WordPress, as a platform, is more secure than many others. However, there are always vulnerabilities in any service you use. The more popular a platform is, the more likely that people are going to try and crack its defenses.
When it comes to WordPress, malware is one of your biggest concerns as it can affect your website in a variety of ways. If you don’t know how it works, it can also be hard to protect your website against it. In this article, we’re going to talk more about malware and WordPress security. We’ll also discuss some of the most common types of WordPress malware and how they can affect you.
Let’s get to it!
The State of WordPress Security
WordPress is the most popular Content Management System (CMS) on the web. Popularity has many perks, but it also comes with a few downsides. For example, studies show that over 70% of WordPress websites are vulnerable to security breaches in one way or another.
However, the problem with WordPress doesn’t lie in faulty code or lousy security practices by its developers. In fact, the platform is remarkably secure. The real issue is that no two WordPress websites are the same.
In most cases, you’ll use a unique combination of themes, plugins, and custom code to power your WordPress website. Plugins and themes, in particular, are prone to security vulnerabilities, which is one of the reasons they require constant updates. If you fail to update your site’s components, you’re exposing the entire operation to breaches.
When you combine the vulnerabilities of third-party elements with user error, such as re-using passwords, not taking advantage of two-factor authentication, and more, you end up with a system with many attack vectors. This means you need to follow best practices if you want your website to remain secure. Here are some examples:
- Only use trustworthy plugins and themes. In most cases, you should avoid themes with few reviews and installations, as well as those that haven’t been updated for a while.
- Always update your site’s elements. Failing to update every aspect of your site exposes it to potential malware infections.
- Use a secure password. Use complex passwords that mix letters, numbers, and symbols if possible. We also recommend that you use a password manager to make your life much easier.
- Scan your website for malware. Just as you do with your computer, you should also scan your website for malware from time to time.
- Back up your site regularly. If something goes wrong, the easiest way to restore your website to a pristine state is through a recent backup.
Websites require protection and t can take a bit of work to follow good security practices. However, once you get accustomed to them, they’ll become second nature and worrying about WordPress malware should be a thing of the past.
An Introduction to Malware
Malware is a broad term that encompasses several types of malicious software. For example, viruses are a subset of malware that stands out due to their infectiousness and intent to spread to as many systems as possible. However, malware can also be malicious code used to infect a single system or application.
When it comes to websites, malware will usually try to take control of some key functionality. For example, the most aggressive kind of WordPress malware focuses on infecting the devices of those that visit a site. Others might just replace part of your content, or perform smaller changes that can go unnoticed unless you’re on the lookout for them.
Statistics show that about 1% of all websites are actively infected with malware at any time. However, in most cases malware won’t ‘break’ your website or render it inaccessible. This is because attackers need your website to work for them to accomplish whatever the malware’s goal is. That works in your favor as you have the power to fix things if your WordPress website is currently infected. Let’s now look at some of the ways such an infection might affect your site.
3 Ways Malware Can Affect Your WordPress Website
Malware is always evolving, so talking about specific types of malicious code is complicated. Instead, we’re going to focus on how malware most commonly affects your WordPress website and how you can protect it.
1. Damage Your Search Engine Optimization (SEO)
Most of us spend a lot of time working on our website’s SEO. In some cases, malware can undo a great deal of that effort by using your website to spam links to other domains.
This works by using malware that infects your site and replaces your outbound links so that they navigate to domains they want to boost. It’s a ‘blackhat’ approach to link building that may get those sites a quick boost, but it can also impact your SEO negatively. In some cases, malware can also set up dummy pages filled with keywords to attract visitors, which then lead them somewhere else. Both these practices are frowned upon by search engines, and the effects to your SEO can be long-lasting.
This type of attack can be hard to detect unless you inspect your outbound links periodically. Many websites contain hundreds, if not thousands, of external links throughout their articles. With that in mind, the smartest thing you can do is set up a tool such as Google Analytics, which enables you to monitor outbound links and see where your visitors are going. Using Google Analytics, you can also check out which keywords are leading users to your website.
If you start seeing keywords unrelated to your niche, that you didn’t put there, chances are there’s something funny going on with your site. In those cases, your best is to restore your website to a previous backup. You should also go ahead and change your WordPress password and update your SALT keys, in case your account has been compromised. Enabling two-factor authentication can’t hurt either to further protect your site.
2. Illegally Mine Cryptocurrency
Cryptocurrencies are a hot topic these days, and it’s not surprising that malware developers have also jumped onto the craze. You’ve probably heard about crypto lockers, which are one of the most popular types of malware nowadays. However, you might not know that some malware can infect your website and use your visitor’s browsers to mine cryptocurrency.
The good news is this type of attack is rather inefficient, in the sense it probably won’t impact the performance of your visitor’s devices significantly. However, there’s been a lot of backlash against sites found to have included this functionality without alerting visitors. That means you risk losing your user’s trust if they find out your website is using them to mine cryptocurrency, even if it was unintentional on your part.
When it comes to protecting your website against this type of malware, your best bet is to set up a comprehensive security plugin. For example, Sucuri Security can help protect you against malware that attempts to inject such code on your website:
Fortunately, since this type of attack is currently in the spotlight, security plugin developers are working hard to protect against them. As long as you are using one of the top WordPress security plugins, you should be safe.
If you want to go the extra mile, we also recommend setting up a security log tool. This type of plugin can help you keep track of when someone makes changes to your WordPress core files and other types of security events. If you keep an eye on your logs, you should be able to spot any security issues. This enables you to fix them long before they can have a significant impact on your website.
If there’s one thing worse than WordPress malware that adds spam links to your website, it’s infections that redirects visitors to other websites. There are several variants of this type of malware. In some cases, the malicious code may redirect users to an unsecured copy of your website, hoping to get their personal information. Other variants simply lead users towards other websites, as a way to get them more traffic.
In any case, search engines take this seriously and they may decide to display warnings when someone tries to access your website. Here’s such an example:
There are few things worse for organic traffic than having search engines warn visitors away from your site. When you run into an infection of this magnitude, your best approach is to restore your website to a previous backup you know to be clean. You should also check your site for vulnerabilities and reset your password.
Once that’s done, you’ll have to submit your site for review – at least with Google – so they can double-check your website is safe again. It can take a while until your website’s SEO ranking recovers after dealing with this type of malware, so be patient!
There are several types of malware, which means it can affect your WordPress website in a variety of ways. Most often, malware won’t crash your website entirely, but it will affect its functionality in more subtle, insidious ways. An infection can have long-lasting negative effects on your site, such as taking its SEO.
When it comes to WordPress malware, here are three of the most common types of infections you’ll run into:
- SEO spam: This type of malware fills your website with spam links to other pages.
- Cryptocurrency mining: This uses your visitors’ browsers to mine cryptocurrency.
- Unauthorized redirects: This points your visitors to an external or unsecured page.
Do you have any questions about how to avoid WordPress malware? Let’s talk about them in the comments section below!
Article thumbnail image by Jane Kelly / shutterstock.com
There is a 4th type of malware infection. We have seen websites turned into spam emailers. The company will get a notice that they have max’ed out the number of files on their hosting plan from the email bounce backs. We usually install Wordfence after a website clean-up with strict Firewall protection. The other way is to whitelist 2-3 IP addresses and deny all other traffic to the wp-login.php
Nicely balanced, sane piece. Thank you.
Fully managed WordPress hosting from a reputable company where they have a multiple layered security (typically 5-8 layers) plus, good hygiene on the part of the site owner/operator is a must for any site that doesn’t have a qualified administrator. As a security professional I can attest that more than 50% of the sites that we move to our servers have either active malware, malware remanent or serious security issues.
Folks are too used to these large mega hosts that really don’t offer good pro-active support and full-fledged security. They say they are fully managed but to scant little then soak you when you finally figure out you’ve been hacked. If you are serious about your site you need an administrator who will regularly review your security implementation and make all of the changes need to ensure maximum uptime.
Malware is a reality and dealing with it can get frustrating and expensive. Example, Bluehost just shut down a clients entire account because apparently all their sites were compromised and had been for a year. Bluehost offers a service that costs $300 plus a month from a third party vendor and my client was livid!
To users who are victims of malware and are being shut down by your host or being held hostage by expensive fixes and security plans, I will give you my go to fix contact. I know the terms of posts in here should not be promoting other businesses but I don’t make any money by doing this, and this service has saved me and my clients from certain doom and expensive fixes. Google “We Watch Your Website” it’s a business run by a great guy named Thomas J. Raef. I can’t stress how affordable it is to use his service, and how incredibly powerful his security software, patching and audits are.
For you guys who manage mom and pop blogs or enterprise sites on a VPS or shared host provider, Thomas has the best solution for you.
Also, keep your sites updated!