Huge WordPress Malware Campaign Infects in Excess of One Million Websites


Over one million WordPress websites have been compromised by a backdoor malware campaign known as the Balad Injector. The affected sites include a significant number running widely used add-ons such as WooCommerce and WPBakery. The injector is delivered through exploits and installs a Linux backdoor, giving immediate access to the site's code and persisting without being identified right away.

The Balad Injector redirects visitors of a WordPress site away from the original URL to a fake push-notification page, a fraudulent tech support page, or a false lottery webpage. All of these variants lead to illegal data mining, phishing attempts, and scams that entrap unsuspecting users. The vulnerabilities it takes advantage of lie in the themes and plugins installed on WordPress websites.

This comes hot on the heels of an uptick in cybercrime, with Statista reporting that around 15 million data records were exposed through data breaches in the third quarter of 2022. The Balad Injector can be used against sites in multiple ways, with different versions targeting specific weak points such as the database, the site's code, or the URL itself.

This calls for better security practices and cybercrime education for everyday users. A recent study from the University of Southampton revealed that many website users are prone to falling prey to fake websites when they are acting under time pressure and do not apply enough analytical reasoning. In the case of the Balad Injector, this weakness in fake-site detection is what lets it redirect users to fake domains.

There are plenty of ways to spot a fake site: an unknown domain with a meaningless domain name, the lack of a valid SSL certificate, misspellings and grammatical errors, and a very recent domain creation or registration date. For those who actually host websites, it may be beneficial to use a managed WordPress hosting provider, as these come with consistent updates, integrated security features, uptime support, and solid backups and data-recovery options.

If your WordPress site has been hacked, the first thing you need to do is contact your hosting service to remove the malware and restore your site to a safe and functional state. It is also a good idea to restore from a backup, reinstall your plugins, and remove compromised server files.

The Balad Injector is able to use multiple paths to obtain the credentials it needs to infect your database and server. With this in mind, a thorough and clean sweep is needed to ensure that it does not retain an alternate means of access. Because of how deeply it roots itself into access points, it is very easy to miss one of its backdoors and be outsmarted by a proxy that restores its access.

Completely removing this malware is very challenging, particularly because of its ability to make use of hidden access points that let it regain control even after the obvious infection has been cleaned up. It also creates customized exploits for the specific vulnerability it is targeting, and the campaign has recently been revealed to have been active since 2017.
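One way to support the "thorough and clean sweep" described above is a file-integrity baseline: hash every file under the theme, plugin and upload directories of a known-clean install, then diff against it after cleanup so that files the attacker added or modified, and any PHP dropped into the uploads directory, stand out. This is an added example, not code from the article or from the campaign's analysts; the directory layout is the standard WordPress one and the sample install in `demo()` is constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Directories a post-incident sweep should cover (assumed standard WordPress
# layout; adjust to your site's paths).
WATCHED = ("wp-content/themes", "wp-content/plugins", "wp-content/uploads")

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map each file under the watched directories to its SHA-256 digest."""
    base = Path(root)
    result = {}
    for sub in WATCHED:
        for p in (base / sub).rglob("*"):
            if p.is_file():
                result[p.relative_to(base).as_posix()] = sha256_of(p)
    return result

def diff_against_baseline(root: str, baseline: dict) -> dict:
    """Report files added, modified or removed since the baseline, plus any
    PHP file under uploads/ (a directory that should hold no executable code)."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    php_in_uploads = sorted(p for p in current
                            if p.startswith("wp-content/uploads/") and p.endswith(".php"))
    return {"added": added, "modified": modified, "removed": removed,
            "php_in_uploads": php_in_uploads}

def demo() -> dict:
    """Constructed sample: a tiny fake install is baselined, then tampered with."""
    root = tempfile.mkdtemp()
    for sub in WATCHED:
        (Path(root) / sub).mkdir(parents=True)
    theme = Path(root) / "wp-content/themes/demo/functions.php"
    theme.parent.mkdir()
    theme.write_text("<?php // clean theme file ?>")
    baseline = build_baseline(root)          # taken while the install is clean
    theme.write_text("<?php // clean theme file ?>\n<?php // constructed tampering ?>")
    (Path(root) / "wp-content/uploads/dropped.php").write_text("<?php // constructed ?>")
    return diff_against_baseline(root, baseline)
```

Run `build_baseline()` against a fresh install (or a trusted backup) and keep the result off the server; a diff that comes back empty after cleanup is the evidence the sweep is looking for.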

While hosted WordPress sites usually receive updates and security features, it is still important for site owners to do their part in keeping their sites safe from such intricate attacks. The basics to keep in mind are: use a strong password that is not reused on any other website or account, avoid sharing passwords (especially in digital spaces), keep all themes, plugins, and software updated, perform regular checks, keep a number of regular backups, and enable two-factor authentication.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.