15,000 WordPress Websites Hacked according to Sucuri, the first to notice the attacks. As per the security firm, each hacked website has roughly 20,000 files being utilized as a part of the search engine spam operation. In addition, the majority of the websites are powered by WordPress, as shown in PublicWWW.

The researchers have concluded that the threat actors’ purpose is to create enough indexed pages to raise the authority of the false Q&A sites and, as a result, rank higher in search engines.

Because even a temporary presence on the first page of Google Search would lead to a significant number of infections, this effort is likely preparing these websites for use in the future as malware droppers or phishing sites.

WordPress Websites Hacked
WordPress Websites Hacked

Based on the fact that the landing sites contain a file named “ads.txt,” a different plausible explanation is that the proprietors of the sites seek to increase traffic to commit advertising fraud.

Targeting websites that use WordPress

According to Sucuri, the cybercriminals are manipulating WordPress PHP files like ‘wp-singup.php,’ ‘wp-cron.php,’ ‘wp-settings.php,’ ‘wp-mail.php,’ and ‘wp-blog-header.php’ to insert the redirects to the bogus Q&A discussion forums.

In other instances, the attackers will place their PHP files on the website that is the focus of their attacks by utilizing arbitrary or seemingly valid file names such as ‘wp-logln.php.’

The files that have been infected or injected with malicious code contain code that checks to see if the users visiting the website are signed in to WordPress and, if they aren’t, sends them to the URL https://ois.is/images/logo-6.png if they aren’t already there.

WordPress Websites Hacked
WordPress Websites Hacked

However, browsers will instead have JavaScript loaded that sends visitors to a Google search click URL that leads users to the advertised Q&A site. This happens because this URL does not send images to browsers; instead, it redirects users to the promoted Q&A site.

Using a Google search click URL increases the likelihood that URL performance metrics will grow in the Google Index. This gives the impression that the sites are popular, which raises the possibility that they will rank higher in the search results.

In addition, diverting through Google search click URLs helps the traffic appear to be more authentic, which may allow it to avoid detection by some security tools.

The goal of excluding logged-in users as well as those who are now standing at the ‘wp-login.php’ page is to prevent the redirection of the site administrator, which would result in the raising of suspicions and the cleaning up of the hacked site.

The PNG image file generates the Google Search redirection result by using the ‘window.location.href’ function. This function sends the user to one of the following targeted domains:

  • en.w4ksa[.]com
  • peace.yomeat[.]com
  • qa.bb7r[.]com
  • en.ajeel[.]store
  • qa.istisharaat[.]com
  • en.photolovegirl[.]com
  • en.poxnel[.]com
  • qa.tadalafilhot[.]com
  • questions.rawafedpor[.]com
  • qa.elbwaba[.]com
  • questions.firstgooal[.]com
  • qa.cr-halal[.]com
  • qa.aly2um[.]com

Due to the fact that the threat actors employ several subdomains for the aforementioned, the whole list of landing sites is much too vast to provide here (1,137 entries). Those interested in studying the entire list can locate it at this location.

Because most of these websites hide their servers behind Cloudflare, the analysts working for Sucuri were unable to discover more about the individuals behind the operation.

The same threat actors are likely responsible for the creation of each of the websites since they all use comparable website-building templates and appear to have been produced using the same automated tools.

Sucuri was unable to determine how the malicious actors gained access to the websites that were utilized for redirections. On the other hand, it usually occurs due to the exploitation of a weak plugin or the brute-force guessing of the WordPress administrative password.

It’s recommended that all WordPress plugins and website CMS be updated to the most recent version and that two-factor authentication (2FA) be enabled on admin accounts.

Sharing is Caring!

You are welcome to put this blog article on your website, provided you also append an active link to our website “Source: https://resources.rhyno.io”

For media enquiries, contact us at [email protected].


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center