100,000+ WordPress Sites Compromised Using the Slider Revolution Security Vulnerability

photo credit: Ravages - cc
photo credit: Ravagescc

Over the weekend, the security team at Sucuri discovered that more than 100,000 WordPress sites have been hit with the SoakSoak.ru malware campaign. This campaign has resulted in more than 11,000 domains being blacklisted by Google.

SoakSoak modifies the wp-includes/template-loader.php file in order to inject Javascript, which contains the malware, into every page on compromised sites. You can check to see if your site is affected by using Sucuri’s free SiteCheck scanner.

After researching the compromised sites, Sucuri found that SoakSoak’s vehicle of attack is the critical security vulnerability that was discovered in the Slider Revolution plugin and made public in September. At that time, Envato identified more than 1,000 themes sold through its marketplace that were potentially affected by this particular vulnerability.

The Slider Revolution issue, though silently patched in February, has been actively exploited since its disclosure. Many WordPress site administrators have not updated their copies of the Slider Revolution plugin to the patched version, leaving their sites open to compromise. Since the plugin is packaged with many themes sold through Themeforest, site owners are not always aware that they are vulnerable.

According to the report from Sucuri, the SoakSoak attack first scans sites to locate the vulnerable file within the Slider Revolution plugin in order to gain access to the wp-config.php file. If successful, the intruder then attempts to upload a malicious theme to the site, followed by injecting the Filesman backdoor into the website. The attacker then injects another backdoor in order to modify the swfobject.js file to inject malware that redirects visitors to soaksoak.ru.

This malware attack is particularly difficult to clean up after. If your site has been compromised, you cannot simply remove the infected files. The backdoors will also need to be addressed, as well as the Slider Revolution vulnerabilities. Sucuri advises stopping malicious attacks through a firewall. If your site or one of your clients’ sites is using the Slider Revolution plugin, it is imperative that you check to see if you are affected and update your site and plugins immediately.


33 responses to “100,000+ WordPress Sites Compromised Using the Slider Revolution Security Vulnerability”

  1. It’s disappointing that so many sites are affected by the vulnerabilities considering sites like the Tavern and others did a great job of telling people about the issues with Rev Slider. I wonder what happened? Did they never find out about it? Could they simply not upgrade? Did sites not want to upgrade? We’ll never know.

    • I was surprised similar … when checked stats how many WP sites use old version of WP.
      Its funny to be hacked bc. slider – some picture on webiste :D
      First of all mostly I don’t understand who and why put any slider on website. On other hand, some quality useful plugins majority of users don’t touch.

      • Why people put slider on web site? The reason is that WordPress has evolved from a pure blogging platform to a full-blown CMS, and people make business out of it. In my area, there are several graphic design companies started to use WP to design web sites for other companies and they don’t need programming skills and they solely rely on plugins and themes to design web sites. When this kind things happened, they don’t have knowledge to act upon.

    • Hey Jeff,

      We (Envato) emailed all buyers of themes with rev slider in it as well, which you’d expect to be the most effective way of reaching them (not *all* of them will read the Tavern). I guess some people don’t read their email!

      I did meet a guy at a responsive web design meetup recently who said that they’d been hacked the day before. They’d received the email and looked at it and couldn’t see how hackers would exploit the vulnerability, so didn’t update. Then got hacked. Doh!

      Of course there are themes on other marketplaces with Rev Slider bundled, so it could be buyers from there (I don’t think they emailed buyers), or people with pirated copies. But I suspect people just didn’t take it seriously even when emailed. Some people gotta learn the hard way.

      • How about you guys at envato stop selling junk that simply does not work. If you have any doubts about this check some of your trustpilot reviews – I am one of many that reported stuff that you sell that is total rubbish and then refuse to refund for.

        • Hey Paul,

          Actually if something doesn’t work, we normally do give a refund. Do you have a ticket number with us that I can follow up for you? Better not post it here – maybe click the link on my name, which will take you to my personal site where you can use the contact form. Anyway, happy to look into it for you, although obviously can’t promise anything without knowing the details.


    • I think I can shed some light on why people did not upgrade.
      The sites that did not upgrade can be split into two categories, the sites that are being managed by the developer and the sites that have been handed to the client, putting them in full control.

      When the client is handed the site, they generally dont know what to do, so they usually do nothing. If they do happen to login to their website (which is rare) they will likely not update the plugins and themes. Worse still, themeforest only emails the developer and so the end client is left completely unaware as most themes do not notify of available updates. However the revolution slider does, but the update wont work as the theme needs to be updated as a whole.

      Then you have the developers (who dont care) because I know that other developers like you and I who follow news will update as soon as an issue is publicized and an update pushed through. But most developers won’t update. I recently had a long talk with a developer who has not updated cpanel or any other items within their server since the day it was setup, some 4+ years ago. Their explanation was that when they update, things break and that needs to be addressed which costs money and reduces profit. By not updating the server, they can save money and just roll the customers site back to the last uninfected backup, knowing perfectly well that that will likely contain the vulnerability that resulted in the infection to begin with.

      These are hard lessons to learn, but I do like it as it shows the low quality developers from the high quality developers in my humble opinion.

      • in other words, clients do not want to pay enough money to have their sites properly managed. When you have a race to the bottom in how much clients are willing to pay for a web site it is no wonder the service is bad or non existing (the original developer could have notified the “abandoned” site owners). It is not the fault for the developers but of the clients and anyone that sell them the idea that having a wordpress based site is “free”.

        • Sorry, I hadnt replied a lot earlier.
          No, I do not think that it is a case of the client not wanting to pay more, but a case of some developers focusing on income and not quality.
          For example, almost all of our clients enter our company through services that do not cost a lot. However, they see our quality and come back again and again. Just one example of a client is one who first purchased our plugin for $99.99. They were so happy with the quality and attention to detail that they came back to us so many times and so frequently that within 3 months, they spent $3000 with us.
          You are absolutely correct that a race to the bottom line is not a good one.
          Do you buy a car that has the right features, or just buy the cheapest one on the market?
          As developers, we need to be pushing quality to customers.
          All our clients are given a package which includes monthly updates. While this is a service that we consume the cost of, it almost guarantees that they stay as our customer and come back time and again for more services as it builds trust.
          Take for example, the 2 situations.
          1) Customer gets hacked and contacts the dev to ask for assistance.
          2) Dev upgrades site when vulnerability is present and update fixes said vulnerability.
          In case #2 it builds trust. Case #1 destroys it.

    • Some options for reasons the sites didn’t update:

      (1) Developer handed the site over to a client, but with no one hired to maintain it. Many (most?) site owners don’t understand the importance of having someone maintain their site for them.
      (2) Site owner never logged into their admin panel and ignored all emails about it (if they received any at all).
      (3) The site is dead, or almost dead. Lots of sites are just sitting their stagnant and unused. Getting hacked is a bit of non-issue for those sites.
      (4) The owner figured it will never happen to them and are too scared to update.
      (5) For “security” purposes, they turned the WordPress update system off.

      What disturbs me the most in this whole debacle is how theme developers just randomly shove code like that into their themes without checking out it’s quality first.

  2. Ouch. That’s a lot of domains blacklisted by Google. That has to hurt, but where there’s misery, there’s also happy competitors who have moved up in search as a result of these now blacklisted domains. Saw this in the dashboard and made sure to scan my network for vulnerabilities. While this security concern with the Revolution Slider wasn’t an issue, I did notice some security concerns which required resolution so at the least, thanks for bringing my network’s security to the forefront of my mind. Definitely don’t want my websites distributing malware and getting blacklisted, to say the least. Although, it certainly wouldn’t be the first time one of my websites was hacked. Cat and mouse; such is life.

  3. Another good example who the best hosts are respectively. If you choose a web hosts whose only claim to fame is unlimited space, and not a word about security on their home page, then you can expect little to minimal security help in future (when you need it most).

  4. I think this kind of attack towards WP sites will become more and more. WP has evolved from a pure blogging platform to a full-blown CMS, and people are making business out of it. There are several web design companies in my area are using WP to build web sites for other companies. Some of them don’t have programming background, let alone cybersecurity, and rely solely on plugins and themes to design the web site. When this kind things happened, I don’t think they have enough knowledge to act upon.

    Plugin and theme developers should be blamed definitely for this security attack, if they could take security more seriously, the attack could have been prevented long before. On the other hand, I am thinking maybe the WordPress development team can do something to increase the security. For example, if it knows some plugin or theme has security vulnerability, then it can disable it automatically. It sounds very intrusive, but isn’t Automatic Update already doing that?

  5. I’ve dabbled with companies like Envato/Themeforest,Mojo themes, etc. and have had clients come to me with themes from them as well. By and large the experience has been very poor. Oddly coded and configured themes that have very poor documentation and sketchy support.

    Unless I am developing my own theme I only use and recommend themes that are in the WP repository. These have been vetted by WP and are of good quality.

  6. I’ve bought a few WordPress plug-ins from ThemeForest that didn’t work out, but plug-ins are often a crap-shoot anyway, paid or otherwise. ThemeForest does a decent job – you review the comments, change logs and good luck – buyer beware!

  7. Hi Everyone, First things first, I’m a developer but not a website developer and I’m interested and have enough codding skills to work on a theme or two. I was thinking about reshaping my company website (old ugly and html only website) with WP Theme but hearing the news about security and also you guys talking about ThemeForest, Envato and others so badly makes me dubious.

    What do you guys recommend for me to get my hands on a premium looking website, doesn’t need to have much functionality, the current one is static, that I can work on and manage.

    Thanks in advance and,

    Merry Christmas.

  8. Once upon a time, knowing how to code and being mindful of security issues, was what kept the masses at bay.

    These days however with WP et al, if you know how to use a mouse and keyboard, that’s all you need to setup a site. Everything has been ‘dumbed down’ to such a level now, give it few more years, my dog could probably open his own site.

    As a point of reference, visited GWM Forum the other day. Mutliple posts from non-tech-site-owners asking totally clueless questions. EG this pearler – “GWMT tells me my WP site is failing some mobile compatiblity tests, how do I fix it?” But no URL supplied!

    Granted if someone has the skills and wants to get into a site, they’ll find a way. However script kiddies et al will give up and move to a softer target. The thing is if your a coder (bona fide webmaster) you know how to keep the cr#p at bay and out of your site(s).

    Reiterating, once upon a time, knowing how to code etc etc was what kept the masses at bay.

    In closing, I’ve even gone so far as to contact a couple of sites which have been hacked, to let them know and instead of being thanked, all I got was abused and treated like I was trying to pull some scam. Unfortunately most people are so paranoid these days, that everyone is considered a threat.


Subscribe Via Email

Enter your email address to subscribe to this blog and receive notifications of new posts by email.