Large Number of WordPress Hacks Silently Delivering Ransomware to Visitors

Mysteriously, a large number of sites running on WordPress have been hacked causing them to deliver  crytpo-ransomware and other malicious software, to visitors. Until last week, web security services were unaware of this massive lapse in security.

Three separate security firms have since come forward to report that visitors of a massive number of legitimate WordPress sites are being silently redirected to malicious sites, which host code from the Nuclear exploit kit.

Users with outdated versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are highly susceptible to getting infected with Teslacrypt ransomware package. The ransomware encrypts files on the computer with a decryption key which can only be availed at a hefty ransom to restore user files.

“WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.”

Researchers at Heimdal Security Software wrote in a blog post: “The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use.” Hackers are exploiting an unidentified vulnerability with obfuscated JavaScript which redirects traffic to a domain called chrenovuihren. An online ad pops up on the site which forces traffic to the site hosting the Nuclear exploit kit.

“This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files.” Website security firm Sucuri, said in a statement in a blog post, Monday. “This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code. This is why many webmasters are experiencing constant reinfections post-cleanup of their .jsfiles.”

Three of the Best WordPress Security Plugins Reviewed

With cyberattacks getting increasingly common, about 30,000 per day, it’s more important than ever to protect your site. You can take steps to safeguard your data without paying external services. Setting a complicated password and keeping your site up-to-date goes a long way, but the extra blanket of security provided by security plugins certainly helps and is worth shelling out a few extra dollars for premium features.

There’s a ton of WordPress security plugins, so we’ve reviewed only three of the most popular ones out there:

  1. WordFence

This plugin is free but for additional features there is a premium version. It routinely scans all your WordPress files for malware infections and notifies you if any is found. Using two factor authentication (with SMS), it stops brute force attack. WordFence gives users the option to block people from certain countries, and has a firewall to block fake traffic. The plugin claims to speed up your website 50 times faster, and can support multiple sites on the same account.

  1. iThemes Security

Formerly known as ‘Better WP Security’, iThemes is a popular choice with users. It scans your site to find vulnerabilities and fixes them as quickly as it sends you a report. It not only hides sensitive core files, but increases the password’s security level and blocks ‘bad users’. If iThemes is faced with a user with repeated login attempts, it will block and report their IP addresses. Pro users get two-factor authentication using a mobile app, password expiration, a track log of users’ actions, and a malware scan automatically every day.

  1. Sucuri Security

This plugin is a product of Sucuri Inc., a web security company focused on detecting and remediating compromised websites. Its security activity monitoring feature tracks all changes to help security experts understand how it is being compromised. Sucuri Security also Security Activity Auditing has File Integrity Monitoring, Remote Malware Scanning, Blacklist Monitoring, Effective Security Hardening, Post-Hack Security Actions, Security Notifications and a Website Firewall.

WordPress 4.4.2 Update Released to Patch Vulnerabilities

WordPress 4.4.2 has been released as an update to all versions to provide patches for two security vulnerabilities. To improve functionality, 17 bugs from the previous version are also addressed. The update is now available to download and WordPress recommends that everybody update immediately.

One of the two security fixes in 4.4.2 is a possible Server-Side Request Forgery (SSRF) vulnerability. It impacts local addresses and allows hackers to bypass access controls, like Firewall, to crash infected systems. The actual WordPress code commit that fixes the SSRF issue states that “ is not a valid IP.”

This is not the first time WordPress has pushed a fix for SSRF. In June 2013, WordPress 3.5.2 was released with a patch-up for a SSRF vulnerability.

The Mitre Common Weakness Enumeration (CWE) states in its definition of SSRF as,“By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”

Open redirection attack is the second issue tackled in the new update. An open redirection attack links to external sites — phishing sites or other kinds of malicious sites — by abusing web functionality. “A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect,” Mitre’s Open Redirect definition states. “This simplifies phishing attacks.”

A new block of code which will bring about better validation of the Web addresses used in HTTP redirects, is WordPress’s solution for the open redirection attack insecurity.

After the Jan 6th update of WordPress 4.4.1, this is the second update of the year for WordPress. Like last time, automatic updates are being rolled out to sites that support automatic background updates. To download manually, you can either head over to Dashboard > Updates in WordPress and click on the “Update Now” button, or download WordPress 4.4.2 from WordPress directly.


WordPress Update 4.4.1 Released

Last week, WordPress announced the release of an update to address security and maintenance issues. The publishing platform urged users to update their systems immediately, protecting them from a cross-site scripting (XSS) vulnerability.

Aaron  Jorbin, a WordPress contributor who published news of the update’s release on the company’s official blog, warned that WordPress versions 4.4 and earlier could allow sites to be compromised due to the cross-site scripting vulnerability.  The loophole was discovered and reported by Crtc4L.

The bug allows remote attackers to gain access and compromise sites. Hackers are able to pass malicious content between sites through the cross-site scripting vulnerability. The kind of code injection bypasses the same-origin policy, which is an important concept in web security applications. Wikipedia says under the policy, “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.” 

The vulnerability was spotted by Crtc4L, who is an independent security researcher based in the Philippines. They were awarded a bounty through HackerOne for their discovery.

In addition, the update also contains several bug fixes unrelated to security. Among them are support for all the new emoji characters lately added to the emoji collection, including the diverse hand gestures and faces. Fans of emojis on iOS will rejoice at the long-awaited news.

WordPress 4.4.1 fixes 52 bugs from the last version. Fixes to solutions included: “Some sites with older versions of OpenSSL installed were unable to communicate with other services provided through some plugins,” and “if a post URL was ever re-used, the site could redirect to the wrong post.”

Automatic updates are being rolled out to sites that support automatic background updates. To download manually, you can either head over to Dashboard > Updates in WordPress and click on the “Update Now” button, or download WordPress 4.4.1 from WordPress directly.

Recap 2015 — A Year of Security Vulnerabilities


The time to make new year resolutions is here. The time to wave goodbye to 2015. The time of fresh beginnings. The time to look back on the good and bad of the past year. And the time to review all that happened and move on as a better version of yourself.

Contrary to popular opinion, it’s not always external hack attacks that do the most harm. Sometimes it is inherent flaws in the system unnoticed by users until the minute they are exploited. Techworld did a great piece on security flaws of the year 2016 detailing accidental flaws in services leading to attacks in 2015.

Google Android Flaws

Google’s Android platform for smartphones has spread far and wide. Stretching across several manufacturers has made it difficult to push updates to all devices at the same time, leading to multiple security issues. In the summer of 2015, many security flaws were made public, of which Stagefright was the most devastating. Followed by Stagefright 2.0, it had a way of beating Android 5.0 lockscreen’s security code.

Anti-virus Flaws

Of all the anti-viruses, the most flawed (yet popular) AVG was first singled out by an Israeli security firm enSilo which discovered a software flaw. It was patched in two days. However, later on a Google engineer found another flaw in AVG’s Chrome browser Web Tune-Up plug-in which allowed attackers to scour through entire browsing histories.

Juniper VPN ‘Back Door’ Flaw

Apparently the VPN part of Juniper’s NetScreen firewall kit has had a backdoor since 2012. A weakness in a piece of encryption furniture called Dual_EC_DRBG random number generator contained a software flaw that allowed the insertion of a back door.


TalkTalk attacked thrice

The telecommunications company was attacked not just once, but thrice! According to the company, ‘only’ 159,959 accounts were compromised, of which 15, 656 had their bank account details compromised.

Independent’s ransomware

Independent news blog was caught serving TeslaCrypt ransomware by Trend Micro. The site was attacked several weeks before Trend informed them.


WordPress Security: 2015 in Review

Another day, another year and 2015 is drawing to a close. It’s been an interesting year with Donald Trump making waves in the presidential elections, and finishing off with Steve Harvey crowning the wrong Miss Universe! 2015 is a year to remember. In the midst of the holiday cheer, it’s also the time to reflect back on the past year to learn and grow from our mistakes.

By mistakes, we mean lapses in your WordPress security — not on how you need to start hitting gym! With WordPress attacks on the rise, it’s more important than ever to keep your site safe and beware of some common pitfalls. Only last month, data security firm Imperva confirmed in their WAAR Report 2015 that WordPress has been the victim 3.5 times more than other Content Management Systems.

WordFence has released the results of their first annual WordPress Security Survey. A large sample of 7,375 WordPress users took part in the survey revealing data of security behaviour of WordPress users, from those with little to no experience to total experts.

Of the respondents, 38.9% admitted to being a victim of a WordPress attack in the past year. It appears that a majority of the victims were not proactively scanning their site for viruses but rather stumbled upon it. Over 35% of the sample said that they were alerted to their site being compromised while visiting their site. Around 27% said that their hosting provider took their site offline and 26% were contacted by a customer.

Although more than half of WordPress users find their income greatly affected when their site goes compromised, it appears from the survey results that expert users were far more concerned about site security than advanced and intermediate users.

Plugins often make it to the news for creating vulnerabilities in the site’s defense system, yet interestingly the survey found that the most used plugin type installed was a security plugin. It was closely followed by contact form, SEO and anti-spam plugins.

As a site owner, it’s your responsibility to keep your site well protected. Use these 4 simple ways to protect your site from ever getting compromised.

Merry Christmas and a Happy New Year from everybody at WPSOS! See you next year ;)

GoDaddy and SiteLock Partner to Add Security to Small Business WordPress Sites

It seems like very week there are new reports of security attacks on WordPress sites, and according to recent reports the numbers are just getting higher. GoDaddy, the highly popular domain registrar and web hosting company, has decided to add extra security to WordPress sites owned by small business owners. The company has partnered with SiteLock, a website security provider, to reduce security vulnerabilities and attacks.

The two companies which have been working together since April 2014, have announced a new plugin keeping web developers and designers in mind. With just one click, businesses will be able to access and understand their website security situation. Without having to leave your website, the plugin gives you an at-a-glance view of security scan results within the WordPress dashboard.

“This brought their security information to the forefront in WordPress so they can manage their portfolio of websites without having to ever leave the WordPress site,” SiteLock President Feather said. “They can scan to make sure it’s free of malware and can do all this within one interface. It’s a powerful tool for them because it enables them to do it in real time as they’re working and adding features to their site.”

Other features include security scans on WordPress pages in draft mode and real-time updates to resolve threats with minimal latency between the time they are identified and resolved. The plugin can also recognize specific vulnerabilities and quickly resolve them on its own.

Tom Serani, SiteLock Executive Vice President of Business Development, said, “As the hosting space continues to evolve, we wanted to offer a strategic solution through a trusted small business advisor and partner like GoDaddy. We worked together to make it easy for customers to seamlessly integrate security into their sites.”

Users can use one set of log-in credentials through the plugin to access and manage both their GoDaddy account and SiteLock information.

WP Engine Suffers Security Breach

WP Engine has suffered a major security breach it forcing to reset over 30,000 customers’ passwords. On Tuesday, the WordPress hosting outfit confessed to the hack attack. It posted recommendations on resetting passwords with updated step-by-step links on how to do it.

WP Engine is a Hosted service provider, which manages WordPress hosting for mission critical sites around the world. Set up by WordPress to better support the giant web publishing platform, it had stayed clear of any security vulnerabilities — unlike WordPress and its themes- up till now.

In an urgent security notification on its site, WP Engine announced the security breach. They said, “At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.”

“We have begun an investigation, however there is immediate action we are taking. Additionally, there is action that requires your immediate attention” said the WP Engine Team, referring to the resetting of passwords. “While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account. This means you will need to reset each of them.”

The firm immediately reached out to its clients informing them of the attack and on how to guard their accounts. Users with an account at WP Engine should change their password and keep a watchful eye over email comings and goings, as well as, their financial transactions.

WP Engine apologized for the attack, “We apologize for any inconvenience this event may have caused. We are taking this exposure as an opportunity to review and enhance our security, and remain committed to strong internal security practices and processes.”

Breaking News: Reader’s Digest and other WordPress sites are compromised

A large number of Internet users have been infected via the Angler exploit kit, after visiting compromised sites in the past week. The hacking campaign has been pushed from many WordPress sites, most notably that of Reader’s Digest — the popular, monthly family magazine.

According to security blog, Malwarebytes, the attack consists of compromised WordPress sites injected with malicious script that launches another URL whose final purpose is to load the Angler exploit kit. Owners of attacked WordPress sites should remember that although the injected scripts and URL’s follow the same pattern, they vary over time.

In the initial investigation by Malwarebyte, it was found that the Necurs backdoor trojan is loaded on the computer of visitors to the infected sites, delivered by the Bedep trojan via the uploaded Angler Exploiter Kit. If you have visited Reader’s Digest or any other compromised site, run a security scan on your computer.

But if you are one of the infected sites, then don’t hesitate in contacting us. It is our specialty to clean up all malware and hacker attacks on WordPress sites. We have a highly experienced team who have seen all kinds of viruses and malware, and effectively dealt with them.

In an email to SCMagazine on Tuesday, Reader’s Digest spokesperson Pauli Cohen said, “We became aware of the malware attack last week and have been working with our security provider, technology partners and platform provider to investigate the issue and perform extensive security checks on our website. At this point, we are addressing all known vulnerabilities of the site. We take security very seriously and are taking every step to ensure the integrity of our site.”

Although it is our specialty to help restore security to hacked WordPress sites, we believe it is always important to guard yourself against an attack in the first place. Getting your site back up and running is no problem for us. However once you’ve realized that your site has been hacked, then give us a call at +1 (650) 600‑1970 as soon as possible to mitigate the damage.

Imperva WAAR Report 2015: WordPress attacks highest of all CMS’s

Security attacks on websites and blogs are higher than ever before. According to Imperva’s new Web Application Attacks Report, Content Management Systems (CMS’s) were attacked three times more often than other Web applications. The data security firm confirmed that WordPress has unfortunately been the victim 3.5 times more than the others.

It comes as no surprise that WordPress is the most attacked CMS. Not only is the most popular service but new data from W3Techs, which measures both usage and market share, reported last week that WordPress accounts for a quarter of the web. They said,“WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

As 2015 draws to a close, WordPress has taken a real beating this year with an increase in brute-force attacks. Hackers and malware are doing a lot of damage by taking advantages of vulnerabilities caused by weaknesses in the 30,000+ plugins on WordPress.

Imperva’s report said,“CMS frameworks are mostly open source, with communities of developers continuously generating sequences of plugins and add-ons, without concerted focus towards security. This developer model constantly increases the vulnerabilities in CMS applications, especially for WordPress which is also PHP based.”

Non-CMS applications were less susceptible to remote command execution (RCE) attacks than CMs’s according to the report’s findings. Furthermore, the report found that WordPress is five times likelier than other CMS’s to be hit by remote file inclusion (RFI) attacks.

Some of the trends discovered in Imperva’s annuals report were continuing from last year’s report, such as increased SQL Injection (SQLi) and Cross-Site-Scripting (XSS) attacks and more attacks on WordPress. A newcomer this year is the mega trend of Shellshock Remote Code Execution (RCE) attacks, scanning web applications on an equal basis.

The report said, “We conclude that the increasing availability of web attack tools and services — with computational power becoming less expensive and ubiquitous — are driving the new wave of volumetric malicious attacks. The evolution of attacks against web applications has continued with increased sophistication, magnitude, and velocity. However, there is hope thanks to the growing effectiveness of reputation-based detection mechanisms, and their ability to identify attacks by tracking previously identified malicious activity to its origins.”