Keylogger found on nearly 5,500 Infected WordPress websites




Nearly 5,500 WordPress sites are infected with a malicious script that logs keystrokes and sometimes loads an in-browser cryptocurrency miner.

The malicious script is being loaded from the domain, which is not related to the real Cloudflare, and logs anything that users type inside form fields as soon as the user switches away from an input field.

The script is loaded on both a site's frontend and backend, which means that it can log username and password when logging into the admin panel of the site.




The script is dangerous when running on the frontend because on most WordPress sites the only place it could steal user data is from comment fields, and some WordPress sites are configured to work as online stores as well. In these cases, hackers can steal credit card data and other personal users information.

These attacks are not new, and Sucuri cybersecurity firm has detected three different malicious scripts hosted on the domain.

The first attack was spotted in April, then hackers used a malicious JavaScript file. In November, the same hacker group changed the tactics and was loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive cryptocurrency miner. By November 22, this campaign was spotted on the 1833 site.

In the last series of attacks, hackers have retained the cryptojacking script, but have also added the keylogger.

The script is active on nearly 5,500 WordPress sites

According to PublicWWW, this malicious version of the script is currently active on 5,496 sites.

The two malicious scripts that are known to load the keylogger are:

< script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js' >< /script >

< script type='text/javascript' src='hxxp://cloudflare[.]solutions/ajax/libs/cors/cors.js' >< /script >

The stolen data is sent to wss://cloudflare[.]solutions:8085/.

If your site is infected, be aware that the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.

Since it's a keylogger, in fact, all WordPress passwords are compromised, so the next mandatory step of the cleanup is changing the passwords.

Would you like to comment on this article?


Latest news


Hacker removed malware from Netgear site, the company failed to do so for 2 years

An anonymous hacker has removed malware from a Netgear site after the company failed to clean up a malware infection for more than two years.


Hacker robbed church in Northern Ireland

The hacker told the priest that the church computer should be remotely accessible to fix an internet problem.


Synaptics to remove keylogger from its drivers

The company has decided to remove the keylogger functionality from its products.

Sign up for our online newsletter!