My WordPress site was attacked by SoakSoak malware. A new user was created, named support_users_v-xxx, with support @ wordpress.com. The xxx is some number from 100 to 999. Does anyone know what's happening and how to solve it?
If you find a user name in the format support_users_v-xxx, your site was affected by the SoakSoak malware via the RevSlider security hole. You can also check your site with the following link:
http://yourdomain.com/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
If your website is vulnerable, it will show you the configuration file containing sensitive information about your website, including the database username, password, salts and other things. You then need to act as soon as possible.
The best way to clean your site and remove the SoakSoak malware is to replace the infected WordPress files with fresh, clean, original WordPress files. Also reinstall all plugins, and restore your theme if you have a backup. Don't forget to update login credentials such as the database login, the WordPress salts, etc.
WordPress hash online generator
If you don't have a backup of your theme, you can use a security plugin like Wordfence Security.
How to avoid SoakSoak malware in a WordPress website
- Keep WordPress, Plugins, Theme and Server upgraded
- Install security plugin like Sucuri Security, Wordfence Security – Auditing, Malware Scanner and Hardening
- Block direct PHP access to any file inside wp-includes, the upload directory and wp-content, and block directory browsing if these directories are browsable
- Always download plugins or themes only from WordPress.org or trusted sources.
- Install a plugin that limits invalid logins, like Login LockDown. This will protect your WordPress login against brute-force attacks. Most WordPress websites are hacked by brute-forcing the login. Also, never use the default admin username. The username “admin” is common and easy to guess.
- Use a web application firewall.
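The two indicators described above (the support_users_v-xxx account and requests to the revslider_show_image action) can be checked for in a user list and in web server access logs. The script below is an added example, not part of the original post; the function names and the sample log lines are constructed, and it assumes common/combined access log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Account name pattern described on this page: support_users_v-xxx, xxx = 100..999
ROGUE_USER = re.compile(r"^support_users_v-[1-9][0-9]{2}$")
# Client, request target and status from a common/combined-format access log line
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

# Constructed sample log lines (documentation IPs, made-up timestamps and sizes)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2015:10:01:22 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3120 "-" "-"',
    '198.51.100.7 - - [01/Jan/2015:10:01:25 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=%2e%2e%2fwp-config.php HTTP/1.1" 403 210 "-" "-"',
    '192.0.2.10 - - [01/Jan/2015:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=uploads/slide1.jpg HTTP/1.1" 200 48211 "-" "-"',
    '192.0.2.10 - - [01/Jan/2015:10:02:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "-"',
]

def rogue_users(usernames):
    """Return the usernames that match the support_users_v-xxx pattern."""
    return [u for u in usernames if ROGUE_USER.match(u)]

def revslider_hits(log_lines):
    """Return (client, img, status) for revslider_show_image requests whose img
    parameter climbs out of its directory or names a PHP file (query string only)."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        q = parse_qs(url.query)  # parse_qs percent-decodes the values once
        if "revslider_show_image" not in q.get("action", []):
            continue
        for img in q.get("img", []):
            if ".." in img or img.lower().endswith(".php"):
                hits.append((client, img, status))
    return hits

if __name__ == "__main__":
    print(rogue_users(["admin", "support_users_v-417", "editor"]))
    for client, img, status in revslider_hits(SAMPLE_LOG):
        verdict = "file may have been served, rotate credentials" if status == 200 else "blocked or failed"
        print(f"{client} img={img} status={status}: {verdict}")
```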
References
http://codex.wordpress.org/FAQ_My_site_was_hacked
Useful links
Website malware & blacklist scan (Sucuri)