Security researchers have identified a surge in backdoor infections on hundreds of websites hosted on GoDaddy’s Managed WordPress service, which were all compromised by the same payload.
The incident affected Managed WordPress sites from tsoHost, MediaTemple, Domain Factory, Heart Internet, 123Reg, and Host Europe. The infected sites shared a nearly identical backdoor embedded in the wp-config.php file.
Among the 298 websites found with the backdoor, at least 281 were hosted by GoDaddy. The discovery was made by Wordfence researchers, who first noticed the overall increase in infected websites on March 11.
Reportedly, the attackers used an SEO-poisoning tool dating back to 2015, which targets Google search results, and embedded it in the wp-config.php file.
“The backdoor in question has been in use since at least 2015,” said a Wordfence blog post on Tuesday. “It generates spammy Google search results and includes resources customized to the infected site.”
While Wordfence has yet to determine the cause of the intrusion, it pointed to the massive GoDaddy data breach from 2021, which exposed the accounts of 1.2 million customers, as a potential candidate.
The security researchers urged owners of websites hosted on GoDaddy’s Managed WordPress platform (including the brands mentioned above) to manually check their sites’ wp-config.php file, or to use a specialized automated malware-detection tool, to verify the file’s integrity.
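One way to perform that manual check, as an added example that is not Wordfence's tool or code from the original article: it assumes a stock wp-config.php whose final statement is the require_once of wp-settings.php, flags any PHP code that follows that line, and treats eval/decoding primitives as suspicious (a heuristic, not a signature for this specific backdoor).

```python
"""Heuristic integrity check for a WordPress wp-config.php (defender's example,
not Wordfence's or GoDaddy's code). Assumption: a stock wp-config.php ends with
`require_once ABSPATH . 'wp-settings.php';`, so code after it is unexpected."""
import re

# Dynamic-execution / decoding primitives that have no business in wp-config.php.
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|assert|create_function)\s*\(",
    re.IGNORECASE,
)
# The line that normally closes a stock wp-config.php.
SETTINGS_REQUIRE = re.compile(
    r"require_once\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]"
)


def scan_wp_config(text: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    lines = text.splitlines()
    for lineno, line in enumerate(lines, 1):
        m = SUSPICIOUS_CALLS.search(line)
        if m:
            findings.append(f"line {lineno}: suspicious call {m.group(1)}()")
    idx = next((i for i, l in enumerate(lines) if SETTINGS_REQUIRE.search(l)), None)
    if idx is None:
        findings.append("wp-settings.php require not found (truncated or rewritten file?)")
    else:
        # Count non-blank, non-comment lines after the closing require.
        trailing = [l for l in lines[idx + 1:]
                    if l.strip() and not l.strip().startswith(("//", "#", "/*", "*"))]
        if trailing:
            findings.append(f"{len(trailing)} code line(s) after wp-settings.php require")
    return findings


# Constructed samples (not real infected files): a minimal clean config and the
# same config with an injected eval(base64_decode(...)) appended at the end.
CLEAN = """<?php
define( 'DB_NAME', 'wp' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) { define( 'ABSPATH', __DIR__ . '/' ); }
require_once ABSPATH . 'wp-settings.php';
"""
TAMPERED = CLEAN + "eval(base64_decode('ZWNobyAnY29uc3RydWN0ZWQnOw=='));\n"

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, scan_wp_config(sample) or "OK")
```

Run it against a real file with `scan_wp_config(open("wp-config.php").read())`; hosting panels that add their own lines after the require will produce a finding that you should review rather than ignore.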
Along with the security advisory, Wordfence also provided a list of instructions on how to clean up your WordPress website, should you suspect or discover that it’s been hacked.