Dutch IT company
The Fox IT CryptoPHP white paper is very technical and covers attack vector points for WordPress,
Let me
It concerns something called “Nulled Scripts”. Some of you may not have come across this terminology before.
What Are Nulled Scripts?
Nulled scripts are bits of code, such as a WordPress plugin or WordPress theme, which have had their copy protection removed.
Many non-GPL “pro” plugins and themes come with a serial key which gives access to the paid features or entitles you to free upgrades.
Nulled scripts have these protections removed so that they work for free. It is outright theft, of course, or, put another way, pirated software.
There are many sites offering nulled (PHP) scripts as well as
Please do not use them. Here’s why.
CryptoPHP Infection
The guys at
It’s not new that many “free” WordPress plugins and scripts can contain malware if not downloaded from a verified source such as WordPress.org, Theme Forest, WooThemes or the like.
This particular infection is more devious than previous malware in that it encrypts data before sending it back to
For a seasoned PHP developer, spotting the infection is rather easy.
include('assets/images/social.png');
Any developer will look at that and immediately be suspicious – why is an image being included in the PHP script? That’s way not right!
The include() function is used for loading external PHP scripts. Bingo!
You’ve guessed that social.png isn’t really an image and you’re right. It’s some PHP code disguised as an image file.
This nasty little script can even avoid detection as many malware scanning
We use WordFence as our go-to security plugin for all WordPress sites. The newest version of the plugin automatically checks all include() statements for suspicious files and there is also an option to scan image files like they are PHP code.
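Both checks described above (include() statements that point at image files, and image files that contain PHP code) can also be run by hand over a theme or plugin directory. The script below is an added example, not code from the white paper or from WordFence; the sample theme it builds in a temporary directory is constructed for the demonstration, and the list of image extensions is an assumption.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = (".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp")
# include/require (and *_once) whose quoted argument ends in an image extension
INCLUDE_RE = re.compile(
    rb"""\b(?:include|require)(?:_once)?\s*\(?\s*['"]([^'"]+\.(?:png|jpe?g|gif|ico|bmp))['"]""",
    re.IGNORECASE,
)
# A PHP open tag inside an image is a lead to inspect by hand, not proof of infection
PHP_TAG_RE = re.compile(rb"<\?php", re.IGNORECASE)


def scan(root):
    """Return (suspicious_includes, php_in_images) found under root."""
    root = Path(root)
    includes, images = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() == ".php":
            for lineno, line in enumerate(data.splitlines(), 1):
                m = INCLUDE_RE.search(line)
                if m:
                    includes.append((rel, lineno, m.group(1).decode(errors="replace")))
        elif path.suffix.lower() in IMAGE_EXT and PHP_TAG_RE.search(data):
            images.append(rel)
    return includes, images


def build_sample(root):
    """Constructed sample theme: one clean image, one PHP file posing as a PNG."""
    img = Path(root) / "theme" / "assets" / "images"
    img.mkdir(parents=True)
    (img / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (img / "social.png").write_bytes(b"<?php /* constructed placeholder, no payload */ ?>")
    (Path(root) / "theme" / "functions.php").write_text(
        "<?php\n// theme setup\ninclude('assets/images/social.png');\n"
    )


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits, fake_images = scan(tmp)
        for rel, lineno, target in hits:
            print(f"{rel}:{lineno}: include of image file {target}")
        for rel in fake_images:
            print(f"{rel}: image file contains a PHP open tag")
```

To check a real site, call scan() with the path to wp-content and review every hit manually; an include built from variables or string concatenation will not match this pattern.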
What Does The Malware Script Do?
Remember that this security issue doesn’t just affect WordPress. It also affects Joomla, Drupal and possibly other CMSs which use add-on modules to extend functionality.
The white paper shows how to identify the script so you can check all your WordPress installations today.
We urge you to check all your sites for this now. Never download “free” themes or plugins from unknown or community-unverified sites, and lastly, share this amongst your friends and colleagues to make the web a more secure place.
If you want to super secure your WordPress website, have a read of our WordPress Security Best Practices post.