A new malware infection is affecting WordPress sites on a massive scale. Popular security service Sucuri made the following comments:
This infection is aimed at websites built on the popular WordPress CMS.
It is targeting sites with outdated (vulnerable) plugins or weak admin passwords.
Malware is highly obfuscated and attempts to inject SPAM to the hacked website.
You will notice the infection on your site should you start seeing mysterious errors being displayed on your page such as the following:
Parse error: syntax error, unexpected ‘)’ in xxxxx
You may also see a blank white screen (if you have PHP errors disabled).
Unfortunately, if you are affected by this issue, the only known solution is to restore your website from a previous backup. If you do not have a previous backup available for your site, try contacting your web host, who should be able to provide you with a recent backup of your website files.
At this stage it seems that data stored in your database has not been affected by the issue, so it may only be necessary to restore your website files.
How to Avoid These Types of Problems
The best way to avoid (or at least minimise) being affected by this type of malware is to always ensure you are running the latest software for your website. This includes your framework and your plugins. CMS frameworks like WordPress provide updates that are easy to install with just the click of a button. The same applies to most ‘pluggable’ functionality too.
It’s important to note that plugin and framework updates are not foolproof and may impact your site’s usability, functionality and/or performance. In most cases updates can be applied with minimal risk, however, there are times where you may experience issues.
In addition to ensuring your site is kept up to date with the latest software, it’s also extremely important to ensure you are using strong passwords to minimise the possibility of hackers compromising your site by guessing your password. This is an example of a strong password (randomly generated using the LastPass password generator):
A password of this strength will take a standard desktop PC approx. 425 quintillion years to compromise (howsecureismypassword.net), and honestly, who has that sort of time? With services like LastPass, which allow you to manage all your passwords, it’s possible to use complex passwords such as the one above without having to remember them.
Need Professional Assistance?
If you are looking for a professional management service for your WordPress site, please reach out to arrange an initial consultation.
Find out more by going here: http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html