There’s some nasty WordPress malware circulating right now. I haven’t fallen victim to that one, but I caught the very early stages of infection myself all too recently. WordPress itself was just updated to close some vulnerabilities, but the biggest problem is the plugins. Unfortunately, the plugins are the main reason to run WordPress.
At my day job, I’ve had the pleasure of working with a very security-conscious webmaster for the last couple of months, and he and I talk about WordPress security frequently and look into what we, or anyone for that matter, can do to make the best of the situation. Here’s what he and I have found in the last week or so.
First, here’s advice from SANS on the plugins that bots are most frequently looking for. If the bad guys don’t know how to exploit it, they aren’t looking for it. So it’s best to try to avoid those particular plugins if at all possible.
Second, while WordPress updates itself, it doesn’t automatically update plugins, but there’s a plugin that will update your other plugins. The same author has a plugin that notifies you of known vulnerabilities in other plugins. Running both is a good idea. If the current version of a plugin has a known vulnerability and no update is available, you need to do something: remove it until a fixed version appears, find another way to mitigate the vulnerability, or replace it with a maintained plugin that provides the same functionality.
Looking for PHP malware
If you run Linux and have shell access, here’s how to look for PHP malware in your WordPress directory. A sudden slowdown, or white screens of death, can be a sign of a compromise, so always check for malware when those things happen.
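As an added example (not from the original post or the linked how-to), here is a small POSIX shell triage script for the two checks I find most useful: PHP files sitting under wp-content/uploads, where WordPress never needs any, and PHP files containing the usual obfuscation idioms (eval of base64_decode/gzinflate/str_rot13, or preg_replace with the old /e modifier). It assumes a standard WordPress layout; the sample tree and file names are constructed for demonstration, and any hit is a lead to inspect by hand, not proof of infection.

```shell
#!/bin/sh
# Triage scan for PHP malware indicators under a WordPress install root.
# Prints one line per lead, tagged UPLOADS_PHP or OBFUSCATED.
scan_php_malware() {
    root="$1"
    # 1. PHP anywhere under uploads is a red flag by itself.
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
        | sed 's/^/UPLOADS_PHP /'
    # 2. Obfuscation idioms in any PHP file (-l prints each file name once).
    find "$root" -type f \( -name '*.php' -o -name '*.phtml' \) -print0 2>/dev/null \
        | xargs -0 grep -liE \
            -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
            -e "preg_replace[[:space:]]*\(.*/e[\"']" 2>/dev/null \
        | sed 's/^/OBFUSCATED /'
}

# Constructed sample tree (hypothetical files) so the script runs offline:
# one clean plugin file, one dropper-style file, one PHP file in uploads.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024" "$d/wp-content/plugins/good"
    printf '<?php\necho "hello";\n' > "$d/wp-content/plugins/good/good.php"
    # Typical dropper idiom; this payload only decodes to "echo 1;".
    printf '<?php\neval(base64_decode("ZWNobyAxOw=="));\n' > "$d/wp-content/plugins/good/dropper.php"
    printf '<?php echo 1;\n' > "$d/wp-content/uploads/2024/shell.php"
    echo "$d"
}

demo=$(make_demo_tree)
scan_php_malware "$demo"   # prints the uploads file and dropper.php, not good.php
rm -rf "$demo"
```

Point scan_php_malware at your real document root instead of the demo tree; on a large site, adding `-mtime -2` to the second find narrows it to recently changed files, which is usually where an active infection shows up first.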
And finally, you need to run a WordPress security plugin. Here are my tips for All-in-one WP Security, which is the one I prefer. The nearly ubiquitous Jetpack plugin gives you some security protection, but a dedicated security plugin helps more.