Malicious Script Injection on WordPress Sites
=============================================

[Puja Srivastava](https://blog.sucuri.net/author/puja-srivastava), December 5, 2024

Recently, our team discovered JavaScript-based malware affecting WordPress sites, primarily targeting those using the Hello Elementor theme. This type of malware is commonly embedded within legitimate-looking website files to load scripts from an external source. The malware injects a malicious external script into the theme's **header.php** file, leading to harmful consequences for site owners and visitors.

![injected header script](https://blog.sucuri.net/wp-content/uploads/2024/12/header-injected-script.png)

Domains Involved:

* **spadeanalytica[.]com**
* **uph-analytics[.]com**
* **awebstats[.]com**

As of writing this article, 200+ websites are infected with this malware according to publicwww.com.

* * *

### Infection Details

The malware is injected into the **header.php** file with the following code snippet.

[SiteCheck](https://sitecheck.sucuri.net/) detects these suspicious JavaScript resources as coming from a blacklisted domain.

![SiteCheck report](https://blog.sucuri.net/wp-content/uploads/2024/12/sitecheck-report.png)

### Why Does This Happen?

In most cases, malware like this gains entry through outdated themes, plugins, or weak security practices. In this instance, the code is embedded within the theme's **header.php** file. Attackers target core theme files because they load on every page, which makes them an effective vector for propagating malicious behavior.

### Why Is This Dangerous?

The injected script from an untrusted domain enables the attacker to control aspects of the website's functionality, leading to issues such as:

* Stealing user information, including session data and cookies.
* Redirecting users to ad networks or spam sites, damaging site credibility.
* Harming the site's SEO ranking. Sites flagged with malicious scripts can face penalties from search engines, reducing visibility and affecting traffic.

### Remediation Steps

* Manually remove any unauthorized script tags referencing suspicious domains from **header.php**.
* Ensure your WordPress themes, plugins, and core files are up to date to prevent vulnerability exploits.
* Regularly scan your website with [SiteCheck](https://sitecheck.sucuri.net/) or another security tool to catch any malware early.
* Disable file editing in your WordPress configuration (**wp-config.php**) by adding `define('DISALLOW_FILE_EDIT', true);` to reduce the risk of unauthorized changes.
* Consider additional security measures like two-factor authentication, secure passwords, and strict user roles to [harden your WordPress security](https://blog.sucuri.net/2023/07/how-to-harden-wordpress-a-basic-overview.html) further.
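
The first and fourth remediation steps can be checked with a short script. The following is an added example, not code from Sucuri or from the original article: it lists every script tag in a theme file that loads from a host other than the site's own, marks the three domains named above, and tests whether **wp-config.php** contains an active `DISALLOW_FILE_EDIT` define. The function names, the `example.test` hosts and the sample file content are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Domains named in the article, kept defanged and refanged only for matching.
BLOCKLIST = {d.replace("[.]", ".") for d in (
    "spadeanalytica[.]com", "uph-analytics[.]com", "awebstats[.]com")}

SCRIPT_SRC = re.compile(
    r"""<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
FILE_EDIT = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I)

def host_of(src):
    """Lowercase host of a script URL; None for relative or PHP-built paths."""
    host = urlparse("https:" + src if src.startswith("//") else src).hostname
    return host.rstrip(".") if host else None

def listed(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def scan_theme_file(text, site_hosts):
    """Return (line, host, verdict) for every script loaded from another host."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        host = host_of(next(g for g in m.groups() if g is not None).strip())
        if host is None or listed(host, site_hosts):
            continue
        line = text.count("\n", 0, m.start()) + 1
        verdict = "blocklisted" if listed(host, BLOCKLIST) else "review"
        findings.append((line, host, verdict))
    return findings

def file_edit_disabled(wp_config_text):
    """True if an uncommented define('DISALLOW_FILE_EDIT', true) is present."""
    for line in wp_config_text.splitlines():
        code = line.strip()
        if not code.startswith(("//", "#", "*", "/*")) and FILE_EDIT.search(code):
            return True
    return False

# Constructed sample lines, not the snippet from the real infection.
SAMPLE_HEADER = """<script src="<?php echo esc_url( get_template_directory_uri() ); ?>/app.js"></script>
<script async src='https://BLOCKED_HOST/placeholder.js'></script>
<script src=//static.example-cdn.test/lib.js></script>
<script src="https://www.example.test/wp-includes/js/jquery/jquery.min.js"></script>
""".replace("BLOCKED_HOST", "awebstats[.]com".replace("[.]", "."))

if __name__ == "__main__":
    print(scan_theme_file(SAMPLE_HEADER, {"example.test"}))
```

A `review` verdict only means the host is neither the site's own nor on the list, so a known CDN will show up there until it is added to `site_hosts`.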