On January 29, 2018, websites running the widely used content management system (CMS) WordPress were once again infected with malware. To date, approximately 2,000+ websites running the open-source CMS have become victims of a cryptocurrency keylogger.
Security firm Sucuri traced the keylogger back to the domain name “Cloudflare[.]Solutions”, which has since been taken down. (Cloudflare is also the name of a network management and cybersecurity firm. The company has no relation to the cryptocurrency keylogger.)
“Cloudflare[.]Solutions” was found as a src value in the functions.php file of the infected websites’ themes, where it was injected as a malicious script that ran the keylogger. Other newly registered web domains were also used as replacements for the original Cloudflare[.]Solutions domain to continue sending data to the hackers via the WebSocket protocol.
Sucuri researchers concluded, “The reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn’t even notice the original infection.” Sucuri suggests removing the malicious code from the theme’s functions.php file or scanning the wp_posts table.
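The check Sucuri describes can be scripted. The following is an added example, not code from Sucuri or WordPress: it lists the hosts that script src values in each theme's functions.php point to, flags the domain named above, and reports any other host missing from an allowlist, which is how the unnamed replacement domains would surface. The sample themes, the example.* hosts and the allowlist are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Domain named in the article, refanged so it can be matched.
BAD_DOMAIN = "cloudflare[.]solutions".replace("[.]", ".")
# src="..." / src='...' (optionally backslash-escaped in PHP), absolute or //host URLs.
SRC_RE = re.compile(r"""src\s*=\s*\\?["']((?:https?:)?//[^"'\\\s>]+)""", re.I)

def script_hosts(text):
    """Return the lower-cased hosts referenced by src attributes in text."""
    hosts = (urlparse("//" + u.split("//", 1)[1]).hostname for u in SRC_RE.findall(text))
    return {h.lower() for h in hosts if h}

def classify(text, allowed):
    """Split hosts into known-bad (the article's domain) and unreviewed (not allowlisted)."""
    hosts = script_hosts(text)
    bad = {h for h in hosts if h == BAD_DOMAIN or h.endswith("." + BAD_DOMAIN)}
    return bad, {h for h in hosts - bad if h not in allowed}

def scan_themes(themes_dir, allowed):
    """Check each theme's functions.php; return {theme name: (bad, unreviewed)}."""
    report = {}
    for path in sorted(Path(themes_dir).glob("*/functions.php")):
        bad, unknown = classify(path.read_text(errors="replace"), allowed)
        if bad or unknown:
            report[path.parent.name] = (bad, unknown)
    return report

# Constructed sample themes (paths, script names and example.* hosts are made up).
SAMPLE_THEMES = {
    "clean": "<?php wp_enqueue_script('a', get_template_directory_uri() . '/a.js');\n",
    "infected": f"<?php echo \"<script src='https://{BAD_DOMAIN}/x.js'></script>\";\n",
    "replaced": "<?php echo '<script src=\"//cdn.example.net/y.js\"></script>';\n",
}

def demo(allowed=frozenset({"example.org"})):
    """Write the constructed themes to a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE_THEMES.items():
            Path(root, name).mkdir()
            Path(root, name, "functions.php").write_text(body)
        return scan_themes(root, allowed)

if __name__ == "__main__":
    for theme, (bad, unknown) in demo().items():
        print(theme, "known-bad:", sorted(bad), "unreviewed:", sorted(unknown))
```

On a real site, point scan_themes() at wp-content/themes; classify() takes any text, so post_content values exported from wp_posts can be passed through the same check.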
Here is a link to an article that explains simple and in-depth ways to fix hacked WordPress sites and to keep it from happening again.