At Sucuri, our security researchers continually monitor for new malware variants and infection techniques targeting WordPress websites. Recently, we’ve uncovered multiple cases where threat actors are leveraging the mu-plugins directory to hide malicious code. This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making […]
Tag Archives: Website Backdoor
Fake Cloudflare Verification Results in LummaStealer Trojan Infections
Today’s blog post will be a follow up to a previous article we posted a few weeks ago: We continue to see new variants of this malware campaign emerge. WordPress websites continue to be used as staging grounds to trick website visitors into running malicious powershell commands on their Windows computers in order to infect […]
Credit Card Skimmer and Backdoor on WordPress E-commerce Site
The battle against e-commerce malware continues to intensify, with attackers deploying increasingly sophisticated tactics. In a recent case at Sucuri, a customer reported suspicious files and unexpected behavior on their WordPress site. Upon deeper analysis, we discovered a complicated infection involving multiple components: a credit card skimmer, a hidden backdoor file manager, and a malicious […]
WordPress ClickFix Malware Causes Google Warnings and Infected Computers
Since December of last year there has been a new fake Google reCAPTCHA campaign making its way through the WordPress world. Very similar to malware which we wrote about last Summer, the website malware injection attempts to trick unsuspecting victims into executing malicious Powershell commands within Windows OS environments with the end goal of infecting […]
Hidden Backdoors Uncovered in WordPress Malware Investigation
At Sucuri, we often encounter cases where malware is deeply embedded in websites, hidden in files and scripts that can easily escape detection. In this article, we’ll walk you through a real-life incident where a customer contacted us about unusual behavior on their WordPress website. After a detailed investigation, we uncovered multiple backdoors allowing attackers […]
Backdoors: The Hidden Threat Lurking in Your Website
Website backdoors are a silent yet deadly threat to website security. These stealthy mechanisms bypass standard authentication, providing attackers with persistent, unauthorized access to a website’s backend. Often overlooked, backdoors allow cybercriminals to maintain access long after an initial breach. Understanding the risks they pose and how to mitigate them is essential for website owners […]
PHP Reinfector and Backdoor Malware Target WordPress Sites
We recently observed a surge in WordPress websites being infected by a sophisticated PHP reinfector and backdoor malware. While we initially believed that the infection was linked to the wpcode plugin, we found that several sites without this plugin were compromised as well. Upon deeper investigation, we discovered that this malware not only reinfects website […]
New Variation of WordFence Evasion Malware
We recently came across an infected WordPress environment which contained a new variation of WordFence evasion malware using some sneaky tactics to conceal itself from view. The site administrator was reporting some issues with potential credit card theft malware on their website, but they had already removed that themselves by the time we arrived at […]
2023 Hacked Website & Malware Threat Report
Education is essential for defending your website against emerging threats. That’s why we are thrilled to share our 2023 Hacked Website & Malware Threat Report. Disseminating this information to the community helps educate website owners about the latest trends and threats. This year, we’ve included new insights to highlight the most prevalent tactics and techniques […]
JavaScript Malware Switches to Server-Side Redirects & DNS TXT Records as TDS
Last August we documented a malware campaign that was injecting malicious JavaScript code into compromised WordPress sites to redirect site visitors to VexTrio domains. The most interesting thing about that malware was how it used dynamic DNS TXT records of the tracker-cloud[.]com domain to obtain redirect URLs. We’ve been tracking this campaign ever since — […]
