There have been over 5,000 WordPress sites that have been infected with malicious script that logs keystrokes and sometimes loads an in-browser cryto-currency miner.
The malicious script is being loaded from the “cloudflare.solutions” domain, which IS NOT affiliated with Cloudflare in any way, and logs anything that users type inside form fields as soon as the user switches away from an input field.
The script is loaded on both a site’s frontend and backend, meaning it can also log usernames and passwords when logging into a site’s admin panel.
On most WordPress sites that have been infected for the user it will only effect user data in the comments field. However for e-commerce sites that have been infected this could also lead to a breach of user personal information as well as credit card information.
Sucuri experts recommend the following advice for owners who spot the script.
As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts. Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack). Don’t forget to check your site for other infections too.
For our clients at Higher Images we are not utilizing the cloudflare.solutions CDN and also we are running Wordfence, Securi and iThemes security to protect this type of hack. For our clients if you have any questions please call us at the office.