WordPress Ransomware – What It is & How To Prevent It?

What is WordPress Ransomware & How it targets websites

What would you do if criminals locked you out of your professional WordPress site and infected it with ransomware? This is exactly what happens to a business every 40 seconds.

Not every one of these attempts succeeds, but a successful attack costs the affected company about $133,000 on average.

Can your business or your customers afford that kind of loss? Most cannot.

Unfortunately, ransomware attacks rose in 2019 and are likely to keep rising in 2020, which puts your small-business WordPress site at risk. This post explains what WordPress ransomware is, how it targets WordPress sites, how to remove it, and the steps that prevent it.

What is Ransomware?

Ransomware is a form of malware that usually enters a computer system through malicious code carried in an email attachment or embedded in video content. Once the attachment is opened, the code encrypts or locks the files, blocking access for the legitimate owner and other authorised users. A demand for money follows: pay to have the malware removed, or to receive a key that restores access. The demand is backed by the threat of wiping entire databases or publicly releasing the stolen data.

Ransomware authors have long relied on email, but video, especially video shared through social media, is an increasingly used vector. Video is popular: over four times as many people say they would rather watch a video than read about a product. Combined with poorly protected media players and users who are not alert to this delivery method, that is a looming problem.

Attacks of this type already cost businesses about $75 billion a year, before counting the almost irreversible reputational damage and loss of customer confidence. Most companies do not even report such attacks, out of fear, and almost none of the perpetrators are caught.

[Figure: how a ransomware attack works]

[Figure: recent spike in ransomware attacks]

[Figure: common types of files targeted by ransomware]

[Figure: distribution of ransomware]

What Is WordPress Ransomware?

[Figure: how ransomware targets WordPress sites]

WordPress is one of the most popular content management systems on the Web, powering almost a third of all websites. Although it still has a reputation as a blogging platform, it is also becoming a powerful force in e-commerce.

Ransomware provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.

According to ZDNet, over 500 websites were compromised and thousands of attempts were made to drop ransomware, phishing links and other malicious content on them. The compromised WordPress sites were running outdated themes or outdated server-side software.

Once an attacker has compromised a WordPress site and uploaded the ransomware to it, the ransomware presents the attacker with an initial interface that looks like this:

[Figure: initial interface of the WordPress ransomware]

This interface offers the attacker both encryption and decryption. The attacker chooses a complex key, enters it into the "KEY ENC/DEC" field and hits submit.

Unfortunately, that popularity makes WordPress a prime target for every new cyber attack.

The majority of WordPress sites are owned by small and medium-sized enterprises (SMEs), which is another factor in the number of attacks. A Symantec security report shows that cyber attacks on SME websites have more than doubled in five years; they now account for 43% of all hacked websites.

How does ransomware target WordPress sites?

The fact is that most small business owners are not aware of the precariousness of their websites. Those who know the danger often do not have the budget for advanced security.

Nobody really believes it can happen to them, until visitors tire of landing on a buggy (or hacked) site. An e-commerce business built on positive online reviews can be destroyed just as quickly once one- and two-star ratings start flooding its pages.

Avoid that kind of fallout by understanding the most common reasons sites get compromised:

  • Absence of daily security audits
  • Insufficient training and awareness of employees in cybersecurity
  • Lack of access control, which determines which users can use which data
  • Obsolete cyber security software and applications
  • No uniform cybersecurity policy

Is your website at risk?

WordPress is the most used blogging and e-commerce platform, and while targeting it is not purely a numbers game, its popularity does make it an attractive target. Most attacks begin with phishing attempts and other online scams, or, as described below, with outdated plugins and themes.


If the ransom is paid, is the problem solved?

The file the site now redirects to includes a form that claims to decrypt the files when a password is entered, but that is not what happens.

The file contains no working decryption logic, so entering a key does nothing, even if the ransom has been paid and a key has been obtained. It is a hoax.

While this ransomware variant does give the attacker the tools to encrypt the files with a password, it does not work in reverse.

Even if the attacker did hand over the key, the victim would have to decrypt each file themselves, which requires PHP knowledge and experience to apply the key and recover the encrypted files.

So it is highly recommended not to pay any ransom.

Common ransomware attacks on WordPress

The most common cyber attacks are phishing schemes, adware and credit card skimmers. Ransomware such as EV ransomware and B0r0nt0k is a growing threat, and WannaCry showed how damaging the class can be, although it targeted Windows machines rather than web servers.

B0r0nt0k

This ransomware is a file-locking virus that encrypts the files on a Linux server and marks them with the .rontok extension. It is a serious infection: beyond encrypting your data, it also changes the system, including

  • modified startup settings
  • added files or programs
  • disabled functions or applications

EV ransomware

A ransomware variant called EV ransomware specifically targets vulnerabilities in WordPress sites. It looks for a weakness, and once it has compromised the site it uploads its payload. Once in place, EV encrypts the site's files, locking administrators out until the owner pays.

The weakness is usually an outdated plugin or theme, or credentials captured through phishing; once in, the attacker drops a file that starts the encryption process.

During encryption, EV ransomware creates two files in the installation directory:

  • EV.php – the interface that lets the victim enter the decryption key supplied by the attackers. This is a scam: the decryption routine does not work. Victims should not contact the attackers or pay the fee under any circumstances.
  • .htaccess – rewritten so that every request is redirected to EV.php, which shows the ransom note.

That is why EV ransomware is quite inefficient at extracting payments from victims; the same applies to similar ransomware aimed at servers.

This ransomware targets only WordPress servers. WordPress's large market share means it was easier for the attacker to find vulnerable targets among its users.

You will know your site has been compromised when you try to reach the admin panel and meet an interface like this:

[Figure: the EV ransomware note shown in place of the WordPress admin panel]

The page contains a form that is supposed to let the site owner enter the key and unlock the files once the ransom has been paid. The problem with this particular attack is that the decryption does not work, so there is effectively no decryption key.

Experts advise victims of EV ransomware not to pay, because there is no way to unlock the encrypted files afterwards. Paying simply loses your money without undoing the attack.

This may seem hopeless, but there is a way out if you have had the foresight to follow a WordPress maintenance checklist and take regular backups of your site. Most dedicated and cloud-based hosts perform daily backups and keep multiple layers of redundancy.

WannaCry and the 2017 ransomware wave

The year 2017 will go down in history as one of the most problematic for Internet security.

The blame lies with ransomware and its best-known variant, WannaCry. WannaCry itself spread between Windows machines over SMB; it did not target websites.

Since then a ransomware variant has been detected that points directly at sites running WordPress, which, given WordPress's popularity, can cause severe problems for thousands of users.

As with WannaCry, a ransom is demanded to decrypt the files and regain access, but paying does not in any way ensure that the files will be recovered.

If a backup copy stored on another device is not available, the encrypted files cannot be recovered.

Many other ransomware variants have been detected since, with Petya among those that caused the most trouble.

Nothing suggests that attacks of this kind will stop appearing in the future; if anything, the opposite.

WordPress in Ransomware Crosshairs

WordPress is the most popular CMS in the world, which puts it in the spotlight for all kinds of attacks.

Recently, Wordfence researchers detected a ransomware variant built to attack WordPress installations.

The basic procedure is the same, to infect and encrypt the files and then request a monetary ransom from the website administrators.

Once WordPress is infected and the ransomware has done its job, anyone trying to reach the site sees a screen similar to this:

[Figure: the ransom screen shown on an encrypted WordPress site]

This version does not encrypt every type of file: files matching the skip list (.php, .png, .htaccess, index.php and a few others listed below) are left alone. Every other file is encrypted, deleted and replaced by a file with the same name and the extension .EV.

This interface provides both the encryption and decryption functionality to an attacker. The attacker then chooses a complex key, enters it into the “KEY ENC/DEC” field and hits submit.

The site is then encrypted. The result looks like this:

[Figure: a WordPress site after EV ransomware has encrypted it]

This ransomware is being used in the wild against WordPress sites. The earliest variant appeared on GitHub in May of the previous year; version 2 is what attackers are using now.

The authors of this ransomware on GitHub are bug7sec, an Indonesian group; the source code uses Indonesian words, which supports that attribution. (Source: Wordfence)

Common files encrypted with Ransomware

The files are encrypted with the key the attacker supplied, so without that key they cannot practically be recovered.

The ransomware will not encrypt files that have the following extensions:

  • *.php*
  • *.png*
  • *404.php*
  • *.htaccess*
  • *.lndex.php*
  • *DyzW4re.php*
  • *Index.php*
  • *.htaDyzW4re*
  • *.lol.php*

For each directory it processes, the ransomware sends an email to htaccess12@gmail.com reporting the hostname and the key used for the encryption.

Every affected file is deleted and replaced by a file with the same name and the extension ".EV"; that new file is the encrypted copy.

To obtain the key, the attacker demands a sum of money in Bitcoin as ransom.
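As an added example (not code from this article or from Wordfence), the skip list above and the .EV renaming can be turned into a triage script. It walks a site tree, applies the published patterns with shell-style matching to show which files the ransomware would leave untouched, and flags the indicators the EV sections describe: files renamed to .EV, the EV.php/DyzW4re.php scripts, and an .htaccess that rewrites every request to EV.php. The sample tree is constructed inline; the exact rewrite rule text is an assumption, so the regex matches any RewriteRule aimed at ev.php.

```python
import fnmatch
import os
import re
import tempfile

# Skip list reported for the EV ransomware (the patterns quoted in this
# article); a file whose name matches any of them is left unencrypted.
EV_SKIP_PATTERNS = (
    "*.php*", "*.png*", "*404.php*", "*.htaccess*", "*.lndex.php*",
    "*DyzW4re.php*", "*Index.php*", "*.htaDyzW4re*", "*.lol.php*",
)

# Assumption: the exact .htaccess rule varies between samples, so match any
# RewriteRule whose target points at ev.php, case-insensitively.
EV_REWRITE = re.compile(r"RewriteRule\s+\S+\s+\S*ev\.php", re.IGNORECASE)

# Names of the dropper / ransom-note scripts mentioned in the article.
EV_DROPPER_NAMES = {"ev.php", "dyzw4re.php"}


def would_be_skipped(filename: str) -> bool:
    """True when EV's skip list matches, i.e. the file would not be encrypted."""
    return any(fnmatch.fnmatchcase(filename, pat) for pat in EV_SKIP_PATTERNS)


def triage(root: str) -> dict:
    """Walk a site tree and collect the indicators described in the text.

    encrypted_files: files already renamed to *.EV
    dropper_files:   EV.php / DyzW4re.php scripts
    rewrite_to_ev:   .htaccess files funnelling requests into ev.php
    unprotected:     files the skip list would not save if EV ran (again)
    """
    findings = {"encrypted_files": [], "dropper_files": [],
                "rewrite_to_ev": [], "unprotected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.endswith(".EV"):
                findings["encrypted_files"].append(rel)
                continue
            if name.lower() in EV_DROPPER_NAMES:
                findings["dropper_files"].append(rel)
            if name == ".htaccess":
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if EV_REWRITE.search(fh.read()):
                        findings["rewrite_to_ev"].append(rel)
            if not would_be_skipped(name):
                findings["unprotected"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_site() -> str:
    """Constructed sample tree (not real site data): an install EV has hit."""
    root = tempfile.mkdtemp(prefix="wp-ev-")
    files = {
        "index.php": "<?php require 'wp-blog-header.php';",
        "wp-config.php": "<?php define('DB_NAME', 'wp');",
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ ev.php [L]\n",
        "ev.php": "<?php /* ransom note and 'KEY ENC/DEC' form */",
        "wp-content/uploads/2019/logo.png": "constructed png placeholder",
        "wp-content/uploads/2019/brochure.pdf.EV": "constructed ciphertext",
        "wp-content/uploads/2019/notes.txt": "still plaintext",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for key, items in triage(build_sample_site()).items():
        print(f"{key}: {items}")
```

Run it against a real docroot by passing the path to triage(). An "unprotected" list that is long and an "encrypted_files" list that is empty is the healthy case; the moment .EV files or the rewrite rule show up, stop, preserve the server image for forensics, and restore from an off-server backup rather than touching the ransom form.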


WordPress Ransomware Prevention

Even if you are lucky enough to have a backup to restore from, you lose time, and perhaps customers, while regaining access to your site. Your reputation may be tarnished, and who knows what else the attacker did in the meantime.

The best way to avoid all the hassle, embarrassment and possible financial loss is to prevent criminals from accessing your WP website.

Ransomware for WordPress can evolve

Security experts warn that this version of WordPress ransomware can evolve.

At the moment it looks unfinished, but they do not rule out a future version that works fully and can attack databases and every type of file.

Nor do they rule out a version whose decryption actually works with the key provided, which would encourage infected sites to pay.

Nor do they rule out that it could affect other platforms such as PrestaShop or Joomla, so taking precautions is recommended even if you are not running WordPress.

Too many website owners know about the threats but do not take them seriously and do not consider themselves a likely target. Waiting until after an attack is too late, even with a mitigation plan in place. With ransomware, the time to act is before you are hit.

For malicious code to be injected into WordPress, and for the ransomware to encrypt the files, the attacker needs an entry point.

The entry points are usually WordPress installations with outdated plugins or themes, so always keep WordPress and its plugins and themes on their latest versions, and scan any theme for malware before installing it.

Installing an updated Security plugin is also an excellent option to protect WordPress from this and other types of similar attacks.

If you do get infected, the problem can be solved by replacing the encrypted files from a backup. But if the backup is stored on the same server as WordPress, it will very likely be encrypted too, and the files cannot be recovered.

It is highly recommended to make regular backup copies of any WordPress installation and download them locally or upload them to an external server such as Dropbox, OneDrive or Google Drive to be able to recover them in case of disaster.

Here are a few things you should do right now to keep your site secure:

Download only from official platforms

The open-source nature of WordPress does not make it a bad platform, but it does make it easy to slip malicious code into any of thousands of third-party plugins. If you install new plugins, download them from a reputable source such as the WordPress Plugin Directory, which reviews plugins for vulnerabilities before they are published and shows user reviews of each one.

Check your sources

Never open an email or attachment that looks suspicious; trust your instincts. That said, people in business routinely receive unsolicited emails from strangers, and some are forwarded by people we know.

At least 20% of suspicious domains are less than a week old. You can check any domain by submitting it to a Whois lookup, which shows the registrant's name and location (unless a privacy service masks them), how long the domain has been registered, and other domains belonging to the same owner.


Update and backup WordPress as a part of daily maintenance

These are two maintenance tasks that everyone agrees matter, yet too many site owners neglect them. Fortunately, reputable software vendors and developers publish security patches and updates as soon as a problem is reported, to protect individuals and businesses from newly discovered vulnerabilities.

If you cannot configure your plugins and core version to update automatically, check for the latest versions and install them as soon as they are available. Regular WordPress database backups stored separately from the server can save your data if someone hijacks your files.
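The earlier advice to keep backups off the web server and the backup advice in this section share one requirement: a backup is only useful if it exists somewhere the ransomware cannot reach and it can actually be restored. The following is an added example (not the article's or any vendor's code) of the minimum a backup job should do: archive the docroot together with a database dump into a separate location, record a checksum, and verify before trusting it. The "offsite" directory and the in-memory database dump are stand-ins so it runs offline; in production the dump comes from mysqldump and the destination is another host or object storage.

```python
import hashlib
import io
import os
import tarfile
import tempfile
import time


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, streamed so large archives do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_root: str, db_dump: bytes, offsite_dir: str) -> tuple:
    """Archive site tree + database dump into offsite_dir; return (path, sha256).

    offsite_dir stands in for storage the web server cannot overwrite. In
    production db_dump is the output of mysqldump; here the caller passes bytes.
    """
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(offsite_dir, f"wp-backup-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="site")
        info = tarfile.TarInfo("db.sql")
        info.size = len(db_dump)
        info.mtime = int(time.time())
        tar.addfile(info, io.BytesIO(db_dump))
    digest = sha256_file(archive)
    # Checksum sidecar lets a restore detect a truncated or tampered archive.
    with open(archive + ".sha256", "w", encoding="utf-8") as fh:
        fh.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def verify_backup(archive: str) -> list:
    """Return the problems found; an empty list means the backup is worth keeping."""
    problems = []
    with open(archive + ".sha256", encoding="utf-8") as fh:
        expected = fh.read().split()[0]
    if sha256_file(archive) != expected:
        problems.append("checksum mismatch")
    with tarfile.open(archive, "r:gz") as tar:
        names = tar.getnames()
    if "db.sql" not in names:
        problems.append("database dump missing")
    if "site/wp-config.php" not in names:
        problems.append("wp-config.php missing")
    # A backup taken after EV ran only preserves the ciphertext.
    if any(name.endswith(".EV") for name in names):
        problems.append("archive holds .EV files: it was taken after infection")
    return problems


def restore(archive: str, target_dir: str) -> str:
    """Unpack the archive into target_dir and return the restored site root."""
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target_dir)
    return os.path.join(target_dir, "site")


def demo() -> dict:
    """Back up a constructed site, verify the archive, restore it and compare."""
    site = tempfile.mkdtemp(prefix="wp-site-")
    os.makedirs(os.path.join(site, "wp-content", "uploads"))
    with open(os.path.join(site, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php define('DB_NAME', 'wp'); $table_prefix = 'wp_';\n")
    upload = os.path.join(site, "wp-content", "uploads", "brochure.pdf")
    with open(upload, "w", encoding="utf-8") as fh:
        fh.write("constructed sample upload\n")
    offsite = tempfile.mkdtemp(prefix="offsite-")
    archive, digest = make_backup(site, b"-- constructed mysqldump output\n", offsite)
    problems = verify_backup(archive)
    restored = restore(archive, tempfile.mkdtemp(prefix="restore-"))
    same = (sha256_file(os.path.join(site, "wp-config.php"))
            == sha256_file(os.path.join(restored, "wp-config.php")))
    return {"archive": archive, "sha256": digest, "problems": problems,
            "restore_matches": same}


def demo_after_infection() -> list:
    """Same flow on a tree that already holds .EV files; verify_backup rejects it."""
    site = tempfile.mkdtemp(prefix="wp-infected-")
    for name in ("wp-config.php", "brochure.pdf.EV"):
        with open(os.path.join(site, name), "w", encoding="utf-8") as fh:
            fh.write("constructed\n")
    archive, _ = make_backup(site, b"", tempfile.mkdtemp(prefix="offsite-"))
    return verify_backup(archive)


if __name__ == "__main__":
    print(demo())
    print(demo_after_infection())
```

The restore step is not optional: a backup that has never been unpacked is an assumption, not a recovery plan. Run the verify and restore on a machine other than the web server, and keep more than one generation so that a backup taken after an infection (which the .EV check catches) does not overwrite the last clean one.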

Use secure emails from trusted providers

Free email accounts are available almost everywhere. Companies such as Google (Gmail) and Microsoft offer them to draw users into their ecosystems, which span everything from hosting platforms to domain registration.

  • Gmail has strong security, but it is neither anonymous nor end-to-end encrypted. For truly private messaging, look at third-party providers built on AES, RSA or OpenPGP, such as ProtonMail or SCRYPTmail.
  • For those providers email is not an afterthought or an add-on; it is their whole business, and it deserves a place in a comprehensive security strategy against malware such as ransomware. Bear in mind that encryption alone does not stop a malicious attachment: spam filtering and caution with attachments still matter.

A dedicated email service adds one more subscription to the pile, but it costs less than ten dollars a month. For keeping ransomware-laden spam out, consider it money well spent.

Install SSL Certificates

Before going further, what is an SSL certificate? Put simply, it is a credential issued by authorities that the major browsers (Chrome, Firefox, Edge, IE and others) trust, and it lets the website and its visitors communicate over an encrypted connection. Anyone trying to eavesdrop on or alter the traffic between you and the website is prevented from doing so. This protects data in transit, including your admin login, but it does not by itself stop ransomware that arrives through a vulnerable plugin or stolen credentials.

As a website owner, you need to be part of this community struggling to make the Web even more secure from ransomware.

For those who do not have an SSL certificate yet, you have to get in touch with the company hosting your site. They will tell you how to install the SSL certificate on your site.

Change The WordPress Database Prefix

Leaving your MySQL table prefix at its default value of wp_ is usually listed as a security risk for WordPress, and using a non-default prefix is common advice. Be clear about what it buys you: it only frustrates attacks that hard-code the default table names, such as some SQL injection payloads. Ransomware that runs as PHP on the site reads the real prefix from wp-config.php, so the change does not hinder it.

The default prefix is "wp_". It can be changed during installation or later; Brozzme DB Prefix is a one-click tool for changing it. Back everything up first, in case anything goes wrong.


Turn Off File Editing

If hackers gain access to your admin dashboard, they can edit the theme and plugin files of your WordPress installation through the built-in editor.

Strong access controls are therefore the first line of defence. Turning off file editing adds a second: even with dashboard access, attackers can no longer edit those files from the dashboard (they could still install a plugin unless file modifications are disabled as well).

This is done by adding a constant to wp-config.php, which removes the Theme and Plugin Editor from the CMS:

define('DISALLOW_FILE_EDIT', true);

This line defines the WordPress constant DISALLOW_FILE_EDIT; when set to true it removes the "Editor" entry from "Appearance" and the "Edit" link under each plugin in the administration panel.
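The two wp-config.php settings discussed above (the table prefix and DISALLOW_FILE_EDIT) are the kind of thing that gets checked once and then drifts. As an added example (not the article's code and not part of WordPress), here is a small audit that parses a wp-config.php, reports the weak configuration next to the hardened one, and also checks DISALLOW_FILE_MODS, which WordPress treats as implying DISALLOW_FILE_EDIT and which additionally blocks plugin and theme installs and updates from the dashboard. The two sample configs are constructed; the constant names are WordPress's own.

```python
import re

# Constants checked. DISALLOW_FILE_MODS is the stricter of the two: it blocks
# plugin/theme installs and updates from the dashboard, and WordPress's
# capability mapping denies edit_themes/edit_plugins when either is set.
HARDENING_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")
WHY = {
    "DISALLOW_FILE_EDIT": "the theme/plugin editor stays available in the dashboard",
    "DISALLOW_FILE_MODS": "plugins and themes can still be installed or updated from the dashboard",
}

DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*"""
    r"""(?P<value>true|false|'[^']*'|"[^"]*")\s*\)\s*;""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]\s*;""")


def parse_wp_config(text):
    """Return {'constants': {NAME: bool|str}, 'table_prefix': str|None}."""
    constants = {}
    for m in DEFINE_RE.finditer(text):
        raw = m.group("value")
        if raw.lower() in ("true", "false"):
            constants[m.group("name").upper()] = raw.lower() == "true"
        else:
            constants[m.group("name").upper()] = raw[1:-1]
    prefix = PREFIX_RE.search(text)
    return {"constants": constants,
            "table_prefix": prefix.group("prefix") if prefix else None}


def audit_wp_config(text):
    """Return the list of weaknesses found; an empty list means every check passed."""
    parsed = parse_wp_config(text)
    constants = parsed["constants"]
    findings = []
    for name in HARDENING_CONSTANTS:
        if name == "DISALLOW_FILE_EDIT" and constants.get("DISALLOW_FILE_MODS") is True:
            continue  # already implied by DISALLOW_FILE_MODS
        value = constants.get(name)
        if value is None:
            findings.append(f"{name} is not defined: {WHY[name]}")
        elif value is not True:
            findings.append(f"{name} is {value!r}, expected True")
    # The prefix check is about hard-coded SQL payloads, not ransomware: any
    # PHP running inside the site reads $table_prefix from this very file.
    if parsed["table_prefix"] in (None, "wp_"):
        findings.append("table prefix is the default wp_")
    return findings


# Constructed samples: the weak setting beside the corrected one.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
$table_prefix = 'kx7_';
"""

if __name__ == "__main__":
    print("weak:", audit_wp_config(WEAK_CONFIG))
    print("hardened:", audit_wp_config(HARDENED_CONFIG))
```

Setting DISALLOW_FILE_MODS does mean plugin and theme updates have to happen through WP-CLI or a deployment pipeline rather than the dashboard, which is exactly the trade-off you want on a production site where nobody should be editing PHP through a browser.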

WordPress plugins to Protect Against WordPress Ransomware

If you have a WordPress website for your small business, and you have not already learned about security and security plugins, your time is now. This is an essential part of maintaining your website. If you want to stay safe from Ransomware then you must learn about WordPress security plugins to keep your website safe.

Anti-Malware Security and Brute-Force Firewall, known in the WordPress community as GOTMLS, is respected for its malware scanner and may suit more technical users. It detects most kinds of malicious code, and it includes a firewall that helps block attacks against known vulnerabilities.

All In One WP Security & Firewall offers many of the same features. Why consider it? Some hosting and plugin configurations cannot handle other security plugins but are fully compatible with All In One. Our suggestion is to install and test each plugin to see which works best for you. In the end, what matters is choosing a WordPress security plugin that really works.

WP Hacked Help Can protect your site against Ransomware threats.

Hire the best WordPress security service for regular maintenance of your site. We can apply security patches as soon as they are released and make sure backups of your site are taken at regular intervals, so the site can be restored after cleanup.

In the two years since EV ransomware was discovered, millions of new variants, along with countless spam and phishing schemes, have appeared. No one can be protected 100% from breaches and theft, but staff and vendor awareness, combined with current security best practices, gives you the best chance of stopping attacks.

Do not wait until your WordPress website is locked to do something against the threat of Ransomware. Scan website using WP Hacked Help, today to create an action plan to prevent attacks on your website and livelihood.

Ransomware is only a means for criminals who want to reach as many WordPress sites as possible. To avoid infection by malware, ransomware and trojans of all kinds, experts recommend running antivirus software, keeping your equipment secure, avoiding unknown downloads and browsing only trusted sites. Scanning is the way to check whether a site is infected with ransomware or any other hack, such as a WordPress malware redirect, the Japanese keyword hack, a pharma hack or a brute-force attack. Our scanner checks your site against hundreds of WordPress vulnerabilities.

Get in touch with our WordPress experts – Contact Us Here.