How to Protect Your WordPress Site from Keylogger Malware

Mar 12, 2018


Article ImageIt’s probably not surprising that WordPress powers 30% of the internet. But you may be surprised to learn that, at the time of this writing, over 2,300 websites run on WordPress were infected by malware, based on data provided (here, here and here) by PublicWWW, a source code search engine.

The malware includes a keylogger that records keystrokes in order to gain unauthorized access to passwords and other confidential data; it also installs a malicious script that produces an in-browser cryptocurrency miner. The ramifications are serious, possibly resulting in stolen admin credentials that can allow hackers to easily log into your WordPress site and, if the site offers e-commerce capabilities, pilfer vulnerable payment and personal data.

Website security company Securi, which reported that this malware infected over 5,400 sites last December, noted in a recent blog post that a number of injected scripts have been used in this attack, including a cdjs[.]online script that’s injected into either a WordPress database or a WordPress theme’s functions.php file.

“The keylogger captures all of the user’s actions on the keyboard, and is ready at any time to send all that has been recorded to the hacker,” says Amil Haimov, CEO of Cobweb Security. “The (malware) itself cannot appear on the website on its own—it must be the result of a hack.”

Chris Olson, CEO of The Media Trust, says WordPress, being the most popular self-hosted, open source CMS, has always experienced its fair share of compromises and is the perfect target for bad actors. “While open source platforms provide a fabulous ‘plug-n-play’ infrastructure, they are not supported by the vendor; therefore, they lack the protection users expect—there’s no accountability for the developer community should a feature or plug-in be compromised,” says Olson. “Plus, not only do most WordPress users lack technical expertise, but many users also build their initial site and don’t continuously evaluate its vulnerability, which will change over time.”

The pain inflicted by malware like this keylogger can be significant.

Tips to Combat Malware 

“Not only does an attack harm the reputation of a website owner, but it can also expose the individual or company to fines associated with the inability to secure data and protect consumer data privacy rights,” Olson says. “General industry estimates put the cost of a successful cyber attack at [an average] $2 million in terms of lost revenue and remediation. Some estimate $10,000 in liability for a single attack, with large enterprises reporting long-term remediation costs ranging from one to five percent of revenue.”

To fix any website infected with this malware, Securi’s blog post recommends removing the malicious code from the theme’s functions.php file, scanning the wp_posts table for potential injections, replacing all WordPress passwords, and updating all third-party themes, plugins, and other server software.

Jeff Capone, CEO/co-founder of data security firm SecureCircle, says these latter two steps are crucial. “Create and use secure passwords, and turn on two-factor authentication,” says Capone.

Also, “only install highly reviewed plugins from verified sites like”

Haimov cautions that more than one of your websites may be vulnerable. “Many administrators create dozens of sites on one hosting account. When a hacker gets into a shell, all of the websites become accessible to him. As a consequence, you’ll need to check and repair all the sites on that account,” says Haimov.

Additionally, prepare to rethink your overall approach to security. “The first step is to identify owned and operated website code and then compare it to what actually executes to render content on users’ browsers outside the firewall. Then, analyze the heretofore unknown vendors, which may require research to understand their purpose or activity on the website, which vendor called them, and any potential risk they pose to the enterprise, employees, partners or customers,” suggests Olson.

Lastly, decide if that vendor should be allowed to execute on your website. “Vendors providing necessary value to website functionality should know your security expectations,” adds Olson. “Sharing your requirements with third parties goes a long way in demonstrating reasonable care for protecting consumers, which can help mitigate liability should something go wrong.”

Related Articles

There may be no tool more important to the daily life of web users, but more overlooked, than the WCM system. Ask the average web surfer what powers the content he or she consumes, and he or she would likely just look at you dumbfounded. But businesses and publishers know how important WCM systems are to getting their messages out to the masses. While WCM systems may be the foundation much of the web is built on, the industry is changing shape all the time.
How much of your traffic comes from Facebook? Whatever your answer is, it's about to change. Facebook has officially announced changes to its Newsfeed algorithm that will put content from friends ahead of, well, everything else. So, whether you're a media outlet or a marketer, your social media strategy is about to get a big shake-up.
In the world of digital ads, two names continue to dominate: Google and Facebook. The competition isn't even close, with these online juggernauts now representing 73% of all U.S. digital advertising, a rise from 63% in the second quarter of 2015, per Pivotal's Brian Wieser in a recent note to clients. But a recent report by investment firm Cowen, "Ad Buyer Survey VI," suggests that Facebook may be poised to snatch that crown, due to the growth in video ads and Instagram.
Some print publishers see a helping hand arising from an unlikely source: Augmented Reality (AR.) Unlike Virtual Reality (VR), which plucks the reader out of their environment and takes them elsewhere courtesy of a headset, AR is designed to enhance the environment in which the reader finds herself by overlaying digital information onto the real world, via a phone screen or AR-enabled headsets.