Is Your WordPress Website Secretly Harboring Malware?

Dealing with a malware injection on a WordPress website isn’t a picnic on the best of days. Dealing with one my first day after arriving in Maine; after a 993 mile drive in a packed Ford Focus with my 6 foot 2 son and a ticked off cat?  Well, let’s just say my first day in my new location was far from peachy.  Yet I’m willing to re-live it via this post in order to give you a heads up about WordPress and malware.  And stress yet again why you should never ignore the need for maintenance.

One of the services that I provide is WordPress Website Maintenance.  I’m sure there are times when one or more of my clients question the monthly cost. After all, it’s pretty much an invisible thing. It’s not like my website design services or even my graphics services where the clients can actually see the results of my work.  Sure, their website stays running smoothly, their WordPress core, themes and plugins are all up to date, but who really notices that?   They aren’t notified when I run security scans, nor are they aware of the monitoring I do regarding the uptime of their sites.  Yet it’s by far one of the most important services I provide.

Three weeks ago, day one in my new office in Maine, a security scan on one of my client’s websites came back with an issue.  A change had been made to a file and upon inspection it was a malware injection which would redirect clicks on links to the website to a different, unscrupulous, spammy site.  It was present in several key WordPress files, even though I had been vigilant in updating the WordPress core, the theme and the plugins.  Cleaning malware from your installation isn’t just removing the injected code, you have to play detective and find out which backdoor your hacker came through or they’ll just do it again and again and yes, again.  I determined two things.  First, the backdoor seemed to reside in a plugin that the author hadn’t updated in quite some time.  Second, once in, they had deposited php files in old image directories where most WordPress website owners were unlikely to notice them.

Because I was monitoring the website, I was able to deal with the added code quickly and get the site cleaned up before it became blacklisted on Google or other search engines.  My client, although certainly not thrilled to hear that her site had been targeted, was relieved to know that it had been noticed quickly and taken care of.  Those months of paying for maintenance services seemed a small price to pay considering what the outcome could have been.

It left me wondering how many WordPress websites were harboring the same type of malware, hiding away in old image directories.

Or how many WordPress website owners aren’t aware of how many attempts to log in to their sites happen each day. (Many of the sites I maintain see up to 5 or 6 attempts a day to log in with the username ‘admin’ among others)  They mistakenly think that because WordPress makes it relatively easy to create a website that it’s somehow bulletproof and doesn’t require a webmistress/webmaster to maintain it.

The truth is that your WordPress website could be coming under attack right now.  It could be harboring malicious php code that could result in your site being blacklisted or worse.  It’s not that WordPress isn’t secure.  It’s that WordPress users fail to see the importance of maintaining.  They don’t understand how important those updates are. In fact, many see them as irritating, never understanding that they are important for security. They don’t realize that not all of the plugins in the plugin directory are maintained and updated the way they should be.

What about you?


Tina Marie Hilton provides online technology services to forward thinking businesses. She writes on her Tips from T.Marie business blog to share insight and information with other small businesses and entrepreneurs. It also makes her feel like that certificate in creative writing isn't going to waste completely.