For a long time, fake plugins have been used to hack websites. They are mostly injected into the page head so that their scripts load directly on the site. The injected code is responsible for redirecting visitors to scam and ad websites. It uses a tiny URL shortener, which then redirects to fake websites and can install adware. The fake plugin is called “index” or “wp_update”, and it contains a malicious popuplink.js file. Infected pages typically have these two scripts in their head section.
The plugins use the config.php file, where they store settings used by the plugin: the redirect URL, timeouts, settings that govern visibility of the plugin, and how the malicious script opens URLs.
It’s interesting to see how they have used a long list of user capabilities to detect the role of the current user and hide the presence of the plugin/malware if that user is a site administrator. It’s definitely not the most obvious or efficient way to do it. Most likely it’s done to make it less clear what the code does.
Most of the time, torrent and download websites are infected with this. People tend to click on such websites multiple times a day, which does both jobs: exploiting the computer and redirecting to adware.
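
A defender-side check built from the indicators named above (an added example, not code from the original article): it flags plugin folders named “index” or “wp_update” or containing popuplink.js, and lists head scripts that load that file. That the fake plugin sits as a folder inside a plugins directory is an assumption, and the function names and sample HTML are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Indicators taken from the article; matching them as folder/file names is an assumption.
FAKE_PLUGIN_NAMES = {"index", "wp_update"}
MALICIOUS_SCRIPT = "popuplink.js"
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
HEAD = re.compile(r"<head\b[^>]*>(.*?)</head>", re.I | re.S)

def scan_plugins(plugins_dir):
    """Return {folder_name: [reasons]} for suspicious folders in plugins_dir."""
    findings = {}
    for entry in sorted(Path(plugins_dir).iterdir()):
        if not entry.is_dir():  # skips the stock index.php placeholder file
            continue
        reasons = []
        if entry.name.lower() in FAKE_PLUGIN_NAMES:
            reasons.append("folder name matches a known fake plugin")
        files = {p.name.lower() for p in entry.rglob("*") if p.is_file()}
        if MALICIOUS_SCRIPT in files:
            reasons.append("contains popuplink.js")
            if "config.php" in files:
                reasons.append("config.php shipped alongside popuplink.js")
        if reasons:
            findings[entry.name] = reasons
    return findings

def head_script_hits(html):
    """Return script src values inside <head> that reference popuplink.js."""
    m = HEAD.search(html)
    head = m.group(1) if m else html  # fall back to the whole fragment
    return [s for s in SCRIPT_SRC.findall(head) if MALICIOUS_SCRIPT in s.lower()]

if __name__ == "__main__":
    # Constructed sample page; the path is illustrative only.
    sample = ('<html><head><script src="/wp-content/plugins/wp_update/'
              'popuplink.js"></script></head><body></body></html>')
    print(head_script_hits(sample))
    if len(sys.argv) > 1:  # optional: path to a plugins directory to scan
        print(scan_plugins(sys.argv[1]))
```

Because the plugin hides itself from site administrators, feed `head_script_hits` HTML fetched without a logged-in session.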