February 11, 2016

A spate of articles from web security companies report that numerous WordPress sites have been the victim of an attack that leads to code being injected into the JavaScript of WordPress installations. The code is injected into all of a site’s legitimate JavaScript files, and includes various backdoors as well as redirects that send users to sites serving malware.

Because backdoors are inserted into multiple JavaScript files, it’s likely that if any single site on a hosting account is compromised, the other sites on that account will be compromised too. If backdoors remain in any of the sites, it’s probable the other sites will become reinfected even after being cleaned.

It’s not clear how exactly the attackers are compromising WordPress sites, but it’s likely to be a combination of different vectors. It’s also not yet been confirmed that all of the attacks we’re discussing here are carried out by the same group, although it is considered likely.

Once sites are compromised, the attackers are leveraging their access for a variety of purposes. It appears that users are being redirected to sites that host advertising that serves malicious code.

According to Malwarebytes, the advertising-laden sites are a diversion from the true purpose of the attacker, which is to infect users’ machines with malware. Users are redirected to servers hosting the Nuclear exploit kit, which attempts to exploit vulnerabilities in software on the user’s system — typically Flash, Java, and other vulnerability-prone software — to install malware, which includes the TeslaCrypt ransomware package. Victims will have their data encrypted so that they can be extorted to hand over cash in exchange for the decryption key.

The infection may not be apparent to site administrators or regular site users because only first-time users are redirected — a common tactic of online criminals to reduce the chances of detection.

While it’s not clear exactly how these attacks are compromising WordPress sites, WordPress site owners should ensure that they follow all WordPress security best practices to minimize the likelihood of a successful attack.

Site owners should ensure that the access credentials for their servers use long, random passwords. This applies not only to WordPress login credentials but also to any SSH and FTP logins.

Where possible, WordPress users should implement two-factor authentication on their site. TFA considerably decreases the risk that an attacker can carry out a successful brute force attack.

Out-of-date WordPress installations and plugins are often the vector used by attackers to compromise sites. Regularly updating their WordPress site is one of the most important things a WordPress user can do to keep it safe.

A security scanner such as Sucuri’s free malware and security scanner or the Wordfence security plugin can help site owners detect malware inserted into their site more quickly.
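A defender's integrity check aimed at the pattern described above (code added to every legitimate JavaScript file, across every site on a hosting account), written here as an added example and not taken from the original post or from any of the scanners it names: it hashes the .js files of a known-clean copy and flags, per site, any file that differs or has no clean counterpart. The directory layout, file contents and the appended stand-in string are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_baseline(clean_root):
    """Hash every .js file under a known-clean copy (a fresh WordPress download
    or a trusted backup), keyed by path relative to the site root."""
    clean_root = Path(clean_root)
    return {p.relative_to(clean_root).as_posix(): sha256_file(p)
            for p in clean_root.rglob("*.js")}

def audit_site(site_root, baseline):
    """List every .js file under one site that is not byte-identical to the clean
    copy: 'modified' if the hash differs, 'unexpected' if it has no clean twin."""
    site_root = Path(site_root)
    findings = []
    for p in sorted(site_root.rglob("*.js")):
        rel = p.relative_to(site_root).as_posix()
        expected = baseline.get(rel)
        if expected is None:
            findings.append((rel, "unexpected"))
        elif sha256_file(p) != expected:
            findings.append((rel, "modified"))
    return findings

def audit_account(account_root, baseline):
    """Audit every site directory on a hosting account: a backdoor left in one
    site can reinfect the others, so a single-site check is not enough."""
    account_root = Path(account_root)
    return {site.name: audit_site(site, baseline)
            for site in sorted(account_root.iterdir()) if site.is_dir()}

def demo():
    # Constructed sample: one clean copy and two sites on the same account; the
    # 'shop' site has a stand-in payload appended to a core script and an extra
    # .js file dropped in, while the 'blog' site is untouched.
    tmp = Path(tempfile.mkdtemp())
    clean_js = b"(function(){/* legitimate library code */})();\n"
    for name in ("clean", "sites/blog", "sites/shop"):
        (tmp / name / "wp-includes/js").mkdir(parents=True)
        (tmp / name / "wp-includes/js/jquery.js").write_bytes(clean_js)
    (tmp / "sites/shop/wp-includes/js/jquery.js").write_bytes(
        clean_js + b"/* constructed stand-in for injected code */\n")
    (tmp / "sites/shop/wp-content").mkdir()
    (tmp / "sites/shop/wp-content/dropped.js").write_bytes(b"// no clean twin\n")
    return audit_account(tmp / "sites", build_baseline(tmp / "clean"))
```

Running `demo()` reports the 'blog' site as clean and lists both the altered core script and the dropped file for 'shop'; on a real account, point `build_baseline` at a pristine WordPress copy of the same version and `audit_account` at the directory holding the site document roots.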

