The WordPress (WP) platform is open source, meaning that anyone can contribute content to it. Unfortunately, this also means that the platform is a common target for hackers.
In a sobering analysis of searchable WP themes, Chip Bennett found that only 4 out of 30 themes were truly legitimate WP themes (i.e., contained the WP trademark) and free of spamware/malware/trademark violations. The remaining 26 themes contained spam/SEO links and malicious encoding, among other troubling indicators.
The most common route for an attack is through code add-ons such as plugins and themes. Such elements are easy to create, even for novice developers, and then outfit with malicious code that accesses your admin area, phishes for passwords and other sensitive information, obtains backlinks from your site, adds advertisements and banners, creates redirects to spam sites/links, or simply shuts down your entire website.
You might assume that any plugin or theme added to the WP database is checked for malware by site administrators. For any new piece of code, this is indeed the case.
However, these checks don’t happen when an already approved plugin/theme is updated. So, what’s to stop an industrious hacker from initially contributing a useful WP plugin/theme, and then updating that plugin/theme with malicious code?
In short, nothing.
It’s up to you to take the necessary precautions to ensure that your website or blog isn’t compromised by malware, worms, trojans, etc. that are potentially lurking in your WP downloads. Luckily, there are many online resources available, and quite often they’re free too.
Here are some steps you can take to protect your WP site from hacks and malware attacks:
1. Install a firewall.
A firewall is defined as a security feature that monitors, reports and filters traffic between a secure network, such as your website, and an outside network, such as the Internet. The filtering process is built up over time (i.e., “hardening”) as the user sets up security rules for the firewall to follow.
There are several excellent (and free) firewall software programs. Wordfence Security is one such program: this plugin not only scans your basic WP files, but also maintains a log of your website’s code changes and offers suggestions on how you can harden your site to make it more secure.
Shield WordPress Security is another free firewall program that you can use to harden your site and specifically block IP addresses of spammers and hackers.
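The firewall rules the article talks about have to come from somewhere. The script below is an added example (not code from the article, Wordfence or Shield): it counts failed login attempts per client IP in a standard combined-format web server access log and renders an Apache 2.4 deny rule for wp-login.php from the offenders. The log lines and the threshold used in the demo are constructed; the log path and the threshold are whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the article or from any WP plugin.
# Counts failed login attempts per client IP in a combined-format
# (Apache/Nginx) access log and renders an Apache 2.4 deny rule for
# wp-login.php. The demo log lines and threshold are constructed.

# Print "IP count" for each client that POSTed to wp-login.php and got a
# 200 response more than $2 times in log file $1. WordPress answers a
# failed login by re-rendering the form (HTTP 200), while a successful
# login redirects (HTTP 302), so a 200 after POST is a usable failure signal.
failed_login_offenders() {
    logfile="$1"
    threshold="$2"
    awk -v t="$threshold" '
        # combined log format: $1 client IP, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print ip, n[ip] }
    ' "$logfile" | sort
}

# Read "IP count" lines on stdin and emit an Apache 2.4 block that keeps
# wp-login.php reachable for everyone except the listed addresses.
deny_rules_htaccess() {
    printf '<Files "wp-login.php">\n    <RequireAll>\n        Require all granted\n'
    while read -r ip count; do
        printf '        Require not ip %s\n' "$ip"
    done
    printf '    </RequireAll>\n</Files>\n'
}

# Constructed sample log: 203.0.113.7 fails four times, 198.51.100.2
# logs in normally (302 then a GET of wp-admin), 198.51.100.9 fails once.
demo_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.81"
EOF
}

# Usage on a real server (paths and threshold are examples):
#   failed_login_offenders /var/log/apache2/access.log 20 | deny_rules_htaccess
# Review the output, then place it in the site's .htaccess or an Apache
# config include; re-run it from cron to keep the list current.
```

A threshold of 20 over a day's log is a reasonable starting point; legitimate users mistype a password a few times, not dozens. The same "IP count" output can just as well feed an nftables or iptables set if you prefer to block at the network layer rather than in Apache.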
2. Scan your site periodically.
Hackers will typically not announce their ‘burglarizing’ activities. Instead, you’ll eventually notice that certain online features of your website/blog are non-functional, or that your site has been blacklisted from search engines due to its spamming of other sites.
You should perform periodic scans of your website to determine if it’s been compromised. To this end, there is Sucuri, which offers both a free and paid version of its WP security scanner.
The free version of the scanner is run remotely: you type in the URL of your website and Sucuri checks for threats and questionable activities.
In the paid version of the scanner, Sucuri monitors your website 24/7 and blocks IPs that are trying to compromise your website. They’ll also help clean up your site of malware.
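A remote scanner sees only what your site serves; a local check of the files on disk catches the quiet changes the article describes (edited plugin files, injected spam links, PHP dropped into the uploads folder). The script below is an added example, not code from the article or from Sucuri: it takes a sha256 baseline of every file under the WordPress root, diffs a later snapshot against it, greps PHP files for the eval/decode idioms typical of injected code, and flags PHP files under wp-content/uploads, which should hold media only. The demo site tree, the "update gone wrong" it injects, and the tiny base64 payload are all constructed; real paths are whatever you pass in.

```shell
#!/bin/sh
# Added example, not code from the article or from any WP scanner.
# Local file-integrity and suspicious-pattern checks for a WordPress
# root. Assumes coreutils sha256sum, find, diff and grep; paths without
# spaces. The demo site and its injected changes are constructed.

# Write "hash  ./relative/path" for every file under $1, sorted so that
# two snapshots of the same tree diff cleanly. Store the output somewhere
# the web server cannot write to (not inside the WordPress root).
snapshot_tree() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do sha256sum "$f"; done)
}

# Compare directory $2 with a baseline written by snapshot_tree ($1) and
# print the relative path of every added, removed or modified file.
changed_files() {
    snapshot_tree "$2" | diff "$1" - | grep '^[<>]' | awk '{print $NF}' | LC_ALL=C sort -u
}

# List PHP files under $1 that feed base64/gzip/rot13-decoded text to
# eval(): a signal to inspect by hand, not proof of compromise.
scan_suspicious() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' {} + | LC_ALL=C sort
}

# List PHP files under the uploads directory of WordPress root $1.
# Uploads should contain media only, so any hit deserves a look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | LC_ALL=C sort
}

# Constructed demo: a tiny "site" with a clean config and one clean plugin.
make_demo_site() {
    mkdir -p "$1/wp-content/plugins/demo" "$1/wp-content/uploads/2023"
    printf '<?php\n$table_prefix = "wp_";\n' > "$1/wp-config.php"
    printf '<?php\n/* Plugin Name: Demo */\nfunction demo_footer() { echo "demo"; }\n' \
        > "$1/wp-content/plugins/demo/demo.php"
}

# Constructed demo of what a bad update can leave behind: a spam link
# appended to the plugin and an obfuscated PHP file dropped into uploads
# (the payload only decodes to the string "hi").
inject_demo_changes() {
    printf 'echo "<a href=\\"http://spam.invalid/\\">visit us</a>";\n' \
        >> "$1/wp-content/plugins/demo/demo.php"
    printf '<?php eval(base64_decode("aGk="));\n' \
        > "$1/wp-content/uploads/2023/cache.php"
}

# Usage on a real server (paths are examples):
#   snapshot_tree /var/www/html > /root/wp-baseline.txt      # right after a clean install/update
#   changed_files /root/wp-baseline.txt /var/www/html        # from cron, e.g. daily
#   scan_suspicious /var/www/html; php_in_uploads /var/www/html
```

Re-take the baseline immediately after every update you made yourself, so that the diff only ever shows changes you did not make. The pattern grep will also hit a few legitimate plugins that obfuscate their own code, which is itself a reason to look at them more closely before trusting them.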
3. Back up your site just in case.
As your website develops and traffic to it increases, something bad may inevitably happen. To safeguard yourself from the total loss of your website/blog, you should perform a weekly (or even daily) website backup. To this end, you can use CodeGuard, a backup service that saves your site information and notifies you of any changes to content/code. A basic plan for one website is just $5/month.
If you’re looking for a completely free software program, you can’t go wrong with BackUpWordPress. Keep in mind that this plugin requires PHP version 5.3.2. Once you install this program, you can schedule it to back up your site whenever you wish.
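If you would rather not depend on a plugin for the copy that is supposed to save you when the site itself is compromised, the same job is a short script run from cron outside WordPress. The one below is an added example, not code from the article, CodeGuard or BackUpWordPress: it archives the WordPress root into a timestamped tar.gz, writes a sha256 checksum beside it, keeps only the newest N archives, and can verify and restore an archive. The demo site tree is constructed; the backup directory and retention count are arguments. The database dump that a complete WP backup also needs (for instance a mysqldump of the WordPress database) is deliberately left out so the example runs offline.

```shell
#!/bin/sh
# Added example, not code from the article or from any backup product.
# File-level WordPress backup with checksums, rotation, verify and
# restore. Assumes tar, sha256sum and coreutils; keep the backup
# directory outside the WordPress root so tar never archives itself.

# backup_site SITE_ROOT BACKUP_DIR KEEP [STAMP]
# Archives SITE_ROOT, keeps the newest KEEP archives and prints the new
# archive's path. STAMP defaults to the current UTC time; the override
# exists only so callers (and tests) can force a fixed name.
backup_site() {
    site="$1"; dest="$2"; keep="$3"
    stamp="${4:-$(date -u +%Y%m%dT%H%M%SZ)}"
    mkdir -p "$dest"
    name="wp-backup-$stamp.tar.gz"
    tar -C "$site" -czf "$dest/$name" .
    # checksum file next to the archive, with a relative name so that
    # "sha256sum -c" works from inside the backup directory
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
    prune_backups "$dest" "$keep"
    printf '%s\n' "$dest/$name"
}

# Delete all but the newest KEEP archives in $1 (names sort by timestamp,
# so a reverse sort puts the newest first) together with their checksums.
prune_backups() {
    ls -1 "$1"/wp-backup-*.tar.gz 2>/dev/null | LC_ALL=C sort -r | tail -n +"$(( $2 + 1 ))" |
    while read -r old; do rm -f "$old" "$old.sha256"; done
}

# Number of archives currently kept in $1.
count_backups() {
    ls -1 "$1"/wp-backup-*.tar.gz 2>/dev/null | wc -l
}

# Exit 0 only if archive $1 still matches the checksum recorded with it.
verify_backup() {
    (cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null)
}

# Unpack archive $1 into directory $2 (created if missing).
restore_backup() {
    mkdir -p "$2" && tar -C "$2" -xzf "$1"
}

# Usage on a real server (paths are examples), e.g. nightly from cron:
#   backup_site /var/www/html /var/backups/wp 14
#   verify_backup /var/backups/wp/wp-backup-20231010T020000Z.tar.gz
```

Verify archives on a schedule, not only when you need them, and copy them off the server: a backup that lives on the same host as a compromised site is one the intruder can delete or alter along with everything else.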
4. Perform due diligence before installing free software.
On WordPress.org, there are numerous WP plugins, themes and add-ons that all sound great, at least in theory. However, before you go about installing anything on your site, read up on the software to learn how it’s performed for other users. Search for online reviews and even perform Boolean searches on the software along with terms like “virus” or “malware.”
For example, the Wordfence plugin has over 2,500 5-star reviews. Furthermore, the company that offers this plugin has a separate website that features its staff, blog and contact information. It’s doubtful that you’ll install Wordfence on your site and find yourself saddled with a virus.
Conversely, don’t install any software that you just happen to locate through an online search, no matter how well it ranks in the results. Be careful with any software advertised through Google AdWords ads: hackers often use this medium to appear at the top of the search results page and thus fool unsuspecting webmasters/bloggers.
The Bottom Line: Be Prepared
While WP is a wonderful landscape filled with free and open-source software, it also harbors some danger. However, you’ll drastically reduce your website’s risk of being infected with malicious code, malware and/or viruses if you take the above-noted precautions to heart and don’t download apps and programs without inspecting them first.