Website Security News

Sucuri Blog: Learn about website security, software vulnerabilities, how to protect WordPress, and malware infections from our team of security researchers.

  • The Case of Hidden Spam Pages
    by Ben Martin on June 25, 2025 at 8:19 pm

    Spammy posts and pages being placed on WordPress websites is one of the most common infections that we come across. The reason is that the attack is very low-level in terms of sophistication: all that is required of the attacker is to brute force their way into the wp-admin panel; from there they just have their scripts/bots post spam posts and pages, effectively achieving a blackhat SEO attack. Since an out-of-the-box WordPress website contains no protection on admin access other than a password (with no limit on the number of failed login attempts), and the admin users can often be discovered via enumeration, this remains a very popular type of spam infection on the platform. Continue reading The Case of Hidden Spam Pages at Sucuri Blog.

  • Malicious WordPress Plugin Creates Hidden Admin User Backdoor
    by Matt Morrow on June 20, 2025 at 10:18 pm

    I recently wrote about a case where a malicious plugin was used to steal admin credentials. Here we will examine yet another malicious plugin that creates a malicious admin user right in the website. Examining the malware: While examining the site, we noticed a plugin located at wp-content/plugins labeled php-ini.php. This is strange since directories generally don’t contain extensions, especially one like .php since those are reserved for files. Continue reading Malicious WordPress Plugin Creates Hidden Admin User Backdoor at Sucuri Blog.

  • Analysis of a Malicious WordPress Plugin: The Covert Redirector
    by Puja Srivastava on June 18, 2025 at 9:08 pm

    A few weeks ago, we received a support request from a website owner who was experiencing unexpected redirects. Visitors landed on the website normally, but after about 4–5 seconds, the site redirected them to unrelated and suspicious websites. During the investigation, we discovered a malicious plugin that was responsible for this behavior, continuing the trend of attackers using fake WordPress plugins. So far, we have seen at least 26 websites infected with the same malicious plugin, and it appears to be spreading through pirated or compromised installations. Continue reading Analysis of a Malicious WordPress Plugin: The Covert Redirector at Sucuri Blog.

  • Understanding SSRF: Abusing Server Trust from the Inside Out
    by Kyle Knight on June 11, 2025 at 11:01 pm

    In our daily interactions online, trust is a fundamental currency. We trust servers to handle our data, process our requests, and reliably deliver content. But what happens when that trust is abused and turned against the server itself? What if an attacker could trick your server into becoming an unwitting accomplice, abusing its privileged position to launch attacks from within the perceived safety of your own network? This is the core danger of Server-Side Request Forgery (SSRF), a vulnerability that has earned its own spot in the OWASP Top 10. Continue reading Understanding SSRF: Abusing Server Trust from the Inside Out at Sucuri Blog.

  • Fake WordPress Caching Plugin Used to Steal Admin Credentials
    by Matt Morrow on June 4, 2025 at 10:33 pm

    A common trend we see is that bad actors will upload malicious plugins to WordPress sites. These plugins serve a wide variety of functions from injecting spam to redirecting sites to other malicious content. In this article we will examine a more dangerous method where plugins can be used to steal admin credentials. Identifying the malware During a routine malware scan we noticed a plugin labeled wp-runtime-cache in the wp-content/plugins directory. Continue reading Fake WordPress Caching Plugin Used to Steal Admin Credentials at Sucuri Blog.

  • Vulnerability & Patch Roundup — May 2025
    by Sucuri Malware Research Team on May 31, 2025 at 12:57 am

    Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. Continue reading Vulnerability & Patch Roundup — May 2025 at Sucuri Blog.

  • What Motivates Website Malware Attacks?
    by Ben Martin on May 28, 2025 at 11:18 pm

    The depiction in the media of hackers tends to be that of balaclava-wearing villains who type furiously in a dark basement, motivated by nothing but evil intentions. However, while this may be true in some instances, by and large the determining factors that result in malware attacks are largely motivated not by ideology or malice but by material interests. In writing this post I couldn’t help but think of the self-parody TV series CSI: Cyber, specifically the episode where the basement-dwelling, greasy-haired, evil hacker hacks a roller coaster ride, killing everyone on board, simply because he is a bad evil guy who wants to do bad evil things to unsuspecting good people. Continue reading What Motivates Website Malware Attacks? at Sucuri Blog.

  • Fake Java Update Popup Found in Malicious WordPress Plugin
    by Puja Srivastava on May 27, 2025 at 11:36 pm

    We recently assisted a customer who reported a persistent and concerning “Java Update” pop-up appearing on their WordPress website. This type of deceptive notification is a common tactic used by attackers to compromise website visitors. Our investigation revealed a malicious plugin operating stealthily within their WordPress environment. What Did We Find? A plugin installed in the /wp-content/plugins/contact-form/ directory, posed as “Yoast SEO”, complete with fake metadata to mislead site owners. However, it served a completely different purpose. Continue reading Fake Java Update Popup Found in Malicious WordPress Plugin at Sucuri Blog.

  • Fake Google Meet Page Tricks Users into Running PowerShell Malware
    by Puja Srivastava on May 23, 2025 at 10:33 pm

    Last month, a customer reached out to us after noticing suspicious URLs on their WordPress site. Visitors reported being prompted to perform unusual actions. We began our investigation, scanning the site for common malware indicators and looking for signs of obfuscated JavaScript or injected iframes. What we found, however, was more subtle and potentially more dangerous. We have seen similar infections previously where the attacker would ask the users to run PowerShell commands on their system. Continue reading Fake Google Meet Page Tricks Users into Running PowerShell Malware at Sucuri Blog.

  • Another Fake Cloudflare Verification Targets WordPress Sites
    by Kayleigh Martin on May 21, 2025 at 9:48 pm

    A new Cloudflare infection has once again been targeting WordPress sites. This new iteration of malware mimics a legitimate-looking Cloudflare verification page, which then tricks victims into following various commands and downloading malware. This style of malware is not new – our researcher Ben Martin wrote about a similar campaign targeting WordPress sites back in March. The difference between this new infection and previous ones is the location of where the malware is located – spread out among multiple themes and fake plugins. Continue reading Another Fake Cloudflare Verification Targets WordPress Sites at Sucuri Blog.

  • 90 Days to Shine: Why Sucuri’s SSL Certificates Are Living the Short Life (and Why That’s Awesome)
    by Marc Kranat on May 16, 2025 at 8:15 pm

    Picture this: your SSL certificate is like a carton of milk in your fridge. Sure, it’s good for a while, but let it sit too long, and you’re inviting a sour situation. At Sucuri, we’ve decided our certificates deserve a fresher approach—90 days fresh, to be exact. That’s right, we’re now renewing our SSL certificates every three months, and we’re here to tell you why this is the cybersecurity equivalent of a daily kale smoothie: good for you, great for security, and honestly, pretty trendy. Continue reading 90 Days to Shine: Why Sucuri’s SSL Certificates Are Living the Short Life (and Why That’s Awesome) at Sucuri Blog.
