ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Other Software > Developer's Corner

Silder Revolution (not Wordfence) Hacked

<< < (3/3)

Updated original post with actual attack vector.

The web development company I work for has a client that got hit on Sunday. I discovered it, just as I was about to do some work on his site and couldn't log in.

A little more info on this...

Over 1200 themes sold on ThemeForest were vulnerable to this back in September, around 300 of which were never patched...and the users of the themes that were patched, most did not receive notification that they need to update their themes. (which is how our client got bit)

ThemeForest also gives away a theme or template every month, so any collectors out there most likely has at least 1 vulnerable theme in their collection that can not be updated (freebies don't come with updates).

You can find the list of vulnerable ThemeForest themes, here:

And this is only the ones they know about that had the vulnerable plugin integrated into it. If the designer never mentioned it in the theme's description, then it's most likely not on the list and the vulnerability status would be unknown.

And there could be more premium themes from other designers and theme shops that are vulnerable, as this premium plugin seems to be a very popular one that premium theme designers love integrating into their themes.

And this is why I hate premium themes and plugins. For most of them, there is little to no support for automatic update notification. You can end up with a ticking time bomb and never know it, till it's too late.

If these were a free plugin and themes from the official Wordpress repository, users would have been notified through their admin panel and/or email as soon as an update was available, with most of them being given the opportunity to fix the issue as far back as 3 months ago. And it's dead simple to update if it's from the click & it's done. With premium themes & plugins from ThemeForest, it might not be so simple, as they are not known for designers that follow best practices when it comes to keeping the theme or plugin separated from the site's content.

And if you get hit with this and have no idea how to clean up your site, it will cost you plenty to have someone do it for you. Securi charges $99 to clean up a site hit by this, and the company I work for charges even more. It could have been really bad for our client, who luckily only had 1 site hit, even though he has used the same vulnerable theme on a bunch of sites.

He found the problem using Wordfence

I found out where's the problem with Wordfence
--- End quote ---

If you are referring to


Those are not Wordfence files, if a plugin uses WP's Includes folder to insert js and php files I would not use it to start with...
-rgdot (December 14, 2014, 04:04 PM)
--- End quote ---

How are the updated one's not Wordfence's files if the fix is to re-download the archive?

I'm not sure... I wasn't affected.  I just figured someone might benefit from knowing in the case that their site was displaying the same symptoms.
-wraith808 (December 14, 2014, 04:08 PM)
--- End quote ---

Wordfence is a security plugin for Wordpress that can detect this malware. The fix is not to re-download the Wordfence's to download the Wordpress core files and reinstall it, overwriting the affected files. Then either update or remove the Revolution Slider plugin, or the premium theme that has it integrated into it.

Now this is a good starting point to finally replace WordPress by a static blog generator.
-Tuxman (December 15, 2014, 03:27 AM)
--- End quote ---

Totally not necessary, when the problem is not Wordpress itself, but an outdated 3rd party add-on. If we applied that kind of logic to OSs, we would have to get rid of them all, as there are exploitable outdated 3rd party apps available for all of them.


[0] Message Index

[*] Previous page

Go to full version