
It seems a new virus known as “Handsome Toaster” is doing its best to penetrate websites across the globe. This morning we awoke to an email notification that someone based in Russia had logged in to a client website.
Immediately, we logged in and changed all admin passwords, then proceeded to investigate.
Thankfully, we had installed Stream on the client's website. It works like a “black box”, recording all activity that occurs in the backend of the site.
Literally an hour prior, someone had logged in from an unknown IP address (which matched a Russian location) and proceeded to do the following:
- Added “handsome_toaster.zip” to Media library
- Installed plugin: Goodwin LLC 1.5.15
- Deleted “handsome_toaster.zip”
We navigated to the plugins page and confirmed that an unknown plugin called “Goodwin LLC” was now on the site, but not enabled.
Rather than deleting it immediately, we went into the control panel and, in the file manager, drilled down to the plugins folder. There we could see a Handsome Toaster folder, which had been installed that same day.
We have now deleted the folder and all its contents, which also removed the Goodwin LLC plugin from the backend of the site. A full virus scan detected no issues, so thankfully it seems we caught it quickly enough to prevent it from actually doing damage.
That being said, you can never be too cautious, so we have also changed the cPanel passwords and will continue to check Stream records over the coming days for any abnormal activity.
Another new virus appearing this week
We also became aware of another potentially malicious attack after receiving an automated notification that a new admin had been added to 3 client websites.
The new admin user had the same email address in each case, plugins@wordpress.com. This was likely used to make website owners think it was a legitimate user, necessary to manage plugins. But it was obvious to our security team that this wasn’t the case, so we immediately deleted it and changed all other admin passwords.
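Both incidents leave a recognisable trail in an activity log, so they can be checked for automatically. The following is an added example, not code from this article or from the Stream plugin: it assumes activity records exported as dictionaries with hypothetical field names (time, ip, user, action, object, role) and runs over constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names and action labels are assumptions,
# not Stream's real export schema; IPs are documentation ranges.
RECORDS = [
    {"time": "2025-01-10T05:02:11", "ip": "203.0.113.7", "user": "admin", "action": "media_added", "object": "handsome_toaster.zip"},
    {"time": "2025-01-10T05:02:40", "ip": "203.0.113.7", "user": "admin", "action": "plugin_installed", "object": "Goodwin LLC 1.5.15"},
    {"time": "2025-01-10T05:02:58", "ip": "203.0.113.7", "user": "admin", "action": "media_deleted", "object": "handsome_toaster.zip"},
    {"time": "2025-01-10T09:15:00", "ip": "198.51.100.20", "user": "editor", "action": "media_added", "object": "brochure.zip"},
    {"time": "2025-01-11T02:30:00", "ip": "203.0.113.9", "user": "admin", "action": "user_created", "object": "plugins@wordpress.com", "role": "administrator"},
]
WINDOW = timedelta(minutes=10)  # assumed threshold for "same session"
SUSPECT_ADMIN_EMAILS = {"plugins@wordpress.com"}  # address seen in the second incident

def parse(records):
    """Attach a parsed timestamp to each record and sort chronologically."""
    rows = [{**r, "ts": datetime.fromisoformat(r["time"])} for r in records]
    return sorted(rows, key=lambda r: r["ts"])

def find_upload_install_delete(records, window=WINDOW):
    """Flag a .zip added to media followed by a plugin install from the same IP."""
    events = parse(records)
    hits = []
    for i, up in enumerate(events):
        if up["action"] != "media_added" or not up["object"].lower().endswith(".zip"):
            continue
        later = [e for e in events[i + 1:] if e["ip"] == up["ip"] and e["ts"] - up["ts"] <= window]
        install = next((e for e in later if e["action"] == "plugin_installed"), None)
        if install is None:
            continue  # a zip upload with no install (e.g. brochure.zip) is not flagged
        deleted = any(
            e["action"] == "media_deleted" and e["object"] == up["object"] and e["ts"] >= install["ts"]
            for e in later
        )
        hits.append({"ip": up["ip"], "archive": up["object"], "plugin": install["object"], "archive_deleted": deleted})
    return hits

def find_new_admins(records, known_admins=()):
    """Flag every administrator account creation that is not on the allow-list."""
    hits = []
    for e in parse(records):
        if e["action"] == "user_created" and e.get("role") == "administrator" and e["object"] not in known_admins:
            hits.append({"email": e["object"], "ip": e["ip"], "known_bad": e["object"].lower() in SUSPECT_ADMIN_EMAILS})
    return hits

if __name__ == "__main__":
    print(find_upload_install_delete(RECORDS))
    print(find_new_admins(RECORDS))
```

The archive_deleted flag records whether the uploaded archive was removed after the install, which is the clean-up step seen in the first incident.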
What should I do if I think my site has been hacked?
We have already written a comprehensive blog post on what to do if your website is hacked.
But in short, we recommend the following actions:
- Reach out immediately to your web support (if you have one).
- Run a site scan using Wordfence, Sucuri and Google Safe Browsing.
- Check your Stream activity to see what’s recently been done.
- Clean up any malicious code found in files and databases.
- Change all passwords and delete any unnecessary users.
Moving forward, it’s also important to ensure:
- All software is regularly updated when a new version comes out.
- Wordfence is installed and appropriately configured.
- Your website is hosted on a reliable server with strong security measures.
- Your site is backed up on a daily basis, not just on the hosting server but also on a third-party server.
For ongoing support for your website, check out our Website Care Plans.