Websites Compromised to Boost Hacker SEO

Cybercriminals are now hacking websites to insert malicious links that help boost their own search engine rankings. This technique, known as blackhat SEO, is becoming increasingly common.

The main goal of this campaign is to spread online casino spam, which is currently the most common type of spam found on hacked websites.

Attackers take advantage of weaknesses in WordPress websites to upload spam content that promotes online casinos, especially in countries where gambling is restricted.

To stay hidden, they use several techniques:

  • They create duplicate folders that look identical to real website pages.
  • They replace the original page with one filled with spam links.
  • Users and search engines are redirected to these fake pages without knowing.

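This method works because it abuses how web servers like Apache and Nginx handle page requests: with the standard WordPress rewrite rules, the server checks for a matching file or folder on disk first and only passes the request to WordPress when none exists, so a planted folder is served in place of the real page.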

Researchers at Sucuri also found a more advanced version of this malware. Instead of putting malicious files only in themes or plugins, the attackers hide the code in multiple places, including inside the WordPress database under misleading names, which makes it much harder to detect and remove.

Hidden Malware

The malware works in layers: it alters the database and loads content dynamically to stay hidden. Researchers found the malicious script added to the bottom of the theme’s functions.php file.

The malware pulls a base64-encoded payload from the WordPress option named wp_footers_logic and runs it with PHP’s eval() function. If eval() is disabled, it saves the decoded payload to wp-content/cache/style.dat instead. The payload watches incoming requests for certain URL paths and serves cached spam when those paths are matched.

When activated, the payload loads spam content from attacker-controlled sites (for example, browsec[.]xyz). To survive cleanup, the attackers also insert reinfection code into other plugin files. That reinfection code looks for specific markers; if it doesn’t find them, it will re-insert the malicious payload into the theme’s functions.php file and the main file of the first active plugin — ensuring the SEO spam keeps returning.

Mitigation

To protect your website from SEO spam injections:

  • Keep WordPress, themes, and plugins updated — outdated components are the main entry point.
  • Remove unused plugins and themes — fewer components means fewer vulnerabilities.
  • Enable file integrity monitoring — detect unauthorized changes to core files like functions.php.
  • Restrict write permissions on /wp-content/, /wp-includes/, and plugins/themes.
  • Use a Web Application Firewall (WAF) to block malicious requests and known exploit patterns.
  • Scan for unexpected database entries (especially unusual wp_options keys).
  • Change all admin credentials, and enforce MFA for logins.

If you suspect a compromise:

  • Restore clean versions of core files.
  • Audit functions.php, plugin files, and the database for hidden code or base64 content.
  • Clear all cache directories — many SEO spam payloads hide there.
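The audit steps above can be scripted against the indicators described under "Hidden Malware". The following is an added example, not code from Sucuri or the original article: the function names, the token and base64 heuristics, and the sample tree are assumptions, and the sample files are constructed and carry no payload.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the article. The token and base64 checks are added heuristics.
OPTION_NAME = "wp_footers_logic"
DROP_FILE = "wp-content/cache/style.dat"
TOKENS = ("eval(", "base64_decode(")
B64_VALUE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def scan_files(root):
    """Return sorted (relative_path, reason) findings for a WordPress document root."""
    root, found = Path(root), []
    if (root / DROP_FILE).is_file():
        found.append((DROP_FILE, "fallback payload file exists"))
    for path in root.rglob("*.php"):
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if OPTION_NAME in text:
            found.append((rel, "references " + OPTION_NAME))
        if all(t in text.replace(" ", "") for t in TOKENS):
            found.append((rel, "eval() together with base64_decode()"))
    return sorted(found)

def scan_options(rows):
    """rows: (option_name, option_value) pairs exported from wp_options."""
    found = []
    for name, value in rows:
        if name == OPTION_NAME:
            found.append((name, "option name reported for this campaign"))
        elif B64_VALUE.fullmatch(value.strip()):
            found.append((name, "long base64-only value, review manually"))
    return found

def make_sample(root):
    """Write a constructed, harmless tree that carries the indicators."""
    theme = Path(root, "wp-content/themes/demo")
    theme.mkdir(parents=True)
    Path(root, "wp-content/cache").mkdir()
    Path(root, DROP_FILE).write_text("constructed placeholder")
    (theme / "index.php").write_text("<?php get_header(); ?>")
    (theme / "functions.php").write_text(
        "<?php $c = get_option('wp_footers_logic');\n"
        "if ($c) { eval(base64_decode($c)); }\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for finding in scan_files(tmp):
            print(finding)
```

A hit from the base64 heuristic is a prompt for manual review, since some legitimate plugins also store encoded values in wp_options.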

About the Author:

FirstHackersNews- Identifies Security
