The SiteLock team has revealed a WordPress plugin, WP-Base-SEO, that executes independent actions every time a page is loaded. The plugin, a forgery of a well-known search engine optimization plugin, is not listed in the WordPress.org plugin directory and cannot be found there. Such a fake plugin is installed by a hacker after gaining admin access, or by means of another plugin or another application.
The plugin is installed in the folder /wp-content/plugins/wp-base-seo/ and contains two malicious files, wp-seo.php and wp-seo-main.php, which act in the form of a base64-encoded PHP eval request.
To secure your site against such malicious actions, you must install only plugins that are listed in the WordPress directory or that you trust. It is also recommended to install a WordPress security plugin, such as Wordfence Security or Sucuri Security. From time to time, check the plugin directory of your WordPress site and, if you find one or more plugins that you do not know, delete them.
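The periodic check of the plugin directory described above can be scripted. The following Python sketch is an added example, not code from SiteLock or from the original article; it flags plugin folders you did not install, the folder name given above, and PHP files that contain an eval(base64_decode( call. The `expected` set, the `contact-form` plugin and the sample files are constructed for illustration, and the regular expression is an assumption about how the encoded eval is written.

```python
import re
import tempfile
from pathlib import Path

# Folder and file names reported in this article for the fake plugin.
KNOWN_BAD_DIR = "wp-base-seo"
KNOWN_BAD_FILES = ("wp-seo.php", "wp-seo-main.php")

# Assumed form of the encoded eval: eval( [@] base64_decode( with any spacing or case.
EVAL_B64 = re.compile(rb"eval\s*\(\s*@?\s*base64_decode\s*\(", re.IGNORECASE)


def audit_plugins(plugins_dir, expected):
    """Return sorted (plugin_folder, reason) findings for a wp-content/plugins directory."""
    findings = set()
    for entry in Path(plugins_dir).iterdir():
        if not entry.is_dir():
            continue
        name = entry.name
        if name.lower() == KNOWN_BAD_DIR:
            findings.add((name, "folder name reported for the fake plugin"))
        if name not in expected:
            findings.add((name, "not in the list of plugins you installed"))
        for php in entry.rglob("*.php"):
            if EVAL_B64.search(php.read_bytes()):
                rel = php.relative_to(entry).as_posix()
                findings.add((name, f"eval(base64_decode(...)) in {rel}"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one ordinary plugin and a harmless stand-in for the fake one."""
    good = Path(root) / "contact-form"   # hypothetical legitimate plugin
    bad = Path(root) / KNOWN_BAD_DIR
    good.mkdir()
    bad.mkdir()
    (good / "contact-form.php").write_text("<?php echo 'hello';\n")
    # 'ZWNobyAxOw==' is base64 for "echo 1;" (harmless placeholder payload).
    for fname in KNOWN_BAD_FILES:
        (bad / fname).write_text("<?php @eval( base64_decode('ZWNobyAxOw==') );\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for plugin, reason in audit_plugins(tmp, expected={"contact-form"}):
            print(f"{plugin}: {reason}")
```

Point `audit_plugins` at your site's wp-content/plugins path with the set of plugin folders you installed yourself, and review each finding by hand before deleting anything.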