BabaYaga Malware

How to Find out if Your WordPress Site is Infected With BabaYaga Malware

What is BabaYaga Malware?

BabaYaga Malware is the latest WordPress malware causing a stir. It is believed to be run by Russian-speaking hackers and is named after a mythical Slavic creature. It is a sophisticated piece of malware that attacks other malware.

BabaYaga malware is embedded within websites via two modules. One is a backdoor module that creates and maintains access and also performs the infection. The other is the spam module, which injects the spam and generates the spammers’ revenue.

Spam content is inserted to load pages with a large number of keywords with the aim of attracting search engine traffic to those pages. These pages then redirect visitors to affiliate marketing links that make the hacker a profit.

What sets BabaYaga apart from other malware is the recent updates it has received. The malware contains code that removes other malware from the site it has infected; this is to ensure that it is only compromising error-free sites. Furthermore, the malware can not only update WordPress but also re-install it, which makes it self-preserving. Plus, it automatically downloads the latest version of itself.

Although BabaYaga is mainly a WordPress malware, it can also infect Joomla and Drupal sites as well as generic PHP sites.

3 Ways to Detect BabaYaga Malware

BabaYaga is an extremely difficult malware to detect. We first recommend asking your host to do a full virus scan of your website. If they are unwilling to assist, then here are three ways to detect BabaYaga Malware:

  1. Log in to Google Analytics. Pay attention to where your site traffic is coming from. A significant amount of traffic from unusual services and to unusual pages may suggest the site is infected with BabaYaga.
  2. See if your server is contacting the following IPs: or, if it is, it is a good indication that there is BabaYaga malware on your WordPress site.
  3. Go to Google and type in “site:”. This will show all of the pages on your site. If you find pages you didn’t create, then your WordPress site is possibly infected with BabaYaga.
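
One way to run the traffic check from steps 1 and 3 against your own web server access log is sketched below. This is an added example, not part of the original article. It assumes the Apache/nginx "combined" log format; the known-page list, the search-engine name list and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" log format is assumed; adjust the pattern to your server.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')
# Assumed heuristics: search-engine names in the referrer host, static file types to skip.
SEARCH_NAMES = {"google", "bing", "yandex", "duckduckgo", "yahoo"}
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".gif", ".svg", ".ico", ".woff2")

def is_search_referrer(referer):
    host = (urlsplit(referer).hostname or "").lower()
    return any(label in SEARCH_NAMES for label in host.split("."))

def unknown_landing_pages(log_lines, known_paths):
    """Rank paths you did not create that receive search-engine traffic."""
    known = {p.rstrip("/") or "/" for p in known_paths}
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "GET":
            continue
        path = urlsplit(m["target"]).path
        norm = path.rstrip("/") or "/"
        if norm in known or path.lower().endswith(STATIC_EXT):
            continue
        # Spam pages either render (2xx) or redirect the visitor onwards (3xx).
        if m["status"][0] in "23" and is_search_referrer(m["referer"]):
            hits[norm] += 1
    return hits.most_common()

# Constructed sample data: paths the owner published, and seven log lines.
KNOWN_PATHS = ["/", "/about/", "/contact/", "/blog/hello-world/"]
_T = '- - [01/Jan/2024:10:00:00 +0000]'
SAMPLE_LOG = [
    f'203.0.113.7 {_T} "GET /about/ HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0"',
    f'203.0.113.8 {_T} "GET /cheap-essay-writing-x7/ HTTP/1.1" 302 0 "https://www.google.com/search?q=essay" "Mozilla/5.0"',
    f'203.0.113.9 {_T} "GET /cheap-essay-writing-x7/ HTTP/1.1" 302 0 "https://www.bing.com/search?q=essay" "Mozilla/5.0"',
    f'203.0.113.10 {_T} "GET /best-pills-online-q2 HTTP/1.1" 200 9000 "https://yandex.ru/search/?text=pills" "Mozilla/5.0"',
    f'203.0.113.11 {_T} "GET /wp-content/themes/x/style.css HTTP/1.1" 200 100 "https://example.com/about/" "Mozilla/5.0"',
    f'203.0.113.12 {_T} "GET /old-page/ HTTP/1.1" 404 0 "https://www.google.com/" "Mozilla/5.0"',
    f'203.0.113.13 {_T} "GET /random/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, count in unknown_landing_pages(SAMPLE_LOG, KNOWN_PATHS):
        print(f"{count:4d}  {path}")
```

Build the known-page list from your own sitemap or CMS export. Any path this reports is one to inspect by hand, since legitimate pages missing from the list will also appear.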

What to do if your WordPress site has BabaYaga Malware

If you believe that your WordPress site has been hacked by BabaYaga malware we suggest that you take action immediately. You will need to de-hack your site as soon as possible. You can also upload a clean backup of the site.

CuroHosting offer a free website de-hack which you can find more information about here.

If you have not been hacked by BabaYaga we recommend taking preventative action to ensure a hack does not occur. This can be done by limiting the number of login attempts allowed on your site, for example.