
New WordPress malware: What to do about WP-Base-SEO

A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to avoid it.

A new piece of WordPress malware has been discovered disguised as an SEO plug-in called WP-Base-SEO. The malware plug-in has the ability to create backdoors on infected WordPress accounts. How does this new WordPress malware work, and are there any ways for users to identify fake or malicious plug-ins?

It's never been easy to evaluate potentially malicious software, and the stakes continue to get higher. App stores adding minimal security checks have made it somewhat easier, but you're stuck in the walled garden of the app store vendor. While this can protect end users, it doesn't help when what you need isn't in the app store.

There is a WordPress app store that offers thousands of plug-ins for websites using WordPress, but it has minimal criteria for hosting plug-ins.

Jessica Ortega, web security research analyst at SiteLock LLC, a website security company based in Scottsdale, Ariz., wrote about a malicious SEO plug-in for WordPress. Ortega noted that the code looks legitimate based on the header comment in the code.

However, as SiteLock researchers analyzed the code, they identified potentially suspicious functionality that could create a backdoor on the infected WordPress install. One of the simple obfuscation steps the WordPress malware authors used in the plug-in was to use the code $myfunc = 'bas' . 'e64_' . 'dec' . 'ode'; to hide the usage of the PHP base64_decode function, which decodes data that was encoded using the Multipurpose Internet Mail Extensions base64 binary-to-text encoding scheme.

Something like this should seem out of place in a potentially legitimate plug-in, which could alert your Spidey sense that something is wrong. However, it is very difficult for nontechnical people to evaluate code at this level, so relying on app store security checks and user feedback may be the best some users can be expected to do.
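For readers who can run a script over a plug-in's files, the following added example (not SiteLock's code and not part of the original article) folds concatenated PHP string literals and flags any that spell a sensitive function name, which is the trick described above. The watchlist entries other than base64_decode, the function name find_split_function_names and the sample plug-in text are assumptions made for this example.

```python
import re

# base64_decode is the function named in the article; the other entries are
# an assumed watchlist of PHP functions often used to run decoded code.
WATCHLIST = {"base64_decode", "eval", "assert", "gzinflate", "str_rot13",
             "create_function"}

# A simple PHP string literal: no escapes, no interpolation, single line.
_LIT = r"""(?:'[^'\\\n]*'|"[^"\\$\n]*")"""
# Two or more literals joined by the PHP concatenation operator.
_CHAIN = re.compile(rf"{_LIT}(?:\s*\.\s*{_LIT})+")
_PIECE = re.compile(_LIT)


def find_split_function_names(php_source):
    """Return (line_no, folded_name, expression) for every concatenation of
    string literals that folds to a watchlisted function name."""
    hits = []
    for match in _CHAIN.finditer(php_source):
        # Strip the surrounding quotes from each fragment and join them.
        pieces = [p[1:-1] for p in _PIECE.findall(match.group(0))]
        folded = "".join(pieces).lower()  # PHP function names are case-insensitive
        if folded in WATCHLIST:
            line_no = php_source.count("\n", 0, match.start()) + 1
            hits.append((line_no, folded, match.group(0)))
    return hits


# Constructed sample: a harmless concatenation plus the line quoted in the article.
SAMPLE = r"""<?php
/* Plugin Name: Example SEO Helper (constructed sample) */
$label = 'WP' . ' SEO';
$myfunc = 'bas' . 'e64_' . 'dec' . 'ode';
"""

if __name__ == "__main__":
    for line_no, name, expr in find_split_function_names(SAMPLE):
        print(f"line {line_no}: {expr} folds to {name}()")
```

The check only folds plain literal concatenation, so a clean result is not proof that a plug-in is safe.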

Malicious programs masquerading as legitimate software, such as this WordPress malware, are not uncommon. Enterprises should encourage their app stores to incorporate security into the entire ecosystem and to add additional checks of the application and the developer to improve trust in the store. While there may be increased costs, enterprises may be willing to pay for the time savings from not needing to spend as much time evaluating software.

Enterprises may even want to collaborate with their industry peers or Information Sharing and Analysis Centers to share this information. The SiteLock Research Team also mentioned using a service or application to check website security, which is good advice.

This was last published in September 2017
