Hidden Malware – What Every WordPress Website Owner Needs to Know to Safeguard Their Site and Website Visitors


Very soon after publishing my last post, entitled “Whose Watching Out for Hacking and Performance Issues on Your WordPress Website?,” I received an inquiry from a commercial carpet company that was looking for some help with their website and marketing. Fortunately, I had the Malwarebytes app installed on my Chrome browser. As soon as I clicked his website link, I got the all too ominous warning, “Malwarebytes Browser Guard blocked this website because it may contain malware activity. We strongly recommend you do not continue.” Because I did have very good virus protection on my computer, I proceeded to the website, where my antivirus software immediately quarantined 6 trojan threats. I asked my senior developer to confirm that the site was infected, which he did.

A major problem with WordPress is caused by website owners failing to keep their websites up to date. Hosting companies are not responsible for management of the website including updates. Hackers and spammers take advantage of vulnerabilities in WordPress websites where they can inject their malicious code and/or capture data that gives them control of traffic.

The Server’s Failure to Detect Malware

The business owner assured me that his site was being managed by a company that was responsible for updates and security. The site was being hosted on a very popular server exclusively providing hosting for WordPress websites. The client immediately notified his website management company who obtained a scan from the server to verify the presence of malicious code on the website. They emailed him a server report documenting that the site was clean of any viruses or malware.

I was all too familiar with the company hosting his website. They had an excellent reputation, good security features, and reasonable prices. It was obvious to me and my senior developer that the software on the hosting company server was not detecting the malware. We knew that this was putting the website at risk for blacklisting by Google and website visitors at risk for infecting their computers.

The owner had very little confidence in the company he had trusted with his website. He was anxious for us to investigate the problem and resolve it. Upon our request, he provided us with access to his website server where we were able to analyze and identify the source of several threats that were present in the website theme and multiple plugins. In the case of this project, the client’s website was hacked even though all the software was up to date.

During a support call with the hosting provider, I was told that there is no security at the website level. All security was at the main server level that supported all websites. It was obvious that this created a potentially unsafe situation for hosted websites and traffic to the websites in their shared hosting environment.

What Can Happen When WordPress Websites Are Not Kept Up to Date

WordPress is a content management system consisting of multiple types of software, all of which need to be kept up to date for security and performance reasons. Besides the WordPress software and the database, the site includes one or more themes and multiple plugins. Any of this software can become compromised.

WordPress is constantly looking for vulnerabilities in its software and corrects them in frequent updates. Most theme and plugin developers will also issue an update when they identify vulnerabilities or when WordPress updates impact their software. Some themes and plugins will include an update link in the WordPress admin, making the updating process relatively easy. But not all themes and plugins include this option.

Many paid themes and plugins charge an annual fee to offer the updates within WordPress. Here’s where the problem often originates. Failure to pay the annual subscription for updates will not remove the software from WordPress admin. There may be a warning message prompting renewal but this is no guarantee that the updates will be purchased and continued.

Old, outdated versions of WordPress, themes, and plugins are vulnerable to hacking and spamming. Although WordPress hacking is likely to be detected and blacklisted by Google, that is not always the case, particularly when the source of infection is a theme or plugin. WordPress allows website owners to enable automatic updates for security and enhanced performance. Unfortunately, WordPress updates do not protect the website from vulnerabilities in other software. Even software that is up to date can be hacked, especially when security is missing at the website level.

Unfortunately, default settings on this hosting company’s server included automatic updates for WordPress, with options to change to manual. Other website-specific options allowed for automatic updates for themes and plugins. Although this didn’t contribute to the infection of this particular website, automatic updates are a major factor contributing to hacking and spamming, problems that are prevalent in WordPress due to its popularity.

Automatic Updates in WordPress and Performance Problems

Automatic updates for WordPress, themes, and plugins may seem like a good solution to keep a lot of outdated websites more secure. But they can create other problems. Conflicts in software from updates can go undetected and contribute to design and performance issues. Unless the web developer or customer checks the site manually after updates (for WordPress, themes, and plugins), there is no way to detect the problems that often occur.

How Good Managed Hosting Services Can Prevent These Problems

Even with the best security and manual updates by skilled developers who check the website for problems, there is no absolute guarantee that hacking and spamming won’t ever occur. But in a safe server environment with a secure firewall at the website level, most malware and other malicious activity can be prevented. Here’s what you should look for when selecting a company for managed hosting.

  • Server-side scanning of the website every 12 hours to detect malicious code and automate an alert when present.
  • Robust firewall for each website on the server that allows for whitelisting IP addresses and preventing access from those without that permission. The firewall should also include caching features to enhance the website’s speed and performance.
  • Whitelisting of IP addresses for everyone who is to have access to the website server.
  • Manual updates for WordPress, themes, and plugins. This also includes removal of unused themes that are automatically installed and pose a security risk.
  • A skilled developer team with a senior level developer who is responsible for update management, eliminating vulnerabilities, and correcting design and performance issues.
  • In the event of hacking and spamming, eliminating threats and getting blacklisting removed from Google after the site is clean.
  • Educating managed hosting clients about hosting and the importance of maintaining annual paid subscriptions for updates. A responsible company will notify clients prior to removing software that is not updated. The client should understand the impact of having this software disabled on functionality they may wish to continue.
  • Educating managed hosting clients about how to safeguard their computers and mobile devices from browsing unsafe websites and how to identify and avoid sites with malicious code.
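As an illustration of the site-level scanning in the first bullet, here is an added example (not code from this post or from any hosting provider) that walks a site's `wp-content` directory and flags PHP files matching a few common heuristics for hidden code in themes, plugins, and uploads. The rule set, file names, and sample tree are assumptions constructed for the example; real scanners use far larger signature sets.

```python
import re
import tempfile
from pathlib import Path

# Heuristic rules (assumptions for this example, not a complete signature set).
RULES = {
    "eval-of-decoded-data": re.compile(
        rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "long-encoded-literal": re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
PHP_SUFFIXES = {".php", ".phtml", ".php5"}

def scan_tree(wp_content: Path) -> list[tuple[str, str]]:
    """Return (relative path, rule name) for every heuristic hit under wp_content."""
    findings = []
    for path in sorted(wp_content.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PHP_SUFFIXES:
            continue
        rel = path.relative_to(wp_content).as_posix()
        # Uploads should hold media only, so any PHP file there deserves a look.
        if rel.startswith("uploads/"):
            findings.append((rel, "php-in-uploads"))
        data = path.read_bytes()
        for name, pattern in RULES.items():
            if pattern.search(data):
                findings.append((rel, name))
    return findings

def build_sample_site(root: Path) -> Path:
    """Create a constructed wp-content tree: one clean file, two suspicious ones."""
    files = {
        "themes/sample-theme/functions.php": b"<?php add_action('init', 'sample_setup');\n",
        "plugins/sample-plugin/inc/cache.php": b"<?php @eval(base64_decode($_x));\n",
        "uploads/2020/05/logo.php": b"<?php $d = '" + b"QUJD" * 60 + b"';\n",
    }
    for rel, body in files.items():
        target = root / "wp-content" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
    return root / "wp-content"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, rule in scan_tree(build_sample_site(Path(tmp))):
            print(f"ALERT {rule}: {rel}")
```

Run on a schedule against the real `wp-content` path, the returned findings can feed the automated alert the bullet describes. Hits are leads for a developer to review, not proof of infection.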

Need Help with Managed Website Hosting?

Learn more about the managed business website hosting services that are offered by Webpuzzlemaster. If you already have a website, we can provide a free analysis to determine if it is a good fit for our server and managed hosting services. If you are seeking a redevelopment or new website, this is an optimal time to begin managed hosting for your project.

Request a Free Consultation

Whether you are a local business, entrepreneur, attorney, healthcare provider, or eCommerce merchant, we have digital marketing skills and strategies to help your business succeed. And if you’re looking for managed hosting to safeguard your most valuable market asset, complete our convenient consultation form to book an appointment. Our consultations are free and available through phone and screen sharing.
