WordPress Security: 2015 in Review

Anoth­er day, anoth­er year and 2015 is draw­ing to a close. It’s been an inter­est­ing year with Don­ald Trump mak­ing waves in the pres­i­den­tial elec­tions, and fin­ish­ing off with Steve Har­vey crown­ing the wrong Miss Uni­verse! 2015 is a year to remem­ber. In the midst of the hol­i­day cheer, it’s also the time to reflect back on the past year to learn and grow from our mis­takes.

By mis­takes, we mean laps­es in your Word­Press secu­ri­ty — not on how you need to start hit­ting gym! With Word­Press attacks on the rise, it’s more impor­tant than ever to keep your site safe and beware of some com­mon pit­falls. Only last month, data secu­ri­ty firm Imper­va con­firmed in their WAAR Report 2015 that Word­Press has been the vic­tim 3.5 times more than oth­er Con­tent Man­age­ment Sys­tems.

Word­Fence has released the results of their first annu­al Word­Press Secu­ri­ty Sur­vey. A large sam­ple of 7,375 Word­Press users took part in the sur­vey reveal­ing data of secu­ri­ty behav­iour of Word­Press users, from those with lit­tle to no expe­ri­ence to total experts.

Of the respon­dents, 38.9% admit­ted to being a vic­tim of a Word­Press attack in the past year. It appears that a major­i­ty of the vic­tims were not proac­tive­ly scan­ning their site for virus­es but rather stum­bled upon it. Over 35% of the sam­ple said that they were alert­ed to their site being com­pro­mised while vis­it­ing their site. Around 27% said that their host­ing provider took their site offline and 26% were con­tact­ed by a cus­tomer.

Although more than half of Word­Press users find their income great­ly affect­ed when their site goes com­pro­mised, it appears from the sur­vey results that expert users were far more con­cerned about site secu­ri­ty than advanced and inter­me­di­ate users.

Plu­g­ins often make it to the news for cre­at­ing vul­ner­a­bil­i­ties in the site’s defense sys­tem, yet inter­est­ing­ly the sur­vey found that the most used plu­g­in type installed was a secu­ri­ty plu­g­in. It was close­ly fol­lowed by con­tact form, SEO and anti-spam plu­g­ins.

As a site own­er, it’s your respon­si­bil­i­ty to keep your site well pro­tect­ed. Use these 4 sim­ple ways to pro­tect your site from ever get­ting com­pro­mised.

Mer­ry Christ­mas and a Hap­py New Year from every­body at WPSOS! See you next year ;)

GoDaddy and SiteLock Partner to Add Security to Small Business WordPress Sites

It seems like very week there are new reports of secu­ri­ty attacks on Word­Press sites, and accord­ing to recent reports the num­bers are just get­ting high­er. GoDad­dy, the high­ly pop­u­lar domain reg­is­trar and web host­ing com­pa­ny, has decid­ed to add extra secu­ri­ty to Word­Press sites owned by small busi­ness own­ers. The com­pa­ny has part­nered with Site­Lock, a web­site secu­ri­ty provider, to reduce secu­ri­ty vul­ner­a­bil­i­ties and attacks.

The two com­pa­nies which have been work­ing togeth­er since April 2014, have announced a new plu­g­in keep­ing web devel­op­ers and design­ers in mind. With just one click, busi­ness­es will be able to access and under­stand their web­site secu­ri­ty sit­u­a­tion. With­out hav­ing to leave your web­site, the plu­g­in gives you an at-a-glance view of secu­ri­ty scan results with­in the Word­Press dash­board.

“This brought their secu­ri­ty infor­ma­tion to the fore­front in Word­Press so they can man­age their port­fo­lio of web­sites with­out hav­ing to ever leave the Word­Press site,” Site­Lock Pres­i­dent Feath­er said. “They can scan to make sure it’s free of mal­ware and can do all this with­in one inter­face. It’s a pow­er­ful tool for them because it enables them to do it in real time as they’re work­ing and adding fea­tures to their site.”

Oth­er fea­tures include secu­ri­ty scans on Word­Press pages in draft mode and real-time updates to resolve threats with min­i­mal laten­cy between the time they are iden­ti­fied and resolved. The plu­g­in can also rec­og­nize spe­cif­ic vul­ner­a­bil­i­ties and quick­ly resolve them on its own.

Tom Serani, Site­Lock Exec­u­tive Vice Pres­i­dent of Busi­ness Devel­op­ment, said, “As the host­ing space con­tin­ues to evolve, we want­ed to offer a strate­gic solu­tion through a trust­ed small busi­ness advi­sor and part­ner like GoDad­dy. We worked togeth­er to make it easy for cus­tomers to seam­less­ly inte­grate secu­ri­ty into their sites.”

Users can use one set of log-in cre­den­tials through the plu­g­in to access and man­age both their GoDad­dy account and Site­Lock infor­ma­tion.

WP Engine Suffers Security Breach

WP Engine has suf­fered a major secu­ri­ty breach it forc­ing to reset over 30,000 cus­tomers’ pass­words. On Tues­day, the Word­Press host­ing out­fit con­fessed to the hack attack. It post­ed rec­om­men­da­tions on reset­ting pass­words with updat­ed step-by-step links on how to do it.

WP Engine is a Host­ed ser­vice provider, which man­ages Word­Press host­ing for mis­sion crit­i­cal sites around the world. Set up by Word­Press to bet­ter sup­port the giant web pub­lish­ing plat­form, it had stayed clear of any secu­ri­ty vul­ner­a­bil­i­ties — unlike Word­Press and its themes- up till now.

In an urgent secu­ri­ty noti­fi­ca­tion on its site, WP Engine announced the secu­ri­ty breach. They said, “At WP Engine we are com­mit­ted to pro­vid­ing robust secu­ri­ty. We are writ­ing today to let you know that we learned of an expo­sure involv­ing some of our cus­tomers’ cre­den­tials. Out of an abun­dance of cau­tion, we are proac­tive­ly tak­ing secu­ri­ty mea­sures across our entire cus­tomer base.”

“We have begun an inves­ti­ga­tion, how­ev­er there is imme­di­ate action we are tak­ing. Addi­tion­al­ly, there is action that requires your imme­di­ate atten­tion” said the WP Engine Team, refer­ring to the reset­ting of pass­words. “While we have no evi­dence that the infor­ma­tion was used inap­pro­pri­ate­ly, as a pre­cau­tion, we are inval­i­dat­ing the fol­low­ing five pass­words asso­ci­at­ed with your WP Engine account. This means you will need to reset each of them.”

The firm imme­di­ate­ly reached out to its clients inform­ing them of the attack and on how to guard their accounts. Users with an account at WP Engine should change their pass­word and keep a watch­ful eye over email com­ings and goings, as well as, their finan­cial trans­ac­tions.

WP Engine apol­o­gized for the attack, “We apol­o­gize for any incon­ve­nience this event may have caused. We are tak­ing this expo­sure as an oppor­tu­ni­ty to review and enhance our secu­ri­ty, and remain com­mit­ted to strong inter­nal secu­ri­ty prac­tices and process­es.”

Breaking News: Reader’s Digest and other WordPress sites are compromised

A large num­ber of Inter­net users have been infect­ed via the Angler exploit kit, after vis­it­ing com­pro­mised sites in the past week. The hack­ing cam­paign has been pushed from many Word­Press sites, most notably that of Read­er’s Digest — the pop­u­lar, month­ly fam­i­ly mag­a­zine.

Accord­ing to secu­ri­ty blog, Mal­ware­bytes, the attack con­sists of com­pro­mised Word­Press sites inject­ed with mali­cious script that launch­es anoth­er URL whose final pur­pose is to load the Angler exploit kit. Own­ers of attacked Word­Press sites should remem­ber that although the inject­ed scripts and URL’s fol­low the same pat­tern, they vary over time.

In the ini­tial inves­ti­ga­tion by Mal­ware­byte, it was found that the Necurs back­door tro­jan is loaded on the com­put­er of vis­i­tors to the infect­ed sites, deliv­ered by the Bedep tro­jan via the uploaded Angler Exploiter Kit. If you have vis­it­ed Read­er’s Digest or any oth­er com­pro­mised site, run a secu­ri­ty scan on your com­put­er.

But if you are one of the infect­ed sites, then don’t hes­i­tate in con­tact­ing us. It is our spe­cial­ty to clean up all mal­ware and hack­er attacks on Word­Press sites. We have a high­ly expe­ri­enced team who have seen all kinds of virus­es and mal­ware, and effec­tive­ly dealt with them.

In an email to SCMagazine on Tues­day, Read­er’s Digest spokesper­son Pauli Cohen said, “We became aware of the mal­ware attack last week and have been work­ing with our secu­ri­ty provider, tech­nol­o­gy part­ners and plat­form provider to inves­ti­gate the issue and per­form exten­sive secu­ri­ty checks on our web­site. At this point, we are address­ing all known vul­ner­a­bil­i­ties of the site. We take secu­ri­ty very seri­ous­ly and are tak­ing every step to ensure the integri­ty of our site.”

Although it is our spe­cial­ty to help restore secu­ri­ty to hacked Word­Press sites, we believe it is always impor­tant to guard your­self against an attack in the first place. Get­ting your site back up and run­ning is no prob­lem for us. How­ev­er once you’ve real­ized that your site has been hacked, then give us a call at +1 (650) 600‑1970 as soon as pos­si­ble to mit­i­gate the dam­age.

Imperva WAAR Report 2015: WordPress attacks highest of all CMS’s

Secu­ri­ty attacks on web­sites and blogs are high­er than ever before. Accord­ing to Imper­va’s new Web Appli­ca­tion Attacks Report, Con­tent Man­age­ment Sys­tems (CMS’s) were attacked three times more often than oth­er Web appli­ca­tions. The data secu­ri­ty firm con­firmed that Word­Press has unfor­tu­nate­ly been the vic­tim 3.5 times more than the oth­ers.

It comes as no sur­prise that Word­Press is the most attacked CMS. Not only is the most pop­u­lar ser­vice but new data from W3Techs, which mea­sures both usage and mar­ket share, report­ed last week that Word­Press accounts for a quar­ter of the web. They said,“WordPress is used by 58.7% of all the web­sites whose con­tent man­age­ment sys­tem we know. This is 25.0% of all web­sites.”

As 2015 draws to a close, Word­Press has tak­en a real beat­ing this year with an increase in brute-force attacks. Hack­ers and mal­ware are doing a lot of dam­age by tak­ing advan­tages of vul­ner­a­bil­i­ties caused by weak­ness­es in the 30,000+ plu­g­ins on Word­Press.

Imper­va’s report said,“CMS frame­works are most­ly open source, with com­mu­ni­ties of devel­op­ers con­tin­u­ous­ly gen­er­at­ing sequences of plu­g­ins and add-ons, with­out con­cert­ed focus towards secu­ri­ty. This devel­op­er mod­el con­stant­ly increas­es the vul­ner­a­bil­i­ties in CMS appli­ca­tions, espe­cial­ly for Word­Press which is also PHP based.”

Non-CMS appli­ca­tions were less sus­cep­ti­ble to remote com­mand exe­cu­tion (RCE) attacks than CMs’s accord­ing to the report’s find­ings. Fur­ther­more, the report found that Word­Press is five times like­li­er than oth­er CMS’s to be hit by remote file inclu­sion (RFI) attacks.

Some of the trends dis­cov­ered in Imper­va’s annu­als report were con­tin­u­ing from last year’s report, such as increased SQL Injec­tion (SQLi) and Cross-Site-Script­ing (XSS) attacks and more attacks on Word­Press. A new­com­er this year is the mega trend of Shell­shock Remote Code Exe­cu­tion (RCE) attacks, scan­ning web appli­ca­tions on an equal basis.

The report said, “We con­clude that the increas­ing avail­abil­i­ty of web attack tools and services—with com­pu­ta­tion­al pow­er becom­ing less expen­sive and ubiquitous—are dri­ving the new wave of vol­u­met­ric mali­cious attacks. The evo­lu­tion of attacks against web appli­ca­tions has con­tin­ued with increased sophis­ti­ca­tion, mag­ni­tude, and veloc­i­ty. How­ev­er, there is hope thanks to the grow­ing effec­tive­ness of rep­u­ta­tion-based detec­tion mech­a­nisms, and their abil­i­ty to iden­ti­fy attacks by track­ing pre­vi­ous­ly iden­ti­fied mali­cious activ­i­ty to its ori­gins.”


4 Simple Ways to Protect your WordPress Site from Viruses, Malware and Hackers

Almost all of our clients have been tar­get­ed by a mali­cious attack on their Word­Press site. When they first come to us, they are in utter pan­ic, stressed and quite con­fused on what to do. Only after we do our job and restore their site to its for­mer virus-free glo­ry, does col­or return to their face and they begin to calm down.

It pains us to see our clients go through so much wor­ry, when they could have avoid­ed the dis­as­ter by tak­ing only a few pre­ven­ta­tive steps. You can save your­self from a major fias­co if fol­low some of the steps we’ve out­lined below to help pro­tect your Word­Press site from virus­es, mal­ware and hack­er attacks:

1. Update your site’s theme & plu­g­ins

Updates for Word­Press and its plu­g­ins are fre­quent­ly released by their offi­cial teams. These updates con­tain fix­es for fresh­ly dis­cov­ered secu­ri­ty loop­holes to pre­vent pos­si­ble attacks. So make sure you reg­u­lar­ly update your site.


2. Back­up

An extreme­ly impor­tant task in man­ag­ing your site is reg­u­lar­ly back­ing it up, espe­cial­ly before mak­ing new changes. You can use a plu­g­in or do it man­u­al­ly. So if your site does unfor­tu­nate­ly get com­pro­mised, then with the help of your back­up files you can switch hosts and be back up and run­ning in no time.


3. Change the login and pass­word from admin

By default the user­name for Word­Press is admin. Cre­ate a unique user­name which isn’t too obvi­ous nor easy to guess; includ­ing num­bers would be good. The same goes for the pass­word. Set a long pass­word with a mix of upper and low­er keys, num­bers and sym­bols.


4. Hide or secure wp-config.php 

The wp-config.php file holds all sen­si­tive data and the con­fig­u­ra­tion of your web­site, and is quite vul­ner­a­ble to attacks. You can secure it by adding the fol­low­ing code to the .htacess file in the root direc­to­ry — chang­ing the cod­ing denies any­one access to the file:

# pro­tect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all

You can also have it moved to the root direc­to­ry — your_host/wp-config.php — from its default loca­tion at host/wordpress/wp-config.php for added pro­tec­tion.

Preventing Microsoft Word Macro Viruses

Although our focus is on Word­Press… we often get ques­tions from our clients about non-Word­Press virus and hack issues.

Here are some thoughts on com­mon ques­tions we get about MS Word virus­es.

Microsoft Word mal­ware rarely makes the news these days but unfor­tu­nate­ly it exists. Word files received from oth­er com­put­ers or a net­work car­ry a risk. Just because you have an anti-virus pro­gram installed on your com­put­er does­n’t mean you’re a 100% safe. They can’t do any­thing until an update comes with a patch to fix the prob­lem.

To pro­tect your­self from a Word macro virus you first need to know what is.

What is a Word Macro Virus?

Word has a pow­er­ful fea­ture which lets you cre­ate Visu­al Basic for Appli­ca­tions (VBA) pro­grams– also known as macros. Macro virus­es use this fea­ture to copy the virus’s code to oth­er files. VBA pro­grams are stored in the Word doc­u­ment and tem­plate files.

The virus dupli­cates the code auto­mat­i­cal­ly to anoth­er file, usu­al­ly Normal.dot, which is what Word loads with every file. So when­ev­er you open or close the Word file or Microsoft Word itself, the virus copies itself.

Microsoft Word Macro Virus


  • Doc­u­ment all files in the Word file’s start­up fold­er and macros (if you don’t know how to find Word’s start­up fold­er, use this quick tuto­r­i­al). Write down the list of files and macros some­where or take a screen­shot and save it in a mem­o­rable place on your hard dri­ve.
  • If you think you’ve caught a macro virus, then you can then check for virus­es man­u­al­ly. Go to Tools> Macro> Macros in Word’s menu and a list of macros will be dis­played. Com­pare these against the list you cre­at­ed ear­li­er. Pay extra atten­tion to any macros named AutoEx­ec, AutoOpen, Auto­Close, File­Ex­it, File­New, FileOpen, File­Save, File­SaveAs, and Tools­Macro.
  • In Word 97, you need to man­u­al­ly enable virus pro­tec­tion against macros. In the Word menu, go to Tools> Options, click on the Gen­er­al tab, and check the box for Macro virus pro­tec­tion (it might already by checked).
  • In Word 2000, you can set the secu­ri­ty set­ting by going to Tools> Macro> Secu­ri­ty and set­ting the secu­ri­ty lev­el to medi­um. It will auto­mat­i­cal­ly warn you if you are open­ing a file that con­tains a macro.

Malware & Virus Cleanup: Why?

One of the most impor­tant aspects of what WPSOS does is to clean up mal­ware, virus­es, and hacked web­sites.

In case you’re won­der­ing why we do this, it’s because we’re com­mit­ted to our mis­sion: to remove all Word­Press mal­ware and virus­es from Word­Press web­sites.

It is a tall order — but some­one needs to do it. If not, the bad guys win.

In oth­er words: this is more than a job or a com­pa­ny for us. It is a call­ing. Good vs evil. We are ded­i­cat­ing our­selves to the good guys win­ning.

What is so bad about mal­ware, virus­es, and hack­ers? A few things.

First, they put soft­ware on your serv­er with­out your per­mis­sion. Any­thing on your serv­er should have your per­mis­sion!

Sec­ond­ly, almost always, these are used for nefar­i­ous pur­pos­es — such as, send­ing out spam.

Third, since Google among oth­ers tracks how healthy your serv­er is, if it is doing some­thing bad such as send­ing out spam, Google will pun­ish your serv­er. Hence the famous “This site may be hacked” warn­ing on some search results.

Fourth, the hacks could lead to you los­ing infor­ma­tion on your serv­er.

Con­clu­sion: for not only prac­ti­cal rea­sons, but for pro­found­ly moral ones — it is your serv­er so you should do what you want with it! — we are lead­ing the fight against the bad guys.

I feel like some inspi­ra­tional music should be play­ing in the back­ground while you are read­ing this!


Security Warning: Increased Brute Force Login Attempts

There’s been a lot of noise in the Word­Press secu­ri­ty com­mu­ni­ty the last days about the increased XML-RPC attacks. Here at WPSOS we’ve noticed the same and can con­firm the var­i­ous reports on it.

How­ev­er, we’ve also noticed an increase in brute force login attempts. These are robot­ic algo­rithms that every x sec­onds guess a user­name (often ‘admin’ or just the user­name that post­ed a blog post) and then cycles through com­mon pass­words (“12345678”, “asdf1234”, etc) until it even­tu­al­ly gets a hit… or is banned.

Although Word­Press itself is tak­ing var­i­ous mea­sures to try to lim­it this — the lat­est ver­sion, for exam­ple, forces the cre­ation of sub­stan­tial­ly hard­er to guess pass­words — the hack­ers are often one step ahead.

The brute force attacks are get­ting increas­ing­ly bru­tal. We’d def­i­nite­ly rec­om­mend stronger mea­sures to pro­tect your login pages.

But what mea­sures in par­tic­u­lar?

Our two favorite meth­ods are:

  • Use the .htac­cess file to pro­tect the login pages
  • Change the URL of the login pages

This is in addi­tion to — obvi­ous­ly — the more basic anti-brute force pro­tec­tions that are essen­tial: long, com­plex, unique pass­words that you don’t write on paper or email or share open­ly with any­one and don’t re-use, for exam­ple.

But more on that com­mon sense in anoth­er post. As they say: com­mon sense isn’t that com­mon!


WordPress Plugin: Stop Gravity Forms From Disappearing

Stop Grav­i­ty Forms From Dis­ap­pear­ing is a sim­ple plu­g­in for ensur­ing that Grav­i­ty Forms nev­er dis­ap­pear.

The plu­g­in solves the prob­lem of Grav­i­ty Forms just not dis­play­ing on your page.

It’s a com­mon issue with Grav­i­ty Forms: all is con­fig­ured, every­thing is ready, the form pub­lished… but it does­n’t appear on the page. It’s just blank.

Note that this issue is most like­ly caused in case your used theme or anoth­er plu­g­in is caus­ing a JavaScript error, and the best way to resolve this issue is to fix the JavaScript errors. (See the com­ments below to see what Grav­i­ty For­m’s sug­ges­tion is to fix the issue.)

Stop Grav­i­ty Forms From Dis­ap­pear­ing forces the form to be dis­played.

The instal­la­tion and use is very straight­for­ward. You should:

1. Upload the fold­er ‘stop-grav­i­ty-forms-from-dis­ap­pear­ing’ to the ‘/wp-con­tent/­plu­g­in­s/’ direc­to­ry
2. Acti­vate the plu­g­in through the ‘Plu­g­ins’ menu in Word­Press

If you have any sug­ges­tions, please let us know! You can con­tact us via http://wpsos.io/.