SoakSoak Malware Compromises 100,000 WordPress Sites with RevSlider Plugin

On Sunday, Sucuri reported a huge malware campaign referred to as "SoakSoak" that had compromised over 100,000 self-hosted WordPress sites.

broken lock security

On Sunday, Sucuri reported a huge malware campaign referred to as "SoakSoak" that had compromised over 100,000 self-hosted WordPress sites. Already, Google has flagged more than 11,000 domains that were compromised as malicious.Not only are WordPress sites at risk of being compromised by the SoakSoak malware, but it’s an attack that could have been prevented---at least to a certain degree.According to Sucuri, the root cause of SoakSoak is a security vulnerability in the premium WordPress plugin from ThemePunch called Slider Revolution Responsive WordPress Plugin (also referred to as RevSlider or Slider Revolution).A ThemePunch representative responsed to the Sucuri announcement about the malware by publishing a comment to that article. The representative explained that the vulnerability was actually discovered in February 2014 and was fixed in a new version of the plugin (version 4.2). That means only WordPress sites that have the plugin installed but never upgraded to the newest version of the plugin are at risk of a SoakSoak attack.

What’s the Problem?

Why is SoakSoak affecting so many sites and causing so many problems now? The reason is two-fold.First, since RevSlider is a premium plugin, only people who purchased the plugin directly from ThemePunch will receive automatic upgrades through their WordPress dashboards. If the plugin came bundled into a theme used on a WordPress site, the site administrator might not even realize the plugin is installed. They wouldn’t get automatic upgrade reminders, so the vulnerable plugin is just sitting there waiting to be compromised.Second, many WordPress site owners and administrators don’t upgrade their plugins in a timely manner, which means they still have the vulnerable plugin versions installed on their sites.According to ThemePunch, it has offered a “free update” button on the RevSlider product page of its website since September 2014, which is easy to download and install. However, it’s clear from this news from Sucuri that many RevSlider users didn’t take the time to upgrade or never got the message that they should upgrade.

What Should WordPress Site Owners Do?

First, determine whether you’re using the WordPress-hosted application at WordPress.com or the self-hosted application at WordPress.org. Only self-hosted WordPress sites were affected from this attack.Second, check to see if the RevSlider plugin is installed on your site. According to ThemePunch, Envato (the marketplace where the RevSlider plugin is sold) published an article providing the steps that plugin users should take.Third, even if you don’t use the RevSlider plugin, you should run a malware scan and security check (e.g., Sucuri offers a free tool to do this) to make sure your system is clean.Image: Nick Carter licensed CC BY 2.0

Illustration of colorful books on a shelf against a dark background.