In mid-December 2014, it became abundantly clear that something was going on with websites that were using the CMS WordPress. Google blacklisted more than ten thousand sites in conjunction with a new strain of malware going around, a particularly potent strain that has affected over 100,000 WordPress sites since it first appeared online. That made it big news in the online security community and across the internet in general. Some of the biggest companies in the world use WordPress-powered websites for everything from information distribution to ecommerce. Because WordPress is one of the largest and most versatile platforms, this attack is a big deal for anyone who has a website.
But what exactly is SoakSoak (and why does it have such a silly name)? Are there ways to prevent SoakSoak from affecting your website, and are there ways to fix your website if it has already been compromised by SoakSoak?
What is SoakSoak?
SoakSoak’s origins are Russian. You may see it occasionally called soaksoak.ru, because of its Russian heritage. The script infects your WordPress code, slipping in when widgets or tools are installed. For example, if you follow online security news, you may have heard that RevSlider has a vulnerability that creates a backdoor into your WordPress site. This is one of the first places that SoakSoak was seen—but it is not the only place that it has been seen.
If one website is infected, it can quickly infect all of the other websites hosted on that same server, so if you share server space with a website that uses RevSlider or another tool with this kind of vulnerability, it is possible that your website has also been affected by this malware. The two WordPress files that get infected with this malware are:
The virus infects these two files and installs malicious code that can do a number of things, including downloading itself onto users’ computers, stealing credit card information from those using an ecommerce website, deleting vital information from both the website and users’ computers, and so on. When we say it’s nasty, we mean it.
How to Prevent SoakSoak
Unfortunately, if you share server space with other websites, there might not be a way to prevent SoakSoak, unless you move your website to a dedicated server all its own and do not use RevSlider. If your website is already the sole inhabitant of its server and you do not use RevSlider, you are probably safe. If you have RevSlider, it’s probably a good idea to take it off immediately.
There are some ways to lessen the risk of this virus affecting your website. The first is to make sure you have effective antivirus and antimalware software on your computer. This will protect the website files stored on your computer and the computer itself from the effects of any malware.
Consider switching web hosting companies. There are lots of budget hosts out there. These are great for small businesses or burgeoning bloggers who need their websites online cheaply, but they usually don’t invest in great firewalls. If you really want to protect your website, make sure you’re using a reliable (if more expensive) hosting company.
Only download the most trusted plugins and themes and keep them updated. Old plugins and themes and the websites that offer them are great targets for hackers.
How Do You Know if SoakSoak Has Affected Your Website?
The best way to deal with SoakSoak is to assume that it has already affected your website and run it through a malware checker. There are lots of free tools online that will scan your website’s code and files for any malicious activity, including this newest threat. These are not foolproof, of course, but they are a good way to see if you have been attacked.
Chrome has also been very proactive about protecting its users from this malware. If you try to use Chrome to access a webpage that has this malware code embedded in it, Chrome will usually throw up a warning page before allowing you to access the page. If you visit your page (as a visitor, not as the owner of the website) and you see this warning, there’s a pretty good chance that you are currently infected.
Some users have even gotten alerts in their Google Webmaster Tools accounts, letting them know that their website has been infected and that there is a problem with the code on their websites. While all of these are good ways to see whether or not your WordPress site has been affected, there is a more definite way. If you check the code in those two files above and find malicious code, you have been infected. If you’re not code-savvy and still want to check your page, consider installing a WordPress plugin that reviews your code for any malicious bits.
How to Fix SoakSoak
If you discover that your WordPress site is being affected by SoakSoak, there are a few things you can do. The very best way is to start fresh, by deleting the infected files and putting clean files in their place (this is why it’s important to keep your original files around, boys and girls). Since you might not know exactly which file is the problem, unless you use a plugin to find it or search through all of the code yourself, just replacing all of the files is often a good idea. Oftentimes, you’ll be able to just “re-install” everything from your original files on your Dashboard.
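Both the check described under “How Do You Know” (looking at the core files for code that should not be there) and the fix above (replacing infected files with clean originals) come down to one question: which files differ from a pristine copy of the same WordPress version? The script below is an added example, not part of the original post or of WordPress itself; it hashes a clean tree and the live tree and reports what was modified, what was dropped in, and what is missing. The `demo()` function builds a constructed sample with one tampered file and one extra file; the directory names and contents are made up for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so a large upload does not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def compare_to_clean(clean_root: Path, live_root: Path) -> dict:
    """Classify live files against a clean install of the same WordPress version.
    'modified' files are the ones to replace from the clean copy, 'unexpected'
    files never existed in the clean install, 'missing' files were removed."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "unexpected": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def demo() -> dict:
    """Constructed sample: one tampered core file and one file the clean tree never had."""
    tmp = Path(tempfile.mkdtemp())
    clean, live = tmp / "clean", tmp / "live"
    for root in (clean, live):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.1';\n")
        (root / "wp-includes" / "load.php").write_text("<?php // original loader\n")
    # Simulated tampering: a line appended to an otherwise unchanged core file
    (live / "wp-includes" / "load.php").write_text("<?php // original loader\n// appended line\n")
    # Simulated drop-in: a file that is not part of the clean install
    (live / "wp-includes" / "extra.php").write_text("<?php\n")
    return compare_to_clean(clean, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Point `compare_to_clean` at a freshly downloaded WordPress of the same version and at the live document root; wp-config.php and everything under wp-content will show as “unexpected” because a clean download does not contain them, so review those separately.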
If your website has been infected for some time, you might have been flagged by Google as a site that harbors malware. Check whether this has happened in your Google Webmaster Tools. If it has, you should be able to request a review, which will enable you to get your website unlisted as a malware-harboring website and get back to normal.