1,000+ WordPress sites compromised through automatic update feature

More than 1,000 WordPress blogs have been modified to redirect visitors to sites serving malware, affiliate and pay-per-click redirectors, and low quality PPC search result aggregators, through the WordPress’ automatic update feature.

The discovery was made by Denis Sinegubko, the founder of the helpful Unmask Parasites website, who points out the irony of webmasters trying to keep their sites safe by using automatic updating, and then having them compromised through the same means.

The individuals behind the attack have discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code in the wp-settings.PHP file, and effects the redirects.

The update.php file contains the “wp_update_core” function, which is used by the WordPress Automatic Update feature, says Sinegubko.

“Behind the scenes, the ‘wp_update_core’ function checks for available updates, downloads new files, replaces old files and does all the rest stuff required to successfully complete WordPress upgrades,” he explains.

“Your blog is supposed to be fully updated just before this function returns. At that moment all infected core WordPress files (such as wp-settings.php) should be replaced with new clean copies. And this is exactly the moment when the malicious code in the “wp_update_core” function begins to work. It reinfects the just-updated and new wp-settings.php file.

Consequently, only users who have the automatic update feature enabled can have their blogs compromised by this means. Those who update their WP installation manually or via Subversion (SBV) are safe.

“WordPress developers should consider adding some integrity control into their system (e.g. checksum control for core WP files) and warn webmasters (blog administrators) if core files change,” Sinegubko concludes.