WordPress Security: 2015 in Review

Another day, another year and 2015 is drawing to a close. It’s been an interesting year with Donald Trump making waves in the presidential elections, and finishing off with Steve Harvey crowning the wrong Miss Universe! 2015 is a year to remember. In the midst of the holiday cheer, it’s also the time to reflect back on the past year to learn and grow from our mistakes.

By mistakes, we mean lapses in your WordPress security – not the fact that you need to start hitting the gym! With WordPress attacks on the rise, it’s more important than ever to keep your site safe and to beware of some common pitfalls. Only last month, data security firm Imperva confirmed in their WAAR Report 2015 that WordPress was attacked 3.5 times more often than other Content Management Systems.

Wordfence has released the results of its first annual WordPress Security Survey. A large sample of 7,375 WordPress users took part, revealing data on the security behaviour of WordPress users ranging from those with little to no experience to total experts.

Of the respondents, 38.9% admitted to being the victim of a WordPress attack in the past year. It appears that the majority of victims were not proactively scanning their site for viruses but rather stumbled upon the compromise. Over 35% of the sample said they were alerted to the compromise while visiting their own site, around 27% said their hosting provider took the site offline, and 26% were contacted by a customer.

Although more than half of WordPress users find their income greatly affected when their site is compromised, the survey results show that expert users were far more concerned about site security than advanced and intermediate users.

Plugins often make the news for introducing vulnerabilities into a site’s defences, yet interestingly the survey found that the most commonly installed plugin type was a security plugin, closely followed by contact form, SEO and anti-spam plugins.

As a site owner, it’s your responsibility to keep your site well protected. Use these 4 simple ways to protect your site from ever getting compromised.

Merry Christmas and a Happy New Year from everybody at WPSOS! See you next year ;)

GoDaddy and SiteLock Partner to Add Security to Small Business WordPress Sites

It seems like every week there are new reports of security attacks on WordPress sites, and according to recent reports the numbers are only getting higher. GoDaddy, the highly popular domain registrar and web hosting company, has decided to add extra security to WordPress sites owned by small business owners. The company has partnered with SiteLock, a website security provider, to reduce security vulnerabilities and attacks.

The two companies, which have been working together since April 2014, have announced a new plugin designed with web developers and designers in mind. With just one click, businesses will be able to access and understand their website’s security situation: the plugin gives an at-a-glance view of security scan results inside the WordPress dashboard, without having to leave the site.

“This brought their security information to the forefront in WordPress so they can manage their portfolio of websites without having to ever leave the WordPress site,” SiteLock President Feather said. “They can scan to make sure it’s free of malware and can do all this within one interface. It’s a powerful tool for them because it enables them to do it in real time as they’re working and adding features to their site.”

Other features include security scans on WordPress pages in draft mode and real-time updates to resolve threats with minimal latency between the time they are identified and resolved. The plugin can also recognize specific vulnerabilities and quickly resolve them on its own.

Tom Serani, SiteLock Executive Vice President of Business Development, said, “As the hosting space continues to evolve, we wanted to offer a strategic solution through a trusted small business advisor and partner like GoDaddy. We worked together to make it easy for customers to seamlessly integrate security into their sites.”

Users can use one set of log-in credentials through the plugin to access and manage both their GoDaddy account and SiteLock information.

WP Engine Suffers Security Breach

WP Engine has suffered a major security breach, forcing it to reset over 30,000 customers’ passwords. On Tuesday, the WordPress hosting outfit admitted to the attack and posted recommendations on resetting passwords, with updated step-by-step links on how to do it.

WP Engine is a hosted service provider which manages WordPress hosting for mission-critical sites around the world. Set up by WordPress to better support the giant web publishing platform, it had stayed clear of any security vulnerabilities – unlike WordPress and its themes – until now.

In an urgent security notification on its site, WP Engine announced the security breach. They said, “At WP Engine we are committed to providing robust security. We are writing today to let you know that we learned of an exposure involving some of our customers’ credentials. Out of an abundance of caution, we are proactively taking security measures across our entire customer base.”

“We have begun an investigation, however there is immediate action we are taking. Additionally, there is action that requires your immediate attention” said the WP Engine Team, referring to the resetting of passwords. “While we have no evidence that the information was used inappropriately, as a precaution, we are invalidating the following five passwords associated with your WP Engine account. This means you will need to reset each of them.”

The firm immediately reached out to its clients, informing them of the attack and how to guard their accounts. Users with an account at WP Engine should change their password and keep a watchful eye on email comings and goings, as well as their financial transactions.

WP Engine apologized for the attack, “We apologize for any inconvenience this event may have caused. We are taking this exposure as an opportunity to review and enhance our security, and remain committed to strong internal security practices and processes.”

Breaking News: Reader’s Digest and other WordPress sites are compromised

A large number of Internet users have been infected via the Angler exploit kit after visiting compromised sites in the past week. The hacking campaign has been pushed from many WordPress sites, most notably that of Reader’s Digest – the popular monthly family magazine.

According to security blog Malwarebytes, the attack consists of compromised WordPress sites injected with a malicious script that loads another URL, whose final purpose is to load the Angler exploit kit. Owners of attacked WordPress sites should remember that although the injected scripts and URLs follow the same pattern, they vary over time.

In the initial investigation by Malwarebytes, it was found that the Necurs backdoor trojan is loaded onto the computers of visitors to the infected sites, delivered by the Bedep trojan via the Angler exploit kit. If you have visited Reader’s Digest or any other compromised site, run a security scan on your computer.

But if you run one of the infected sites, then don’t hesitate to contact us. It is our specialty to clean up all malware and hacker attacks on WordPress sites. We have a highly experienced team who have seen all kinds of viruses and malware, and dealt with them effectively.

In an email to SCMagazine on Tuesday, Reader’s Digest spokesperson Pauli Cohen said, “We became aware of the malware attack last week and have been working with our security provider, technology partners and platform provider to investigate the issue and perform extensive security checks on our website. At this point, we are addressing all known vulnerabilities of the site. We take security very seriously and are taking every step to ensure the integrity of our site.”

Although it is our specialty to help restore security to hacked WordPress sites, we believe it is always important to guard yourself against an attack in the first place. Getting your site back up and running is no problem for us. However, once you’ve realized that your site has been hacked, give us a call at +1 (650) 600-1970 as soon as possible to mitigate the damage.

Imperva WAAR Report 2015: WordPress attacks highest of all CMS’s

Security attacks on websites and blogs are higher than ever before. According to Imperva’s new Web Application Attacks Report, Content Management Systems (CMSs) were attacked three times more often than other web applications. The data security firm confirmed that WordPress was unfortunately attacked 3.5 times more often than the other CMSs.

It comes as no surprise that WordPress is the most attacked CMS. Not only is it the most popular CMS, but new data from W3Techs, which measures both usage and market share, reported last week that WordPress accounts for a quarter of the web. They said, “WordPress is used by 58.7% of all the websites whose content management system we know. This is 25.0% of all websites.”

As 2015 draws to a close, WordPress has taken a real beating this year with an increase in brute-force attacks. Hackers and malware are doing a lot of damage by taking advantage of vulnerabilities caused by weaknesses in the 30,000+ WordPress plugins.

Imperva’s report said, “CMS frameworks are mostly open source, with communities of developers continuously generating sequences of plugins and add-ons, without concerted focus towards security. This developer model constantly increases the vulnerabilities in CMS applications, especially for WordPress which is also PHP based.”

Non-CMS applications were less susceptible to remote command execution (RCE) attacks than CMSs, according to the report’s findings. Furthermore, the report found that WordPress is five times more likely than other CMSs to be hit by remote file inclusion (RFI) attacks.

Some of the trends in Imperva’s annual report continued from last year’s report, such as increased SQL injection (SQLi) and cross-site scripting (XSS) attacks and more attacks on WordPress. A newcomer this year is the mega trend of Shellshock remote code execution (RCE) attacks, which scanned web applications indiscriminately.

The report said, “We conclude that the increasing availability of web attack tools and services—with computational power becoming less expensive and ubiquitous—are driving the new wave of volumetric malicious attacks. The evolution of attacks against web applications has continued with increased sophistication, magnitude, and velocity. However, there is hope thanks to the growing effectiveness of reputation-based detection mechanisms, and their ability to identify attacks by tracking previously identified malicious activity to its origins.”


4 Simple Ways to Protect your WordPress Site from Viruses, Malware and Hackers

Almost all of our clients have been targeted by a malicious attack on their WordPress site. When they first come to us, they are in utter panic, stressed and quite confused on what to do. Only after we do our job and restore their site to its former virus-free glory, does color return to their face and they begin to calm down.

It pains us to see our clients go through so much worry, when they could have avoided the disaster by taking only a few preventative steps. You can save yourself from a major fiasco if you follow the steps we’ve outlined below to help protect your WordPress site from viruses, malware and hacker attacks:

1. Update your site’s theme & plugins

Updates for WordPress and its plugins are frequently released by their official teams. These updates contain fixes for freshly discovered security loopholes and prevent them from being exploited. So make sure you regularly update WordPress itself, your theme and your plugins.


2. Backup

An extremely important task in managing your site is backing it up regularly, especially before making changes. You can use a plugin or do it manually. If your site does unfortunately get compromised, your backup files let you switch hosts and be back up and running in no time.


3. Change the login and password from admin

By default the WordPress administrator username is admin. Create a unique username which isn’t obvious or easy to guess; including numbers is a good idea. The same goes for the password: set a long password with a mix of upper- and lower-case letters, numbers and symbols.


4. Hide or secure wp-config.php 

The wp-config.php file holds all the sensitive data and configuration of your website, which makes it a prime target. You can protect it by adding the following to the .htaccess file in the root directory of your WordPress install; this denies everyone web access to the file:

# protect wp-config.php
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
  </IfModule>
</Files>

You can also move it one directory up, out of the WordPress folder – from host/wordpress/wp-config.php to your_host/wp-config.php – for added protection; WordPress looks for the file in the parent directory automatically.

Preventing Microsoft Word Macro Viruses

Although our focus is on WordPress… we often get questions from our clients about non-WordPress virus and hack issues.

Here are some thoughts on common questions we get about MS Word viruses.

Microsoft Word malware rarely makes the news these days, but unfortunately it still exists. Word files received from other computers or over a network carry a risk. Just because you have an anti-virus program installed on your computer doesn’t mean you’re 100% safe: it can’t catch a new virus until an update arrives that recognises it.

To protect yourself from a Word macro virus you first need to know what it is.

What is a Word Macro Virus?

Word has a powerful feature which lets you create Visual Basic for Applications (VBA) programs, also known as macros. Macro viruses use this feature to copy the virus’s code to other files. VBA programs are stored in Word document and template files.

The virus automatically duplicates its code into another file, usually Normal.dot, the global template that Word loads with every document. So whenever you open or close a Word file, or Word itself, the virus copies itself again.


Prevention

  • Document all files in the Word file’s startup folder and macros (if you don’t know how to find Word’s startup folder, use this quick tutorial). Write down the list of files and macros somewhere or take a screenshot and save it in a memorable place on your hard drive.
  • If you think you’ve caught a macro virus, you can check for it manually. Go to Tools> Macro> Macros in Word’s menu and a list of macros will be displayed. Compare these against the list you created earlier. Pay extra attention to any macros named AutoExec, AutoOpen, AutoClose, FileExit, FileNew, FileOpen, FileSave, FileSaveAs, and ToolsMacro.
  • In Word 97, you need to manually enable virus protection against macros. In the Word menu, go to Tools> Options, click on the General tab, and check the box for Macro virus protection (it might already be checked).
  • In Word 2000, you can set the security setting by going to Tools> Macro> Security and setting the security level to medium. It will automatically warn you if you are opening a file that contains a macro.
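The first two steps above can be automated. This added example (not from the original post) records a SHA-256 hash of every file in the Word startup and templates folders, so that a later run reveals not only added or removed files but a Normal.dot that has been silently rewritten in place. The folder paths are assumptions; substitute the Startup and Templates locations Word reports for your version.

```python
"""Baseline the Word startup and templates folders and report what changed.
Added example, not from the original post. The folder paths are assumptions:
substitute the Startup and Templates folders Word reports for your version."""
import hashlib
import json
import os
import sys
from pathlib import Path

# Assumed locations; Normal.dot normally lives in the user templates folder.
WATCHED = {
    "startup": Path(os.environ.get("WORD_STARTUP_DIR",
                                   r"C:\Program Files\Microsoft Office\Office\STARTUP")),
    "templates": Path(os.environ.get("APPDATA", r"C:\Windows\Application Data"))
                 / "Microsoft" / "Templates",
}
BASELINE_FILE = Path("word-baseline.json")
# Any change to the global template deserves a manual look at its macros.
HIGH_RISK_NAMES = {"normal.dot", "normal.dotm"}


def snapshot(folder: Path) -> dict[str, str]:
    """Return {relative path: sha256 of content} for every file under folder.
    Hashing (rather than just listing names) catches a Normal.dot that a
    macro virus has rewritten in place."""
    result = {}
    if not folder.is_dir():
        return result
    for path in sorted(p for p in folder.rglob("*") if p.is_file()):
        key = path.relative_to(folder).as_posix()
        result[key] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Split two snapshots into added, removed, changed and high-risk keys."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    high_risk = sorted(k for k in added + changed if Path(k).name.lower() in HIGH_RISK_NAMES)
    return {"added": added, "removed": removed, "changed": changed, "high_risk": high_risk}


def snapshot_all(watched: dict[str, Path]) -> dict[str, str]:
    """Merge per-folder snapshots, prefixing each key with the folder label."""
    merged = {}
    for label, folder in watched.items():
        merged.update({f"{label}/{k}": v for k, v in snapshot(folder).items()})
    return merged


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "baseline":
        BASELINE_FILE.write_text(json.dumps(snapshot_all(WATCHED), indent=2))
        print("baseline written to", BASELINE_FILE)
    else:
        report = compare(json.loads(BASELINE_FILE.read_text()), snapshot_all(WATCHED))
        print(json.dumps(report, indent=2))
```

Run it once with the argument baseline on a machine you trust, then run it without arguments whenever you suspect an infection; anything listed under high_risk is where to look with Tools> Macro> Macros.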

Malware & Virus Cleanup: Why?

One of the most important aspects of what WPSOS does is to clean up malware, viruses, and hacked websites.

In case you’re wondering why we do this, it’s because we’re committed to our mission: to remove all WordPress malware and viruses from WordPress websites.

It is a tall order — but someone needs to do it. If not, the bad guys win.

In other words: this is more than a job or a company for us. It is a calling. Good vs evil. We are dedicating ourselves to the good guys winning.

What is so bad about malware, viruses, and hackers? A few things.

First, they put software on your server without your permission. Anything on your server should have your permission!

Secondly, almost always, these are used for nefarious purposes — such as, sending out spam.

Third, since Google among others tracks how healthy your server is, if it is doing something bad such as sending out spam, Google will punish your server. Hence the famous “This site may be hacked” warning on some search results.

Fourth, the hacks could lead to you losing information on your server.

Conclusion: for not only practical reasons, but for profoundly moral ones — it is your server so you should do what you want with it! — we are leading the fight against the bad guys.

I feel like some inspirational music should be playing in the background while you are reading this!

-morgan

Security Warning: Increased Brute Force Login Attempts

There’s been a lot of noise in the WordPress security community the last days about the increased XML-RPC attacks. Here at WPSOS we’ve noticed the same and can confirm the various reports on it.

However, we’ve also noticed an increase in brute force login attempts. These are automated scripts that, every x seconds, try a username (often ‘admin’, or simply the username shown as the author of a blog post) and then cycle through common passwords (“12345678”, “asdf1234”, etc.) until they eventually get a hit… or are banned.

Although WordPress itself is taking various measures to try to limit this — the latest version, for example, forces the creation of substantially harder to guess passwords — the hackers are often one step ahead.

The brute force attacks are getting increasingly brutal. We’d definitely recommend stronger measures to protect your login pages.

But what measures in particular?

Our two favorite methods are:

  • Use the .htaccess file to protect the login pages
  • Change the URL of the login pages

This is in addition to – obviously – the more basic anti-brute-force protections that are essential: for example, long, complex, unique passwords that you don’t write on paper, email, share openly with anyone, or re-use.

But more on that common sense in another post. As they say: common sense isn’t that common!

morgan
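To see what this noise looks like in your own access log, here is an added example (not from the original post) that flags IPs sending a burst of POSTs to wp-login.php or xmlrpc.php; the log lines are constructed, and the threshold and window are assumed starting values to tune for your site.

```python
"""Flag brute-force login bursts in an Apache combined-format access log.
Added example, not from the original post; the log lines are constructed and
the threshold/window are assumed starting values to tune for your own site."""
import re
from collections import defaultdict
from datetime import datetime

# Matches: IP - - [21/Dec/2015:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Both endpoints accept a username and password, so both see guessing traffic.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse(line: str):
    """Return (ip, timestamp, method, path without query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"],
            m["path"].split("?", 1)[0], int(m["status"]))

def find_brute_forcers(lines, threshold=10, window_seconds=300):
    """Return {ip: total login POSTs} for IPs with >= threshold login POSTs
    inside any window_seconds-long span (sliding window, so a burst that
    straddles a fixed bucket boundary is still caught)."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] in LOGIN_PATHS:
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample: one IP posts to wp-login.php every 5 s, a real user logs
# in once, and one IP probes xmlrpc.php twice, 38 minutes apart.
SAMPLE_LOG = (
    [_line("198.51.100.7", f"21/Dec/2015:10:0{i // 10}:{i % 10 * 5:02d} +0000",
           "POST", "/wp-login.php", 200) for i in range(12)]
    + [_line("203.0.113.5", "21/Dec/2015:10:01:30 +0000", "GET", "/wp-login.php", 200),
       _line("203.0.113.5", "21/Dec/2015:10:01:45 +0000", "POST", "/wp-login.php", 302),
       _line("192.0.2.9", "21/Dec/2015:10:02:00 +0000", "POST", "/xmlrpc.php", 200),
       _line("192.0.2.9", "21/Dec/2015:10:40:00 +0000", "POST", "/xmlrpc.php", 200)]
)

if __name__ == "__main__":
    for ip, n in find_brute_forcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs in a burst, candidate for blocking")
```

Feed it your real log with find_brute_forcers(open("access.log")) and the flagged IPs are the ones to deny in .htaccess or your firewall.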

WordPress Plugin: Stop Gravity Forms From Disappearing

Stop Gravity Forms From Disappearing is a simple plugin for ensuring that Gravity Forms never disappear.

The plugin solves the problem of Gravity Forms just not displaying on your page.

It’s a common issue with Gravity Forms: all is configured, everything is ready, the form published… but it doesn’t appear on the page. It’s just blank.

Note that this issue is most likely caused by your theme or another plugin throwing a JavaScript error, and the best way to resolve it is to fix those JavaScript errors. (See the comments below for Gravity Forms’ own suggestion on fixing the issue.)

Stop Gravity Forms From Disappearing forces the form to be displayed.

The installation and use is very straightforward. You should:

1. Upload the folder ‘stop-gravity-forms-from-disappearing’ to the ‘/wp-content/plugins/’ directory
2. Activate the plugin through the ‘Plugins’ menu in WordPress

If you have any suggestions, please let us know! You can contact us via http://wpsos.io/.