp-content/plugins/ folder.
You can also check for the presence of rogue WPCode code in the database by using database connection software such as phpMyAdmin or Adminer and searching the database for the following string (the style sheet rule that hides WPCode from the admin panel):
#toplevel_page_wpcode { display: none
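
The same check can be run against the database backup recommended above. The following is an added example, not code from the original article or from the WPCode project. It assumes a plain-text SQL dump with one INSERT statement per line, and the function name, finding labels and sample rows are constructed for illustration.

```python
import re
import sys

# Indicators from the article: selectors the rogue snippet hides, and the options key.
HIDE_SELECTORS = (
    "#toplevel_page_wpcode",
    "#wp-admin-bar-wpcode-admin-bar-info",
    "#wpcode-notice-global-review_request",
)
OPTION_KEY = "wpcode_snippets"

INSERT_RE = re.compile(r"^INSERT INTO `?(\w+)`?", re.IGNORECASE)
# Match "<selector> { display: none" with any spacing or letter case.
HIDE_RES = [
    (sel, re.compile(re.escape(sel) + r"\s*\{\s*display\s*:\s*none", re.IGNORECASE))
    for sel in HIDE_SELECTORS
]

def scan_dump(lines):
    """Return (line_no, table, kind, indicator) for each hit in a SQL dump."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = INSERT_RE.match(line)
        if not match:
            continue
        table = match.group(1)
        # Dumps store line breaks as the two characters \n, \r, \t; treat them as spaces.
        text = re.sub(r"\\[nrt]", " ", line)
        for sel, rx in HIDE_RES:
            if rx.search(text):
                # Strong indicator: CSS that hides WPCode from the administrator.
                findings.append((line_no, table, "hidden-ui-css", sel))
        if OPTION_KEY in text:
            # Weak indicator: also present on sites that installed WPCode on purpose.
            findings.append((line_no, table, "snippet-store", OPTION_KEY))
    return findings

# Constructed sample dump lines (simplified columns, not from a real site).
SAMPLE_DUMP = [
    "-- constructed sample",
    "INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes');",
    "INSERT INTO `wp_options` VALUES (412,'wpcode_snippets','a:0:{}','yes');",
    r"INSERT INTO `wp_posts` VALUES (77,'echo \'#toplevel_page_wpcode {\n display: none; }\';');",
]

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_DUMP
    for finding in scan_dump(source):
        print(*finding, sep="\t")
```

A "hidden-ui-css" hit names the table to inspect first. A "snippet-store" hit on its own only shows that WPCode data exists in the database.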