A Bunch of WordPress Sites Have Been Injected with Malicious JavaScript

More than 6,000 sites were hacked in April alone, redirecting unsuspecting users to unwanted ads and scam sites.
Conor Cawley

If you have a WordPress website, you might want to check on your security, as a new report found that thousands of pages from the popular website builder have been hacked to redirect visitors to scam sites.

There are plenty of scams online without your own website turning against you. Email phishing scams, malicious links, and ransomware attacks are constantly circulating online, and avoiding them has turned the web into a veritable cybersecurity minefield.

Now, WordPress — a website builder plagued with security issues — appears to be experiencing a pretty serious hack, with a number of its websites sending users to scam sites riddled with suspicious ads.

Analysts Discover Malicious JavaScript in WordPress Sites

According to analysts from Sucuri, a website security platform, over 6,000 WordPress websites were infected with malicious JavaScript in April alone. The goal of the hacking campaign was to redirect users to unwanted ads and scam sites, ideally getting users to click on and even make purchases from the pages in question. As for how the attackers were able to gain access to WordPress pages:

“This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year,” said Krasimir Konov, a malware analyst at Sucuri, in the report.

Unfortunately, this does not come as a surprise to anyone familiar with WordPress. While the website builder is quite popular, boasting 455 million websites on the web, it's riddled with security gaps, largely due to the massive catalog of plug-ins and themes available.

In fact, one study found that WordPress has seen a 150% increase in vulnerabilities over the last year, allowing this kind of hack to occur quite easily compared to other options on the market. Even worse, the study found that 29% of WordPress security vulnerabilities are never patched at all.

Is WordPress a good website builder?

With this kind of hack, it's fair to wonder whether WordPress is worth the security concerns at all. After all, the last thing you want for your site visitors is an unwelcome trip down malicious link lane, right?

Well, the value of WordPress as a website builder is pretty specific to your needs. It offers an easy-to-use platform with lots of plug-ins and themes (which, as we mentioned, is part of the problem in regard to security), and it provides a wide range of useful and helpful blogging features, making it a go-to option for lots of content creators.

However, if you're a business looking to showcase your work, sell products online, or generally engage with your customers in a way that isn't blogging, there are lots of better options out there. Our research found that Wix is your best bet when it comes to website builders, with Squarespace and Shopify representing solid second choices depending on your company.

Additionally, if you want to keep using WordPress, locking down some online security tools might be a good idea. Antivirus software should help you keep the malicious actors at bay, as it will alert you to instances of scams and hacks as soon as possible.


Conor is the Senior Writer for Tech.co. For the last six years, he’s covered everything from tech news and product reviews to digital marketing trends and business tech innovations. He's written guest posts for the likes of Forbes, Chase, WeWork, and many others, covering tech trends, business resources, and everything in between. He's also participated in events for SXSW, Tech in Motion, and General Assembly, to name a few. He also cannot pronounce the word "colloquially" correctly. You can email Conor at conor@tech.co.
