If you need help with malware, order that service here. If you’re looking for information, read on:
Do any of the following scenarios sound familiar to you? If so, I think we can find an answer.
1. My readers have let me know that when they click on my site they get a message saying I have a virus. What can I do?
2. What’s wrong? Does this mean I have a virus?!?!
3. Google has blasted my site with the big red warning screen – I’m panicking!! What do I do?
4. How can this happen!?!?
WordPress Security vs. The Bad Guys
Imagine a huge plate of spaghetti noodles piled high on a serving platter. For our illustration that will represent the internet.
“Malware” is simply anything that does harm to your particular noodle.
Malware is not looking for your noodle in particular. It is simply looking for any website with a vulnerability.
My point is that it isn’t personal – this is not a targeted attack destined to do your noodle damage, although it can feel like it.
Is WordPress Secure?
If a celebrity gets a cold we all need to know about it. If you or I catch a cold, it isn’t really newsworthy. Somehow, the more popular you are, the more gratifying it is to find your weaknesses. The same is true for WordPress – it is insanely popular. So there are some who find it somehow entertaining to challenge the security of it.
On the flip side, because it is so huge, and because WordPress is ‘open source’, it’s backed by hundreds of developers and thousands of contributors all making it better and more secure by the day.
Literally – by the day. It’s mind-boggling.
So is it secure? I see it like a race. Just as fast as the evil minions can come up with malware, WordPress is fighting to become impenetrable. And yes, I’m betting on WordPress and a few best practices: see below.
Back Doors: escaping unscathed
Have you seen the movies with the teenage boy climbing out the top floor window of his girlfriend’s bedroom? It’s dark. A twig snaps. Shortly after, Daddy comes out the front door with a shotgun. We root for the fellow to escape unharmed and true love to prevail. I always picture this scenario when talking about Back Doors. Except we’re not letting an unsung hero escape our bedroom window, we’re letting a virus out and leaving an opening for him later.
Back doors – these are the pieces of code that leave little holes for the malware to come back later. It’s essential you get these out of your website.
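Because a back door is just a file (or a few lines added to a legitimate file) that gives the attacker a way back in, cleaning one out starts with finding it. The Python scanner below is an added example written for this page, not code from the original post or from any product it mentions. It walks a WordPress install, reads every `.php` file and flags the handful of constructs that show up again and again in back doors but almost never in honest plugin code: running decoded blobs through `eval`, the `/e` modifier of `preg_replace`, request parameters called as functions, and shell commands fed straight from request data. The pattern list and the two sample files are constructed for the example; they are a starting point for triage, not a complete signature set.

```python
"""Scan a WordPress tree for code constructs typical of PHP back doors.

Added example for this page; the rule set below is a constructed starting
set, not an exhaustive or authoritative list of malware indicators.
"""
import os
import re
from typing import List, Tuple

# Rule name -> regex. Each one matches a construct that legitimate WordPress
# code almost never needs but obfuscated loaders and back doors rely on.
SUSPICIOUS_PATTERNS = {
    "eval of decoded blob": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    ),
    "preg_replace with /e modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]/.*?/[a-zA-Z]*e['\"]"
    ),
    "request parameter called as a function": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("
    ),
    "shell command built from request data": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"
    ),
}

# (file name, line number, rule name, offending line)
Finding = Tuple[str, int, str, str]


def scan_source(source: str, name: str) -> List[Finding]:
    """Return one finding per (line, rule) hit in a single PHP source text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS_PATTERNS.items():
            if pattern.search(line):
                findings.append((name, lineno, rule, line.strip()))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Scan every .php file below root (wp-content/uploads included,
    because PHP files there are a red flag on their own)."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if filename.endswith(".php"):
                path = os.path.join(dirpath, filename)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


# Constructed sample of an obfuscated loader of the kind a cleanup turns up.
# The base64 blob decodes to the harmless string "foo".
SAMPLE_SUSPICIOUS = """<?php
// constructed: decodes and runs a hidden payload
eval(base64_decode('Zm9v'));
preg_replace('/.*/e', $_POST['x'], '');
"""

# Constructed sample of ordinary plugin code: it decodes stored settings but
# never executes them, so the scanner should stay quiet.
SAMPLE_CLEAN = """<?php
$settings = json_decode(base64_decode(get_option('my_plugin_opts')), true);
echo esc_html($settings['title']);
"""


if __name__ == "__main__":
    import sys

    # Usage: python scan_backdoors.py /path/to/wordpress
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, lineno, rule, text in scan_tree(root):
        print(f"{path}:{lineno}: {rule}: {text}")
```

Treat every hit as a lead, not a verdict: a few legitimate plugins do decode base64, so compare any flagged file against a pristine copy from wordpress.org (WP-CLI’s `wp core verify-checksums` does this for core files) and look at file modification times around the date the warnings started. Also remember that a back door is only useful to the attacker together with the credentials and outdated code that let them in, so a cleanup that stops at deleting the file will be repeated.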
Best Practices for WordPress Security
Items for your geeky brother/sister/husband/wife: Make sure your computer is secure (use anti-virus software, use 2 if possible). Make sure your network is secure (use a firewall).
Items for you: Passwords need to be changed and random: admin users, FTP users, MySQL users.
Make sure all your passwords are randomly generated.
Since starting this business almost 10 years ago, I have seen thousands of passwords. Have you heard that most people use passwords like their names, children’s names, birthdays, and words like “adm1n” and “passw0rd”? Let me confirm that that statement is 100% correct! You would not believe the number of insecure passwords I’m given on a daily basis.
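The two habits above (“adm1n”, “passw0rd”, names and birthdays) are exactly what a password checker should catch, and “randomly generated” means generated from the operating system’s secure random source, not typed by a human trying to look random. The Python below is an added example for this page, not code from the original post: it generates passwords with the `secrets` module and flags the weak ones by undoing leetspeak substitutions, stripping the trailing digits people append, and comparing against a deny-list plus a caller-supplied list of personal words. The deny-list is a constructed stand-in; a real check would use a breached-password list such as the Have I Been Pwned set.

```python
"""Generate random passwords and flag weak ones.

Added example for this page. COMMON_PASSWORDS is a constructed stand-in for a
real breached-password list.
"""
import secrets
import string
from typing import Iterable, Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 16

# Constructed deny-list; swap in a breached-password list in production.
COMMON_PASSWORDS = {
    "password", "admin", "123456", "qwerty", "letmein", "welcome", "wordpress",
}

# Undo the substitutions people believe make a word hard to guess.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(text: str) -> str:
    """Lower-case and reverse leetspeak so 'Passw0rd' compares as 'password'."""
    return text.lower().translate(LEET_MAP)


def weakness(password: str, personal: Iterable[str] = ()) -> Optional[str]:
    """Return a reason the password is weak, or None if no rule fires.

    personal: names, birthdays and other words tied to the account owner
    (for a WordPress site: the admin's name, the site name, and so on).
    """
    norm = normalize(password)
    # "Passw0rd2024!" -> "Passw0rd" -> "password": trailing digits and
    # punctuation are stripped before the leet reversal so they cannot
    # mask the underlying word.
    stem = normalize(password.rstrip(string.digits + string.punctuation))
    if norm in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        return "common password (leetspeak and trailing digits do not help)"
    for word in personal:
        w = normalize(word)
        if len(w) >= 3 and w in norm:
            return f"contains personal information ({word!r})"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def generate_password(length: int = 24) -> str:
    """Draw every character from the OS CSPRNG via secrets, never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs of the kinds the post describes.
    owner_words = ["Jenny", "1984"]
    for candidate in ["adm1n", "Passw0rd2024!", "xkT9!Jenny1984qqLLpp", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {weakness(candidate, owner_words) or 'ok'}")
    fresh = generate_password()
    print(f"generated: {fresh!r}: {weakness(fresh, owner_words) or 'ok'}")
```

Use a different generated password for each of the three accounts the post lists (WordPress admin, FTP, MySQL) and keep them in a password manager; reusing one across them means a leak of any one of them hands over the others.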
Items you might want help with: Make sure your WordPress, Plugins, and Themes are all updated and from reputable sources (use as few as possible). See our WordPress Upgrade Page for details.
78% of malware cases can be attributed to outdated WordPress or plugins! (source)
#1 Tip for WordPress Security
Let us monitor, upgrade, backup and secure your site. Plus have a geeky girlfriend available any time you need answers! Check out our full VIP service here.
Further reading:
Great post, I’m glad there are people blogging about Malware and Injections through WordPress in order to get the word out. WordPress, out of the box, really isn’t secure. However that doesn’t mean that you shouldn’t be using it.
I personally love building in WordPress because of the amount of people we can reach with our services, like many others. WordPress is a huge community – however with that being said there are a large percentage of users that unfortunately do not have any security or know what to do when being attacked.
Sucuri is great for cleaning out malware and infected servers. $90 is very inexpensive once you’re infected, however just the pain of having to deal with hiring someone can be nerve-wracking.
We’ve come out with (about to launch in a day) a great WordPress Security plugin that can prevent a lot of hackers and bots from taking over someone’s site. We all know there are many preventative measures that we can take to protect our sites, but many users simply don’t know or can’t afford to hire someone to do this for them.
Being able to change your database table prefix on the fly, change your admin username, create a custom login URL (that disables the default wp-admin & wp-login.php URLs), enable HTTP Authentication and so much more.
You can get more info at http:// lockerpress.com
Thank you for your comment! The link has been removed, but we can copy/paste it! I’ll look into your LockerPress plugin – sounds good!
Great post… and a good list of things to do to secure your WordPress…
We had some issues ourselves on our sites, and in the end we compiled an extensive checklist of items you need to do to secure your WordPress site…
It should be good for relatively non-technical WordPress users too…
And it can be downloaded for free from our site http://www. wpsecuritychecklist.com
Maybe your readers can benefit from the checklist too…
Thank you for the checklist – I’ll definitely check that out!
I have WP site owners come to us frequently. As your source states, most of these are due to outdated WP installations.
A major issue is plugins. I have seen several plugins that include other code. While the plugin author may update their code, they do not update the included code. This was certainly the case with the TimThumb hack (http://www. wpbeginner .com /wp-tutorials/how-to-fix-and-cleanup-the-timthumb-hack-in-wordpress/).
One tip I offer here (http: //www.rackaid .com/ resources/wordpress-tips/) is to pick popular plugins that are updated regularly. Don’t use obscure plugins that do not have regular updates. Doing this and keeping your WP up to date will save a lot of trouble.
If you have multiple WP installs, check out http:// www. managewp.com/
Lastly, I am experimenting with WPScan – a WP specific security scanner – and will post results to our blog.
I think:
– Running WP under mod_ruid, fast-cgi, SuPHP to assure the WP install runs under the user ID
– Using good passwords
– Keeping things updated
– WPscans regularly or after any plugin/coding/theme changes
– W3TC for performance
This list really lays a great foundation for operating WP.
Thank you – for the additional things – WPScans (we use ManageWP for all our clients, and Sucuri has a server-side plugin that I recommend now). The links have been removed, but we’ll copy/paste them!