Skip to main content

Fake SEO plugin backdoors into WordPress installations

A fake SEO plugin is being used by attackers to compromise WordPress installations. The plugin is called WP-Base-SEO, and is a forgery of a legitimate search engine optimization plugin called WordPress SEO Tools.
Threat ID:
CC-1317
Category:
Trojan
Threat Severity:
Low
Threat Vector:
Download, Backdoor
Published:
11 April 2017 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A fake SEO plugin is being used by attackers to compromise WordPress installations. The plugin is called WP-Base-SEO, and is a forgery of a legitimate search engine optimization plugin called WordPress SEO Tools.

Affected platforms

The following platforms are known to be affected:

WordPress Core

WordPress - all versions

Threat details

The plugin’s wp-seo-main.php file hooks WordPress’ native add_action() functionality to run a malicious base64 encoded PHP eval request. The result is the creation of a backdoor which a malicious actor could use to gain access. The plugin’s wp-seo-main.php file hooks WordPress’ native add_action() functionality to run a malicious base64 encoded PHP eval request. The result is the creation of a backdoor which a malicious actor could use to gain access.

Remediation steps

Type Step
  • Manually Check Installations for suspicious files
  • Implement Strong Alpha Numeric Passwords to secure installations
  • Update WordPress core, themes and plugins to the latest secure versions

Last edited: 17 February 2020 11:30 am