It’s probably not surprising that WordPress powers 30% of the internet. But you may be surprised to learn that, at the time of this writing, over 2,300 websites running on WordPress were infected by malware, based on data provided by PublicWWW, a source code search engine.
The malware includes a keylogger that records keystrokes in order to gain unauthorized access to passwords and other confidential data; it also installs a malicious script that produces an in-browser cryptocurrency miner. The ramifications are serious, possibly resulting in stolen admin credentials that can allow hackers to easily log into your WordPress site and, if the site offers e-commerce capabilities, pilfer vulnerable payment and personal data.
Website security company Sucuri, which reported that this malware infected over 5,400 sites last December, noted in a recent blog post that a number of injected scripts have been used in this attack, including a cdjs[.]online script that’s injected into either a WordPress database or a WordPress theme’s functions.php file.
“The keylogger captures all of the user’s actions on the keyboard, and is ready at any time to send all that has been recorded to the hacker,” says Amil Haimov, CEO of Cobweb Security. “The (malware) itself cannot appear on the website on its own—it must be the result of a hack.”
Chris Olson, CEO of The Media Trust, says WordPress, being the most popular self-hosted, open source CMS, has always experienced its fair share of compromises and is the perfect target for bad actors. “While open source platforms provide a fabulous ‘plug-n-play’ infrastructure, they are not supported by the vendor; therefore, they lack the protection users expect—there’s no accountability for the developer community should a feature or plug-in be compromised,” says Olson. “Plus, not only do most WordPress users lack technical expertise, but many users also build their initial site and don’t continuously evaluate its vulnerability, which will change over time.”
The pain inflicted by malware like this keylogger can be significant.
Tips to Combat Malware
“Not only does an attack harm the reputation of a website owner, but it can also expose the individual or company to fines associated with the inability to secure data and protect consumer data privacy rights,” Olson says. “General industry estimates put the cost of a successful cyber attack at [an average] $2 million in terms of lost revenue and remediation. Some estimate $10,000 in liability for a single attack, with large enterprises reporting long-term remediation costs ranging from one to five percent of revenue.”
To fix any website infected with this malware, Sucuri’s blog post recommends removing the malicious code from the theme’s functions.php file, scanning the wp_posts table for potential injections, replacing all WordPress passwords, and updating all third-party themes, plugins, and other server software.
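As an added example (not Sucuri’s tooling or anything from the article), a small Python scanner for the first two steps above: it flags external script tags in a theme’s functions.php and in wp_posts rows, treating cdjs.online (the host the article names) as known-bad and any host not on an assumed allow-list as needing review. The allow-list, file contents and post rows are constructed for the example.

```python
import re

# Host named in the article; the allow-list is an assumption for this example.
KNOWN_BAD_HOSTS = {"cdjs.online"}
ALLOWED_HOSTS = {"example.com", "fonts.googleapis.com"}

# Matches <script ... src="https://host/..."> and protocol-relative //host/...;
# same-site relative paths (a single leading slash) are deliberately not matched.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s>]+)", re.I)


def scan_text(text):
    """Return (host, verdict) for every external <script src> in text.

    verdict is 'known-bad' for the indicator from the article and 'unknown'
    for any host not on the allow-list; allow-listed hosts are skipped.
    """
    findings = []
    for host in SCRIPT_SRC.findall(text):
        host = host.lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append((host, "known-bad"))
        elif host not in ALLOWED_HOSTS:
            findings.append((host, "unknown"))
    return findings


def scan_posts(rows):
    """rows: iterable of (ID, post_content), e.g. the result of
    SELECT ID, post_content FROM wp_posts. Returns {ID: findings}."""
    return {pid: f for pid, body in rows if (f := scan_text(body))}


# Constructed sample input: a functions.php that echoes an injected tag into
# the page head, and three wp_posts rows, one carrying the same injection.
SAMPLE_FUNCTIONS_PHP = """<?php
add_action('wp_head', function () {
    echo '<script src="https://cdjs.online/placeholder.js"></script>';
});
"""
SAMPLE_POSTS = [
    (1, "<p>Hello world</p><script src='/wp-includes/js/jquery.js'></script>"),
    (2, "<p>Pricing</p><script src=//cdjs.online/placeholder.js></script>"),
    (3, "<script src=\"https://cdn.example.net/widget.js\"></script>"),
]

if __name__ == "__main__":
    print("functions.php:", scan_text(SAMPLE_FUNCTIONS_PHP))
    for pid, hits in scan_posts(SAMPLE_POSTS).items():
        print(f"wp_posts ID {pid}:", hits)
```

Any 'unknown' host is not necessarily malicious; it is a script source the site owner did not knowingly add and should account for before clearing the site.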
Jeff Capone, CEO/co-founder of data security firm SecureCircle, says these latter two steps are crucial. “Create and use secure passwords, and turn on two-factor authentication,” says Capone.
Also, “only install highly reviewed plugins from verified sites like wordpress.org.”
Haimov cautions that more than one of your websites may be vulnerable. “Many administrators create dozens of sites on one hosting account. When a hacker gets into a shell, all of the websites become accessible to him. As a consequence, you’ll need to check and repair all the sites on that account,” says Haimov.
Additionally, prepare to rethink your overall approach to security. “The first step is to identify owned and operated website code and then compare it to what actually executes to render content on users’ browsers outside the firewall. Then, analyze the heretofore unknown vendors, which may require research to understand their purpose or activity on the website, which vendor called them, and any potential risk they pose to the enterprise, employees, partners or customers,” suggests Olson.
Lastly, decide if that vendor should be allowed to execute on your website. “Vendors providing necessary value to website functionality should know your security expectations,” adds Olson. “Sharing your requirements with third parties goes a long way in demonstrating reasonable care for protecting consumers, which can help mitigate liability should something go wrong.”