DEV Community

Rémi

WordPress - Hacked site redirections

The problem

I have encountered a project where the WP (WordPress) website was redirecting to some "ad" websites.

Identifying the problem

By debugging in the Google Chrome Sources panel with script execution paused, we identified that the redirection came from a third-party script injected into .php files inside the project.

Root cause

An update to a plugin: Related Posts Plugin.

The WP admin updated the plugin after an update notice, without knowing that the plugin had become "malware" that hijacks websites.

Of course, the source code is not available from the plugin website, so it is hard to check the integrity of the code beforehand. The WP page of the plugin shows the status "This plugin was closed on March 30, 2019 and is no longer available for download.", yet the plugin owner pushed an update on April 10, 2019 at around 7PM (Paris time). (Covering up the tracks?)

Fixing the problem

1) Plugin removal

Removing the plugin fixes the problem only if the malware did not modify files outside the plugin.

2) Cleaning by hand (unsafe)

In my case, the "malware" succeeded in changing files in ${ROOT}/wp-includes/. So I had to clean all the JavaScript injections "by hand".

3) Backup

If you have a backup of the database from before the infection, I advise deleting the project, reinstalling it, and restoring the backup.
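
Options 1 and 2 both depend on knowing which files outside the plugin were changed. The following Python script is an added example, not code from the original post: it compares a live directory such as wp-includes against a pristine copy of the same WordPress release and lists modified and added files. The command-line paths are assumptions, and the files created in demo() are constructed sample data.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

def manifest(root: Path) -> dict[str, str]:
    """Map each file path (relative to root) to the SHA-256 of its content."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }

def compare_trees(clean_root: Path, live_root: Path) -> dict[str, list[str]]:
    """Compare a live directory such as wp-includes with a pristine copy.

    modified: in both trees but content differs (possible injection)
    added:    only in the live tree (possible dropped file)
    missing:  only in the clean tree
    """
    clean, live = manifest(clean_root), manifest(live_root)
    return {
        "modified": sorted(f for f in clean.keys() & live.keys() if clean[f] != live[f]),
        "added": sorted(live.keys() - clean.keys()),
        "missing": sorted(clean.keys() - live.keys()),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: a small 'clean' tree and a tampered 'live' copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "load.php").write_text("<?php // core loader\n")
            (root / "js" / "util.js").write_text("var a = 1;\n")
        # Simulated tampering: a script tag added to a core file, plus a new file.
        (live / "load.php").write_text(
            '<?php // core loader\n<script src="https://ads.example.invalid/r.js"></script>\n')
        (live / "js" / "extra.php").write_text("<?php // not in the release\n")
        return compare_trees(clean, live)

if __name__ == "__main__":
    # With two arguments, compare real directories (clean first); otherwise run the demo.
    result = compare_trees(Path(sys.argv[1]), Path(sys.argv[2])) if len(sys.argv) == 3 else demo()
    for kind, files in result.items():
        for name in files:
            print(f"{kind}\t{name}")
```

Files reported as modified or added are the ones to replace from the clean release instead of editing by hand. WP-CLI's `wp core verify-checksums` runs a comparable check against the checksums published by WordPress.org.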

Avoid plugin malware

  1. Never update plugins on the production environment
  2. Make backups
  3. Check plugin source code before installing

Sources:
Redirection malware third party link
Gist of similar malware
Plugin incriminating StackOverflow post
Related hacked problem

Top comments (2)

Red Server Host

Thanks for sharing useful information!! I am really impressed to see that you have provided such interesting information about WordPress.
I was struggling with the same issue for the last 3 days and finally solved it. Anyway, can you suggest some better option to get cheap Linux hosting other than redserverhost.com?
Thank you once again!!