Preventing Microsoft Word Macro Viruses

Although our focus is on Word­Press… we often get ques­tions from our clients about non-Word­Press virus and hack issues.

Here are some thoughts on com­mon ques­tions we get about MS Word virus­es.

Microsoft Word mal­ware rarely makes the news these days but unfor­tu­nate­ly it exists. Word files received from oth­er com­put­ers or a net­work car­ry a risk. Just because you have an anti-virus pro­gram installed on your com­put­er does­n’t mean you’re a 100% safe. They can’t do any­thing until an update comes with a patch to fix the prob­lem.

To pro­tect your­self from a Word macro virus you first need to know what is.

What is a Word Macro Virus?

Word has a pow­er­ful fea­ture which lets you cre­ate Visu­al Basic for Appli­ca­tions (VBA) pro­grams– also known as macros. Macro virus­es use this fea­ture to copy the virus’s code to oth­er files. VBA pro­grams are stored in the Word doc­u­ment and tem­plate files.

The virus dupli­cates the code auto­mat­i­cal­ly to anoth­er file, usu­al­ly, which is what Word loads with every file. So when­ev­er you open or close the Word file or Microsoft Word itself, the virus copies itself.

Microsoft Word Macro Virus


  • Doc­u­ment all files in the Word file’s start­up fold­er and macros (if you don’t know how to find Word’s start­up fold­er, use this quick tuto­r­i­al). Write down the list of files and macros some­where or take a screen­shot and save it in a mem­o­rable place on your hard dri­ve.
  • If you think you’ve caught a macro virus, then you can then check for virus­es man­u­al­ly. Go to Tools> Macro> Macros in Word’s menu and a list of macros will be dis­played. Com­pare these against the list you cre­at­ed ear­li­er. Pay extra atten­tion to any macros named AutoEx­ec, AutoOpen, Auto­Close, File­Ex­it, File­New, FileOpen, File­Save, File­SaveAs, and Tools­Macro.
  • In Word 97, you need to man­u­al­ly enable virus pro­tec­tion against macros. In the Word menu, go to Tools> Options, click on the Gen­er­al tab, and check the box for Macro virus pro­tec­tion (it might already by checked).
  • In Word 2000, you can set the secu­ri­ty set­ting by going to Tools> Macro> Secu­ri­ty and set­ting the secu­ri­ty lev­el to medi­um. It will auto­mat­i­cal­ly warn you if you are open­ing a file that con­tains a macro.

Malware & Virus Cleanup: Why?

One of the most impor­tant aspects of what WPSOS does is to clean up mal­ware, virus­es, and hacked web­sites.

In case you’re won­der­ing why we do this, it’s because we’re com­mit­ted to our mis­sion: to remove all Word­Press mal­ware and virus­es from Word­Press web­sites.

It is a tall order — but some­one needs to do it. If not, the bad guys win.

In oth­er words: this is more than a job or a com­pa­ny for us. It is a call­ing. Good vs evil. We are ded­i­cat­ing our­selves to the good guys win­ning.

What is so bad about mal­ware, virus­es, and hack­ers? A few things.

First, they put soft­ware on your serv­er with­out your per­mis­sion. Any­thing on your serv­er should have your per­mis­sion!

Sec­ond­ly, almost always, these are used for nefar­i­ous pur­pos­es — such as, send­ing out spam.

Third, since Google among oth­ers tracks how healthy your serv­er is, if it is doing some­thing bad such as send­ing out spam, Google will pun­ish your serv­er. Hence the famous “This site may be hacked” warn­ing on some search results.

Fourth, the hacks could lead to you los­ing infor­ma­tion on your serv­er.

Con­clu­sion: for not only prac­ti­cal rea­sons, but for pro­found­ly moral ones — it is your serv­er so you should do what you want with it! — we are lead­ing the fight against the bad guys.

I feel like some inspi­ra­tional music should be play­ing in the back­ground while you are read­ing this!


Security Warning: Increased Brute Force Login Attempts

There’s been a lot of noise in the Word­Press secu­ri­ty com­mu­ni­ty the last days about the increased XML-RPC attacks. Here at WPSOS we’ve noticed the same and can con­firm the var­i­ous reports on it.

How­ev­er, we’ve also noticed an increase in brute force login attempts. These are robot­ic algo­rithms that every x sec­onds guess a user­name (often ‘admin’ or just the user­name that post­ed a blog post) and then cycles through com­mon pass­words (“12345678”, “asdf1234”, etc) until it even­tu­al­ly gets a hit… or is banned.

Although Word­Press itself is tak­ing var­i­ous mea­sures to try to lim­it this — the lat­est ver­sion, for exam­ple, forces the cre­ation of sub­stan­tial­ly hard­er to guess pass­words — the hack­ers are often one step ahead.

The brute force attacks are get­ting increas­ing­ly bru­tal. We’d def­i­nite­ly rec­om­mend stronger mea­sures to pro­tect your login pages.

But what mea­sures in par­tic­u­lar?

Our two favorite meth­ods are:

  • Use the .htac­cess file to pro­tect the login pages
  • Change the URL of the login pages

This is in addi­tion to — obvi­ous­ly — the more basic anti-brute force pro­tec­tions that are essen­tial: long, com­plex, unique pass­words that you don’t write on paper or email or share open­ly with any­one and don’t re-use, for exam­ple.

But more on that com­mon sense in anoth­er post. As they say: com­mon sense isn’t that com­mon!


WordPress Plugin: Stop Gravity Forms From Disappearing

Stop Grav­i­ty Forms From Dis­ap­pear­ing is a sim­ple plu­g­in for ensur­ing that Grav­i­ty Forms nev­er dis­ap­pear.

The plu­g­in solves the prob­lem of Grav­i­ty Forms just not dis­play­ing on your page.

It’s a com­mon issue with Grav­i­ty Forms: all is con­fig­ured, every­thing is ready, the form pub­lished… but it does­n’t appear on the page. It’s just blank.

Note that this issue is most like­ly caused in case your used theme or anoth­er plu­g­in is caus­ing a JavaScript error, and the best way to resolve this issue is to fix the JavaScript errors. (See the com­ments below to see what Grav­i­ty For­m’s sug­ges­tion is to fix the issue.)

Stop Grav­i­ty Forms From Dis­ap­pear­ing forces the form to be dis­played.

The instal­la­tion and use is very straight­for­ward. You should:

1. Upload the fold­er ‘stop-grav­i­ty-forms-from-dis­ap­pear­ing’ to the ‘/wp-con­tent/­plu­g­in­s/’ direc­to­ry
2. Acti­vate the plu­g­in through the ‘Plu­g­ins’ menu in Word­Press

If you have any sug­ges­tions, please let us know! You can con­tact us via