Some WordPress sites are seeing visitors land normally and then—after a short pause—being whisked away to unrelated, sometimes unsafe pages. Our review of recent incidents points to a fake plugin dubbed “WordPress Player” that quietly injects code and takes control of the visitor’s browser. Here’s what’s going on, why it matters for your business, and what to do next.
What’s going on?
Attackers upload a plugin file named wordpress-player.php straight into wp-content/plugins/. It even claims the author is “WordPress Core” to look legitimate at a glance. Once active, it hooks into wp_footer so its code loads on every page view—but skips logged-in users, making the problem hard for admins to spot.
How the malware works
Hidden video to set the trap
The plugin adds an invisible HTML5 video element that auto-plays and stays off-screen. The source points to a suspicious domain (videocdnnetworkalls[.]monster). While the clip itself isn’t the goal, the silent playback helps the attacker’s script establish control behind the scenes.
Live commands via WebSocket
Next, the script opens a persistent connection to an attacker-controlled server (wss://steamycomfort[.]fun/ws/player). Think of it like a live “remote control” channel. Each visitor gets a temporary ID, and the attacker can push instructions in real time—most notably, redirecting visitors to other URLs on command.
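As an added example (not code from Sucuri’s analysis or from matm), here is a heuristic check a defender can run against a page fetched as a logged-out visitor, since the injection skips logged-in users. It flags the two artefacts described above: a hidden, auto-playing video sourced from a third-party host, and a WebSocket URL pointing at a host outside the site. It keys on behaviour rather than on the two published domains, so it generalises to the next campaign that swaps hosts. The sample page and every host name in it are constructed placeholders.

```python
"""Heuristic scan of a rendered page for the two artefacts described above:
a hidden, auto-playing <video> whose source sits on a third-party host, and a
WebSocket URL that points somewhere other than the site itself.
Added example, not code from Sucuri or matm. The sample page and every host
name in it are constructed placeholders."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that are common ways of keeping an element off-screen.
HIDING_STYLES = ("display:none", "visibility:hidden", "opacity:0",
                 "left:-", "top:-", "width:0", "height:0")

WS_URL_RE = re.compile(r"wss?://[^\s'\"<>]+")


class VideoCollector(HTMLParser):
    """Collect <video> elements with their attributes and source URLs
    (the URL may sit on the element's src or on a child <source>)."""

    def __init__(self):
        super().__init__()
        self.videos = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "video":
            self._current = {"attrs": attrs, "sources": []}
            if attrs.get("src"):
                self._current["sources"].append(attrs["src"])
            self.videos.append(self._current)
        elif tag == "source" and self._current is not None and attrs.get("src"):
            self._current["sources"].append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "video":
            self._current = None


def is_hidden(attrs):
    """True if the element carries the hidden attribute or an off-screen inline style."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "hidden" in attrs or any(frag in style for frag in HIDING_STYLES)


def is_offsite(url, site_host):
    """True if the URL has a host that is neither the site nor one of its subdomains."""
    host = urlparse(url).hostname
    return bool(host) and host != site_host and not host.endswith("." + site_host)


def scan_page(html, site_host):
    """Return (indicator, url) findings for one rendered page."""
    findings = []
    collector = VideoCollector()
    collector.feed(html)
    for video in collector.videos:
        attrs = video["attrs"]
        if "autoplay" in attrs and is_hidden(attrs):
            for src in video["sources"]:
                if is_offsite(src, site_host):
                    findings.append(("hidden_autoplay_offsite_video", src))
    # WebSocket endpoints live inside inline script as string literals,
    # so they are pulled from the raw HTML rather than from the parsed elements.
    for ws_url in WS_URL_RE.findall(html):
        if is_offsite(ws_url, site_host):
            findings.append(("offsite_websocket", ws_url))
    return findings


# Constructed sample: one legitimate video plus the two injected artefacts.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<video src="https://cdn.example-shop.test/intro.mp4" controls></video>
<video autoplay muted playsinline style="position:absolute; left:-9999px; width:1px; height:1px">
  <source src="https://video-cdn.example-bad.test/p.mp4" type="video/mp4">
</video>
<script>var c = new WebSocket("wss://c2.example-bad.test/ws/player");</script>
</body></html>"""


if __name__ == "__main__":
    for indicator, url in scan_page(SAMPLE_PAGE, "example-shop.test"):
        print(f"{indicator}: {url}")
```

Run it against HTML fetched without any WordPress login cookies (for example with curl), and repeat with a mobile user agent, because the symptoms reported above appear only for logged-out visitors and sometimes only on mobile. A legitimate embedded player on your own CDN produces no finding; anything it does report deserves a look at the plugin directory.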
Why this matters to your business
- Lost trust and conversions: Customers who are redirected won’t stick around to buy or enquire. Many won’t come back.
- SEO damage: Search engines may flag or demote sites that exhibit spammy behaviours like forced redirects.
- Compliance & brand risk: Sending users to phishing, malvertising or adult content harms reputation and may trigger complaints.
- Revenue impact: Even a short-lived infection can depress sales and lead to paid media wastage.
Warning signs to look for
- Visitors (not admins) report being redirected after 4–5 seconds.
- Unknown plugin file in wp-content/plugins/ with a core-sounding name (e.g., wordpress-player.php).
- Strange domains referenced in page source or network logs, including videocdnnetworkalls[.]monster or steamycomfort[.]fun.
- Clean front-end when logged in, problems only for logged-out users or on mobile.
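The file-level warning signs above can be checked mechanically. The following script is an added example (not Sucuri’s or matm’s tooling) that audits a plugins directory for a .php file sitting directly in wp-content/plugins/ rather than in its own folder, a plugin header claiming “Author: WordPress Core”, and any reference to the two published domains. The directory it builds in a temporary folder is constructed so the script runs offline; the stock index.php and hello.php that WordPress itself places in the plugins root are allow-listed to avoid false positives.

```python
"""Audit a WordPress plugins directory for the warning signs listed above.
Added example, not Sucuri's or matm's tooling. The sample directory tree is
constructed in a temp dir so the script runs offline."""

import re
import tempfile
from pathlib import Path

# Indicators from the write-up, kept defanged in source and refanged only at match time.
IOC_DOMAINS = ("videocdnnetworkalls[.]monster", "steamycomfort[.]fun")

# WordPress ships these two files directly in wp-content/plugins/; they are expected there.
EXPECTED_ROOT_FILES = {"index.php", "hello.php"}

# Matches the "Author:" line of a plugin header, with or without a leading "*".
AUTHOR_RE = re.compile(r"^\s*\*?\s*Author:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def refang(ioc):
    """Turn a defanged indicator such as example[.]test into a matchable string."""
    return ioc.replace("[.]", ".")


def audit_plugins(plugins_dir):
    """Return a list of (relative_path, reason) findings for every .php file under plugins_dir."""
    plugins_dir = Path(plugins_dir)
    findings = []
    for path in sorted(plugins_dir.rglob("*.php")):
        rel = path.relative_to(plugins_dir).as_posix()
        text = path.read_text(errors="replace")
        if path.parent == plugins_dir and path.name not in EXPECTED_ROOT_FILES:
            findings.append((rel, "php file directly in plugins root"))
        match = AUTHOR_RE.search(text)
        if match and "wordpress core" in match.group(1).lower():
            findings.append((rel, "plugin header claims author 'WordPress Core'"))
        for ioc in IOC_DOMAINS:
            if refang(ioc) in text:
                findings.append((rel, f"references known indicator {ioc}"))
    return findings


def build_sample_tree(root):
    """Construct a small plugins directory: the stock index.php, one ordinary plugin
    in its own folder, and a loose file shaped like the one described in the write-up
    (header and indicator strings only; it contains no executable payload)."""
    root = Path(root)
    (root / "index.php").write_text("<?php\n// Silence is golden.\n")
    good = root / "contact-form"
    good.mkdir()
    (good / "contact-form.php").write_text(
        "<?php\n/*\nPlugin Name: Contact Form\nAuthor: Example Vendor\n*/\n")
    (root / "wordpress-player.php").write_text(
        "<?php\n/*\nPlugin Name: WordPress Player\nAuthor: WordPress Core\n*/\n"
        f"$endpoint = 'wss://{refang('steamycomfort[.]fun')}/ws/player';\n")
    return root


def run_demo():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_plugins(build_sample_tree(tmp))


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Point audit_plugins at the real wp-content/plugins/ of a site to use it for triage. A loose .php file in the root is the strongest of the three signals, because legitimate plugins are distributed as folders; the author-name check catches the specific disguise used here, and the domain list is the narrowest check and the first to go stale.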
Prevention and resolution
Act promptly. Redirect malware spreads and can return if footholds remain.
- Take a backup first: Snapshot files and database so you can roll back safely.
- Scan thoroughly: Use reputable security monitoring to find malicious files, database injections and backdoors—not just the visible redirect. Include wp-content, wp-includes and the database.
- Remove the malware: Delete wp-content/plugins/wordpress-player.php and any other injected files or cron jobs. If you’re unsure, use professional malware removal.
- Reset access: Change all WordPress, hosting and database passwords; review SSH/FTP accounts and tokens. Enable 2FA for all admins.
- Update everything: Bring WordPress core, plugins and themes to current versions. Remove unused or abandoned extensions.
- Harden logins: Add 2FA, strong passwords, and (optionally) IP allow-listing on /wp-login.php.
- Deploy a Web Application Firewall (WAF): A WAF filters malicious requests, blocks known attack patterns, and helps prevent reinfection. Consider a managed WAF as part of ongoing WordPress security.
- Monitor continuously: Keep security monitoring in place for file changes, blacklist status and suspicious outbound connections.
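The last step, monitoring for file changes, is the one that catches a reinfection before visitors do. As an added example (not matm’s monitoring service), here is a minimal file-integrity check: record a SHA-256 baseline of every file under the site root once the clean-up is done, then compare later runs against it and report files that were added, modified or removed. The site tree it builds in a temporary folder is constructed; the baseline file deliberately lives outside the monitored tree so it is not reported as a change itself.

```python
"""Minimal file-change monitor for a WordPress install: take a SHA-256 baseline of
every file under a tree, then report additions, modifications and removals.
Added example, not matm's monitoring product. The sample site tree is constructed."""

import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        digests[path.relative_to(root).as_posix()] = digest.hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Write the current tree's digests as JSON. Keep baseline_file outside root."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=1, sort_keys=True))


def compare_to_baseline(root, baseline_file):
    """Return sorted lists of added, removed and modified paths relative to the baseline."""
    old = json.loads(Path(baseline_file).read_text())
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def run_demo():
    """Build a constructed site tree, baseline it, then simulate the changes the
    write-up describes: a loose plugin file appears and an existing file is edited."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        plugins = site / "wp-content" / "plugins"
        (plugins / "example-plugin").mkdir(parents=True)
        (plugins / "index.php").write_text("<?php\n// Silence is golden.\n")
        (plugins / "example-plugin" / "example-plugin.php").write_text("<?php // v1\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        baseline = Path(tmp) / "baseline.json"  # outside the monitored tree
        save_baseline(site, baseline)
        (plugins / "wordpress-player.php").write_text("<?php // placeholder\n")
        (plugins / "example-plugin" / "example-plugin.php").write_text("<?php // v2\n")
        return compare_to_baseline(site, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

Schedule the comparison from cron after each legitimate update has been re-baselined, and treat any new .php file under wp-content or wp-includes as an incident rather than noise: routine plugin updates change files inside existing plugin folders, whereas the infection above shows up as a brand-new file in the plugins root.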
Good practice going forward
- Source plugins responsibly: Avoid pirated or “nulled” software. Only install from trusted vendors and the official directory.
- Least privilege: Limit admin accounts; give users only the access they need.
- Regular maintenance: Plan monthly website maintenance with managed updates, vulnerability checks and backups.
How matm can help
- Managed WordPress, plugin & theme updates
- Security monitoring and WAF setup
- Regular backups & fast site recovery
- Malware removal and emergency response
If you’re seeing redirects—or want to improve your malware protection—we can help. Email [email protected] or call 01952 883 526.
Based on research by Sucuri. Read the original: Analysis of a Malicious WordPress Plugin: The Covert Redirector.