
How does a WordPress SEO malware injection work and how can enterprises prevent it?

Security expert Nick Lewis explains how to prevent WordPress SEO malware injection attacks that rank the attacker's search engine results higher than legitimate webpages.

WordPress was recently the target of an SEO malware injection attack that has been known to evade detection. How does a WordPress malware injection attack work and what should enterprises do to prevent it?

The word malware refers to many things beyond a Windows PC getting infected with a virus, but that is often the first thing people think of. Malware is generally malicious software that has unique characteristics and impacts Windows and Mac OSes, mobile devices, servers, IoT devices, and so on.

Some malicious software targets specific applications, like the open source word processing software WordPress. This type of attack is called SEO malware injection.

Cloud-based security company Sucuri recently blogged about two websites infected with search engine optimization (SEO) injection malware. SEO attacks occur when an attacker manipulates search engine results to rank the attacker's webpages higher than legitimate webpages.

Sucuri described SEO malware injection attacks as inserting spam content into WordPress pages that are then indexed by search engines. Sucuri didn't address how the attacker accessed the WordPress sites, but it could have been via a compromised account, insecure WordPress plugins or out-of-date software, to mention a few.

The attacker was able to insert the spam content into the HTML code and directly into the database. This malware injection attack could have included only the spam content along with external web content, or it could have included JavaScript that pulled content from a third-party website. The database entries could have had similar content to the HTML spam, but stored it in the database rather than in the HTML code. The attacker also changed the database connection used in the WordPress files to pull spam content from the database along with the legitimate content to minimize the chances of being detected.
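A defender-side check for the traces described above, as an added example that is not from the article or from Sucuri: it flags links and scripts that point at hosts outside an allowlist, and reports drift in the database settings defined in `wp-config.php`. The host names, allowlist, baseline values and sample inputs are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (not from the article): the site's own host, the approved
# third-party hosts, and the known-good database settings for wp-config.php.
SITE_HOST = "www.example.com"
ALLOWED_HOSTS = {SITE_HOST, "cdn.example.com"}
DB_BASELINE = {"DB_NAME": "wp_prod", "DB_USER": "wp_app", "DB_HOST": "localhost"}

class ExternalRefFinder(HTMLParser):
    """Collect script/iframe sources and link targets on unapproved hosts."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {"script": "src", "iframe": "src", "a": "href"}.get(tag)
        url = dict(attrs).get(attr) if attr else None
        # Relative URLs have no hostname and are treated as same-site.
        host = urlparse(url).hostname if url else None
        if host and host.lower() not in ALLOWED_HOSTS:
            self.findings.append((tag, host.lower()))

def scan_html(html):
    """Return (tag, host) pairs for references to hosts outside the allowlist."""
    finder = ExternalRefFinder()
    finder.feed(html)
    return finder.findings

def db_config_drift(wp_config_text, baseline=DB_BASELINE):
    """Return {key: (expected, found)} for DB_* defines that differ from baseline."""
    pattern = r"define\(\s*['\"](DB_\w+)['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)"
    found = dict(re.findall(pattern, wp_config_text))
    return {k: (v, found.get(k)) for k, v in baseline.items() if found.get(k) != v}

# Constructed samples for illustration only.
SAMPLE_HTML = """<p>Quarterly results</p>
<a href="/about">About</a>
<a href="https://cdn.example.com/report.pdf">Report</a>
<script src="//widgets.spam-host.test/load.js"></script>
<a href="http://pills.spam-host.test/buy">cheap offers</a>"""
SAMPLE_CONFIG = """define( 'DB_NAME', 'wp_prod' );
define( 'DB_USER', 'wp_app' );
define( 'DB_HOST', 'db.spam-host.test' );"""

if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(db_config_drift(SAMPLE_CONFIG))
```

`scan_html` can be run on both the rendered page and on post bodies exported from the database, since the spam may live in either place.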

To handle an SEO malware injection attack, protect WordPress by following these steps, assuming other aspects of your enterprise security program provide defense in depth:

  1. keep WordPress and all of its plugins up to date, which you can accomplish by enabling auto-updates;
  2. use secure account management, like multifactor authentication, to protect admin accounts;
  3. use an encrypted connection for WordPress management;
  4. limit public access to the system to only trusted systems to limit the attack surface;
  5. back up the system securely;
  6. if the resources are available, use a web application firewall;
  7. review the WordPress security guide; and
  8. consider this expert advice on how to run a secure WordPress installation.
