Malware and WordPress – Keeping It Clean

by Ben Gabler on

The term “malware” is a shortening and joining of the two words “malicious” and “software” and indicates that it is software that has been deliberately designed to cause damage, commit crimes or disrupt the normal functioning of a system. In the very early days of computers, malware was usually created as either a joke or as a way to gain reputation among other computer enthusiasts. While this is still the case the vast majority of modern malware is created by criminals who have enthusiastically embraced the internet as a medium to further their enterprises.

What Does Malware Do To WordPress?

There are a large variety of attacks against WordPress that use malware but they break down into the categories described in the following sections.

Malicious Redirects

A malicious redirect is where malware re-writes pages of your site that automatically redirect a visitor to a website of their choosing. The destination website may have more malware that it will attempt to infect the visitor, sell them something, or simply drive the criminal’s advertising revenue. This sort of infection is a fairly common objective for hackers when they compromise a WordPress instance. They are interested in your audience and manipulating them for gain rather than anything on the server itself.

Unauthorized Downloads

An unauthorized download occurs when a malware compromised WordPress site manipulates a visiting browser to download a malicious payload without the user being notified or alerted. This type of unauthorized download is often called a “drive-by download” because the user only has to casually visit or “drive-by” a malicious page to get compromised without clicking on anything.

The most common means for hackers to set this up is to leverage Java to download a malicious payload from a server under the control of the attacker. That payload will probe the user’s browser and host system in an attempt to discover a vulnerability that will allow the attacker to do anything from installing a virus in the operating system to displaying popups in their browser.


A software backdoor is a way for an attacker to create a secret and persistent entry into a system. In the case of WordPress, the malware will create a backdoor by registering a new, legitimate-sounding WordPress user account with administrator privileges. This is exactly what happened at the end of 2019 when several out-of-date plugins were being exploited in such a way that hackers could create admin accounts. These older versions of the plugins were installed over 30 million WordPress instances.

SEO Spam

That type of malware can be rather difficult spot if your WordPress instance is infected. This is because it doesn’t make any changes to the appearance of your site or redirect visitors anywhere. The hackers are targeting Google and other search engines and not the visitors. They will sometimes only serve the modified pages to search engine indexers and not to real people visiting your site making them even harder to detect.

This malware modifies the meta information of your web pages that search engines use when they show your site in their listings. The search engine will populate your ranking description with an advert for the hacker’s site instead of your site description.

Search engines will lower your site’s ranking if they index this sort of content on your site. Also, anyone searching for your site using a search engine will find very confusing information and will very likely not click through to your site.

Due to the type of products being pushed with this hack, it is sometimes referred to as a “Pharma Hack” or even a “Viagra Hack”!.

How Does Malware Get Into WordPress?

The following methods of placing malware onto a WordPress site are all commonly and actively in use for compromising sites.

Easter Eggs

This malware type is the least aggressive but can still present a serious security issue for your WordPress instance. In the world of software, an easter egg is a piece of code that has been hidden and often obfuscated (made hard to read) inside of a piece of software. The easter egg code will usually do something innocent such as show a message or display an image when certain unusual inputs are entered. Although sometimes it may do as much as allow you to play a flight simulator in Microsoft Excel 97!

Easter eggs are usually innocent and joking in their intent. After all, if they weren’t they would be a different category in this article! However, that doesn’t mean that they can’t do harm to your WordPress instance and negatively impact your clients. An easter egg is not usually intentionally included in a professional plugin or theme and so it represents a risk for being an unaudited piece of code that could easily have unintended and damaging consequences. Furthermore, the easter egg may display a strange or inappropriate message your site visitors that is confusing at best and at worst may drive your users away in fear that you have been compromised.

Outdated Software

This is by far and away the most exploited method of compromising a WordPress instance. The following is a list of all the classes of software that you must ensure are always up to date on your server:

  • Operating system
  • WordPress core installation
  • Themes
  • Plugins

You can read more about keeping WordPress up to date in our Stay Safe and Keep Your WordPress Up To Date article.

SQL Injection

An SQL injection attack is where a maliciously crafted web request either reads or manipulates the WordPress database. If this attack is successful then almost anything is possible from creating a new administrator login and stealing credit card details, to modifying the contents of pages. You can guard against this type of attack with a Web Application Firewall which is explained in the Rocket Protect Your WordPress Site With Effective Network Filtering guide.

File Uploads

WordPress has a special directory called /uploads/ e.g. that is the destination folder for files uploaded to your WordPress instance. If this directory left in an insecure state by the original installer or through careless system administration it becomes an easy location for hackers to place malware.

The files that are uploaded to /uploads/ may be intended to infect that same WordPress instance. This is very much the case if the execution of PHP is enabled for this directory. Alternatively, after the file is on your site the hacker can use it as a download location for attacks on other systems.

Compromised or Insecure Login Credentials

The usernames and passwords to your WordPress instance are the keys to the kingdom. You must keep these securely stored on any system where you save them. If a hacker gets a login to your WordPress site then they can load whatever malware they want. This level of access means that recovering is almost impossible and restoring from backups is the only option.

If you are not already, you should use a password manager for all your passwords. They allow you to create long, secure passwords as you don’t have to remember them. Wikipedia has a list of passwords managers here many of which are open source and free.

What can I do?

Keeping your WordPress instance secure can be a lot of work but these are the areas that you should concentrate your efforts.

Update Everything!

Seriously, if there is one thing that you take away from this article is that you must keep everything updates. You can find all about keeping WordPress and your server up to date with the WordPress Updatres guide.

Malware Scanning

Every one of the malware variants listed above all either put files on your WordPress site or modify it in some way. These changes can be detected by a malware scanner that works just like a virus scanner on your laptop. There are lots of free and paid options available as WordPress plugins but they all require work and management to maintain in an optimal configuration.

The Rocket Solution

A less involved solution is to make use of a managed hosting solution like Rocket hosting. When you order a WordPress instance from Rocket, no matter what tier, it will come with 24/7/365 security including comprehensive malware scanning. You don’t need to put your time into worrying about your malware scanner. Let the experts do that for you and instead put your time into making your WordPress site as awesome as you can imagine!

Stay Informed

The WordPress organization has several channels where they will post information about WordPress updates, security news, and other useful information. Choose the one that best fits into your digital life and keep an eye on your feed:

Stay Legal

Sometimes, especially when testing and development there is a temptation to go to some of the less legal corners of the internet and download a plugin or theme that usually costs money. Unfortunately, these plugins usually come with the added bonus of a backdoor and will infect your WordPress site. Even if you remove the plugin later the damage is done and will be very difficult and expensive to repair if you infected a production instance. Keep it legal and keep it secure.

Similar Posts