Watch out for SoakSoak, a new malware threat that has compromised more than 100,000 WordPress websites and led to more than 11,000 domains’ being blacklisted by Google. WordPress is a hugely popular and widely used Web publishing platform, so it’s important to understand how the SoakSoak malware works, and what you can do to prevent your own WordPress site from being compromised.
Approximately one in six websites—or about 60 million worldwide—are hosted through WordPress, so the damage could be, or may still get, much worse. In a blog post on Tripwire’s State of Security, David Bisson explains that once a WordPress site is infected, it may unexpectedly redirect users to the SoakSoak.ru domain, and/or download malicious files to the users’ computers to further propagate the attack.
The short answer to the question “What can I do to prevent my WordPress site from being compromised?” is to make sure you keep WordPress itself and any plugins you use up to date. You should also remove any plugins you aren’t actually using. Attackers are apparently exploiting critical vulnerabilities in WordPress plugins as an easier, stealthier way of spreading malware through WordPress sites. Many plugins are not actively maintained by the developers, and not monitored by the users who have them installed, so they’re an easy back door for compromising a website.
Matt Johansen, senior manager of the Threat Research Center for WhiteHat Security, pointed out that this is just the latest in a string of serious vulnerabilities affecting WordPress sites over the last few months, and that SoakSoak is just the latest malware to take advantage of one of these critical flaws to worm its way through WordPress sites.
Johansen cautions, “As is the case with many WordPress security events, the culprit is plugins which are inherently more insecure and harder to keep up to date as opposed to WordPress core. Users of WordPress should update to latest versions of all plugins used immediately in order to avoid this or other malware attacks.”
While the concept may seem new to average users publishing WordPress sites, the idea of updating or removing add-ons or plugins is a proven security best practice. Security experts have long recommended that users keep all software and drivers updated, and network administrators know that it’s best to avoid installing or enabling services that aren’t going to be used, because they just expose the server to unnecessary risk.
Vulnerable plugins is only one part of the problem. Robert Hansen, VP of WhiteHat Labs at WhiteHat Security, noted that allowing plugins to update automatically is another danger. “This shows not only that plugins are inherently more dangerous than WordPress core code, but also that the design of allowing code to update itself without any warning to the administrator is a common flaw in web-design.”
Just as attackers have compromised smaller, less secure third parties as a means of attacking larger victims like Target, malware developers know that it’s much easier to discover and exploit vulnerabilities in third-party plugins. The fact that SoakSoak has been able to spread to more than 100,000 WordPress sites is evidence of the risk you’re exposing yourself to by leaving out of date or unused plugins active on your website.
Hansen summed up, “Companies like WordPress.com and WPEngine.com do reduce the damage by quickly identifying and fixing the problems for the clients, but it’s best to keep the fewest plugins possible installed.”