True or false: Technical Analysis of WordPress black hat SEO plug-in (1)


In WordPress, malicious code is usually hidden in plug-ins or themes. It takes different forms: some send spam, some implant invisible links, and so on. However, the way such malware gets in is well understood: the malicious plug-in simply offers functionality the website administrator wants, and the administrator installs it directly without rigorous verification.

Interesting black hat SEO plug-in

Just this week, I came across a typical black hat SEO plug-in, and its implementation is very interesting.

The core file of the malicious plug-in sits in the root directory of the website. Using this file, the attackers inject the following code into index.php:

if ( file_exists( 'wp-core.php' ) ){ require_once( 'wp-core.php' ); }

An index.php injection like this looks very suspicious, and it also tells us that wp-core.php was not installed the normal way, because it breaks WordPress conventions.

Next, let's look at the wp-core.php file.

Analysis of the wp-core.php file

The file contains more than 500 lines of code. According to its comments, the plug-in was developed to protect the WordPress CMS from brute-force attacks; it also uses 302 redirection for protection and must be loaded first.

In the middle of the file, I found the "bootstrap" code.

First, it injects the brute-force protection code into wp-login.php.

It adds an onsubmit handler to the login form that sets the "antibot_ajax" cookie. Then it adds code that checks whether this cookie is set and refuses the login if it is not. So far this looks like a genuine anti-bot measure that actually protects the user, with nothing malicious about it.

Next, let's take a look at the "Auth 2nd level" code:

This looks even more suspicious. It injects a piece of encrypted code. We decrypted the code and were surprised to find that it was benign. As the plug-in author states in the remarks at the beginning of the file, this is a second verification step. If the login name and password are valid, the user's email address is retrieved from the WP database, the characters from the third one up to the @ sign are replaced, and the user must then confirm that email address.

Therefore, even if a bot supports JavaScript and cookies and is lucky enough to pass the first anti-bot protection, it fails at the second layer, because that layer requires mailbox verification. In the same way, even if someone steals your WordPress password, they cannot log on without confirming your mailbox.

After the user confirms the email address, an additional WP_FLV_EMAIL_CONFIRMED cookie is set with a lifetime of 1000 days, so they do not have to repeat the email verification every time they log on.

The final "bootstrap" section contains the code that injects the wp-core.php loader into index.php (shown at the beginning of the article). It ensures that the brute-force protection is always loaded, and if the code in wp-login.php is removed, it re-injects it on its own.
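The markers described above (the wp-core.php loader in index.php, the antibot_ajax and WP_FLV_EMAIL_CONFIRMED cookie names, and a wp-core.php file sitting in the site root) are enough to spot this plug-in on a site. The following scanner is an added example written for this article, not code from the plug-in or from WordPress; the regular expressions and the sample index.php contents are constructed here.

```python
import re
from pathlib import Path

# Indicators taken from the analysis above; the regexes themselves are constructed.
INDICATORS = {
    "index.php loader": re.compile(r"file_exists\(\s*['\"]wp-core\.php['\"]\s*\)"),
    "wp-core.php include": re.compile(r"require(?:_once)?\s*\(?\s*['\"]wp-core\.php['\"]"),
    "antibot_ajax cookie": re.compile(r"antibot_ajax"),
    "email-confirmed cookie": re.compile(r"WP_FLV_EMAIL_CONFIRMED"),
}

# Files the write-up says the plug-in modifies, plus the dropped core file itself.
MODIFIED_FILES = ("index.php", "wp-login.php")
DROPPED_FILE = "wp-core.php"


def scan_source(text: str) -> list[str]:
    """Return the names of the indicators present in one PHP file's contents."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_contents(files: dict[str, str]) -> dict[str, list[str]]:
    """files maps a path relative to the site root to its contents (absent files omitted)."""
    findings = {}
    for name in MODIFIED_FILES:
        hits = scan_source(files.get(name, ""))
        if hits:
            findings[name] = hits
    # wp-core.php is not a WordPress core file; its presence in the root is a finding by itself.
    if DROPPED_FILE in files:
        findings[DROPPED_FILE] = ["unexpected file in site root"]
    return findings


def scan_site(root: str) -> dict[str, list[str]]:
    """Read the relevant files from a WordPress install on disk and scan them."""
    base = Path(root)
    files = {}
    for name in MODIFIED_FILES + (DROPPED_FILE,):
        path = base / name
        if path.is_file():
            files[name] = path.read_text(errors="replace")
    return scan_contents(files)


# Constructed samples: a stock-looking index.php and one carrying the loader line from the article.
CLEAN_INDEX = "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n"
INFECTED_INDEX = "<?php\nif ( file_exists( 'wp-core.php' ) ){ require_once( 'wp-core.php' ); }\n" + CLEAN_INDEX[6:]

if __name__ == "__main__":
    print(scan_contents({"index.php": INFECTED_INDEX, "wp-core.php": "<?php // dropped file"}))
```

Run scan_site("/path/to/wordpress") against a live install; an empty result means none of the markers were found in index.php, wp-login.php or the site root.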

If we set aside the unconventional way it adds functionality to WordPress, this code could indeed provide a strong protection mechanism. Of course, it is not perfect and does not do much against targeted attacks, especially once the attacker understands how the protection works. Still, it is undeniable that this mechanism would spare webmasters a lot of unnecessary trouble: at the very least, it can stop 95% of automated enumeration attacks.
