
More than 100,000 WordPress sites infected with new Russian malware

More than 100,000 WordPress sites have been infected with a new strain of malware after a vulnerable plug-in was not fixed.

The Russian malware, called SoakSoak, utilises a fault in a slideshow plug-in called Slider Revolution. The team behind the plug-in have known about the flaw since September, but nothing has been done to eradicate the issue.


According to security researchers at Sucuri, Google has already blocked 11,000 infected domains, but because many sites will be unaware that they are infected, it will be difficult to prevent the malware from spreading.

In order to remove the threat completely, the premium plug-in will have to be updated, which may have to be done manually by site administrators. Dulfy, a video game website, has successfully managed to remove the malicious code and has now implemented a firewall, but the site owner still believes the threat could return.

"The firewall will be a temporary measure until we can figure out what is doing it," Kristina Hunter told Gizmodo.

The SoakSoak attack has the potential to cause major havoc given the prevalence of the WordPress content management system. More than 70 million websites use the platform, although only self-hosted WordPress sites are currently affected.

Of course, anyone who visits an infected site is also at risk, particularly given that Google has only taken down a fraction of affected domains. It's not just smaller, regional sites that use the WordPress platform either; global news outlets such as Time are also WordPress-based, meaning it is almost impossible to tell if you're visiting an infected site or not.


While it is not yet clear what the aim of the SoakSoak malware is, it is unlikely to be beneficial for anyone other than the attackers themselves. So far, WordPress has not confirmed what steps it is taking to remove the threat, but if the Slider Revolution team had tackled the issue in September then the malware would already have been dealt with.