The “XM1RPC” campaign injects malicious files into WordPress websites’ root directories.
Security researchers discovered a search engine spam campaign that plays on WordPress administrators' use of the XML-RPC infrastructure. The campaign, dubbed “XM1RPC” by Sucuri researchers, injects malicious files into WordPress websites' root directories.

The attacks use code injection to infect sites with a backdoor script, according to the security firm's blog post. The campaign uses the file name “xm1rpc.php”, a misspelling of the WordPress XML-RPC interface script, to infect websites built with the open-source tool. The XML-RPC interface (using the “xmlrpc.php” script) enables the WordPress API functionality.

The SEO poisoning attack “infects all sites that share the same FTP account, which means cleaning just one website won't help, as hackers use the compromised site to reinfect all sites on the server in a matter of minutes,” Sucuri Remediation Lead Fernando Barbosa wrote in the Tuesday blog post.
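Because every site under the shared account has to be checked together, the sketch below walks one account's directory tree and flags root-level PHP files whose names imitate a WordPress core file, as “xm1rpc.php” imitates “xmlrpc.php”. It is an added example, not Sucuri's tooling; treating any directory that holds `wp-load.php` as a WordPress root, the digit-for-letter table, and the one-edit threshold are assumptions.

```python
import os
import sys

# PHP files found in the root of a stock WordPress install.
CORE_ROOT_FILES = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-cron.php",
    "wp-comments-post.php", "wp-config.php", "wp-config-sample.php",
    "wp-links-opml.php", "wp-load.php", "wp-login.php", "wp-mail.php",
    "wp-settings.php", "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
# Digit-for-letter swaps that survive a quick glance (assumed set).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Return the core file that `name` imitates, or None."""
    low = name.lower()
    if name in CORE_ROOT_FILES or not low.endswith(".php"):
        return None
    folded = low.translate(CONFUSABLES)
    for core in sorted(CORE_ROOT_FILES):
        if folded == core or edit_distance(low, core) == 1:
            return core
    return None


def scan_account(base):
    """Scan each WordPress root (a directory with wp-load.php) under `base`."""
    hits = []
    for root, _dirs, files in os.walk(base):
        if "wp-load.php" in files:
            hits += [(os.path.join(root, f), lookalike_of(f))
                     for f in files if lookalike_of(f)]
    return sorted(hits)


if __name__ == "__main__":
    for path, core in scan_account(sys.argv[1] if sys.argv[1:] else "."):
        print(f"{path}  imitates {core}")
```

A hit is a lead for review, not a verdict: a legitimate file such as `index2.php` is also one edit away from a core name.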

Attackers have repeatedly targeted the XML-RPC infrastructure with DDoS and brute-force attacks that exploit the remote procedure call protocol.