Hack Alert: Massive WordPress Javascript Infections In Legitimate JS Files

WordPress Javascript Infections

In the last week, there has been a huge spike in WordPress javascript infections. One of the scarier things about this newest hack is that it is infecting legitimate javascript files. Also, if you are hosting more than one domain on your current hosting plan, this infection is creating backdoors on all of your WordPress installations. We’ve spent the last two days scrubbing Skookum Monkey and our demos clean of this WordPress javascript infection. It’s insidious and a cause has yet to be determined. In this post, we’ll tell you how to detect the infection and how to clean it.

Before we get started, you can learn more about this hack on Sucuri’s blog and on Ars Technica.

Because this hack only affects first-time visitors to a website, we only became aware of it when we were alerted via Google Search Console.

Cleaning the WordPress Javascript Infections

1. Turn Off Any Javascript Caching

Because this hack is affecting javascript, one of the first places it injects itself is in .js cache files, especially if you are minifying javascript. If you do not turn off your .js caching and empty all of your caches, the infections will not go away.

2. Install iThemes Security

If you do not already have iThemes Security installed, do it now!

Once you’ve activated the plugin, click the “Get API” button. Then click the third option in the second box for quick secure, and close that box.

You will now be in iThemes Security Settings. At the top, you’ll see an area that says, “Go to” with a dropdown that says, “Choose a section.” Select “Malware Scanning,” then hit “Scan Homepage for Malware.”

If your site is clean, you’re good. If it’s not, make a note of all the files infected, as pictured in the top image.

Download fresh copies of WordPress and all infected plugins. Unzip them into a folder. We called our folder “Hack repair.”

Via FTP, upload the fresh files.

Wait 10 minutes, then scan again.

If people visit your site while you are cleaning things up, more files will get infected. So, you may have to go through the entire process multiple times, with multiple plugins, before your site is clean.

Be sure to do this on all sites you may have hosted under the same hosting package.

3. Scan All Sites Every Day

Because it has yet to be determined what is causing this issue, there is a chance that your sites will get reinfected. We thought we got it all yesterday, only for it to crop up again today. Also, you may be clean today, but tomorrow you may get hit. Until a cause is determined for these WordPress javascript infections and a fix is released, your site is not safe and you need to be vigilant.
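A file-level check to run alongside the scan-and-replace steps above, as an added example that is not from the original post: it compares every .js file in a downloaded copy of the site against the unzipped fresh copies (the “Hack repair” folder) by SHA-256. The function names and the download-then-compare workflow are assumptions, and the fresh copies must be the same versions as the ones installed, otherwise legitimate updates show up as differences.

```python
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large bundles do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_js(live_root, fresh_root):
    """Compare each .js file under live_root with the same relative path
    under fresh_root (the unzipped clean download).

    Returns {"modified": [...], "unknown": [...]} of relative paths:
      modified - present in the fresh copy, but the contents differ
      unknown  - no counterpart in the fresh copy (cache files, uploads,
                 or a file that should not be there); review by hand
    """
    live_root, fresh_root = Path(live_root), Path(fresh_root)
    report = {"modified": [], "unknown": []}
    for live_file in sorted(live_root.rglob("*.js")):
        if not live_file.is_file():
            continue
        rel = live_file.relative_to(live_root)
        fresh_file = fresh_root / rel
        if not fresh_file.is_file():
            report["unknown"].append(rel.as_posix())
        elif sha256_of(live_file) != sha256_of(fresh_file):
            report["modified"].append(rel.as_posix())
    return report


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: compare_js.py <downloaded-site-copy> <fresh-copy>")
    result = compare_js(sys.argv[1], sys.argv[2])
    for kind in ("modified", "unknown"):
        for rel in result[kind]:
            print(f"{kind.upper():9}{rel}")
    # Non-zero exit when a known file changed, so a daily job can alert on it.
    sys.exit(1 if result["modified"] else 0)
```

Files reported as unknown under a cache directory are expected until the javascript caches from step 1 have been emptied.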

If you don’t know how to do any of the above steps, ease your mind: Hire Skookum Monkey to take care of this WordPress javascript infection issue and to continue to monitor your site until a cause and permanent fix is found.

One Response to Hack Alert: Massive WordPress Javascript Infections In Legitimate JS Files

  1. Good info, thanks for making me aware of this problem and giving a detailed explanation of how to check for it and solve if it’s a problem. Luckily doesn’t seem to be an issue on the WordPress website I’m currently managing.
