rolffimages - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

WordPress security: How can the SoakSoak malware be stopped?

Enterprise threats expert Nick Lewis offers advice on how to defend against the SoakSoak malware targeting insecure WordPress sites.

I read that the attackers behind the SoakSoak malware have altered the Javascript code to infect WordPress sites. How has SoakSoak been changed, and is there any way to mitigate the new malware?

The updated SoakSoak malware targets insecure WordPress websites, specifically a WordPress plug-in called RevSlider. The SoakSoak malware exploits a vulnerability in the RevSlider plug-in that allows an attacker to upload a malicious theme to the WordPress site then infect a WordPress install.

It is important to note that the RevSlider plug-in is not installed by default. However, a novice webmaster might not know to check all plug-ins for WordPress (or any software with plug-ins or optional modules) for updates. It is critical to keep all plug-ins or modules (along with core software) up to date to ensure WordPress security.

Mitigating the risk from the SoakSoak malware is different than most malware targeting personal computers. WordPress runs on a Web server and usually on a server-related operating system. Therefore, remediation steps for a server would be needed at the worst case, which could result in rebuilding the server and restoring data from backups. In a best case scenario, the WordPress install is the only aspect impacted, so WordPress is the only software that needs to be replaced with a secure version.

When the new SoakSoak malware emerged, it was reported that some people only replaced the files changed by the SoakSoak malware. Given that any of the WordPress files could have been changed, all such files should be restored from a secure backup or known-good install files. WordPress would then need to be secured to prevent the attack from happening again.

Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)

Next Steps

Get info on how to secure CMS systems, including WordPress, Joomla and Drupal

This was last published in June 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal