Keylogger discovered on over 5,000 wordpress websites

This year, an investigation found many WordPress websites that featured cryptocurrency-mining malware. It seems that this malware has evolved and has become a keylogger that collects information entered by visitors during their visits to these websites. It has already been detected on more than 5, 500 WordPress sites.

Keylogger Discovered On Over 5, 000 WordPress Websites

Last April, the security company Sucuri discovered these 5, 500 sites that used CMS infected with malware for cryptocurrency mining. An increasingly common practice. Although, it seems that over the months this threat has changed noticeably.

Keylogger in WordPress

Initially, I used the WordPress functions.php file to make requests against a bogus Cloudflare address. So you could establish a WebSocket thanks to a library. But, all of this has evolved over time. It seems that for the moment cryptocurrency mining has stopped. Now, this malware has mutated into a keylogger. So all the spaces on the web to enter text have changed.

They are obtaining the information of the users and is capable of stealing the credentials of access to the user profiles of the web service and in WordPress. So CMS management can be compromised. Users are recommended to change their password as soon as possible to avoid possible problems.

For those users whose WordPress website is affected, the solution is to look for the file functions.php. Inside it, find the function add_js_scripts and delete it directly. Then find all the statements in which this function is mentioned and delete them too. Once this is done, the ideal would be to change the passwords or access credentials.