- Administrator access to a WordPress site is gained by exploiting a vulnerability or simply logging in via leaked credentials.
- SEO poisoning is used to push the malicious or fake website to the top in search results.
WordPress is a well-known open-source content management system (CMS) used for creating websites and personal blogs. Given the wide usage of the platform which is used by 35% of all websites, it makes an ideal target for threat actors.
A weak point in the platform is all it takes to allow an attacker to break a website’s security and take control over it. Here’s a look at some critical points that can lead to attacks on WordPress sites.
Attacking WordPress sites via hacked admin access
This attack method is initiated after attackers gain administrator access to a WordPress-powered site. Access to the site is gained by exploiting a vulnerability or simply logging in via leaked credentials.
After the website is compromised, the attackers can install a customized backdoor or a malicious plugin to upload other payloads.
The deployment is done by using GET or POST requests when the payload is encoded inside COOKIES or POST data.
Deploying Alfa-Shell on infected websites
Alfa-Shell is an advanced web shell deployed on infected WordPress sites. It is capable of getting database credentials from the WordPress configuration file, dumping the database and getting all virtual domains and DNS settings.
Usually, a web shell provides a user-friendly interface for RCE on WordPress-powered sites. In this case, Alfa-Shell can download and execute a reverse shell from the developer website. In this way, an infected WordPress can serve an advertisement redirector for unsuspecting victims.
Also referred to as Black Hat SEO, these techniques is used to push the malicious or fake website to the top in search results. The technique is most effective for particular keywords that serve advertising, an upcoming election, World Cup, Olympics, and adultery.
In some cases, attackers flood their websites with keywords that are most searched. In other scenarios, attackers use cloaking techniques to deliver different web content to a user than it does to a search engine spider. Another method involves compromising and injecting malicious code inside a sub-domain of a website to trick search engines.
Spreading misleading articles
An infected website with false and misleading articles can easily grab the attention of a user. Often, these articles are written unintelligibly. The compromise is done through WordPress’s XML-RPC application programming interface (API), which enables data to be transmitted and performs several tasks such as uploading a new file, editing and publishing a post.