Using special JavaScript injection on Word Press sites with weaker controls, over 2,000 infections were noted in following article.  Website ADMINS should strengthen security and users should exercise caution even when visiting legitimate sites that might seem safe. 

https://arstechnica.com/information-technology/2018/01/more-than-2000-wordpress-websites-are-infected-with-a-keylogger/

More than 2,000 websites running the open source WordPress content management system are infected with malware, researchers warned late last week. The malware in question logs passwords and just about anything else an administrator or visitor types.

The keylogger is part of a malicious package that also installs an in-browser cryptocurrency miner that’s surreptitiously run on the computers of people visiting the infected sites. Data provided here, here, and here by website search service PublicWWW showed that, as of Monday afternoon, the package was running on 2,092 sites.

Website security firm Sucuri said this is the same malicious code it found running on almost 5,500 WordPress sites in December. “Unfortunately for unsuspecting users and owners of the infected websites, the keylogger behaves the same way as in previous campaigns,” Sucuri researcher Denis Sinegubko wrote in a blog post. “The script sends data entered on every website form (including the login form) to the hackers via the WebSocket protocol.”

The attack works by injecting a variety of scripts into WordPress websites. Besides logging keystrokes typed into any input field, the scripts load other code that causes site visitors to run JavaScript from Coinhive that uses visitors’ computers to mine the cryptocurrency Monero with no warning.