Cleaning up a WPCode – Insert Headers and Footers WordPress Infection

Published by John on August 9, 2024 Under Wordpress

Recently, while looking into some email reputation issues for a client, I discovered that their WordPress site had been hacked.

At first, it looked mostly innocuous, with a weak WordPress admin password leading to an account having been compromised and then used to create a bunch of spammy-looking posts, admin accounts, and pages for things like AI-written school papers and other common spam. After running some scans, I also discovered a few infected files, which I cleaned up.

However, the site was still redirecting to a spam site intermittently, and what I discovered was a rather interesting use of the WPCode – Insert Headers and Footers plugin.

WPCode – Insert Headers and Footers falls into a family of fairly risky plugins, which allow you to insert PHP code into the database that then gets run on the site. It creates a custom post type, called wpcode, as well as several global settings, which get used to run code on the site.

This can certainly make things easy if you don’t have hosting or file access and need to run some PHP. However, executing PHP code from the database can also be quite dangerous, as it opens up a pretty big attack vector: anyone who gets database access can then maliciously run PHP code on the server. Its ease of use also likely increases the chance that someone who doesn’t know much about PHP might just copy and paste something into their site without really knowing what it does.

In this case, the hacker was using this plugin to execute PHP code on the site, which did the normal ‘is this a bot or a person’ malicious website redirect, but it also used the code to hide the plugin from the list of installed plugins, as well as hiding notifications and other menu items.

So, at first glance, even if you know to check for these sorts of plugins, it would be easy to miss it.

The moral of this story is that when doing scans, in addition to checking for malicious files and plugins, make sure to also check that the active plugins on the site match what is displayed in the admin section, and manually check the database for WPCode and other similar plugins.
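
One way to do the comparison described above, as an added example that is not part of the original post: it parses the raw `active_plugins` value from the database and reports plugins that are active but missing from what the admin Plugins screen shows. The default `wp_` table prefix, the sample values, the WPCode plugin path and the function names are assumptions made for illustration.

```python
import re

# Constructed sample of the raw value returned by (default wp_ prefix assumed):
#   SELECT option_value FROM wp_options WHERE option_name = 'active_plugins';
# The WPCode path below is an assumed example entry. Stored snippets can be
# listed with:
#   SELECT ID, post_title, post_status FROM wp_posts WHERE post_type = 'wpcode';
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:35:"insert-headers-and-footers/ihaf.php";'
    'i:2;s:24:"wordpress-seo/wp-seo.php";}'
)

# Constructed sample: plugin folders the auditor sees on the admin Plugins screen.
SAMPLE_SHOWN_IN_ADMIN = ["akismet", "wordpress-seo"]

_ENTRY = re.compile(rb'i:\d+;s:(\d+):"')


def parse_active_plugins(serialized: str) -> list[str]:
    """Return the plugin paths held in a PHP-serialized array of strings."""
    data = serialized.strip().encode("utf-8")  # PHP string lengths count bytes
    header = re.match(rb"a:(\d+):\{", data)
    if header is None:
        raise ValueError("value is not a PHP-serialized array")
    plugins, pos = [], header.end()
    for _ in range(int(header.group(1))):
        entry = _ENTRY.match(data, pos)
        if entry is None:
            raise ValueError(f"unexpected data at byte {pos}")
        start = entry.end()
        end = start + int(entry.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError(f"string length mismatch at byte {start}")
        plugins.append(data[start:end].decode("utf-8"))
        pos = end + 2
    return plugins


def hidden_plugins(serialized: str, shown_in_admin: list[str]) -> list[str]:
    """Plugins active in the database whose folder is missing from the admin list."""
    shown = {name.strip().lower() for name in shown_in_admin}
    return [p for p in parse_active_plugins(serialized)
            if p.split("/", 1)[0].lower() not in shown]


if __name__ == "__main__":
    for path in hidden_plugins(SAMPLE_ACTIVE_PLUGINS, SAMPLE_SHOWN_IN_ADMIN):
        print("active but not shown in admin:", path)
```

Read the option value straight from the database rather than through the site, since code running inside WordPress is what hides the plugin from the admin list.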

