Yikes: WordPress virus attacks

This post to Twitter was eerily familiar:

Suffering from a weird virus at our #wordpress site. No problems with direct links, but all change when posted on social media….

Just a few weeks ago, a client e-mailed me about an issue with a site that had been launched only hours before he noticed a problem. When we started the project, I let him know he could expect better search engine placement once the new site had been indexed, and I guess he began checking as soon as the site went live. (Instantly ranking high is not realistic, just so you know!)

While the site had indeed been indexed right away and was appearing in search results, clicking through from Google generated a barrage of spam sites, or a warning from the installed antivirus application, depending upon the PC used to view the site.

What happened? Is WordPress unsecure?

The answer to the last question is no – WordPress is not inherently unsecure. In fact, before adding human error or lack of knowledge to the equation, WordPress is very secure. An attack from a hacker via the web is less likely than an attack introduced via an infected PC used by a legitimate administrator to update the WordPress site. The latter, in fact, is what happened to my client.

The virus added malicious code into WordPress files that was only triggered when someone visited from Google. In the case of my Twitter friend, it was triggered when visitors clicked on links to his site that had been posted on Facebook and Twitter. If someone simply accessed the site directly – as most administrators do – they wouldn’t notice anything was amiss. Unfortunately, depending on the virus, many of those redirected to rogue sites may have their computers infected before the virus is identified and removed.

How can I keep my WordPress site from being hacked?

I’m not a security expert and these tips shouldn’t be construed as comprehensive advice. But they are your first line of defense, so make sure you:

  • Never accept the default ‘admin’ user name when setting up a new WordPress site. Pick something difficult to guess. If someone has your user name, they’re halfway to gaining access to your site.
  • Choose strong passwords that are extremely difficult to guess. Yes, I know this makes them hard for you to remember, but you can use a password app to store them if you need to.
  • Make sure you have strong, up-to-date antivirus protection on your computer and any other computer that will be used to access your site. Yes, even if it’s a Mac.
  • Ask your web developer to set up a malware scan on your WordPress site that will continuously monitor your files for suspicious changes.
  • Ask your web developer to set up an automatic backup system so that you can more quickly recover from a data disaster like a virus attack.

If you think you’ve been attacked…

A savvy person may be able to handle identifying and cleaning up a virus without hiring outside help. This article from web hosting provider Media Temple outlines the steps you should take.

If you’re not 100% confident that you can find and eliminate the virus, seek help from a web developer immediately. The last thing you want on top of a virus attack is to have your reputation ruined by having your site labeled an attack site by search engines, so time is of the essence.