Attackers Inject Code into WordPress Theme to Redirect Visitors

July 13, 2025, 12:19 p.m.

Description

An analysis describes a recent attack on WordPress themes in which malicious code is injected into the footer.php file. The injected code uses a function called r2048 to retrieve a URL from a remote server and redirect visitors. This method is particularly insidious because the change is not visible from the WordPress dashboard. The attackers use either cURL or file_get_contents to fetch the redirection URL, which lets them control the destination dynamically based on factors like the user's browser or device. This technique underscores the importance of regular theme and plugin audits, and of securing FTP and SSH access to prevent unauthorized file modifications.
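For the theme audit recommended above, a small file scanner can flag the pattern described here. This is an added example, not code from the original analysis: the r2048 name and the domain come from this page, while the rule names, the "remote fetch plus redirect in one file" heuristic and both sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# r2048 and the domain are taken from this page; the other rules are assumed heuristics.
RULES = {
    "r2048_helper": re.compile(r"\br2048\s*\("),
    "ioc_domain": re.compile(r"youtubesave\.org", re.I),
    "remote_fetch": re.compile(r"\b(curl_init|curl_exec|file_get_contents)\s*\(", re.I),
    "redirect": re.compile(
        r"header\s*\(\s*['\"]\s*Location\s*:|window\.location|http-equiv=['\"]?refresh", re.I),
}

def scan_php(text):
    """Return the sorted names of the rules that flag one PHP source string."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    # A fetch or a redirect alone is normal in themes; only the pair is reported.
    pair = {"remote_fetch", "redirect"}
    if pair <= hits:
        hits.add("fetch_then_redirect")
    return sorted(hits - pair)

def scan_theme(theme_dir):
    """Map each flagged .php file (path relative to theme_dir) to its findings."""
    findings = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            findings[str(path.relative_to(theme_dir))] = hits
    return findings

# Constructed samples (not the real payload): a tampered footer and a clean header.
INFECTED = """<?php wp_footer(); ?>
<?php function r2048($u) { $c = curl_init($u); /* ... */ return curl_exec($c); }
$to = r2048('http://youtubesave.org/rl/g.php');
header('Location: ' . $to); ?>"""
CLEAN = "<?php $css = file_get_contents(__DIR__ . '/style.css'); wp_head(); ?>"

def demo():
    """Write both samples into a temporary theme directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "footer.php").write_text(INFECTED)
        (Path(d) / "header.php").write_text(CLEAN)
        return scan_theme(d)

if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Because the dashboard does not show the change, run a scan like this against the files on disk, and treat any hit as a prompt to diff the file against a known-good copy of the theme.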

Date

  • Created: July 11, 2025, 6:42 a.m.
  • Published: July 11, 2025, 6:42 a.m.
  • Modified: July 13, 2025, 12:19 p.m.

Indicators

  • http://youtubesave.org/rl/g.php
  • youtubesave.org

Attack Patterns