
Warning for WordPress Admins – Fake SEO Plugins Hijacking Websites


A new wave of SEO spam attacks is exploiting a deceptively simple yet effective tactic: disguising malicious plugins by naming them after the target website’s domain.

This method enables malware to blend seamlessly with legitimate site components, making detection and removal much more challenging for website administrators.

Domain-Mimicking Plugins: A New Stealth Tactic

During a recent investigation into an SEO spam infection, security researchers uncovered a sophisticated plugin masquerading as a legitimate site component by adopting the infected domain’s name.

The plugin’s folder and main file were both named in the format of the site’s domain (e.g., exampledomain-com/exampledomain-com.php), making it appear as a custom-built feature rather than a threat.

Once installed, the plugin injected spam content—most notably, pharmaceutical ads—into the website.

However, the spam was served only to search engine crawlers, such as Googlebot, identified from the request's user agent; regular visitors saw no sign of compromise.

This is classic search-engine cloaking: the injected pharmacy links poison the site's search rankings and feed the spammer's campaign, while the owner, browsing the site normally, sees nothing wrong.

The plugin’s code was heavily obfuscated, with thousands of variable assignments scattered throughout the file.

Instead of writing malicious commands directly, the attackers broke code into small, seemingly random pieces, which were later combined and executed.

This technique is common in sophisticated WordPress infections and is designed to evade both manual inspection and automated malware scanners.
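The naming trick and the fragmented obfuscation are both things a scanner can look for directly on disk. The script below is an added example, not the researchers' tooling: it walks a `wp-content/plugins` tree and flags a plugin whose folder or main file is named after the site's own domain, a PHP file with hundreds of tiny `$a = 'x';` assignments, dangerous calls such as `eval()` and `base64_decode()`, a branch on the crawler user agent, and an image-named file that is not an image. The thresholds, the benign plugin and the malicious plugin it builds in a temp directory are all constructed for the demo.

```python
"""Scan a WordPress plugins directory for the pattern described above: a plugin
folder and main file named after the site's own domain, code broken into
hundreds of tiny string assignments, dangerous calls, a branch on the crawler
user agent, and an "image" file that is not an image.  Added example, not the
researchers' tooling; the sample tree, plugin bodies and thresholds are all
constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Heuristic markers and limits chosen for this example (assumptions).
FRAGMENT_RE = re.compile(r"""\$\w+\s*=\s*['"][^'"]{0,3}['"]\s*;""")
FRAGMENT_LIMIT = 200          # more "$a = 'x';" pieces than this is suspicious
DANGEROUS_CALLS = ("eval", "base64_decode", "gzinflate", "str_rot13",
                   "create_function", "curl_exec", "file_get_contents")
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
               ".png": b"\x89PNG", ".gif": b"GIF8"}


def domain_slug(domain: str) -> str:
    """'Example.com' -> 'example-com', the naming scheme the malware copied."""
    return domain.lower().strip().replace(".", "-")


def scan_plugin(plugin_dir: Path, domain: str) -> list[str]:
    """Return findings for one plugin folder; an empty list means nothing odd."""
    findings = []
    slug = domain_slug(domain)
    if plugin_dir.name == slug:
        findings.append("folder named after the site domain")
    if (plugin_dir / f"{slug}.php").is_file():
        findings.append("main file named after the site domain")
    for php in plugin_dir.rglob("*.php"):
        src = php.read_text(errors="replace")
        pieces = len(FRAGMENT_RE.findall(src))
        if pieces > FRAGMENT_LIMIT:
            findings.append(f"{php.name}: {pieces} tiny string assignments (fragmented code)")
        for call in DANGEROUS_CALLS:
            if re.search(rf"\b{call}\s*\(", src):
                findings.append(f"{php.name}: calls {call}()")
        if "HTTP_USER_AGENT" in src and re.search(r"googlebot|bingbot", src, re.I):
            findings.append(f"{php.name}: branches on search-engine user agent")
    # An image-named file whose bytes do not start with an image header, e.g.
    # a 'metainfo.jpg' that really holds encoded instructions.
    for f in plugin_dir.rglob("*"):
        magic = IMAGE_MAGIC.get(f.suffix.lower())
        if magic and f.is_file() and not f.read_bytes().startswith(magic):
            findings.append(f"{f.name}: image extension but no image header")
    return findings


def scan_plugins_dir(plugins_root: Path, domain: str) -> dict[str, list[str]]:
    """Map plugin folder name -> findings, keeping only folders with findings."""
    report = {}
    for plugin_dir in sorted(plugins_root.iterdir()):
        if plugin_dir.is_dir():
            hits = scan_plugin(plugin_dir, domain)
            if hits:
                report[plugin_dir.name] = hits
    return report


def build_demo_tree(root: Path) -> Path:
    """Constructed sample: one benign plugin and one domain-mimicking plugin."""
    plugins = root / "wp-content" / "plugins"
    benign = plugins / "simple-contact-form"
    benign.mkdir(parents=True)
    (benign / "simple-contact-form.php").write_text(
        "<?php\n/* Plugin Name: Simple Contact Form */\n"
        "add_action('init', function () { $opts = get_option('scf'); });\n")
    bad = plugins / "exampledomain-com"
    bad.mkdir()
    # 400 one-character string assignments, the "scattered pieces" style.
    fragments = "".join(f"$v{i} = '{chr(97 + i % 26)}';\n" for i in range(400))
    (bad / "exampledomain-com.php").write_text(
        "<?php\n" + fragments +
        "if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {\n"
        "    eval(base64_decode($v1 . $v2 . $v3));\n}\n")
    (bad / "metainfo.jpg").write_bytes(b"not a JPEG: encoded config would sit here")
    return plugins


def run_demo(domain: str = "exampledomain.com") -> dict[str, list[str]]:
    """Build the sample tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins_dir(build_demo_tree(Path(tmp)), domain)


if __name__ == "__main__":
    for name, hits in run_demo().items():
        print(name)
        for hit in hits:
            print("  -", hit)
```

On a real site, point `scan_plugins_dir` at the live `wp-content/plugins` folder with the site's domain and treat any hit on the naming check as a priority: a legitimate custom plugin named after the domain is possible, but it should then be one the site owner knows about and can explain. The fragment threshold is deliberately coarse; minified vendor code can produce false positives, so read the flagged file before deleting it.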

Inside the Obfuscated Code: How the Malware Operates

The malicious plugin’s code was structured in several distinct parts:

  • It began by establishing a function to download files from external sources, mimicking browser behavior to avoid suspicion.
  • The code then fetched the current page’s content, scanning for hidden commands sent to the site.
  • A hidden file (metainfo.jpg) stored encoded instructions, including a base64-encoded domain (mag1cw0rld[.]com) used for remote control.
  • Crucially, the malware detected when a search engine bot visited the site. If so, it fetched and displayed spam content from the remote server, ensuring only bots—not human users—were exposed to the injected material.
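Because the spam is shown only to crawlers, the quickest way to confirm an infection of this kind from the outside is to request the same page twice, once as a browser and once as Googlebot, and diff the responses. The script below is an added example, not code from the write-up: `check_cloaking` takes a fetcher so it can run offline against `simulated_site`, a constructed stand-in for the infected server that injects pharma links only for crawler user agents, and `http_fetch` is the live equivalent for a real site. The spam word list is an assumption to extend as needed.

```python
"""Check a URL for the search-engine cloaking the infected plugin performs:
fetch it once as a normal browser and once as Googlebot, diff the two bodies,
and look for spam wording that only the crawler sees.  Added example, not the
researchers' code; the simulated site below is a constructed stand-in for the
infected server so the demo runs offline."""
import difflib
import re
from typing import Callable

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+http://www.google.com/bot.html)")
# Pharma terms typical of this kind of SEO spam (assumed list, extend as needed).
SPAM_WORDS = re.compile(r"\b(viagra|cialis|levitra|online pharmacy)\b", re.I)

Fetcher = Callable[[str, str], str]        # (url, user_agent) -> response body


def http_fetch(url: str, user_agent: str) -> str:
    """Live fetcher for real checks (does network I/O; not used by the demo)."""
    from urllib.request import Request, urlopen
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_cloaking(url: str, fetch: Fetcher = http_fetch) -> dict:
    """Compare the browser view with the crawler view of the same URL."""
    human = fetch(url, BROWSER_UA)
    bot = fetch(url, GOOGLEBOT_UA)
    # Lines present only in the crawler's copy, via a zero-context unified diff.
    bot_only = [line[1:] for line in difflib.unified_diff(
                    human.splitlines(), bot.splitlines(),
                    "browser", "googlebot", lineterm="", n=0)
                if line.startswith("+") and not line.startswith("+++")]
    return {
        "cloaked": human != bot,
        "bot_only_lines": bot_only,
        "spam_in_bot_view": bool(SPAM_WORDS.search(bot)) and not SPAM_WORDS.search(human),
    }


def simulated_site(url: str, user_agent: str) -> str:
    """Constructed stand-in for the infected site: the normal page for
    browsers, the same page with injected pharma links for crawlers."""
    page = ["<html><body>",
            "<h1>Example Domain</h1>",
            "<p>Welcome to our site.</p>",
            "</body></html>"]
    if re.search(r"googlebot|bingbot", user_agent, re.I):
        page.insert(2, '<div><a href="http://spam.invalid/">buy viagra '
                       'at our online pharmacy</a></div>')
    return "\n".join(page)


if __name__ == "__main__":
    result = check_cloaking("http://exampledomain.com/", simulated_site)
    print("cloaked:", result["cloaked"], "| spam only for bots:", result["spam_in_bot_view"])
    for line in result["bot_only_lines"]:
        print("  bot-only:", line)
```

Two caveats when running this against a live site. A clean result is not proof of a clean site: some cloaking code also checks the client IP or reverse DNS and will not trigger on a spoofed user agent alone, so confirm with Google Search Console's URL Inspection live test, which shows what Google's own crawler actually received. And a CDN or page cache in front of the site can serve a stale copy to one of the two requests, so add a cache-busting query string or bypass the cache when comparing.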

This layered approach allowed the malware to persist undetected for extended periods, as traditional security tools and casual inspections often missed the plugin due to its legitimate-looking name and selective activation.

Mitigation and Prevention

Website owners are urged to:

  • Keep all plugins, themes, and core software up to date.
  • Regularly scan for malware and backdoors at both the server and client levels.
  • Use unique, strong passwords for all accounts.
  • Monitor logs for unusual activity and employ file integrity monitoring.
  • Deploy a web application firewall (WAF) to block malicious bots and detect attacks.

If a compromise is suspected, immediate professional assistance is recommended to ensure thorough malware removal and restoration of site integrity.
