Being in cybersecurity, we’re currently investigating and testing out all WordPress plugins that implement browser-based cryptocurrency mining. At the time we posted this review, no WordPress plugins are currently doing it right or asking permission.
While not something that we recommend, if it’s done in an opt-in manner, where the site visitor is notified first, and no mining occurs without user permission, that is legitimate.
However, that’s not what this plugin does. This plugin’s implementation is malware. It is a stealth miner, or cryptojacker, because it effectively hijacks the user’s browser for mining and will spike their CPU usage.
Potential users need to be aware that this plugin’s current implementation of JavaScript-based crypto-mining is considered malware by most users, web hosts, cloud security services (WAFs), and anti-virus apps.
There is a rash of these types of stealth miner scripts popping up on sites, and the risks they pose to site owners and visitors are not acceptable.
Most people do not want to have their browsers hijacked for mining cryptocurrency, especially without warning or an option to opt out.
Cloudflare and many other cloud security WAFs and web hosts are kicking off users who run these types of scripts because they are considered malware when there is no transparency to the site visitor.
Google is even planning on adding code to Chrome to block mining scripts like this.
We recommend that all WordPress site owners avoid this type of script/plugin. Users can protect themselves by using browser anti-mining plugins and strong antivirus. Most ad blockers don’t stop most in-browser cryptominers (yet); many are working on adding this. Users need a specific browser add-on for cryptominers like “No Coin” and “minerBlock”, etc. You might want to use a couple, as no single one blocks all of them.