Website Security News

Sucuri Blog: Learn about website security, software vulnerabilities, how to protect WordPress, and malware infections from our team of security researchers.

  • Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website
    by Puja Srivastava on August 14, 2025 at 3:17 am

    Last month, we came across an ongoing JavaScript-based malware campaign affecting compromised websites. The malware injects a fullscreen iframe that silently loads content from a suspicious external domain. This type of malicious script aims to force users to view unsolicited content, often for ad fraud, traffic generation, or deceptive social engineering. This is the fake Cloudflare captcha that was shown when we accessed the malicious domain capcloud[. Continue reading Malicious JavaScript Injects Fullscreen Iframe On a WordPress Website at Sucuri Blog.

  • WordPress Vulnerability & Patch Roundup — July 2025
    by Sucuri Malware Research Team on July 31, 2025 at 9:54 pm

    Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. Continue reading WordPress Vulnerability & Patch Roundup — July 2025 at Sucuri Blog.

  • Why Your Website Might Be Throwing a 421 SNI Error (And What to Do About It)
    by Marc Kranat on July 30, 2025 at 10:44 pm

    So, your support team is suddenly flooded with tickets about “421 Misdirected Request” errors, and you’re wondering if the internet is just having a bad day. Spoiler: it’s not. But Apache might be. Let’s break down what’s going on, why it’s happening now, and how to fix it—whether you’re using Plesk, cPanel, or flying solo with your own Apache setup.

    What Is a 421 SNI Error Anyway?

    The HTTP 421 “Misdirected Request” error is Apache’s way of saying: “Hey, I wasn’t expecting you on this connection.” This happens when the Server Name Indication (SNI) in the TLS handshake doesn’t match the hostname Apache is expecting. Continue reading Why Your Website Might Be Throwing a 421 SNI Error (And What to Do About It) at Sucuri Blog.

  • Unauthorized Admin User Created via Disguised WordPress Plugin
    by Puja Srivastava on July 30, 2025 at 12:07 am

    Recently at Sucuri, we investigated a malware case reported by one of our clients. Their WordPress site was compromised, and the attacker had installed a fake plugin. Analysis revealed that it was a sophisticated backdoor plugin designed to create a persistent and hidden administrator account.

    What Did We Find?

    The infection was located inside the WordPress plugins directory:

    ./wp-content/plugins/wp-compat/wp-compat.php

    The plugin claimed to fix compatibility issues with newer WordPress and PHP versions. Continue reading Unauthorized Admin User Created via Disguised WordPress Plugin at Sucuri Blog.

  • Uncovering a Stealthy WordPress Backdoor in mu-plugins
    by Puja Srivastava on July 22, 2025 at 11:09 pm

    Recently, our team uncovered a particularly sneaky piece of malware tucked away in a place many WordPress users don’t even know exists: the mu-plugins folder. In fact, back in March, we saw a similar trend with hidden malware in this very directory, as detailed in our post Hidden Malware Strikes Again: MU-Plugins Under Attack. This current infection was designed to be quiet, persistent, and very hard to spot.

    ./wp-content/mu-plugins/wp-index.php

    For those unfamiliar, mu-plugins stands for “must-use plugins.” These are special WordPress plugins that are automatically activated and cannot be deactivated from the WordPress admin panel. Continue reading Uncovering a Stealthy WordPress Backdoor in mu-plugins at Sucuri Blog.

  • Product Update – New Backups Platform
    by Victor Santoyo on July 21, 2025 at 8:28 pm

    Sucuri is pleased to announce the completion of a product upgrade with our new Backups platform. For those already subscribed to our Backups platform, you will begin to see (over the next week or so), a new destination for where to access your new Backups. For those who have never purchased our Backups before, you will automatically be routed to the new experience moving forward. Some of the exciting new improvements made to the platform include:

      • Additional frequency options (now adding 12-hour and 6-hour schedules)
      • Ability to select storage region of your Backups
      • Easier navigation through your files & database for exclusion purposes

    One thing to note is that as we migrate to the new platform, we will retain the previous 90 days worth of existing Backups in the event you or our support team need to refer back to that. Continue reading Product Update – New Backups Platform at Sucuri Blog.

  • WordPress Redirect Malware Hidden in Google Tag Manager Code
    by Puja Srivastava on July 18, 2025 at 12:43 am

    Last month, a customer contacted us after noticing their WordPress website was unexpectedly redirecting to a spam domain. The redirection occurred approximately 4-5 seconds after a user landed on the site. Upon closer inspection of the site’s source code we found a suspicious Google Tag Manager loading. This isn’t the first time we’ve seen GTM abused. Earlier this year, we analyzed a credit card skimming attack where attackers injected a payment skimmer via a GTM container. Continue reading WordPress Redirect Malware Hidden in Google Tag Manager Code at Sucuri Blog.

  • Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors
    by Puja Srivastava on July 11, 2025 at 9:19 pm

    Last month, a customer contacted us, concerned about persistent and inexplicable redirects on their WordPress website. Our investigation quickly unearthed a sophisticated piece of malware deeply embedded within their site’s core files. This wasn’t just a simple redirect; it was a complex operation designed for search engine poisoning and unauthorized content injection.

    What Did We Find?

    Our initial analysis led us to the wp-settings.php file, a critical WordPress core component. We discovered two highly suspicious lines of code that immediately stood out: This code snippet is the initial entry point for the malicious payload. Continue reading Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors at Sucuri Blog.

  • Attackers Inject Code into WordPress Theme to Redirect Visitors
    by Matt Morrow on July 9, 2025 at 9:48 pm

    In a recent article we discussed some of the reasons sites are frequently attacked. That article covered browser redirects, and we’ll explore an example of such a case here. Website themes are a common attack vector for many reasons. The theme is guaranteed to load on every page, that is the core design of any site, and themes can easily be customized in the site’s admin panel. However, sometimes an attacker will inject code directly into the theme’s files since those are not readily visible by a website administrator and any changes may go unnoticed unless the admin is specifically looking through the site’s directory structure and manually inspecting code. Continue reading Attackers Inject Code into WordPress Theme to Redirect Visitors at Sucuri Blog.

  • Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection
    by Kayleigh Martin on July 2, 2025 at 8:04 pm

    During our investigation of an SEO spam infection (spam content designed to manipulate search engine results), we discovered a nicely crafted plugin that named itself after the infected domain, helping it evade detection. While this tactic was simple, it easily blended in with other legitimate plugins, making it harder to spot during the troubleshooting process. The plugin was designed to appear harmless, with a folder name that mimicked the site’s domain. This unique customization made the plugin easy to overlook, as it appeared to be a legitimate component made specifically for the site. Continue reading Fake Spam Plugin Uses Victim’s Domain Name to Evade Detection at Sucuri Blog.

  • Vulnerability & Patch Roundup — June 2025
    by Sucuri Malware Research Team on July 1, 2025 at 1:06 am

    Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. Continue reading Vulnerability & Patch Roundup — June 2025 at Sucuri Blog.
