Criminal cryptocurrency miners are exploiting whatever platform they can find to do illicit mining. Kaspersky found 1.65 million computers infected with mining malware in the first eight months of 2017, a huge increase over 2016. Any and all platforms are being attacked. 25% of all websites run WordPress, so WordPress is an obvious target.
I’ve noticed a pronounced increase in my client’s WordPress sites being probed for vulnerabilities, with attempted logins, hunting for config files and vulnerabilities, etc. It’s not a small increase; it is several times normal. This is almost certainly due to cryptocurrency miners trying to break into the sites to install mining malware, often for Zcash and Monero because they are extremely anonymous and thus favored for hiding money more than Bitcoin is.
Personal computers can also be compromised.
Does your computer seem to be running much slower than usual? If so, someone may be using your computer’s processing power to mine bitcoins.
This is precisely what bitcoin mining viruses do, yet many of them can be detected with antivirus programs. Malwarebytes is highly recommended for this purpose. Whether your antivirus program is Malwarebytes, which we recommend, or something else, running a scan every so often will allay infection concerns.
All the WordPress sites I manage have multiple levels of protection. You have to be proactive. Keep WordPress and all plugins and themes updated. Monitor the site on a regular basis. Anything less is asking for trouble. These attacks are done by professional criminals. Let me know if I can help protect your WordPress site too. Yes, it’s a jungle out there.
IBM’s Dave McMillen told Bleeping Computer via email that attackers used “a wide range of exploits […] to first compromise […] CMS platforms (WordPress and Joomla and JBoss server) prior to launching the subsequent CMDi [command injection] attack,” that installed the cryptocurrency mining tool.
“These [mining] tools were hidden within fake image files, a technique known as steganography, hosted on compromised web servers running Joomla or WordPress, or stored on compromised JBoss Application Servers,” McMillen says.
The expert says attackers usually downloaded a customized version of a legitimate mining tool named Minerd, or a Linux port named kworker.
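One way to check a site's upload directories for the "fake image files" McMillen describes is to compare each file's leading bytes with what its extension claims. This is an added example, not code from IBM or Bleeping Computer; the file names and sample bytes are constructed, and it assumes the fake image is a file with an image extension whose content starts as something else (a payload appended after a valid image header would not be flagged).

```python
import os
import tempfile

# Leading "magic" bytes a genuine image of each extension must start with.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}
# Headers that mark executable content rather than image data.
EXEC_MAGIC = {b"\x7fELF": "ELF binary", b"#!": "script (shebang)", b"MZ": "Windows PE"}

def classify(path):
    """Return None if the header fits the extension, else a reason string."""
    expected = IMAGE_MAGIC.get(os.path.splitext(path)[1].lower())
    if expected is None:
        return None  # not an image extension: out of scope for this check
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(expected):
        return None
    for sig, label in EXEC_MAGIC.items():
        if head.startswith(sig):
            return label
    return "header does not match extension"

def scan(root):
    """Walk root; return sorted (relative path, reason) for each mismatch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)

def demo():
    """Scan a constructed uploads tree (sample data, built in a temp dir)."""
    samples = {"logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # real PNG header
               "banner.jpg": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,  # ELF named .jpg
               "icon.gif": b"#!/bin/sh\n",                       # script named .gif
               "notes.txt": b"\x7fELF"}                          # not an image name
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a live site, call `scan()` on the uploads directory from a scheduled job and alert on any non-empty result.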