WordPress helps power one in four websites on the Internet today. Because of this, keeping an eye on the tactics used by hackers to compromise WordPress sites is of crucial importance for security firms.
Any new tactic, or even a small change in their mode of operation, could signal the rise of a new type of WordPress hacking campaign.
One of the latest tricks observed on hacked WordPress sites is the so-called directory-in-directory install, or subdirectory install.
Secondary site installs occur after server hacks
Detected by web security firm Sucuri, this scenario takes place after an attacker, by one method or another, has already gained access to a website's underlying server.
Sucuri’s Fernando Barbosa says that attackers, in this case, take the site’s database credentials from the wp-config.php file, and use them to install a second, a third, or more sites on the victim’s server.
To avoid detection, attackers don’t touch the user’s original website. They create subdirectories in the site’s main folder, where they install additional sites, completely separate from the original.
Because nothing about the original site changes, a scan that only checks the existing install's files against known-good copies will pass, and the webmaster won't be alerted to the infection unless he notices the extra folders that have mysteriously appeared in the server's FTP listing, or happens to access the new site's URL directly (domain.com/subdirectory).
Trick used for SEO spam
Barbosa says that on the sites Sucuri cleaned up where this tactic was observed, attackers had used these nested websites for SEO spam.
The nested sites promoted shady products sold elsewhere. Because they were served from the victim's main domain, search engines attributed the spam to that domain, and the victim's own website plummeted in search rankings.
This type of infection is easy to detect with a WAF (Web Application Firewall) or security plugin that includes a file-integrity component watching the filesystem for new files and folders. That said, most site owners would never face this kind of SEO spam if they kept WordPress and its plugins up to date and avoided getting their servers compromised in the first place.
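The two detection signals described above, extra folders appearing under the web root and a second site reusing the database credentials from the original wp-config.php, can be checked with a short script. The following is an added example, not Sucuri's tooling or anything from the original article: it walks a web root, flags every directory below the top level that looks like a WordPress install (holds both wp-config.php and wp-load.php), and reports whether that install points at the same DB_NAME/DB_USER/DB_HOST as the primary site. The directory names, credentials and the assumption that a nested install would pick its own $table_prefix are constructed for the sample tree; the wp-config.php layout it parses is the standard define()-based one.

```python
"""Find WordPress installs nested under a site's web root and check whether
they reuse the primary site's database credentials (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Regexes assume the standard wp-config.php layout:
#   define( 'DB_NAME', 'dbname' );   and   $table_prefix = 'wp_';
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")
# Core directories that never legitimately hold a second install; skipping
# them keeps the walk fast. wp-content is deliberately NOT skipped, since
# writable upload folders are a natural place to drop a nested site.
SKIP_DIRS = {"wp-admin", "wp-includes"}


def parse_wp_config(path):
    """Return DB settings and table prefix from a wp-config.php file."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    settings = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    settings["table_prefix"] = m.group(1) if m else None
    return settings


def find_wp_installs(webroot):
    """Return every directory under webroot that looks like a WordPress
    install, i.e. holds both wp-config.php and wp-load.php."""
    webroot = Path(webroot)
    installs = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        if "wp-config.php" in filenames and "wp-load.php" in filenames:
            installs.append(Path(dirpath))
    return installs


def audit_nested_installs(webroot):
    """List installs below the top-level one, flagging those that point at
    the primary site's database (the credential-reuse pattern described)."""
    webroot = Path(webroot)
    primary_cfg = webroot / "wp-config.php"
    primary = parse_wp_config(primary_cfg) if primary_cfg.exists() else {}
    keys = ("DB_NAME", "DB_USER", "DB_HOST")
    findings = []
    for install in find_wp_installs(webroot):
        if install == webroot:
            continue  # the legitimate site itself
        cfg = parse_wp_config(install / "wp-config.php")
        findings.append({
            "path": install.relative_to(webroot).as_posix(),
            "db_name": cfg.get("DB_NAME"),
            "table_prefix": cfg.get("table_prefix"),
            # Same DB/user/host as the primary site: the attacker lifted the
            # credentials from the original wp-config.php.
            "shares_primary_db": bool(primary)
            and all(cfg.get(k) == primary.get(k) for k in keys),
        })
    return findings


def _write_wp_config(directory, table_prefix):
    """Write a minimal wp-config.php plus a wp-load.php marker (constructed)."""
    directory.mkdir(parents=True, exist_ok=True)
    (directory / "wp-config.php").write_text(
        "<?php\n"
        "define( 'DB_NAME', 'wp_prod' );\n"
        "define( 'DB_USER', 'wpuser' );\n"
        "define( 'DB_PASSWORD', 'hunter2' );\n"
        "define( 'DB_HOST', 'localhost' );\n"
        f"$table_prefix = '{table_prefix}';\n"
    )
    (directory / "wp-load.php").write_text("<?php\n")


def build_sample_webroot():
    """Constructed sample tree: the legitimate install at the root, an
    attacker install in an odd subdirectory reusing the same database with a
    new table prefix, and a harmless static folder that must not be flagged."""
    root = Path(tempfile.mkdtemp(prefix="wproot-"))
    _write_wp_config(root, "wp_")
    (root / "wp-includes").mkdir()
    (root / "assets").mkdir()
    (root / "assets" / "index.html").write_text("<html></html>")
    _write_wp_config(root / "shop-cheap-meds", "wp2_")  # hypothetical spam site
    return root


if __name__ == "__main__":
    for finding in audit_nested_installs(build_sample_webroot()):
        print(finding)
```

Run it against a real site as `audit_nested_installs("/var/www/example")` and treat any finding as suspect until a person confirms the subdirectory was put there on purpose; a finding with `shares_primary_db` set is the strongest signal, because a legitimate second site would normally get its own database user rather than the primary site's credentials.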