September 16

The Hacker Motive: What Attackers Are Doing together with your Hacked Site

WordPress Hacking


This post was originally published on this site

Yesterday, September 15, 2020, the Wordfence Live group covered The Hacker Motive: What Attackers Are usually Doing together with your Hacked Web site. This companion post evaluations the motives we talked about live during Wordfence Live life and dives deeper in to the thoughts of attackers.

You can observe the movie of Wordfence Live below.


You can select these timestamps to jump around in the movie.

  • 00:00 Introduction
  • 6:45 The way the Wordfence site cleansing process works
  • 10:45 The way the Wordfence real-time blacklist works
  • 14:06 Updates on the WordPress Document Manager plugin vulnerability
  • 19:16 Backdoors
  • 27:00 Defacements
  • 35:51 SEO Spam hyperlinks
  • 39:00 Spam pages
  • 43:17 Japanese Keyword hack
  • 44:39 PHP Mailers
  • 47:49 Phishing
  • 51:01 Malicious Redirect
  • 52:23 Command and Control Botnet
  • 54:58 Cryptomining
  • 57:15 CHARGE CARD Skimmers
  • 58:57 Winners of the livestream swag


WordPress powers more than 35% of the web, making it probably the most popular content material management systems. Which means that WordPress can be probably the most targeted techniques. Hackers recognize that if they may become specialists at compromising WordPress vulnerabilities, they are able to target and exploit even more sites. With thousands of plugins and themes obtainable, the probability of discovering an very easily exploitable intrusion vector set up on numerous sites increases the attractiveness of WordPress as a focus on for malicious assaults.

WordPress hackers range between inexperienced script kiddies seeking to get began to sophisticated crime syndicates. A script kiddie who has hardly any technical experience may just bypass defacing websites for enjoyable and bragging privileges, whereas a dark hat hacking syndicate may save money period evading malware scanners, building complicated command and control systems to maximize their effect, and monetizing compromised websites using SEO spam hyperlinks and other methods. We shall explore these motives just a little further and offer you with some in-depth insight on why attackers focus on and compromise WordPress internet sites.

Our hope in doing this is that information will empower one to protect your web site, no matter how little or insignificant you may perceive your website to be. There’s immense value in virtually any WordPress web site, and hopefully to empower one to take steps to safeguard your web site from these kinds of attacks.

Hacker Motive #1: Installing Backdoors

A backdoor is really a piece of program code inserted somewhere on a niche site, either within an already existing valid document such as a theme’s 404 document or in a recently generated file, that delivers an attacker having the ability to execute instructions on the compromised site’s server. A backdoor may also establish a invert shell to the server to execute instructions and navigate the filesystem openly.

Attackers often install a number of backdoors to keep persistence on the compromised site. Which means that they possess a good way to revisit and regain usage of compromised sites. Attackers utilize this access to make modifications to a compromised web site that advantages a monetization strategy, or re-infect sites when infected content has been incompletely cleaned or vulnerabilities had been patched as the backdoor remained undetected.

Backdoors may also be installed by a good attacker hoping of gaining shell usage of a server. As soon as an attacker benefits shell access, they are able to possibly escalate their privileges by exploiting kernel-degree vulnerabilities to get root usage of the server, which may allow them to dominate other websites hosted on a single server.

In rarer situations, backdoors may also be added by developers through the development procedure for a WordPress web site to act as the maintenance hook or even killswitch when a niche site owner stops spending money on maintenance. If a programmer you don’t know nicely has created something for the site, it is very important verify they have not really additional any backdoors by carrying out a malware and vulnerability scan with something like Wordfence after the development procedure has concluded.

A simple PHP webshell an attacker might use to execute instructions about a compromised WordPress website could appear to be:

<?php echo shell_exec($_Find['cmd']); ?>

Hacker Motive #2: Defacement

Defacement occurs when a good attacker alters this content, or encounter, of a niche site to another thing typically without real immediate advantage to themselves. This is often something as easy as a tagline like “This web site had been hacked by r0gu3 1: L33t Hax0rs” with a natural cyber text background. Usually attackers will deface websites to deliver a political message or just to show off. There’s typically no money from defacing a niche site, though it might be designed to embarrass the site’s proprietor.

There was an enormous defacement campaign back February of 2017 whenever a Sleep API vulnerability was discovered inside variations 4.7 – 4.7.1 of WordPress that allowed unauthenticated attackers to up-date arbitrary posts. Thousands of sites were suffering from this vulnerability while attackers had been competing in what seemed to have already been a “Defacement Contest.”

The “Defacement Contest” is when attackers will try to deface as much sites as you possibly can to claim triumph over various other attackers, purely for bragging privileges.

The following can be an exemplory case of a defacement we saw back 2017 through the defacement contest exploiting the others API vulnerability.

There have been quite a few cases where “grey hat” hackers, who don’t possess completely malicious intent but nonetheless perform illegal actions, possess defaced sites purportedly to improve the awareness of online marketers and alert them to the truth that they will have vulnerable sites. Though much less typical, some attackers do try to cause minimal harm beyond making the website owner conscious that their web site is vulnerable.

Hacker Motive #3: Spam/SEO Content material Injection

Spam/SEO articles injection occurs when a good attacker injects HTML containing visible or even hidden links to exterior websites hoping of improving the search engine results positioning for those sites. That is mainly done for money. Attackers can be compensated on the dark market or dark internet to boost site’s SEO ranks or they are able to aim to enhance the SEO of these own websites by injecting these spam hyperlinks into victim’s websites.

Search engines may score a site’s recognition based on numerous ranking factors, like the number of one way links that site is wearing the web all together. Inbound hyperlinks tell the various search engines that some other site owners view the website as authoritative, and several backlinks from higher authority sites can enhance a site’s overall performance in the internet search engine result web pages (SERPs). Attackers seeking to succeed in the SERPs will attempt to place as much links on clean, higher authority sites as you possibly can in highly competing and lucrative niches. SEO spam is frequently used to market sites that online advertisement companies are unwilling or struggling to use for legal factors, such as pharmaceutical, on-line gambling, counterfeit products, and illegal download websites.

Our Security Solutions Team (SST) frequently finds these hyperlinks embedded in the bottom in articles, site footers, or even other locations. Occasionally these could be hidden from look at. In any event, SEO spam hyperlinks can proceed undetected for a long time if you are not really actively examining your site’s webpages or executing malware scanning on your own WordPress site.

Instance of the WordPress post containing the spam link.

Hacker Motive #4: Spam Page Development

Comparable to spam hyperlinks, spam pages make an effort to boost a niche site in an extremely competitive and rewarding niche higher inside the internet search engine result web pages. Unlike spam links, nevertheless, these attacks contain multiple HTML webpages containing spam content material injected right into a compromised web site. Additionally, it may involve spam web pages being developed within WordPress itself.

Sites which have older names of domain have higher authority rating factors on se’s and are a far more desirable focus on for attackers because the domain authority can be used in the spam pages developed by the attacker.

The motive for attackers in this scenario is monetization. The spam webpages they create usually contain affiliate links hoping that the attacker can push sales to company and make money using the affiliate earnings generated by the spam web pages. These spam pages could also redirect site customers to an alternative solution site selling products, once again as a way to monetize the compromised web site.

One normal spam page development hack that people often see may be the “Japanese keyword” hack. This typically involves the development of a folder with a number of HTML webpages that contains Japanese spam with affiliate marketer links to market merchandise. These web pages are very often indexed by Search engines and it may become so serious that serp’s for an infected web site only display Japanese keyword pages browsing results.

An exemplory case of a site’s serp’s showing Japanese keywords. Picture Source:

Hacker Motive #5: PHP Mailer Development

A PHP mailer script sends email messages on a server through PHP program code. Attackers will often make use of these scripts on a compromised web site to exploit the mailing features of the server and distribute unwanted spam communications. Spam usually identifies unsolicited emails made to grab your focus on try and help you to buy a product. Spam may also consist of email messages designed to technique you into executing activities like getting into your password, which may be regarded as phishing, or even to initiate other common frauds.

Spam is really as old as e-mail itself, in fact it is even now incredibly profitable despite having today’s advanced email filter systems.

Why carry out attackers compromise WordPress websites to send spam?
It’s simple. You’ve got a reputable and reputable site, therefore sending spam email messages from your site can be an attractive target since it will take more time for an attacker to obtain detected and turn off. Through the use of your site’s email support as the email supply, an attacker will probably bypass many email filter systems and their spam text messages will get delivered effectively to even more targets. Your site can be providing free mailing sources for the attacker to exploit and deliver their spam communications to make money, and whatever the traffic your website receives an attacker may use your web hosting and mailing resources with their benefit. Once again, the motive here’s to make money and move undetected so long as possible.

Hosting providers have a solid incentive to turn off malicious mailers delivering spam to be able to safeguard their IP addresses through blacklisting. Which means that the initial indication of a PHP mailer illness is often your site is turn off. Your site may possibly also find yourself on a blacklist if you’re not actively supervising and scanning your website for malware and indicators of compromise.

Hacker Motive #6: Phishing Campaigns

Phishing involves making use of legitimate-appearing emails to trick a consumer into performing some type of action, such as for example logging directly into a phony online banking web site. Compromised WordPress sites may be used as a way to obtain phishing emails being delivered, and they can sponsor phishing webpages posing as another site to be able to collect sensitive info..

Our Security Services Group has seen many instances where WordPress websites were compromised and a phishing package was installed. A phishing package is essentially a lot of money of data files used to make a webpage resembling the best site such as Search engines Drive or an on the web banking site. In such cases, your web site would act as a free of charge web host for malicious attackers hosting a phishing web page to harvest user information.

Hyperlinks to these webpages are usually then provided inside phishing emails, which are usually emails that may actually come from the best resource. The attacker is wishing users will go through the link in the e-mail and offer their credentials, or additional sensitive details, on the phishing web page.

Right here is an exemplory case of a phishing web page designed to harvest Google credentials we reported on inside 2017. Appears awfully near to the normal Search engines register area you generally see when logging in, right?

GMail information URI phishing sign-in web page

The vast majority of that time period, phishing campaigns are accustomed to target user credentials for services such as for example banking sites or corporate assets hoping of stealing information from those accounts to market on the dark web. Again, phishing strategies are predominantly constructed as a way to monetize, whether that end up being straight or indirectly by harvesting and promoting user credentials.

Make sure never to supply credentials or delicate information after simply clicking a link within an email. In the event that you receive what is apparently a see from Wells Fargo or WordPress for instance, make sure to go to that site right to log in and watch any notices. Carefully examine the contents of any e-mail, including the hyperlinks within, and believe any hyperlink is malicious.

Hacker Motive #7: Malicious Redirects

Malicious redirects are accustomed to redirect genuine site users to an alternative solution site, typically hoping of infecting the victim’s computer by way of a malicious download. Attackers prefer to install malicious software program on user computer systems for various reasons, but it often is due to one motive: monetization.

Attackers may also sometimes elect to redirect site customers to a spam web site hoping of selling items to, again, try to monetize.

Malicious redirects are usually the consequence of a cross-site scripting vulnerability or an arbitrary option change vulnerability. The simplest way to protect your website from getting exploited by these vulnerabilities is always to keep your designs, plugins, and core up-to-date also to run a internet application firewall to greatly help protect your website during interim periods whenever a vulnerability has already been discovered however your site has not however been up-to-date to patch the vulnerable program code. As a niche site visitor, the simplest way to protect yourself against malicious redirects is to apply antivirus software program on the gadgets you utilize to browse web sites.

An exemplory case of JavaScript an attacker might inject via an XSS attack to redirect your website people to a malicious web site could appear to be:

 <script kind="text/javascript">"");</script> 

Hacker Motive #8: Command & Handle Server With a Botnet

A botnet is really a band of already compromised hosts, known as “zombies,” typically utilized by an attacker to infect additional hosts or execute a DDoS attack. The Command and Handle, or C2, server will be what attackers make use of to regulate the compromised hosts and immediate them to execute many different actions. It is a motive where attackers don’t necessarily value the visibility or visitors to your internet site, but rather they’re seeking to utilize your site’s hosting assets.

Back in December of 2018, we followed an enormous brute-force campaign which used an attacker-created botnet to access more WordPress sites. Basically, an attacker made a command and handle server used to regulate the countless infected “zombie” WordPress websites and brute force various other WordPress sites using the resources of the currently compromised WordPress websites.

The motive behind command and control botnets can be monetization through exploitation of vulnerabilities also to achieve this quickly at level. These exploitations tend to be much more advanced and require the usage of backdoors on impacted systems to keep up persistence also to execute instructions initiated by handle servers. As soon as an attacker has handle of a botnet, they are able to use the other monetization methods detailed, or lease or market it directly.

Hacker Motive #9: Cryptomining

Cryptomining infections take place when attackers infect websites with cryptominers, which are accustomed to earn cryptocurrency, that is a digital type of currency employing a blockchain. Cryptocurrencies leverage blockchain technologies to get decentralization, transparency, and immutability. That is another scenario where in fact the attacker’s motive doesn’t require your website to be noticeable or popular, but instead the site’s hosting sources (or visitors) are usually exploited to provide money to the attacker.

We have observed massive campaigns previously where an attacker has used most of a server’s resources to be able to mine for cryptocurrency. This may have a significant effect on your web site as it could result in your website being taken offline leading to a reduction in availability. In addition, JavaScript-based cryptominers are also used to create cryptocurrency using site website visitor browsers during the past, though these are much less common than these were a couple of years ago.


In purchase to safeguard yourself from hackers, you have to think just like a hacker. By better knowing hacker motives for compromising vulnerable sites, you’re better outfitted to both diagnose impacted systems in case of a compromise along with protect your WordPress web site from learning to be a victim of an attacker’s tries at exploiting vulnerable program code.

We hope that people have helped you much better understand a few of the typical hacker motives and just why they could target your WordPress site, so that you can take the precautionary steps you should remain safe, including protecting your website with Wordfence Premium.

If you possess any friends or co-workers using WordPress, talk about this post using them. The safer we create the complete WordPress community by studying hacker motives, the safer most of us are from hackers seeking to compromise WordPress websites.

The post The Hacker Motive: What Attackers Are Doing together with your Hacked Site appeared first on Wordfence.

About the author 

WP Maintain Support Protect

You may also like

Who Attacked SolarWinds and just why WordPress Users Have to know

Who Attacked SolarWinds and just why WordPress Users Have to know

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

SolarWinds and offer Chain Attacks: Could this happen to WordPress?

WordPress Hardening: 18 Methods to Harden Security of one’s Website

WordPress Hardening: 18 Methods to Harden Security of one’s Website
{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!