Malware skims data from WordPress and WooCommerce

New malware targets WordPress and WooCommerce sites, stealing credit card data and logins by mimicking Cloudflare on checkout pages.

25-06-2025 - 4 minute read. Posted in: cybercrime.

New malware targets WordPress and WooCommerce checkouts

A newly discovered malware campaign is quietly stealing credit card details and login information from WordPress and WooCommerce websites. The attackers are using fake plugins and scripts that pretend to be from Cloudflare, a trusted internet security provider. The goal is to trick both website owners and customers — without anyone noticing.

Active since 2023, but only now detected

Researchers at Wordfence found that the malware has actually been active since September 2023. It has stayed hidden for a long time because it is carefully designed to blend in with normal website activity. Instead of causing visible problems, it works silently in the background, stealing sensitive information when people make purchases.

Focused on credit card and login theft

The malware mainly targets checkout pages, which are the final step in online shopping. It is designed for credit card skimming and credential theft, meaning it collects sensitive information like credit card numbers and login credentials as users enter them. The stolen data is then quietly sent to the attackers without raising suspicion.

What sets this campaign apart is its modular design. That means the attackers can change how the malware works depending on the website they infect. It also means they can continue improving or expanding the attack without needing to start over.

Similar threats have targeted WooCommerce and WordPress websites before. For example, a massive WooCommerce breach exposed millions of customer records through vulnerabilities in the checkout process. Likewise, campaigns such as the Balada Injector malware demonstrate how attackers use fake plugins and hidden scripts to steal sensitive data without detection.

Pretending to be Cloudflare to stay hidden

To avoid suspicion, the malware pretends to be part of Cloudflare, a well-known security service. It uses file names like cloudflare.js to appear trustworthy. In reality, it has nothing to do with Cloudflare. This trick makes it harder for website owners to spot the threat.

The fake Cloudflare scripts are added to key parts of the website, especially checkout-related files. They are hidden in a way that makes them look like they belong there.

Installed through fake WordPress plugins

The attackers gain access by installing malicious plugins that look like normal WordPress tools. These could have names that suggest they improve performance or add features to the site. Once installed, the plugin adds harmful code to the website and can even create secret admin accounts to give attackers long-term control.

Researchers have seen plugin files with names like:

  • woocommerce-sms-gateway.zip

  • cloudflare.php

  • wp-optimiser.php

These files are not part of any official WordPress or WooCommerce features.

What website owners should do

If you run a WordPress or WooCommerce site, it’s important to take this threat seriously. Here’s what you can do:

  • Check all plugins and themes. If you don’t recognize one, remove it or investigate further.

  • Keep your WordPress site updated. That includes plugins, themes, and the WordPress core.

  • Use a trusted security plugin to scan for malware or unknown files.

  • Look for any strange admin users in your dashboard.

  • Pay attention to any new or unusual behavior on your checkout page.

Also, avoid downloading plugins or tools from unofficial sources. Always use the official WordPress plugin directory or known providers.
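
As a starting point for the first check in the list, here is an added example (not code from Wordfence or from the original article) that walks a WordPress directory, reports files carrying the names mentioned above, and lists plugins that are not on a list you supply. The function name audit_wordpress and the idea of keeping a list of expected plugin slugs are assumptions of this example.

```python
import os
import sys
from pathlib import Path

# File names reported in the article above. A name match is a lead to
# investigate, not proof of compromise.
SUSPECT_NAMES = {
    "woocommerce-sms-gateway.zip",
    "cloudflare.php",
    "wp-optimiser.php",
    "cloudflare.js",
}


def audit_wordpress(root, known_plugins):
    """Return (name_hits, unknown_plugins) for the WordPress tree at root.

    known_plugins is the set of plugin slugs the site owner expects
    (an assumption of this example: you maintain such a list).
    """
    root = Path(root)
    name_hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in SUSPECT_NAMES:
                name_hits.append(Path(dirpath, fname).relative_to(root).as_posix())

    unknown = []
    plugins_dir = root / "wp-content" / "plugins"
    if plugins_dir.is_dir():
        for entry in sorted(plugins_dir.iterdir()):
            if entry.name == "index.php":  # stock placeholder file
                continue
            # A plugin is either a directory or a single top-level .php file.
            slug = entry.name if entry.is_dir() else entry.stem
            if slug not in known_plugins:
                unknown.append(entry.name)
    return sorted(name_hits), unknown


if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python audit.py /var/www/html woocommerce akismet
    hits, unknown = audit_wordpress(sys.argv[1], set(sys.argv[2:]))
    for path in hits:
        print("suspect file name:", path)
    for name in unknown:
        print("plugin not on your list:", name)
```

Anything it reports still needs a manual look, and a clean result does not rule out an infection that uses other file names.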

A growing threat to online stores

This malware campaign is part of a larger trend. Cybercriminals are getting smarter about how they attack websites. By focusing on checkout pages and pretending to be trusted services like Cloudflare, they increase the chances of success — and decrease the chance of being caught.

For online shops, especially those using WooCommerce, this kind of threat can have serious consequences. It puts both businesses and their customers at risk.

At Moxso, we help companies stay alert to these evolving threats. The best defense is staying informed, keeping systems up to date, and regularly checking for signs of suspicious activity.

Author Sarah Krarup

Sarah studies innovation and entrepreneurship with a deep interest in IT and how cybersecurity impacts businesses and individuals. She has extensive experience in copywriting and is dedicated to making cybersecurity information accessible and engaging for everyone.
