WordPress Hacked by SoakSoak Malware

If you are one of the 70 million people who blog or use WordPress on the Internet, beware of the SoakSoak malware that has blacklisted over 11,000 sites. When a customer searches for your website on WordPress, the odds are increasing that Google will block it based on erroneous information from SoakSoak. It just started happening and it is predicted that over 100,000 websites will be impacted on WordPress. The malware slips through via the premium plugin called RevSlider Since the plugin is a "premium" and not "standard" as part of a package, the user should know about it.

The plugin is in many packages that WordPress offers in theme packages. Even if the owner of the website locates both and tries to disinfect and remove, the malware reinfects again. The malware and plugin can be attached to innocent images and can insert during a package install additional administrators for more control, without the knowledge of the user.

One way to detect it is to download Wordfence, a free app from WordPress, to protect your blogs etc. The two files that are infected are:

/wp-includes/template-loader.php
/wp-includes/js/swfobject.js

If you determine they have been recently been changed (look at date), there is a good chance the malware did this. What you need to do is reinstall from a clean file and clear your browser cache. To see if you have RevSlider on your computer, go to:

/wp-content/plugins/revslider/temp/update_extract/

/wp-content/plugins/cached_data/

Neither of them should exist. The good thing about this malware issue is that it only effects users of Chrome browser. There seems to be little impact on other browsers accessing WordPress sites.