The discovery was made by Denis Sinegubko, the founder of the helpful Unmask Parasites website, who points out the irony of webmasters trying to keep their sites safe by using automatic updating, and then having them compromised through the same means.
The individuals behind the attack have discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code in the wp-settings.PHP file, and effects the redirects.
The update.php file contains the "wp_update_core" function, which is used by the WordPress Automatic Update feature, says Sinegubko.
"Behind the scenes, the 'wp_update_core' function checks for available updates, downloads new files, replaces old files and does all the rest stuff required to successfully complete WordPress upgrades," he explains.
"Your blog is supposed to be fully updated just before this function returns. At that moment all infected core WordPress files (such as wp-settings.php) should be replaced with new clean copies. And this is exactly the moment when the malicious code in the “wp_update_core” function begins to work. It reinfects the just-updated and new wp-settings.php file.
Consequently, only users who have the automatic update feature enabled can have their blogs compromised by this means. Those who update their WP installation manually or via Subversion (SBV) are safe.
"WordPress developers should consider adding some integrity control into their system (e.g. checksum control for core WP files) and warn webmasters (blog administrators) if core files change," Sinegubko concludes.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.