New WordPress malware: What to do about WP-Base-SEO

A new type of WordPress malware, WP-Base-SEO, disguises itself as an SEO plug-in that opens backdoors. Nick Lewis explains how it works and how to avoid it.

A new piece of WordPress malware has been discovered disguised as an SEO plug-in called WP-Base-SEO. The malware plug-in has the ability to create backdoors on infected WordPress accounts. How does this new WordPress malware work, and are there any ways for users to identify fake or malicious plug-ins?

It's never been easy to evaluate potentially malicious software, and the stakes continue to get higher. App stores that apply even minimal security checks have made it somewhat easier, but they lock you into the walled garden of the app store vendor. While this can protect end users, it doesn't help when what you need isn't in the app store.

There is a WordPress app store that offers thousands of plug-ins for websites using WordPress, but it has minimal criteria for hosting plug-ins.

Jessica Ortega, web security research analyst at SiteLock LLC, a website security company based in Scottsdale, Ariz., wrote about a malicious SEO plug-in for WordPress. Ortega noted that the code looks legitimate based on the header comment in the code.

However, as SiteLock researchers analyzed the code, they identified potentially suspicious functionality that could create a backdoor on the infected WordPress install. One of the simple obfuscation steps the WordPress malware authors used in the plug-in was the statement $myfunc = 'bas' . 'e64_' . 'dec' . 'ode'; which splices the name of the PHP base64_decode function out of string fragments so that the name never appears as a single string in the file. The function decodes data that was encoded with the Multipurpose Internet Mail Extensions (MIME) base64 binary-to-text encoding scheme.

Something like this should seem out of place in a potentially legitimate plug-in, which could alert your Spidey sense that something is wrong. However, it is very difficult for nontechnical people to evaluate code at this level, so relying on app store security checks and user feedback may be the best some users can be expected to do.
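As an added example (not code from the article or from SiteLock), the following Python scanner looks for exactly the string-splicing trick described above in PHP plug-in source: assignments that build a sensitive function name from concatenated literals, and later dynamic calls through that variable. The plug-in text it scans is a constructed sample, not the real WP-Base-SEO code.

```python
import re

# PHP functions a legitimate SEO plug-in has little reason to hide.
SENSITIVE = {"base64_decode", "eval", "gzinflate", "str_rot13", "system",
             "exec", "shell_exec", "passthru", "assert", "create_function"}

# $name = 'piece' . 'piece' . 'piece';  (single or double quotes, 2+ pieces)
ASSIGN_RE = re.compile(
    r"\$(\w+)\s*=\s*((?:['\"][^'\"]*['\"]\s*\.\s*)+['\"][^'\"]*['\"])\s*;")
PIECE_RE = re.compile(r"['\"]([^'\"]*)['\"]")


def find_spliced_names(php_source):
    """Return (line_no, var, reconstructed) for every assignment whose
    concatenated literals resolve to a sensitive PHP function name."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            var, expr = m.group(1), m.group(2)
            joined = "".join(PIECE_RE.findall(expr))
            if joined.lower() in SENSITIVE:
                hits.append((lineno, var, joined))
    return hits


def find_dynamic_calls(php_source, var_names):
    """Return (line_no, var) for each call written as $var(...) where
    $var holds one of the spliced names found above."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for var in sorted(var_names):
            if re.search(r"\$" + re.escape(var) + r"\s*\(", line):
                hits.append((lineno, var))
    return hits


def scan(php_source):
    spliced = find_spliced_names(php_source)
    calls = find_dynamic_calls(php_source, {v for _, v, _ in spliced})
    return {"spliced": spliced, "calls": calls}


# Constructed sample plug-in: a benign-looking header followed by the trick.
SAMPLE_PLUGIN = """<?php
/*
Plugin Name: WP-Base-SEO
Description: Search engine optimisation helpers.
*/
$title  = 'Base' . ' SEO';
$myfunc = 'bas' . 'e64_' . 'dec' . 'ode';
$data   = $myfunc($blob);
"""

if __name__ == "__main__":
    for key, rows in scan(SAMPLE_PLUGIN).items():
        print(key, rows)
```

The scanner is a triage aid, not proof of malice: a hit means a reviewer should read that line, and an author can defeat the pattern with other encodings, so it complements rather than replaces the app store checks and user feedback mentioned above.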

Malicious programs masquerading as legitimate software, such as this WordPress malware, are not uncommon. Enterprises should encourage their app stores to incorporate security into the entire ecosystem and to add further checks of both the application and the developer to improve trust in the store. While there may be increased costs, enterprises may be willing to pay for the time savings from not needing to spend as much time evaluating software.

Enterprises may even want to collaborate with their industry peers or Information Sharing and Analysis Centers to share this information. The SiteLock Research Team also mentioned using a service or application to check website security, which is good advice.
