You may be surprised to learn that hundreds of thousands of self-hosted WordPress sites may currently be infected with Russian malware inserted through a premium slider plugin. This revelation comes from Tony Perez of Sucuri, who notes that Google has blacklisted 13,000 websites because of this malware and warns that eradication will be difficult because of lax webmaster practice on many self-hosted sites.
Let me explain how to check your site for the malware, where the malware originated and propagates, and how you can protect yourself from similar attacks in the future.
How to check for SoakSoak malware on your site
Before I explain the specifics of the malware, let me tell you upfront how to check for it. Go to the Sucuri SiteCheck page ( http://sitecheck.sucuri.net/ ), type in your website name and hit enter. (That’s the easy part).
Apparently a vulnerability in RevSlider was discovered in March on one of their user forums and was patched sometime thereafter. Of course this means that older, unpatched versions of this plugin remain vulnerable to the malware.
Daniel Cid of Sucuri notes that eradicating this malware from an infected site requires removal of the malware and implementation of a website firewall.
How to Nostradamus these issues for the future
One of the most useful email newsletters that I receive is the Wordfence newsletter (though I am signing up for the Sucuri newsletter now, too). Here’s why:
- Wordfence Security Alert re Slider Revolution plugin – September 4, 2014
- Slider Revolution Plugin Critical Vulnerability Being Exploited (Sucuri blog) – September 3, 2014
Three months before SoakSoak malware became a thing, both Sucuri and Wordfence sent out alerts to the effect of “Hey, if you’re using this plugin you may want to update it and / or delete it.”
I find it worthwhile to skim these newsletters to see if any plugins I’m using may be vulnerable. This won’t future-proof your site entirely, but it may give you a heads-up that there is danger lurking.
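Acting on such an alert means knowing which plugin versions your own site actually runs. The script below is an added example (not from the original post, Sucuri or Wordfence): it parses the standard WordPress plugin header (the Plugin Name and Version fields in a plugin's main PHP file) and flags installed plugins below the first patched version. It assumes the slider's directory slug is revslider; the sample headers and version numbers are constructed, and the minimum version is a placeholder you replace with the patched version named in the vendor or Wordfence alert.

```python
import re
from pathlib import Path

# WordPress plugin header fields, as written in a plugin's main PHP file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)

def parse_plugin_header(php_source: str) -> dict:
    """Extract 'Plugin Name' and 'Version' from a plugin's header comment."""
    return {key: value for key, value in HEADER_RE.findall(php_source)}

def version_tuple(version: str) -> tuple:
    """Turn '4.10.2' into (4, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def find_outdated(installed: dict, minimum_versions: dict) -> list:
    """installed: {slug: header dict}; minimum_versions: {slug: first patched version}.
    Returns slugs installed below the patched version or lacking a parsable version."""
    outdated = []
    for slug, minimum in minimum_versions.items():
        header = installed.get(slug)
        if header is None:
            continue  # plugin not installed, nothing to flag
        version = header.get("Version")
        if version is None or version_tuple(version) < version_tuple(minimum):
            outdated.append(slug)
    return outdated

def scan_plugins_dir(plugins_dir: Path) -> dict:
    """Read each plugin's main-file header from wp-content/plugins/<slug>/*.php."""
    installed = {}
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in plugin_dir.glob("*.php"):
            header = parse_plugin_header(php.read_text(errors="replace"))
            if "Plugin Name" in header:
                installed[plugin_dir.name] = header
                break
    return installed

# Constructed sample headers standing in for files on disk (versions are made up).
SAMPLE_INSTALLED = {
    "revslider": parse_plugin_header("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/"),
    "akismet": parse_plugin_header("<?php\n/**\n * Plugin Name: Akismet\n * Version: 3.0.4\n */"),
}
# Placeholder threshold: substitute the patched version given in the vendor or Wordfence alert.
SAMPLE_MINIMUMS = {"revslider": "4.2.0"}

if __name__ == "__main__":
    print(find_outdated(SAMPLE_INSTALLED, SAMPLE_MINIMUMS))
```

On a live site, call scan_plugins_dir(Path("wp-content/plugins")) in place of SAMPLE_INSTALLED and run it from the server, since the check reads the plugin files directly rather than probing the site over HTTP.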