Website Security News

Last August we documented a malware campaign that was injecting malicious JavaScript code into compromised WordPress sites to redirect site visitors to VexTrio domains. The most interesting thing about that malware was how it used dynamic DNS TXT records of the tracker-cloud[.]com domain to obtain redirect URLs. We’ve been tracking this campaign ever since — and we’ve recorded multiple changes in obfuscation techniques and domain names used in their DNS TXT traffic direction system (TDS). Continue reading JavaScript Malware Switches to Server-Side Redirects & DNS TXT Records as TDS at Sucuri Blog.

If you’re managing a WordPress site, it’s crucial to ensure it runs smoothly and securely. Many site owners worry that WordPress maintenance is a complex chore that requires a ton of technical expertise, but that’s not entirely true. This guide is here to show you the steps you can take on your own to help maintain your WordPress site and keep it running at its best. Think of your WordPress site like a car. Continue reading WordPress Maintenance: Tasks & Best Practices at Sucuri Blog.

In recent months, we have encountered a number of cases where attackers inject malware into website software that allows for custom or miscellaneous code — for example, the miscellaneous scripts area of the Magento admin panel, or WordPress plugins such as Custom CSS & JS. Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery. Continue reading Credit Card Skimmer Hidden in Fake Facebook Pixel Tracker at Sucuri Blog.

Web shells are malicious scripts that give attackers persistent access to compromised web servers, enabling them to execute commands and control the server remotely. These scripts exploit vulnerabilities like SQL injection, remote file inclusion (RFI), and cross-site scripting (XSS) to gain entry. Once deployed, web shells allow attackers to manipulate the server, leading to data theft, website defacement, or serving as a launchpad for further attacks. Given their stealth and versatility across various programming languages (PHP, Python, Ruby, ASP, Perl, Bash), web shells pose a significant threat to a website’s security. Continue reading Web Shells: Types, Mitigation & Removal at Sucuri Blog.

We often write about malware that steals payment information from sites built with Magento and other types of e-commerce CMS. However, WordPress has become a massive player in ecommerce as well, thanks to the adoption of Woocommerce and other plugins that can easily turn a WordPress site into a fully-featured online store. This popularity also makes WordPress stores a prime target — and attackers are modifying their MageCart ecommerce malware to target a wider range of CMS platforms. Continue reading Magento Shoplift: Ecommerce Malware Targets Both WordPress & Magento CMS at Sucuri Blog.

Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners about potential threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. The vulnerabilities listed below are virtually patched by the Sucuri Firewall and existing clients are protected. Continue reading WordPress Vulnerability & Patch Roundup March 2024 at Sucuri Blog.

A new client recently came to us reporting seemingly random pop ups occurring on their website. While it was clear that there was something amiss with the website it was difficult to reproduce the issue. However, by inspecting our server side scanner logs we were able to locate the source of the unwanted behavior — and it turned out to be a remarkably interesting JavaScript injection related to a massive malware campaign that we internally call Sign1. Continue reading Sign1 Malware: Analysis, Campaign History & Indicators of Compromise at Sucuri Blog.

The .htaccess file is notorious for being targeted by attackers. Whether it’s using the file to hide malware, redirect search engines to other sites with black hat SEO tactics, or inject content — the range of possibilities for misuse is vast, making it a prime target for hackers. .htaccess malware can be hard to pinpoint and clean up since it allows an attacker to make multiple changes to the web server and its behavior. Continue reading What is .htaccess Malware? (Detection, Symptoms & Prevention) at Sucuri Blog.

At Sucuri, we believe in making the internet safe for everyone. One way we show this is through our free WordPress security plugin. The Sucuri WordPress plugin is available for download in the WordPress repository. It comes with a range of security features, including WordPress hardening, malware scanning, core integrity check, post-hack features and email alerts to help keep your website protected. This year, we’re rolling out a number of new features and enhancements to help improve your plugin experience and strengthen your website’s security — all free of charge. Continue reading Sucuri WordPress Plugin Updates for 2024 at Sucuri Blog.

In January, my colleague reported about a new Balada Injector campaign found exploiting a recent vulnerability in the widely-used Popup Builder WordPress plugin which was initially disclosed back in November, 2023 by Marc Montpas. In the past three weeks, we’ve started seeing an uptick in attacks from a new malware campaign targeting this same Popup Builder vulnerability. According to PublicWWW, over 3,300 websites have already been infected by this new campaign. Our own SiteCheck remote malware scanner has detected this malware on over 1,170 sites. Continue reading New Malware Campaign Found Exploiting Stored XSS in Popup Builder < 4.2.3 at Sucuri Blog.

Two weeks ago we discussed a new development in website hacks: Web3 crypto wallet drainers. We’ve been closely following the most significant variant which injects drainers using the external cachingjs/turboturbo.js script. Our SiteCheck website scanner has already detected this version on over 1,200 sites since the beginning of February, 2024. Since our last post, this malware campaign has seen two new iterations resulting in distributed brute force attacks against target WordPress websites from the browsers of completely innocent and unsuspecting site visitors. Continue reading From Web3 Drainer to Distributed WordPress Brute Force Attack at Sucuri Blog.