
New Malware Alert: Targeting WordPress Websites on Shared Hosting Servers
(23-jan-2025)

A new and highly concerning malware has begun to spread this week across WordPress websites hosted on shared hosting servers. This malware targets WordPress installations by injecting malicious code into the core files of active plugins and themes. It has been reported to even infect default themes, including Twenty Twenty-Four, and popular security plugins. If you're running a WordPress website, it is crucial to take immediate steps to prevent your website from becoming infected or compromised.

In this blog post, we'll discuss how this new malware spreads, its impact on WordPress websites, and the steps you need to take to secure your website from future infections.

1. How the Malware Works

The malware operates by injecting malicious code into the functions.php file of active themes, as well as into the main plugin files. The injected code performs several harmful activities:
    • Disabling Updates: The malware blocks automatic updates for both plugins and themes. This makes sure that any updates that could patch vulnerabilities and remove the malware are stopped, keeping the website under the attacker's control.
    • Remote Data Exfiltration: The malware collects sensitive information, such as server details, user information, and HTTP headers, and sends it to an external server controlled by the attacker.
    • Command Execution: The malware is capable of executing server-side commands using PHP functions like exec(), system(), and shell_exec(). This allows attackers to run arbitrary code on the server, increasing the risk of further compromise.
    • File Upload and Modification: It uploads new files or modifies existing ones on the server, potentially planting more malicious scripts or creating backdoors for future attacks.
    • Obfuscated Code: The malicious code is often obfuscated using base64 encoding and eval() functions to hide its true intentions and bypass detection by security software.

2. How the Malware Spreads

The malware typically spreads through the following vectors:
    • Infected Plugins/Themes: Plugins and themes, including the default WordPress themes (such as Twenty Twenty-Four), have been found to carry the malicious code. If a theme or plugin is vulnerable or outdated, attackers can exploit it to inject the malware.
    • Weak Credentials: Attackers can exploit weak passwords or poorly configured admin credentials to gain access to WordPress websites, where they inject the malicious code into the plugin or theme files.
    • Malicious File Uploads: If a website is improperly configured to allow dangerous file types or uploads without sufficient checks, attackers may upload PHP shells or other malicious files to the server.
    • Cross-Site Scripting (XSS): If plugins or themes don't properly sanitize user inputs, attackers may inject malicious scripts that execute within the browser or server environment.

3. Signs That Your WordPress Website Might Be Infected

If you notice any of the following, your website may be compromised:
    • Disabled Auto Updates: If plugins or themes fail to update automatically, this could be a sign that the malware is preventing updates.
    • Unexpected Outbound Traffic: A sudden increase in outbound traffic, especially to unknown or suspicious external servers, may indicate that your website is exfiltrating data.
    • Unfamiliar Code: If you find unfamiliar or obfuscated code in your theme's functions.php file or plugin files, your website might have been injected with malware.
    • Slow Site Performance: Malware infections can cause server resource spikes, making your website sluggish or even causing downtime.
    • Unauthorized User Accounts: Check your WordPress user list for any unfamiliar accounts, especially those with administrative privileges.
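The "unfamiliar or obfuscated code" sign above is easier to check for with a small scanner than by reading every file by hand. The following is an added example, not a tool from the original post or from Register.lk: it flags the traits the post describes (eval() over base64 payloads, exec()/system()/shell_exec() calls, and hooks that switch off plugin/theme auto-updates) in theme and plugin PHP files. The auto_update_plugin and auto_update_theme filters are real WordPress hooks, but treating a __return_false hook on them as an indicator is this example's own assumption; the sample files are constructed, and any hit still needs a human to confirm it.

```python
import re
from pathlib import Path

# Heuristics for the traits the post describes: eval() over base64 payloads,
# shell-execution functions, and hooks that block plugin/theme auto-updates.
# auto_update_plugin / auto_update_theme are real WordPress filters; treating a
# __return_false hook on them as an indicator is this example's assumption.
INDICATORS = {
    "eval_of_base64": re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{80,}={0,2}['\"]"),
    "shell_exec_function": re.compile(r"\b(exec|system|shell_exec)\s*\("),
    "auto_update_disabled": re.compile(
        r"add_filter\s*\(\s*['\"]auto_update_(plugin|theme)['\"]\s*,"
        r"\s*['\"]__return_false['\"]"
    ),
}

def scan_php_source(source):
    """Return a list of (line_number, indicator_name) hits for one PHP file."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits

def scan_wp_content(root):
    """Scan every .php file under wp-content/themes and wp-content/plugins."""
    findings = {}
    for sub in ("themes", "plugins"):
        for path in Path(root, sub).rglob("*.php"):
            hits = scan_php_source(path.read_text(errors="replace"))
            if hits:
                findings[str(path.relative_to(root))] = hits
    return findings

# Constructed samples (not real malware): a plain functions.php, and the same
# file with lines showing the traits above appended. The base64 decodes to "hello".
CLEAN_FUNCTIONS_PHP = """<?php
// theme bootstrap
add_action('wp_enqueue_scripts', 'theme_enqueue_styles');
function theme_enqueue_styles() { wp_enqueue_style('style', get_stylesheet_uri()); }
"""
INFECTED_FUNCTIONS_PHP = CLEAN_FUNCTIONS_PHP + """// appended, constructed indicators
add_filter('auto_update_plugin', '__return_false');
add_filter('auto_update_theme', '__return_false');
eval(base64_decode("aGVsbG8="));
$info = shell_exec('uname -a');
"""
```

Run scan_wp_content("/path/to/wp-content") against a site and review each reported line; a clean site should return an empty dict.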

4. Steps to Protect Your Website from This Malware

If your WordPress website is hosted on a shared hosting server, we have already taken steps to protect the environment by disabling dangerous PHP functions such as exec(), system(), and shell_exec(). However, website owners need to take additional steps to secure their installations from future infections.

    a. Switch to a Clean Theme and Plugin
    Since the malware has been found to affect default themes like Twenty Twenty-Four and popular plugins, we recommend switching to a new, clean theme and reinstalling your plugins to avoid any potential backdoor access. If you are unsure which themes or plugins are safe, consider using only those you have freshly installed from the official WordPress repository or trusted sources.
    • Disable All Plugins: If you cannot immediately identify the infected plugin, disable all plugins and switch to a newly installed theme.
    • Reinstall Plugins: Reinstall all necessary plugins from official sources to ensure that no malicious code persists.

    b. Remove the Malicious Code from Infected Files
    If you have already been infected, the first step is to manually remove the injected code from the infected files. Since the malware has even affected security plugins, it's crucial to clear the infected code before running any scans. Once the infected code is removed, you can use a security plugin to check for further signs of compromise.
    • Security Plugin Scans: After cleaning up the infected files, use a security plugin like Wordfence or Sucuri to run a complete website scan. These plugins can help detect and remove any residual malware.

    c. Ensure Proper Website Security
    To avoid future infections, follow these best practices:
    • Enforce Strong Passwords: Ensure that all users, especially admins, use strong, unique passwords. Consider implementing two-factor authentication (2FA) for added security.
    • Limit File Uploads: Use proper validation for file uploads and ensure that only safe file types are allowed. Disable any functionality that is not necessary.
    • Regularly Update Themes and Plugins: Always keep your WordPress themes, plugins, and core installation up to date. Enable automatic updates for both plugins and themes whenever possible.
    • Use a Web Application Firewall (WAF): Install a WAF to filter out malicious traffic and protect your website from attacks before they even reach it.
    • Maintain Local Backups: Ensure you have an up-to-date backup of your website stored locally, allowing for easy restoration if needed.
    • Monitor Activity: Keep an eye on your server logs for any suspicious activity. Immediate detection of irregularities can help you act quickly before the malware can do significant damage.

5. Conclusion

This new malware spreading across WordPress websites has raised significant concerns for website owners, especially those on shared hosting servers. By targeting both default and third-party themes and plugins, the malware is able to compromise WordPress websites, causing data theft, remote command execution, and further vulnerabilities.

While we have already disabled dangerous functions like exec() and shell_exec() in our shared hosting environment and removed the malicious code from affected websites, we urge all WordPress website owners to take proactive measures. Switch to clean themes and plugins, remove any malicious code, and follow the best practices outlined above to ensure your website remains secure.

By staying vigilant and following these steps, you can protect your website from this new wave of malware and prevent future infections.


Written by: Register.lk Systems Hero - Lakshani