4 Simple Ways to Protect your WordPress Site from Viruses, Malware and Hackers

Almost all of our clients have been targeted by a malicious attack on their WordPress site. When they first come to us, they are in utter panic, stressed and quite confused on what to do. Only after we do our job and restore their site to its former virus-free glory, does color return to their face and they begin to calm down.

It pains us to see our clients go through so much worry, when they could have avoided the disaster by taking only a few preventative steps. You can save yourself from a major fiasco if follow some of the steps we’ve outlined below to help protect your WordPress site from viruses, malware and hacker attacks:

1. Update your site’s theme & plugins

Updates for WordPress and its plugins are frequently released by their official teams. These updates contain fixes for freshly discovered security loopholes to prevent possible attacks. So make sure you regularly update your site.


2. Backup

An extremely important task in managing your site is regularly backing it up, especially before making new changes. You can use a plugin or do it manually. So if your site does unfortunately get compromised, then with the help of your backup files you can switch hosts and be back up and running in no time.


3. Change the login and password from admin

By default the username for WordPress is admin. Create a unique username which isn’t too obvious nor easy to guess; including numbers would be good. The same goes for the password. Set a long password with a mix of upper and lower keys, numbers and symbols.


4. Hide or secure wp-config.php 

The wp-config.php file holds all sensitive data and the configuration of your website, and is quite vulnerable to attacks. You can secure it by adding the following code to the .htacess file in the root directory — changing the coding denies anyone access to the file:

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all

You can also have it moved to the root directory — your_host/wp-config.php — from its default location at host/wordpress/wp-config.php for added protection.

Preventing Microsoft Word Macro Viruses

Although our focus is on WordPress… we often get questions from our clients about non-WordPress virus and hack issues.

Here are some thoughts on common questions we get about MS Word viruses.

Microsoft Word malware rarely makes the news these days but unfortunately it exists. Word files received from other computers or a network carry a risk. Just because you have an anti-virus program installed on your computer doesn’t mean you’re a 100% safe. They can’t do anything until an update comes with a patch to fix the problem.

To protect yourself from a Word macro virus you first need to know what is.

What is a Word Macro Virus?

Word has a powerful feature which lets you create Visual Basic for Applications (VBA) programs– also known as macros. Macro viruses use this feature to copy the virus’s code to other files. VBA programs are stored in the Word document and template files.

The virus duplicates the code automatically to another file, usually Normal.dot, which is what Word loads with every file. So whenever you open or close the Word file or Microsoft Word itself, the virus copies itself.

Microsoft Word Macro Virus


  • Document all files in the Word file’s startup folder and macros (if you don’t know how to find Word’s startup folder, use this quick tutorial). Write down the list of files and macros somewhere or take a screenshot and save it in a memorable place on your hard drive.
  • If you think you’ve caught a macro virus, then you can then check for viruses manually. Go to Tools> Macro> Macros in Word’s menu and a list of macros will be displayed. Compare these against the list you created earlier. Pay extra attention to any macros named AutoExec, AutoOpen, AutoClose, FileExit, FileNew, FileOpen, FileSave, FileSaveAs, and ToolsMacro.
  • In Word 97, you need to manually enable virus protection against macros. In the Word menu, go to Tools> Options, click on the General tab, and check the box for Macro virus protection (it might already by checked).
  • In Word 2000, you can set the security setting by going to Tools> Macro> Security and setting the security level to medium. It will automatically warn you if you are opening a file that contains a macro.

Malware & Virus Cleanup: Why?

One of the most important aspects of what WPSOS does is to clean up malware, viruses, and hacked websites.

In case you’re wondering why we do this, it’s because we’re committed to our mission: to remove all WordPress malware and viruses from WordPress websites.

It is a tall order — but someone needs to do it. If not, the bad guys win.

In other words: this is more than a job or a company for us. It is a calling. Good vs evil. We are dedicating ourselves to the good guys winning.

What is so bad about malware, viruses, and hackers? A few things.

First, they put software on your server without your permission. Anything on your server should have your permission!

Secondly, almost always, these are used for nefarious purposes — such as, sending out spam.

Third, since Google among others tracks how healthy your server is, if it is doing something bad such as sending out spam, Google will punish your server. Hence the famous “This site may be hacked” warning on some search results.

Fourth, the hacks could lead to you losing information on your server.

Conclusion: for not only practical reasons, but for profoundly moral ones — it is your server so you should do what you want with it! — we are leading the fight against the bad guys.

I feel like some inspirational music should be playing in the background while you are reading this!


Security Warning: Increased Brute Force Login Attempts

There’s been a lot of noise in the WordPress security community the last days about the increased XML-RPC attacks. Here at WPSOS we’ve noticed the same and can confirm the various reports on it.

However, we’ve also noticed an increase in brute force login attempts. These are robotic algorithms that every x seconds guess a username (often ‘admin’ or just the username that posted a blog post) and then cycles through common passwords (“12345678”, “asdf1234”, etc) until it eventually gets a hit… or is banned.

Although WordPress itself is taking various measures to try to limit this — the latest version, for example, forces the creation of substantially harder to guess passwords — the hackers are often one step ahead. 

The brute force attacks are getting increasingly brutal. We’d definitely recommend stronger measures to protect your login pages.

But what measures in particular?

Our two favorite methods are:

  • Use the .htaccess file to protect the login pages
  • Change the URL of the login pages

This is in addition to — obviously — the more basic anti-brute force protections that are essential: long, complex, unique passwords that you don’t write on paper or email or share openly with anyone and don’t re-use, for example. 

But more on that common sense in another post. As they say: common sense isn’t that common!


WordPress Emergency Support — Here We Are!

If you need WordPress tech support in an emergency, if a crises arises and you need your WordPress fixed as soon as you can snap your fingers — here we are!

Well, slightly longer than “snapping your fingers” — but not much.

We pride ourselves not only on our high quality (plus reasonable cost) but, above all, our speed. We’re obsessed. Middle of the night? There. The wee hours before sunrise? We’re there. Some crazy timezone on the other side of the world you’re in? We’re doubly there.

Of course, we can’t promise 24/7 solutions because we’re brutally honest: sometimes, we just can’t solve the problem that quickly. Sometimes, uninstalling this, re-installing that, changing this whole other thing around, just takes time.

Time, and a lot of coffee!

Here’s one tip. Call us any time — but if we don’t answer, it doesn’t mean we’re sleeping. We’re likely focused and it’s 3am here and Miina’s trying to solve this problem, Jesmin another problem, Kristi a third problem — and so we don’t even have the virtual phone turned on! Just leave a message or send us an email. When we come up to breathe soon, we’ll call you back or send you a note.

There’s an obvious question: “don’t you ever sleep?”.

Well, glad you asked! A few things. First, we drink a lot of coffee. Secondly, we do sneak in naps. Third — more seriously (although the coffee point was indeed serious!) — this is an advantage we have to being partially distributed. Although our home base is in Palo Alto, in Silicon Valley, few of us are based on in Tallinn, Estonia — which positions us perfectly so that, at most times, someone is likely focusing.

Conclusion: you need a WordPress fix in a pinch. Well, here we are. Just call. Or email.


How Come WordPress Isn’t More Secure?

A question we get a lot is, Why Isn’t WordPress more secure?

Excellent questions. We used to wonder this ourselves, when we got started!

A few reasons:

First, due to historical legacy reasons. WordPress was built the way it was built, using great technology of the time. PHP was the coolest thing ever! Perhaps today, it is easier to build a safer system from scratch, but it wasn’t when it was first developed. Technologies change, but software remains in the language it was written.

Secondly, there is a trade-off between “flexibility / easy of development” and “security.” Said differently: What makes WordPress so amazing is that it is sooooo easy to work with: you can quickly, trivially, change the source, change a design, add a widget — do almost anything. We love it because, it lets us make any changes we want without much effort. But with great power comes great responsibility: the ease of development has its cost, and that cost is in security (and performance — but that’s a topic for another day). To implement so many ideal security measures would slow down the core dev… and no one wants that. Well, “no one” except for us!

Third, shockingly, many of the security measure are controversial. Incredible to believe, I know! Take, for example, banning IP addresses that hit too many 404‑s. Let me explain. A common tactic to break into a site is to just try lots and lots of URLs, that contain plugins with known vulnerabilities, to see if the user happens to have it or not. If they do — hack! If they don’t — a “file not found” (404) error. But there’s a downside to this: logging every 404, could bloat the database to be huge — thus slowing down the site. Plus, during stages like developing the site, the developers often to to URLs that may not exist — thus accidentally locking themselves out. (No, that’s never happened to me, no, never, and especially not two days ago, which served as the inspiration for this blog post — no, of course not, this is merely hypothetical.) As a result, the core WordPress development team has made a trade-off on purpose: lets leave WordPress with the minimum configurations possible, and then let each site administrator decide for himself which trade-off‑s he/she’s willing to make. As a man who loves flexibility, I support this philosophy.

These are the three core reasons. Perhaps there are more, but it’s too early in the morning for me to think of now!

Any questions? Bueller, Bueller? Just ask!


Client Questions: Where Are Your Developers?

A common question clients and potential clients ask us is, where are your developers?

Excellent question: many people prefer working with people in a similar time-zone, or who speak the same language — or who are next door, so they can go knock on the door and have a coffee (or beat them over the head!).

Answer: the co-founders split between two offices, in Palo Alto and in Tallinn, Estonia. We’re a small team, so when we say “office”, think about 6 people sitting around at table — not the Googleplex. (Yet!). Most of our supporting development team is in Estonia.

Estonia is an interesting and unique place. The birthplace of Skype, it’s also a core European country — but it’s always been a bit on the outskirts. Their language just isn’t related to any other known language (except Finnish and Hungarian, oddly enough) — and the culture is one of Nordic, northern European professionality, seriousness, and problem-solving. 

But the best part of working with Estonians is this: their almost-native command of the English language. The education and entire culture there is, effectively, bilingual in Estonian and English. As a result, the communication is as smooth as our team is professional.

But with the other part of our team in Palo Alto, we have a strong American face as well. Half the team is American, and we understand deeply both the American culture, and the unique dynamics of the tech space and Silicon Valley.

Have any questions? Just ask — we love to talk!

WordPress Plugin: Add or Remove Www

The WordPress plugin Add or Remove Www seeks to solve a common problem: preventing redirects from a www- version to a non-www version of a site — or vice-versa.

Add or Remove Www lets you easily configure your WordPress site to always (or never) use the www. subdomain in all links of the posts and pages.

It’s common that you’ll create a content link or include an image, linking to http://YourSiteNameHereForExample.com/imageExample.jpg — but your server then redirects that to http://www.YourSiteNameHereForExample.com/imageExample.jpg . That adds in an extra server request and delay to the user.

Instead of going through every image and link, one by one, making sure they’re all consistent, Add or Remove Www changes the links.

Note: the version 1.0 does NOT change all the previously existing URLs, it affects all the content and image URLs that are saved/modified after saving activating the plugin and choosing the suitable option.

We plan on adding more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io.

The installation and use is very straightforward. You should:

1. Upload the folder ‘add-or-remove-www‘ to the ‘/wp-content/plugins/‘ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Add Or Remove Www’

As of version 1.0, you can choose between two options: using the URLs with or without www. The option affects all the post and page URLs, including image URLs.
Note: the version 1.0 does NOT change all the previously existing URLs, it affects all the content and image URLs that are saved/modified after saving the option.

WordPress Plugin: Tweak Hidden Options

Tweak Hidden Options is a safe and easy-to-use way to modify various WordPress options that WordPress doesn’t link to from the standard WordPress interface.

All options are provided in safe select-down options, without any user-input data, so that it is perfectly safe for any user to use.

We plan on adding many more options to be edited — if you have any other suggestions, please let us know! You can contact us via http://wpsos.io/

The installation and use is very straightforward. You should:

1. Upload the folder ‘tweak-hidden-options‘ to the ‘/wp-content/plugins/‘ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress
3. From the ‘Settings’ menu, there should be a new option, called ‘Tweak Hidden Options’

Version 1.0 supports the following options:

* comment_order,
* gzipcompression,
* image_default_align,
* image_default_size,
* image_default_link_type.

Note: changing the image options has effect only on images uploaded afterwards.