The plugin contains code belonging to a real SEO plugin.
The plugin contains code belonging to a real SEO plugin.

About 4,000 WordPress websites have been infected with malware that disguises itself as a search engine optimization plugin to attract unwary webmasters.

The fake plugin is called WP-Base-SEO and is based on a legitimate SEO module so it is easily overlooked during security scans and seems to be a viable tool by a web team intent on boosting its traffic, said a research team at SiteLock. What the plugin actually does is create a backdoor to the victimized site. The cyberattacker is likely scanning the internet looking for outdated WordPress plugins, particularly those running a plugin called RevSlider, SiteLock said.

ThreatPost cited SiteLock analyst Weston Henry who noted that a large portion of the WordPress sites had an out of date version of RevSlider installed. An examination of the plugin finds two malicious files located in /wp-content/plugins/wp-base-seo/wp-seo-main.php.

In previous cases where WordPress sites running RevSlider were compromised the attacker installed ransomware using the Neutrino exploit kit.

WordPress is a frequent target for hackers.