The problem
I have encountered a project where the WP (WordPress) website was redirecting to some "ad" websites.
Identifying the problem
By debugging from the Google Chrome Sources panel with pause script execution, we identify the redirection as coming from a third-party script injected in .php files inside the project.
Root cause
A plugin update: Related Posts Plugin.
The WP admin updated the plugin after an update notice, without knowing that the plugin had actually become "malware" that hijacked websites.
Of course, the source code is not available from the plugin website, so it is hard to check the integrity of the code beforehand. On the plugin's WP page, the status reads "This plugin was closed on March 30, 2019 and is no longer available for download.", but the plugin owner pushed an update on April 10, 2019 at around 7PM (Paris time) (covering up the tracks?).
Fixing the problem
1) Plugin removal
Plugin removal might fix the problem, but only if the malware did not affect files outside the plugin.
2) Cleaning by hand (unsafe)
In my case, the "malware" succeeded in changing files at ${ROOT}/wp-includes/. So I had to clean all the JavaScript injections "by hand".
3) Backup
If you have a backup of the database from before the infection, I advise deleting the project, reinstalling it and restoring the backup.
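Finding which files under ${ROOT}/wp-includes/ were changed, as in option 2, is easier with a hash comparison against a clean copy of the same WordPress version than by reading files one by one. The following is an added example, not code from the original post; the function names and the sample trees are constructed for illustration, and it assumes a clean reference copy is unpacked locally.

```python
# Added example: assumes a clean copy of the same WordPress version is unpacked locally.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_tree(root):
    """Map each file's path relative to root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(live_root, clean_root):
    """Return files modified, added or missing versus the clean copy."""
    live, clean = index_tree(live_root), index_tree(clean_root)
    return {
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def demo():
    """Constructed sample: a clean tree and a live tree with tampered files."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "functions.php").write_text("<?php // core\n")
            (root / "js" / "core.js").write_text("var a = 1;\n")
        # Constructed tampering: one altered script, one extra file, one deletion.
        (live / "js" / "core.js").write_text("var a = 1;\n/* injected */\n")
        (live / "extra.php").write_text("<?php // not in core\n")
        (live / "functions.php").unlink()
        return compare_trees(live, clean)


if __name__ == "__main__":
    print(demo())
```

Point `compare_trees` at the live `wp-includes` directory and the same directory from the clean copy; every path it reports needs review or replacement. WP-CLI's `wp core verify-checksums` performs a comparable check against the official checksums.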
Avoid plugin malware
- Never update plugins on a production environment
- Do backups
- Check plugin source code before installing
Sources:
Redirection malware third party link
Gist of similar malware
Plugin incriminating StackOverflow post
Related hacked problem
Top comments (2)
Thanks for sharing useful information!! I am really impressed to see that you have provided such interesting information about WordPress.
I had been struggling with the same issue for the last 3 days and finally solved it. Anyway, can you suggest a better option for cheap Linux hosting other than redserverhost.com?
Thank you once again!!