Thousands of WordPress sites have been infected by a mystery malware

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Thousands of WordPress websites were infected with an unknown malware variant, cybersecurity researchers from Sucuri have found. 

The malware would redirect the visitors to a different website, where ads hosted on the Google Ads platform would load, bringing in profits for the website’s owners.

The Sucuri team found an unknown threat actor managed to compromise almost 11,000 WordPress-powered websites. 

Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?) 


WordPress is the world’s most popular web hosting platform, and is generally perceived as secure. However, it also offers countless WordPress plugins, some of which carry high-severity vulnerabilities. 

While the researchers could not pinpoint the exact vulnerability used to deliver this malware, they’re speculating that the threat actors automated the process and probably leveraged whatever known, unpatched flaws they could find. 

The malware’s modus operandi is simple - when people visit the infected websites, they would get redirected to a different Q&A website which loaded ads located on Google Ads. That way, Google would essentially get tricked into paying the ad campaign owners for the views, unaware that the views are actually fraudulent.

Sucuri has been tracking similar campaigns for months now. In late November last year, the researchers spotted a similar campaign that infected roughly 15,000 WordPress sites. The difference between these two campaigns is that in last year’s one - the attackers didn’t bother hiding the malware. In fact, they did the exact opposite, installing more than 100 malicious files per website,

In the new campaign, however, the attackers went to great lengths to try and hide the existence of the malware, the researchers said. They also made the malware somewhat more resilient to counter-measures, remaining persistent on the sites for longer periods of time.

To protect against such attacks, the researchers said, it’s best to keep the website and all of the plugins up to date, and keep the wp-admin panel secure with a strong password and multi-factor authentication. Those that have already been infected can follow Sucuri’s how-to guide, should change all access point passwords, and place the website behind a firewall.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.