A WordPress website owner reported that visitors arriving from search results were being redirected to random, potentially harmful websites. Even with the Wordfence scanner, the client could not detect any suspicious activity while logged into the website. The redirection occurred only for guest users; logged-in users remained unaffected. This indicated that the website had been compromised and that the malicious actors were deliberately targeting guest users.

The Investigation

The website owner initially attempted to uncover the source of the redirects using the Wordfence scanner, a popular WordPress security plugin. However, the scanner failed to detect any suspicious code. This was because the malware was cleverly hidden and only activated when a guest user visited the site.

Determined to find the culprit, the website owner turned to the SecureWP remote scanner. The SecureWP scanner, employing various techniques, including mimicking a guest user arriving from a search engine or a Googlebot, successfully pinpointed the malicious script embedded before the body content.
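
One way to run the same kind of check yourself, as an added example (not SecureWP's code and not part of the original write-up): request the page under a direct profile and under a search-referred guest or Googlebot profile, then report scripts placed before the body that only the guest response contains. The header values, the sample HTML and the cdn.example.invalid host are constructed assumptions.

```python
import hashlib
import urllib.request
from html.parser import HTMLParser

# Request profiles (assumed header values); none of them sends cookies.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "search_guest": {"User-Agent": "Mozilla/5.0", "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}
# Constructed sample responses; cdn.example.invalid is a placeholder host.
BASELINE = "<html><head><script src='/wp-includes/js/jquery.js'></script></head><body>Hi</body></html>"
GUEST = BASELINE.replace("</head>", "</head><script src='https://cdn.example.invalid/r.js'></script>")

class ScriptCollector(HTMLParser):  # records each <script> seen before <body>
    def __init__(self):
        super().__init__()
        self.scripts, self.buf, self.before_body = set(), None, True
    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.before_body = False
        elif tag == "script" and self.before_body:
            src = dict(attrs).get("src")
            if src:
                self.scripts.add("src:" + src)
            else:
                self.buf = []  # inline script: buffer its text until </script>
    def handle_data(self, data):
        if self.buf is not None:
            self.buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self.buf is not None:
            code = "".join(self.buf).strip()
            if code:  # identify inline code by a short hash of its content
                self.scripts.add("inline:" + hashlib.sha256(code.encode()).hexdigest()[:12])
            self.buf = None

def scripts_before_body(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts

def guest_only_scripts(baseline_html, guest_html):  # served to guest, absent from baseline
    return sorted(scripts_before_body(guest_html) - scripts_before_body(baseline_html))

def fetch(url, profile):  # needs network; the constructed samples above do not use it
    req = urllib.request.Request(url, headers=PROFILES[profile])
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")
```

Against a site you administer, compare fetch(url, "direct") with fetch(url, "search_guest") and fetch(url, "googlebot"); any entry returned by guest_only_scripts is content the server hands only to guests and deserves a manual look.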


The Vulnerability

Upon further investigation, it was discovered that the malware was exploiting a known vulnerability in the WPBakery Page Builder plugin, a widely used WordPress plugin for creating custom page layouts. This vulnerability, CVE-2020-28650, allowed malicious actors to inject malicious code into the website.


The immediate action involved updating the WPBakery Page Builder plugin to the latest secure version, eliminating the exploited vulnerability.


  • Regularly update your WordPress plugins and themes to ensure they are patched against the latest vulnerabilities.
  • Conduct regular website security audits to identify and address potential vulnerabilities before they can be exploited.