
Updates on WordPress Security

Early last month Wordfence released a comprehensive paper covering WP-VCD, the most prevalent malware campaign affecting the WordPress ecosystem in recent memory. In this paper we examined the campaign from a number of angles, such as the behavior of the malware itself, its method of distribution, and its evolution over time.
The presence of threats like WP-VCD demands that WordPress users remain vigilant about the security of their sites in the long term. Scams like these are prolific for a reason: They’re effective. Our data shows that WP-VCD is still infecting more new sites per week than any other active malware campaign. Even after publishing a paper on the campaign, we have yet to identify any meaningful change in the rate of new infections.
Tips For Remaining Vigilant Against Scams
- Be responsible with the third-party code you add to your website. While WP-VCD is simple enough to avoid by steering clear of nulled plugins and themes, recent history has shown that even ostensibly-legitimate developers are capable of adding questionable code to their products.
- If you are not personally handling the development of your website, ensure you fully trust the people you’ve assigned the task. Less-than-reputable “gig” developers, who claim to offer full custom site builds for a price that’s too good to be true, frequently cut corners that will cost you headaches at minimum. Even if they’re not intending to infect your website, they’re still interested in cutting costs by getting commercial themes for free, and they’re not sticking around your site long enough to make sure it’s clean.
- As a general rule, never trust a page you didn’t intend to visit. WP-VCD and other recent attack campaigns have been identified injecting malvertising scripts. These scripts redirect a site’s visitors to unwanted locations. These pages attempt to trick you into giving them what they want. This includes phishing for logins with claims like “You must log in to your Google account to view this content”, or prompting you to engage in a tech support scam by claiming your device is corrupted or infected. They’ll also ask mobile users for permission to receive push notifications, which can be used to send further spam notifications.
- Periodically visit your sites from new devices and locations without logging into them. WP-VCD’s malvertising code attempts to hide itself from administrators by storing a cookie on their device and logging the IP address they connected from. That way, even if the admin logs out, it can still hide until they clear their cookies and connect from a new IP address. This hiding technique is not unique to WP-VCD, so checking from a fresh device and location can also help identify other malicious activity that would have otherwise gone unnoticed.
- If your site was a victim of WP-VCD or another malware infection, you should inform your users as quickly as possible. Responsible site ownership means being forthright about the fact that your site’s visitors may have encountered dangerous code. Plus, depending on the way browsers cache your site, some of your visitors may still see an infected version for a while after you’ve cleaned it. Giving your users a heads-up isn’t just the ethical thing to do, it demonstrates to them that their security is a priority.
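The tip above about visiting your site without logging in can be partly automated. The following is an added example, not code from Wordfence: it compares two saved copies of the same page, one as seen by a logged-in admin and one as seen by a cookie-less visitor, and lists external hosts served only to the visitor. The host names, snapshots and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute pulls in or points to third-party content.
URL_ATTRS = {"script": "src", "iframe": "src", "link": "href"}


class ExternalResourceParser(HTMLParser):
    """Collects hosts of external scripts, iframes, links and meta-refresh targets."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.hosts = set()

    def _add(self, url):
        host = urlparse(url.strip(" '\"")).hostname
        if host and host != self.site_host:
            self.hosts.add(host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in URL_ATTRS and attrs.get(URL_ATTRS[tag]):
            self._add(attrs[URL_ATTRS[tag]])
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "5; url=https://host/path"
            _, _, target = (attrs.get("content") or "").partition("=")
            self._add(target)


def external_hosts(html, site_host):
    parser = ExternalResourceParser(site_host)
    parser.feed(html)
    return parser.hosts


def cloaked_hosts(admin_html, visitor_html, site_host):
    """Hosts served only to the cookie-less visitor: candidates for cloaked injection."""
    return sorted(external_hosts(visitor_html, site_host) - external_hosts(admin_html, site_host))


# Constructed sample snapshots of the same page (not taken from a real infection).
ADMIN_VIEW = """<html><head><script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.org/lib.js"></script></head><body>Hello</body></html>"""
VISITOR_VIEW = """<html><head><script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//ads.example.net/r.js"></script>
<meta http-equiv="refresh" content="5; url=https://landing.example.com/?id=1"></head>
<body>Hello</body></html>"""

if __name__ == "__main__":
    for host in cloaked_hosts(ADMIN_VIEW, VISITOR_VIEW, "blog.example.org"):
        print("only served to anonymous visitor:", host)
```

For the comparison to mean anything, the visitor snapshot has to be saved from a client with no cookies for the site and from an IP address the site has not seen an admin use.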
Read more on the Wordfence blog.