Keylogger Found on 5,500 WordPress Sites

Published by Ryan Miller on


A malicious script that is loaded from “” records keystrokes and sometimes loads an in-browser cryptocurrency miner. The “” domain is not part of the Cloudflare company, but the at-first-glance affiliation does give the malicious domain an air of legitimacy.

The script logs any data a user types into the form fields of a web page when the user switches away from the input field. The script goes as far as loading on a website’s backend, allowing for the capture of administrator credentials when logging into the site’s administration panel. The greatest danger comes when the script is loaded into the front end of the website, where credit card numbers, addresses, phone numbers, and a host of other sensitive information can be collected.

The majority of the scripts were placed after the website had been compromised through other means, e.g., a directory that was left public and later used for part of the website, or a user account with permissions it shouldn’t have and a weak password.

The attackers have been active since April and have used three different scripts. The first script was used in April when the attackers’ campaign began and contained JavaScript that was embedded into banner ads. In November the attackers changed their technique to scripts masquerading as jQuery and Google Analytics JavaScript files. The fake scripts were a copy of the Coinhive in-browser cryptocurrency miner.

The third script the attackers are using is a combination of the first two scripts, so it runs a cryptocurrency miner and a keylogger concurrently. The third script has seen the widest distribution, with infections totaling 5,496. Most of the infected websites rank outside of the Alexa Top 200,000.

If you believe your website might be infected, you should install Wordfence (free and paid versions are available) and run a scan. If you already have a security solution and still believe you’re infected, follow the instructions below from the researchers who discovered the scripts.

As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts. Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack). Don’t forget to check your site for other infections too.
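To locate what the cleanup instructions above tell you to remove, the following added example (not code from this post or from the researchers) scans every PHP file under a theme directory for an `add_js_scripts` function definition and for `add_action` clauses that reference it. The sample theme file and its placeholder body are constructed for illustration; the script only reports file and line, leaving the actual removal to a manual review.

```python
import re
import sys
from pathlib import Path

# Indicators named in the cleanup advice: the add_js_scripts function and
# any add_action clause that mentions it (possibly split across lines).
FUNC_DEF = re.compile(r"\bfunction\s+add_js_scripts\s*\(", re.I)
HOOK_REF = re.compile(r"\badd_action\s*\([^;]*?['\"]add_js_scripts['\"]", re.I)

def scan_php_source(text):
    """Return sorted (line_number, kind) findings for one PHP source string."""
    findings = []
    for kind, pattern in (("function_definition", FUNC_DEF), ("add_action_hook", HOOK_REF)):
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1  # 1-based line of match start
            findings.append((line_no, kind))
    return sorted(findings)

def scan_theme_dir(root):
    """Scan every .php file under root; return {path: findings} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample of an infected theme file (not taken from a real site).
SAMPLE_INFECTED = """<?php
function mytheme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'mytheme_setup');

function add_js_scripts() {
    // injected script loader would sit here (constructed placeholder)
}
add_action( 'wp_enqueue_scripts',
            'add_js_scripts' );
add_action("admin_enqueue_scripts", "add_js_scripts");
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python scan.py wp-content/themes
        for path, hits in scan_theme_dir(sys.argv[1]).items():
            for line_no, kind in hits:
                print(f"{path}:{line_no}: {kind}")
    else:
        print(scan_php_source(SAMPLE_INFECTED))
```

A clean result here does not rule out other infections, so the password changes and the broader site check described above still apply.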
