An aggressive malware campaign is corrupting many WordPress-based websites, and any Windows PC user who visits those sites with an out-of-date Web browser is at risk of being infected with ransomware that irreversibly encrypts files.
Several security companies issued warnings this past week that many WordPress sites had been surreptitiously hacked and were redirecting visitors to malicious pages hosting the Nuclear browser exploit kit, which tries to infect Windows PCs with Teslacrypt, a ransomware strain that encrypts files and demands payment to unlock them.
To avoid infection, you'll need to make sure your Adobe Flash Player, Adobe Reader and Microsoft Silverlight browser plugins are up to date, or disable them entirely. If you use Microsoft Internet Explorer, update that too.
WordPress-based sites get infected all the time, because many of them are set up and run by amateurs who don't keep up with software updates or security patches. But this malware outbreak is different because of the scope of the infections and the severity of the malware payload.
In a blog posting yesterday (Feb. 5), Copenhagen-based Heimdal Security said it had observed "hundreds" of WordPress sites infected in this malware campaign, likely just a fraction of the total number of compromised sites. In its own blog posting Monday (Feb. 1), Menifee, Calif.-based Sucuri noted that the malware was especially difficult for WordPress administrators to remove.
"If you host several domains on the same hosting account, all of them will be infected via a concept known as cross-site contamination," wrote Sucuri's Denis Sinegubko. "It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations — an abandoned site will be the source of the reinfection."
If you're administering a WordPress site, make sure your WordPress software, and the various extensions you may use, are fully up to date. Make your administrative password unique and strong, and turn on two-factor authentication if it's available.
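Because a forgotten test or backup copy on the same hosting account can reinfect the rest, it helps to inventory every WordPress tree under the account, not just the live site. The script below is an added example, not code from the article or from Sucuri: the function names, directory names and version numbers are constructed for illustration, and it assumes all sites live under one account root and that you supply the baseline version yourself.

```python
import re
import tempfile
from pathlib import Path

# wp-includes/version.php in every WordPress tree assigns $wp_version = 'x.y.z';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"](\d+(?:\.\d+)*)")

def as_tuple(version):
    """'4.4.2' -> (4, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def audit(account_root, baseline):
    """Return [(relative_site_dir, version, status)] for every WordPress tree
    under account_root; status is 'ok', 'outdated' or 'unknown'."""
    root = Path(account_root)
    results = []
    for vf in sorted(root.rglob("version.php")):
        if vf.parent.name != "wp-includes":
            continue  # some other version.php (plugin, unrelated app)
        site = vf.parent.parent.relative_to(root).as_posix()
        try:
            match = VERSION_RE.search(vf.read_text(errors="replace"))
        except OSError:
            match = None
        if match is None:
            results.append((site, None, "unknown"))  # unreadable or altered: inspect by hand
        elif as_tuple(match.group(1)) < as_tuple(baseline):
            results.append((site, match.group(1), "outdated"))
        else:
            results.append((site, match.group(1), "ok"))
    return results

def build_sample_account(root):
    """Constructed sample layout: a live site, a forgotten test copy, a damaged backup."""
    for site, body in {
        "example.com": "<?php\n$wp_version = '4.4.2';\n",
        "example.com/old-test": "<?php\n$wp_version = '3.9.1';\n",
        "backup-site": "<?php\n// version line missing\n",
    }.items():
        inc = Path(root, site, "wp-includes")
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_account(tmp)
        for site, version, status in audit(tmp, baseline="4.4.2"):
            print(f"{status:9} {version or '-':8} {site}")
```

An "ok" result only means the core version is current; it does not show that the site's files are clean.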