Cybercriminals have ramped up attacks on WordPress websites by stealthily modifying theme files to serve unauthorized third-party scripts.
This campaign leverages subtle PHP injections in the active theme’s functions.php to fetch external code, effectively turning compromised sites into silent distributors of malicious ads and malware.
The breach came to light when the site owner noticed unfamiliar JavaScript being executed on their pages.
Recently, a prominent client discovered that every visitor to their site was unknowingly loading malicious JavaScript from attacker-controlled domains—undermining user trust, exposing sensitive data, and putting site integrity at risk.
A quick inspection of the page source revealed a solitary script tag referencing porsasystem.com. This single line of code was the key to unraveling the entire attack. Subsequent searches on PublicWWW showed that the same script was present on at least 17 different WordPress sites, suggesting a widespread operation targeting vulnerable installations.
VirusTotal analysis of the malicious URL confirmed the worst: 17 security vendors had already blocklisted the domain for distributing harmful content.
Further probing into the JavaScript payload revealed it loaded ads and redirected traffic through cloaking techniques, making removal more challenging.
The absence of visible symptoms such as defaced pages or login failures allowed the attackers to remain undetected for extended periods.
Anatomy of the Malicious PHP Injection
A full file-system audit uncovered the true source of the compromise: a deceptive snippet appended to the bottom of the theme’s functions.php file.
On the surface, the injected code appeared harmless—a small function wrapping a call to wp_enqueue_script.
However, closer examination showed it dynamically constructed a remote URL and fetched JavaScript using wp_remote_get, then echoed it into the page footer. The infection chain operates as follows:
- The malicious function registers and enqueues a script handle, embedding the attack payload into the site’s front end.
- Every page load triggers a server-side HTTP request to the attacker’s server, retrieving updated JavaScript that can include new ad campaigns or malicious redirects.
- The function hides its presence through innocuous naming conventions and a lack of comments, ensuring it blends seamlessly with legitimate theme code.
Because many site administrators do not inspect theme files regularly, especially after updates or plugin changes, this approach grants attackers ongoing access to inject unwanted content without triggering alarms.
Mitigations
To defend against this growing threat, WordPress site owners should adopt the following practices:
Regular File Integrity Checks
Implement automated scanning of core and theme files to detect unauthorized modifications. Solutions like Wordfence or Sucuri can compare file hashes against known-good versions and alert administrators to any changes.
Least Privilege Principle
Ensure that only trusted users have write access to theme directories. Restrict permissions on the functions.php file to prevent unauthorized edits, and avoid operating with overly permissive FTP or SSH credentials.
Secure Update Workflow
Keep WordPress core, themes, and plugins up to date to minimize exposure to known vulnerabilities attackers exploit to gain initial access. Before applying updates, back up files and databases to enable swift rollbacks if issues arise.
Manual Code Reviews
Periodically review custom theme and plugin code, focusing on functions that enqueue or include external assets. Watch for unfamiliar function names or code blocks that reference remote domains.
Website Firewall and Monitoring
Deploy a Web Application Firewall (WAF) to block malicious HTTP requests and shield your site from known attack patterns. Coupled with real-time monitoring, a WAF can intercept suspicious traffic before it reaches vulnerable scripts.
The silent injection of malicious PHP code into WordPress theme files represents an evolving threat vector that preys on routine website maintenance gaps.
By embedding stealthy functions in functions.php, attackers can hijack visitor sessions, distribute unwanted advertising, and potentially deliver more harmful payloads—all without leaving obvious traces.
Vigilance through file integrity monitoring, strict permission controls, diligent update practices, and code audits is critical to safeguarding WordPress sites against this stealthy compromise. Vigilant security hygiene transforms WordPress installations from soft targets into resilient bastions against surreptitious attacks.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
