On January 29, 2018, websites running the widely used content management system (CMS) WordPress were once again being infected with malware. To date, more than 2,000 websites running the open-source CMS have fallen victim to a cryptocurrency keylogger.
Coinhive is a JavaScript-based Monero cryptocurrency mining service. It runs a snippet of JavaScript in the background of a visitor's browser for as long as they are on a site that has embedded the Coinhive service. Coinhive was hacked and used to target WordPress sites.
Recently, hackers started a new campaign of malicious JavaScript miners bundled with a keylogger, so anyone who visits an infected site is exposed to both the cryptocurrency miner and the keylogger. The keylogger records the visitor's keystrokes and captures any private information entered into an e-commerce checkout form or a login form.
Security firm Sucuri traced the keylogger back to the domain name "Cloudflare[.]Solutions", which has since been taken down. (Cloudflare is also the name of a network management and cybersecurity firm; that company has no relation to the cryptocurrency keylogger.)
"Cloudflare[.]Solutions" appeared as the src value of a malicious script tag injected into the infected websites' theme functions.php file, and that script loaded the keylogger. Other newly registered domains were later swapped in for the original Cloudflare[.]Solutions domain so that captured data could keep flowing to the hackers over the WebSocket protocol.
Sucuri researchers concluded, "The reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It's possible that some of these websites didn't even notice the original infection." Sucuri suggests removing the malicious code from the theme's functions.php file or scanning the wp_posts table for it.
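The two locations named above, the theme's functions.php file and the wp_posts table, are where a site owner would look for the injected script. The following scanner is an added example, not code from the article or from Sucuri: it searches PHP theme source and post content for script tags, wp_enqueue_script()/wp_register_script() calls and WebSocket connections whose host is the indicator domain from the article. The sample functions.php contents, the sample wp_posts rows and the file paths are constructed for this example; a real scan would walk wp-content/themes and query the database instead.

```python
"""Scan WordPress theme files and wp_posts rows for script injections that
reference a known indicator domain.  Added example; sample data is constructed."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Indicator domain named in the article (defanged "Cloudflare[.]Solutions").
INDICATOR_DOMAINS = ("cloudflare.solutions",)

# <script ... src="..."> tags (also matches tags emitted from PHP echo strings).
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']([^"']+)["']""", re.IGNORECASE)
# wp_enqueue_script('handle', 'literal-url') / wp_register_script(...) with a literal URL.
ENQUEUE_RE = re.compile(
    r"""wp_(?:enqueue|register)_script\s*\(\s*["'][^"']*["']\s*,\s*["']([^"']+)["']""",
    re.IGNORECASE)
# new WebSocket('wss://...') connections used to exfiltrate keystrokes.
WEBSOCKET_RE = re.compile(r"""new\s+WebSocket\s*\(\s*["']([^"']+)["']""", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (source, kind, url)


def hostname_of(url: str) -> str:
    """Lower-case hostname of a URL; protocol-relative //host/path is accepted."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def is_indicator_host(host: str) -> bool:
    """True when host is an indicator domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)


def find_indicators(text: str, source: str) -> List[Finding]:
    """Return every script/enqueue/WebSocket URL in text that points at an indicator host."""
    findings: List[Finding] = []
    for kind, rx in (("script-src", SCRIPT_SRC_RE),
                     ("wp_enqueue_script", ENQUEUE_RE),
                     ("websocket", WEBSOCKET_RE)):
        for match in rx.finditer(text):
            url = match.group(1)
            if is_indicator_host(hostname_of(url)):
                findings.append((source, kind, url))
    return findings


def scan_theme_files(files: Dict[str, str]) -> List[Finding]:
    """files maps a path (e.g. .../functions.php) to its contents."""
    return [f for path, text in files.items() for f in find_indicators(text, path)]


def scan_wp_posts(rows: List[Dict[str, object]]) -> List[Finding]:
    """rows are dicts with at least ID and post_content, as read from wp_posts."""
    return [f for row in rows
            for f in find_indicators(str(row["post_content"]), f"wp_posts#{row['ID']}")]


# Constructed sample data: one clean theme, one theme carrying two injections.
SAMPLE_THEME_FILES: Dict[str, str] = {
    "wp-content/themes/clean-theme/functions.php": """<?php
function theme_assets() {
    wp_enqueue_script('theme-main', get_template_directory_uri() . '/js/main.js');
}
add_action('wp_enqueue_scripts', 'theme_assets');
add_action('wp_footer', function () {
    echo '<script src="https://example.com/legit.js"></script>';  // not an indicator
});
""",
    "wp-content/themes/infected-theme/functions.php": """<?php
wp_enqueue_script('cf-sol', '//cloudflare.solutions/js/ws.js');  // constructed path
add_action('wp_footer', function () {
    echo '<script type="text/javascript" src="https://cloudflare.solutions/ajax/libs/example.js"></script>';
});
""",
}

# Constructed sample wp_posts rows: a clean post, an injected loader, an inline WebSocket.
SAMPLE_POSTS: List[Dict[str, object]] = [
    {"ID": 1, "post_content": "<p>Welcome to the shop.</p>"},
    {"ID": 2, "post_content": '<p>Checkout</p><script src="https://cloudflare.solutions/ajax/libs/example.js"></script>'},
    {"ID": 3, "post_content": "<script>var s = new WebSocket('wss://cloudflare.solutions:8085/');</script>"},
]


if __name__ == "__main__":
    for source, kind, url in scan_theme_files(SAMPLE_THEME_FILES) + scan_wp_posts(SAMPLE_POSTS):
        print(f"{source}: {kind} -> {url}")
```

The matcher compares hostnames rather than searching for the raw string, so a protocol-relative `//cloudflare.solutions/...` src and a `wss://cloudflare.solutions:8085/` WebSocket endpoint are both caught, while a legitimate external script on another host is not flagged. Replacement domains from the same campaign would be added to INDICATOR_DOMAINS.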
Here is a link to an article that explains simple and in-depth ways to clean up a hacked WordPress site and to prevent it from happening again.