This post to Twitter was eerily familiar:
Suffering from a weird virus at our #wordpress site. No problems with direct links, but all change when posted on social media….
Just a few weeks ago, a client e-mailed me about an issue with a site that had been launched only hours before he noticed a problem. When we started the project, I let him know he could expect better search engine placement once the new site had been indexed, and I guess he began checking as soon as the site went live. (Instantly ranking high is not realistic, just so you know!)
While the site had indeed been indexed right away and was appearing in search results, clicking through from Google generated a barrage of spam sites, or a warning from the installed antivirus application, depending upon the PC used to view the site.
What happened? Isn’t WordPress secure?
Before adding human error or lack of knowledge to the equation, WordPress is very secure. An attack from a hacker via the web is less likely than an attack introduced via an infected PC used by a legitimate administrator to update the WordPress site. The latter, in fact, is what happened to my client.
The virus added malicious code into WordPress files that was only triggered when someone visited from Google. In the case of my Twitter friend, it was triggered when visitors clicked on links to his site that had been posted on Facebook and Twitter. If someone simply accessed the site directly – as most administrators do – they wouldn’t notice anything was amiss. Unfortunately, depending on the virus, many of those redirected to rogue sites may have their computers infected before the virus is identified and removed.
How can I keep my WordPress site from being hacked?
I’m a WordPress expert, not a white hat hacker, so don’t assume this is all you ever need to know. But the tips below are your first line of defense. Make sure you:
- Don’t allow ‘admin’ as a user name in your WordPress site. Pick something difficult to guess. If someone has your user name, they’re halfway to gaining access to your site.
- Choose strong passwords that are extremely difficult to guess. Yes, I know this makes them hard for you to remember, but you can use a password app to store them if you need to.
- Don’t use cheap shared hosting; instead, choose managed WordPress hosting from a company with a solid track record. More about why this is important here: Why web hosting companies can get away with murder
- Always update all plugins and themes, even if they’re inactive. Updates aren’t just to add new features. They often fix critical security vulnerabilities. Here’s how to update WordPress and its plugins without the freakout.
- Make sure you have strong, up-to-date antivirus protection on your computer and any other computer that will be used to access your site. Yes, even if it’s a Mac.
- Set up malware scans for your WordPress site that continuously monitor your files for suspicious changes. Wordfence is a great option and even its free level will keep the nasties out (although you should not enable its Live Traffic feature; it’s unnecessary for protection and likely to slow your site performance).
- Set up automatic backups so you can more quickly recover from a data disaster like a virus attack.
- Don’t assume you’re a little guy/girl no hacker would want to bother with. Hackers and spammers use automated scans to find vulnerable sites. They don’t care whether you’re popular or not – only that they can get in via a vulnerable hosting arrangement, plugin or theme.
If you think you’ve been attacked…
A savvy person may be able to handle identifying and cleaning up a virus without paying for outside help. This article from web hosting provider Media Temple outlines the steps you should take.
But honestly, this is not the place to cheap out. If you’re not 100% confident that you can find and eliminate the virus, seek help immediately. The last thing you need on top of a virus attack is to have your reputation ruined by having your site labeled an attack site by search engines.
Also, please be very careful about where you go for help. The client whose site was attacked had hired computer help from an overseas ‘expert’ who actually infected his computer. He thought he was getting a deal on tech support, but wound up paying for it dearly.
I noticed recently that Wordfence offers a reasonably-priced cleanup service. Sucuri is another trusted security-focused outfit offering WordPress website cleanup service. If you don’t have a web pro you can trust, I’d pick one of these two options and let them get on it right away.