Protect Your WordPress Site Against the SoakSoak Virus

Andrea Ferguson

President at AndiSites Inc.
Andi is founder and President of AndiSites Inc. She writes about website design and development, best practices, and random stuff her busy brain thinks would be useful.
Andrea Ferguson

The bad guys are at it again. The latest malware campaign from is causing Google to blacklist thousands of domains as vulnerable WordPress websites become infected (and often reinfected as website owners try to clean the hacked files in their installation).

The virus takes advantage of a previously-announced vulnerability in the popular RevSlider WordPress plugin.  Even if your site doesn’t include that plugin (check your Plugins list to be sure), it could still be infected if it shares server space with other sites that do include it.  Low-cost hosting is shared hosting, so unless you have a dedicated server, it’s likely that this concern applies to you if you have a WordPress site.


“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner,” wrote Sucuri’s Daniel Cid. “Some website owners don’t even know they have it as it’s been packaged and bundled into their themes.”

Cid added that even when website owners try to clean the two affected files in their WordPress installation, they may be swiftly reinfected. “This campaign is also making use of a number of new backdoor payloads, some are being injected into images to further assist evasion and others are being used to inject new administrator users into the WordPress installs, giving them even more control long term,” he wrote. “Some users are clearing infections and getting reinfected within minutes and the reason is because of the complex nature of the payloads and improper cleaning efforts.”


If you have a WordPress website, contact your host immediately and make sure that they are protecting your site. Our partner host, SiteGround, scanned all sites even before the attack became public and sent out emails notifying vulnerable sites and giving them exact steps for removal and recovery.  They also use mod_security to block vulnerabilities from exploits.  If you’re not with SiteGround, make sure your host is taking similar steps.

For further protection, be sure that you’re keeping WordPress and plugins update regularly, that you have adequate backups, and that your site is regularly scanned for malware using a tool such as

If you’re an AndiSites Support Plan client, no worries at all–we’re taking care of all this for you already.

If you have any questions about SoakSoak or any other website issues, please contact us. We’re always happy to help.


Back to Blog