New WordPress Malware SoakSoak – How to Scan your Site and Remove it

WordPress is undoubtedly the most preferred and popular website platform with more than 74 Million sites running on WordPress. Due to its popularity, it is Hackers’ all time favorite hangout spot. If you didn’t know, wordpress is always under attack making headlines every now and then. Read this. this. and this.

Again a new malware attack called soaksoak is on the loose and has already compromised more than 100,000 WordPress sites according to Sucuri, a website security firm. You will see a browser warning – ‘The Site Ahead Contains Malware’ (see above image) or ‘Visiting this site may harm your computer‘ if your site is affected.

How to Scan and Remove the new ‘soaksoak’ Malware – “The Site Ahead Contains Malware” Fix

Read on even if you have watched the video

There are different ways to do this and different sites and plugins that you can use but I’ll try to keep it as simple as possible.

1. Update WordPress and Plugins

First thing first, check if your WordPress and all your plugins are up to date. Update them, if they’re not. You can do this by hovering over to Dashboard > Updates

2. Scan for Malware

Install the wordpress plugin – Wordfence and open it. This is the plugin we are going to use to scan and fix some of the affected files (core wordpress files). It should be somewhere below Settings on the left menu.

Click on ‘Start a Wordfence Scan’. This will take some time depending on your site.

3. Fix the Malware Affected Files

Once the scan is complete, scroll down and you will see which files were affected. In most cases it is these two files that are affected:

• Template-loader.php (located at: /wp-includes/template-loader.php) And
• swfobject.js (located at: /wp-includes/js/swfobject.js)

Click on “Restore the original version of this File” button. Do this on both the files. (see image below)

Check any other php or js (javascript) files that were modified recently which you didn’t authorize and do the same as above. If files other than wordpress core files are affected then you won’t be able to do the “Restore” with WordPress.

You will have then have to do it manually. If it is a plugin file then uninstall the plugin and install the latest version of it.

4. Update Slider Revolution (Revslider) plugin

Update the Slider Revolution (Revslider) plugin or better, uninstall or remove the Revslider plugin and then install the latest version of the plugin. Then use an FTP client to browse to  yoursite/wp-content/plugins/revslider/temp  and delete all the files in it.

What if you can’t find Slider Revolution or haven’t installed it?

• It is possible that it’s integrated in one of your installed Themes on your site. Update that theme or contact the theme developer.
• If you are on a Shared Hosting then it is possible that one of the sites on your share hosting has Slider Revolution (Revslider) plugin installed on it or integrated in one of the installed themes. So check all your sites one by one.

5. How the Malware got access to your site: Slider Revolution (Revslider)

According to Sucuri.net the source of the problem is a vulnerability in the WordPress Plugin Slider Revolution (Older Version below 4.2) through which the hacker got access to your site and planted the soaksoak malware.

This vulnerability was reported long back and the developers of Slider Revolution plugin patched it in their 4.2 version of the plugin. So if your version is below 4.2 it’s time to update.

For more information on it Read this

6. Submit Site Review: Google Webmaster Tool

This step is optional but I highly recommend it. Without this step it may take weeks or even months for Google to remove your site from their blacklist so your site will continue to show the browser warning whenever someone visits your site.

Signup: signup for Google Webmaster tool if you haven’t and verfiy your site. Here is a guide to do this

=> Setup Webmaster Tool

Submit: Then submit your site to google for review. In Google webmaster tool, go to

> Security Issues (below Crawl on Left Menu). Scroll down and tick “I have fixed these issues”

> Click the Request a Review button. Click here for more information on this.

If your site is on a Shared Hosting then make sure to check all the other sites and repeat all the above steps for each. I know it’s a pain but this is the only way we’re gonna fix this so let’s get it rolling and if you face any problems do not hesitate to leave a comment below and I will be happy to help.

Note: It will take some time for Google to review your site so be patient and your site should be back to normal in a day or two. For one of my sites, it took a week.

What is a Malware?

Malware is short for Malicious Software and is a broad term referred to different types of malicious softwares like Virus, Spyware, Trojans etc. Malwares are designed to damage your computer (stand alone or network) or website or to steal information or to make unauthorized changes to your computers or websites.

For more information click here.

Free Online Malware Scan Tools (WordPress or any site)

Here is a list of free online tools that you can use to scan for virusses or malware on your site. These tools are good for detection of problems but for the removal of the detected problems, they usually charge a fee.

However, the information these tools provide (scan results) are valuable. With the help of these information and by doing a little bit of research online, you will be able to remove or fix those problems by yourself.

https://sitecheck.sucuri.net  (probably the best one)

https://www.virustotal.com

https://app.webinspector.com

https://www.quttera.com

How to Secure my WordPress site?

Here are a few tips to secure your site and stay out of trouble.

1. Always keep your WordPress upto-date including all the plugins. Remove/ uninstall any plugins that you don’t use or inactive plugins that you don’t intend to you in the future.
2. Always choose a unique username. Do not use your site name as your username, that’s an open invitation to the hackers.
3. Always choose a strong password and change it whenever your site is hacked. This applies to your cpanel and ftp passwords as well. Here are some rules for choosing your password:
   • Do not choose a password that can be guessed. If your site is chuckNorris.com  don’t choose a password that includes chuck or norris or you could be in trouble  😛
   • Do not choose a password similar to Username.
   • Do not choose password based on a dictionary word. Ex: smile123
   • If possible use a combination of alphabets, numbers and special characters(!@#$%^&*())  Ex: zambuling4@
4. Install a security plugin like iThemes Security or Bulletproof WordPress and follow their at least the basic recommendations.
5. Change the username Admin or create another one and delete Admin user. Also change the ID of the administrator. The ID should never be “1”. Install the above security plugins and you will know how to do it, it’s easy.
6. Hide the Admin Login access to your site. By default it is www.honeybooboo.com/wp-admin  You can change it with the use of the above security plugins to something like www.honeybooboo.com/magic  Now you must remember this else you won’t be able to login to your site. I recommend using iThemes Security plugin.
7. Follow most of the recommended settings by your security plugin to secure your site to the next level.
8. And last but certainly not the least, Back it up Buddy!!  This is said over and over almost everywhere but we always forget or ignore it. So please backup your site from time to time so in case the problem goes out of hand, you can restore your entire site back and then do what is necessary to prevent future attacks. You can backup using:
   • Website’s Control Panel: do  a complete back of your site from your website’s control panel from time to time
   • Free WordPress Backup Plugins: backup using free wordpress plugins like BackWPup or Revisr 
   • Premium (Paid) WordPress Plugins: backup on cloud using premium plugins like VaultPress or BackupBuddy

Please keep in mind that no site is 100% secure but with above changes in place, it will be way too hard for a hacker to sneak into your site. With a few precautions and security measures you can avoid a lot of trouble later.

Final Notes

This is certainly not the ultimate guide on WordPress Malware Protection and Removal, that in itself is a vast topic; too vast to be covered in a blog post but someone affected by the recent ‘soaksoak’ malware  will find it useful.

If you have any questions or want to share your experience, leave a comment below. I would also like to know what security plugin you use for your site.