Just invest into a file integrity monitoring system already!

Oct 4, 2016 23:30 GMT

With WordPress dominating the CMS market by far, hackers will become more creative and aggressive in taking over websites and keeping them infected for as long as possible.

A new trick discovered by Sucuri experts in the past weeks sees attackers leveraging yet another WordPress core file to insert malicious code on hacked websites and redirect traffic to malicious sites.

The file in question is wp-includes/template-loader.php, a core WordPress file that is responsible for managing the site's page templates.

In this most recent incident, hackers had altered this file to quietly redirect some of the website's legitimate traffic to a malicious page that was offering users product keys for various Microsoft products at reduced prices.

Compromising WordPress core files likely to remain a trend

For years, hackers have compromised websites and, in most cases, loaded their own custom files on each hacked server. That's why webmasters and developers created security solutions that scanned for newly added files and alerted users.

As these products grew more popular and slowly evolved into more complete Web Application Firewalls (WAFs), hackers also had to adapt and started nesting their malicious code inside plugin, theme, or core CMS files.

Because users often remove plugins and themes from their sites, attackers slowly started favoring core CMS files to host their malicious code. Incidents where WordPress sites have been hacked and had their core CMS files replaced have been reported before.

In most cases, these hacks were used to spread SEO spam, but this most recent incident shows that they can be used for anything a hacker would desire.

While in this case traffic was sent to a scammy-looking website that offered questionable "product keys," the attacker could have very easily redirected the malicious traffic to an exploit kit and attempted to infect the user with malware.

In the current state of the Internet, if you're running a website with a relatively good search engine ranking, it is advisable to start looking for a professional WAF, or at least for a script that provides file integrity monitoring and notification.
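The kind of file integrity monitoring the article recommends comes down to a known-good hash baseline and a periodic comparison. The following Python script is an added example written for this page; it is not Sucuri's tooling or part of WordPress. It snapshots every regular file under a site root with SHA-256, stores the baseline as JSON, and reports files that were added, removed, or modified since. The `demo()` function builds a constructed miniature site in a temporary directory, then tampers with `wp-includes/template-loader.php` and drops an extra file, exactly the two changes a monitor needs to surface. Paths and file contents in the demo are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    result = {}
    for p in sorted(root_path.rglob("*")):
        # Skip symlinks: a link pointing outside the web root should be reviewed, not hashed.
        if p.is_file() and not p.is_symlink():
            result[p.relative_to(root_path).as_posix()] = sha256_file(p)
    return result


def save_baseline(snap: dict, path: str) -> None:
    # Keep the baseline outside the web root (ideally read-only or off-host);
    # a baseline the web server can overwrite is one the attacker can re-baseline.
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as f:
        return json.load(f)


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed, or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: a tiny fake WordPress tree, baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        core = site / "wp-includes" / "template-loader.php"
        core.write_text("<?php\n// constructed stand-in for the real core file\n")
        (site / "index.php").write_text("<?php\n// constructed front controller\n")

        baseline_file = Path(tmp) / "baseline.json"   # stored outside the site tree
        save_baseline(snapshot(str(site)), str(baseline_file))

        # Simulate the incident: a core file edited in place and a new file dropped.
        with core.open("a") as f:
            f.write("// constructed tampering appended after baseline\n")
        (site / "wp-content").mkdir()
        (site / "wp-content" / "dropped.php").write_text("<?php\n// constructed dropped file\n")

        return diff_snapshots(load_baseline(str(baseline_file)), snapshot(str(site)))


if __name__ == "__main__":
    # In production: run snapshot() from cron, diff against the stored baseline,
    # and alert on any non-empty list. Re-baseline only after a verified update.
    print(json.dumps(demo(), indent=2))
```

A changed `modified` entry on a core file is the signal the article describes: legitimate WordPress updates touch many core files at once and coincide with an update you performed, whereas a single edited `template-loader.php` with no update in sight deserves a diff against a clean copy of the same WordPress version.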