Outdated WordPress Sites Succumb To Shade Ransomware Attack

Outdated WordPress Sites Succumb To Shade Ransomware Attack

Online security is an enormously important topic for website owners, regardless of the choice of platform.  However, WordPress owners in particular must remain vigilant about the security of their websites if they want to stay one step ahead of hackers, keen to exploit every possible vulnerability.  We have previously discussed tips you can use to secure your company’s webpage on WordPress, including using two-factor authentication in addition to a complicated password and an SSL certificate.  Today, however, website owners need to go further to protect their websites and the details of their customers and subscribers.

We’ve talked before about the importance of keeping your core WordPress installation up-to-date, along with your themes and plug-ins.  While the WordPress core will keep itself updated, plug-ins and themes must be updated manually or by using a third-party plug-in like Advanced Automatic Update.  While this can be achieved in a matter of seconds, it does require ongoing vigilance – something that a growing number of WordPress website owners have neglected.  As you’ll soon discover, many of these people are now greatly regretting their actions.

The latest hacking epidemic is seeing WordPress and Joomla websites attacked and compromised by hackers who know how to take advantage of hidden HTTP directories to hide and distribute their malware in plain sight.  While not all details of this most recent hacking attack are completely known at this stage, it is thought that the hackers are specifically targeting websites with outdated plug-ins and themes.

The attacked WordPress sites have been identified as those built on versions 4.8.9 to 5.1.1.  You may remember that 5.1.1 was the latest WordPress release from 12 March this year, until a beta version of WordPress 5.2 was released on 27 March.

The hackers are gaining access to a hidden yet well-known HTTP directory to hide phishing pages and malware within a website’s file structure.  This hidden HTTP directory is typically one used to verify a domain’s ownership. Once this has occurred, the directory sits out of sight from website administrators.


While a number of different phishing pages and malware have been discovered within these hidden directories, the most common – and potentially most dangerous – is ransomware known as Troldesh or Shade.  After the hacker has successfully hidden the malicious software within the directory, emails are generated and sent to the website’s mailing list, containing a link to a specially-created HTML redirector page.  The emails appear legitimate, having genuinely originated from the compromised website and directing users to a redirector page hosted within the website itself. From there, users are prompted to download a zip file which contains the dangerous ransomware in the form of a JavaScript file.

So far, more than 500 websites are known to have fallen victim to this latest WordPress attack, and there is a very good chance that many more websites will succumb before the problem is completely identified and resolved.

As a WordPress website owner, please take this news has a timely reminder to ensure your plug-ins and themes are completely updated to the latest version. If you’re concerned that your WordPress site may have been compromised, you’ll need to act fast to solve the problem.  There are plenty of places you can go when you need WordPress help, or feel free to contact us with any questions or concerns relating to our premium WordPress themes or other products, or about WordPress in general.

We're part of the Asquared WordPress Agency. All rights reserved.