Malware and WordPress: What you need to know

Working in the web design industry for as long as we have, we’ve seen our fair share of mishaps, hacks, malware injections, etc. It can be devastating as a website owner to be trying to recover from a hacked website – especially when you’re making a living online. If you haven’t already noticed, this website is developed on WordPress (and it is our favourite CMS to develop with). However, when it comes to securing our sites and making sure we are ready for anything, we turn to a service called Code Garage.

We’ve invited owner, Peter Butler, to share a bit of information on the topic of malware and WordPress. Peter runs a suite of services for WordPress site owners at CodeGarage.com – including a WordPress hack cleanup service, and a managed WordPress backup service.

If you have any questions for Peter or want to connect with him you can find him on Twitter @peterbutler.

Enter Peter

Long gone are the days when not worrying about malware was an option for website owners and other web professionals. Malware is big business, and it’s potentially devastating to a site or business caught off guard. At the very least, everyone involved with the web professionally needs a basic understanding of this seedy dark side of the internet.

What is Malware?

In the context of this post, malware is any uninvited code on a web server. The goal of this unwanted code is varied – it could be to lure away traffic by redirecting visitors to another site, it could be trying to trick unsuspecting visitors into downloading adware or malicious key logger scripts, or it could even be used to spew political messages. Whatever the case, it’s not conducive to the normal flow of business.

How does it get on my site?

When first presented with the fact that they’ve been hacked, most site owners assume someone has somehow guessed their password. While this certainly does happen, in my experience, it doesn’t happen very often. It’s generally much easier to find a vulnerable piece of code on a site, and exploit it in a way that eventually grants access to the files on a server. Last year, the very widely used TimThumb script was exploited in this way on thousands – perhaps millions – of sites across the internet.

Because of widespread and relatively common attacks, people often assume that WordPress itself is insecure. The reality is quite different: an up to date, vanilla version of WordPress is very, very rarely the source of a significant vulnerability leading to an intrusion. However – WordPress has a robust ecosystem of third party themes and plugins. These code packages, while generally developed with the best intentions, are often the source of significant vulnerabilities, and are most commonly to blame for hacked websites.

What can I do to stay safe?

The first, and most important thing to do is keep software up to date. WordPress routinely releases security updates that close up any vulnerabilities that are found. Plugins and themes do the same – when a vulnerability is found, the developer patches it, and releases an update. Staying up to date with these updates means you’ll only ever be vulnerable to attack between the time that a hacker finds a vulnerability and the developer is notified and releases an update.

There’s more that can be done, however:

  1. Avoid addon domains wherever possible. They open your site up to cross site contamination (where one site is hacked, and the hacker immediately has access to all of the other sites on the account).
  2. Use as few plugins as possible. Plugins and themes are the most common sources of vulnerabilities – so the fewer on your server, the better. If you’re not sure if a plugin is necessary, err on the side of caution and get rid of it. If you really need it, you can always reinstall.
  3. Delete any plugins/themes you’re not currently using. Even deactivated plugins/themes can be exploited by hackers. [Adam’s note: this is extremely important and one of the leading causes of hacks we see, since it’s so easy to forget about old, outdated themes and plugins!]
  4. Back up. The reality is that you will likely face a hack at some point. Hacks generally don’t damage a site beyond repair, but there are occasions where that happens. Recognizing that your site is never truly safe also forces you to recognize that you need a good offsite backup system in place.
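
To act on items 2 and 3, here is an added example (not Code Garage's own tooling): a Python script that inventories a `wp-content/plugins` directory by reading each plugin's header comment and lists the plugins that are installed but not active. The sample tree and the `active` set are constructed for illustration; on a real site the active list is assumed to come from the `active_plugins` option.

```python
import re
import tempfile
from pathlib import Path

# WordPress finds plugin metadata in a header comment within the first 8 KB
# of the plugin's main PHP file ("Plugin Name:", "Version:", ...).
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_header(php_file):
    """Return the header fields if the file carries a plugin header, else None."""
    text = php_file.read_text(errors="replace")[:8192]
    fields = {k.lower(): v.rstrip(" */") for k, v in HEADER.findall(text)}
    return fields if "plugin name" in fields else None

def inventory(plugins_dir, active):
    """List installed plugins; `active` holds paths relative to plugins_dir,
    the form WordPress stores in its active_plugins option."""
    root = Path(plugins_dir)
    found = []
    # Main plugin files sit at the top level or one directory down.
    for php in sorted(list(root.glob("*.php")) + list(root.glob("*/*.php"))):
        meta = read_header(php)
        if meta:
            rel = php.relative_to(root).as_posix()
            found.append({"file": rel, "name": meta["plugin name"],
                          "version": meta.get("version", "unknown"),
                          "active": rel in active})
    return found

def removal_candidates(plugins_dir, active):
    """Plugins that are deactivated but whose code is still on the server."""
    return [p["file"] for p in inventory(plugins_dir, active) if not p["active"]]

def demo():
    # Constructed sample tree, not taken from a real site.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for slug, name, ver in [("gallery", "Sample Gallery", "1.2"),
                                ("old-slider", "Old Slider", "0.9")]:
            (root / slug).mkdir()
            (root / slug / f"{slug}.php").write_text(
                f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
            (root / slug / "helper.php").write_text("<?php // no header\n")
        return removal_candidates(root, {"gallery/gallery.php"})

if __name__ == "__main__":
    print(demo())
```

The version column from `inventory()` can be compared against each plugin's current release to spot anything that has fallen behind on updates.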
