How to Prevent Malware from Infecting Your WordPress Blog

Your blog is vulnerable to WordPress malware and cyber attacks. Cyber attacks are a fact of life for this generation. We will all be affected by malware at some point in our lives.

The truth is that cybercriminals are getting smarter and savvier from year-to-year. In the past decade, we have seen major data breaches and entire governments brought to a standstill from a cyber attack.

Malware is able to penetrate some of the world’s most secure systems and can cause serious damage to a business. The same could easily happen to your WordPress blog.

With the ever-present threat of WordPress malware, it is important that bloggers keep their blogs and websites secure to prevent damage.

*This post contains affiliate links. That means that if you make a purchase after clicking on a link I may earn a small commission at no extra cost to you. For more information, click here.

WordPress Malware, Ransomware, and Other Threats

2017 was an eye-opening year for malicious digital security threats across the world. A specific type of malware, known as ransomware spread worldwide in hours and held companies, large and small, hostage.

Ransomware is a type of malware that gains access to computers via a flaw in Windows and encrypts the data on that computer. An infected computer will have a pop-up that prevents you from accessing any of the encrypted files unless you pay a ransom.

The ransom varies and is almost always payable via bitcoin. Ransomware requires you to enter a code when the ransom is paid. This code identifies your computer and allows the hacker to decrypt your files.

Unlike malware of the past, ransomware does not require any action (such as opening an email) to infect computers. Instead, it uses software called EternalBlue to access weaknesses in the computer’s operating system and gain access to your files.

2017 Ransomware Attacks

2017 saw a drastic increase in ransomware attacks. Of those attacks, NotPetya and WannaCry were the most damaging. The attackers managed to close hospitals, transit systems, and bring entire governments and some of the world’s largest companies to a screeching halt.

NotPetya

The NotPetya attack first started affecting Ukraine computers. NotPetya encrypted the Ukranian government’s computers without warning. The ransomware attack completely shut down many offices and services provided by the government.

Initially, it was believed to be another Petya attack. After some ransoms were paid, it was clear that this was not Petya. It was something far more malicious and dangerous.

The encrypted files were decrypted and accessible after the ransom was paid during Petya attack. This was not the case with NotPetya. NotPetya encrypted every file on the affected computers. However, the files were not decrypted once the ransom was paid.

Companies and governments that were able to decrypt their files found that many were damaged beyond repair. This means that NotPetya was technically not ransomware, although it masked itself as such.

The main intent for NotPetya was far more malicious and unprecedented than any other ransomware attack. It was designed to destroy files and systems, not just extort bitcoin from companies.

While Ukranian officials claim the attack was initiated by Russia, that will likely never be proven. It does, however, make it clear of the direction that future malware and ransomware attacks are heading.

WannaCry

Another attack that took place in 2017 was called WannaCry. This attack was widespread and affected most of Europe. 75,000 computers were affected in 99 countries by this particular ransomware attack. Hospitals, government offices, and public transit were all impacted by WannaCry.

Although the U.S. was not among the hardest hit, several large companies, including FedEx, were impacted by the attack.

The Cost of Ransomware Attacks

These two attacks put lives at risks and invaded the privacy of companies and individuals indiscriminately. In Lithuania, a cosmetic surgery clinic didn’t pay the ransom.

As a result, 25,000 pictures from the practice’s computers were leaked by the hackers to extort money from the clinic. All of these files were personal and some included nude photographs of the clinic’s patients.

Doctors are responsible for patients’ privacy, so a leak like this one can easily destroy a doctor’s business. This also opened the individual patients to up to extortion attempts.

U.S. pharmaceutical company Merck was also hit very hard by NotPetya. They have reported their damages at $175M in costs, $135M loss in sales, and $240M in production losses due to the shut-down that occurred.

Ransomware and malware can be expensive for businesses or individual alike to recover. Unfortunately, not all can withstand the costs of the damages. These type of attacks are expected to gain popularity in the coming years. That means bloggers need to be vigilant in protecting their website and computers.

How WordPress Malware Can Affect Your Blog

Although you likely wouldn’t suffer a half billion dollar loss, there are a lot of serious problems malware can cause to bloggers. Malware can directly impact and even destroy your blogging business and reputation.

Years of work can be lost if one file gains access to your computer. Your blog can be impacted by WordPress malware in the following ways.

Your Blog Can Be Blacklisted

Imagine visiting a blog and receiving a big red screen saying “This Site Contains Malware” before you even reach the homepage. This screen is the result of the website being blacklisted by Google.

Would you continue to the website? I wouldn’t and neither would any other visitors. The risk is simply not worth reading your blog post.

Google blacklists 20,000 websites every week for malware. Sadly, this can happen to your blog without your knowledge. Google blacklists websites to protect consumers and its own reputation.

Pinterest can also block your pins from linking to your website for the same reason. If any of your pins are reported as inappropriate or a virus is possible, your Pinterest traffic will be stopped.

If you are a blogger, you understand what this would mean for your blog. It would absolutely destroy all of your hard work and you would lose your audience’s confidence.

Loss of Information

It takes the average professional blogger over 3 hours to craft a single blog post. That doesn’t include the time or money it takes to set up your website and market your business.

Without security in place to prevent an attack, your blog or computer could suffer irreparable damages. If your website is not backed up to a secure drive or location, you may have to start over from scratch.

Data Breaches

Do you sell items directly on your blog or offer premium memberships? If so, data could be compromised by a host of malware.

Data breaches can be minor or major. If credit card numbers, identifying information, and passwords are stored on your server or your computers, all of those can be leaked via spyware, bots, and other WordPress malware.

Data breaches can damage your business and open your business up to a host of liabilities. Keeping those accounts safe requires security protection and prevention.

Damage to Your Brand

Bloggers work the hardest at building their brand. Branding is important to any business, but if you want to succeed in a saturated market, branding is everything.

If your blog is hit with WordPress malware and it impacts your readers, audience, or access to your blog, you have a major problem. If you have a data breach, your subscribers or buyers will be much more reluctant to provide the same information to you after an attack.

Although all of the damages are bad, damage to your brand and its reputation are the most severe. You may never be able to fully recover from that kind of damage, even if you do start from scratch.

WordPress is Popular (and Vulnerable)

I remember in the late 1990s when having Internet Explorer on your computer opened you up to viruses. I remember installing Firefox on my computer for the first time during those days as it was deemed safer from attacks.

Using popular software comes with risks. Put yourself in a hacker or cyber thief’s shoes. If you were a hacker, what would you do? You would attack computers where you would get the most bang for your buck, right?

If 90% of websites use WordPress, why would you go after the other 10%? It simply doesn’t make sense. Your strike would be less successful and less profitable.

I’m not saying you should drop WordPress at all. I love this platform and I’m not going anywhere. The key is to make sure you keep your website up-to-date and have the proper security.

The following tips will help you to keep your blog safe when the next ransomware, malware, or spyware attack takes place.

How to Prevent WordPress Malware Infections

Prevention really is the best medicine. It is much easier to spend a few minutes each week reinforcing your website than it is to try to recover lost data. The best way to protect your blog is to prevent infections before they take place.

The following steps will help you protect your blog from infection and keep your WordPress site running smoothly.

Steps to Protect Your Blog

1. Choose a Reputable Hosting Service

Honestly, I am not sure how many web hosting services there are. Hundreds, maybe thousands? However, not all of those services are equal. Some companies are experienced, while others might be operating out of someone’s garage. Unless you do your research you won’t know the difference until it’s too late.

Choosing and reputable web hosting service is the most important part of starting a new blog. My web hosting service is HostGator, as I have mentioned before. This year they have been rated as one of the Best Web Hosting Services of 2018 by PC Magazine.

HostGator was founded in 2002 and is an awesome company and is still around 16 years later. That says a lot about the company.

I have yet to have any issues with HostGator and wouldn’t recommend it if I was not 100% pleased with my service. They provide me with a high-quality server and the tools to I need to manage and protect it. I feel protected as one of their customers.

If you decide to signup for HostGator, please sign up using the ad below. It gives you a 20% discount on your service and, in full disclosure, I will earn a small commission.  As I said before, I wouldn’t recommend it if I didn’t use the product myself. You can also view my disclaimer here for more information.

Other recommended web hosting services include BlueHost, SiteGround, DreamHost, and Hostwinds. I personally have no experience with any of these services. However, I have seen them recommended by other reputable bloggers.

I highly recommend that you do your research before you commit to any web hosting service, especially for a long-term commitment.

2. Add SSL Security to Protect User Information

SSL, which stands for Security Sockets Layer, encrypts the information transferred from one computer to the next during a transaction. SSL prevents cyber thieves and hackers from stealing user information. If you accept payments directly on your website or offer premium accounts or services, you need SSL.

Without SSL on your blog, spyware can easily collect customer information, login information, passwords, and payment information. This type of theft can easily destroy yours and your blog’s credibility. Don’t take the risk.

3. Update Plug-ins When a New Version is Available

Other than adding on a few new features, plug-ins require updates for security purposes. The more plug-ins you have on your blog, the more open doors there are to for hackers to access your blog. App updates keep those doors closed and your website secure.

Make it a habit to regularly check for plug-in updates. To do this in WordPress, click on “Plugins” in your dashboard sidebar, then click “Installed Plugins.” You will be taken to a list of all installed plugins on your blog.

Directly above the first plugin listed, you will see “All,” “Active,” “Inactive” and/or other links. When you have any updates, they will show up on this list. If “Updates” doesn’t appear, that means there aren’t any currently available.

If you need to update a plug-in, simply click on the “Update” link and follow the prompts (usually in red) on your screen.

You can also check each plug-in manually by looking directly under the title of the plug-in on the “Plug-ins” page.

If you install Wordfence or another website security plug-in, you can also elect to receive emails to tell you when new updates are available on your website. I highly recommend this as updates are something easy to overlook.

4. Uninstall Unused Plug-ins

As I stated before, every plug-in is an access point for a hacker. Uninstalling inactive plug-ins closes an access point. If you have not decided if you need a specific plug-in, keep it updated until you decide. This will also help reduce the risk of malware on your website.

5. Use an Anti-virus Plug-in

Your computer has security and so should your website. Install a web security plug-in, like Wordfence on your blog. Even free versions of anti-virus and firewall software are better than no protection at all.

Personally, I use Wordfence and am not affiliated with them in any way. I usually hear about new attacks from Wordfence long before the attacks are big news. WordPress provides me with email alerts, which keep me well informed.

When both the NotPetya and WannaCry ransomware attacks were taking place, I was notified very early on. Wordfence provided information that enabled me to protect my computer and blog from the attacks as they were happening.

In addition, Wordfence also provided protection from these attacks should my safeguards fail. I really am happy with their service and recommend it to everyone.

6. Back Up Your Blog Regularly

Unless you pay to have your website backed up by your hosting service or a third party, you are responsible for the information lost if something happens and your website crashes.

My blog is still quite small, so I have it on a shared server. What that means that my website’s files and information are on the same server as many other websites. While this saves me significant money on my hosting, it does open up my blog up to additional threats from other websites hosted on the same server.

Instead of paying a fee for backups, I have a plug-in, called UpdraftPlus, that backs up a copy of my website automatically to a secure cloud storage account. Cloud storage is much safer than the storage on your hard drive. Larger companies that offer cloud storage have awesome security and encryption, so your information isn’t going anywhere.

If the server’s hard drive ever failed for any reason, my website could easily be restored with minimal losses. It also prevents theft and damage to the copy, a risk from traditional storage methods. Cloud storage ensures my data stays safe at all times.

7. Stay on Top of New Threats

If your security plug-in(s) or firewall software alert you to a new or emerging threat, take it seriously and respond ASAP. One of the ways I protected my blog and computer from WannaCry was installing a patch on my laptop that operates on an older OS.

It seems like such a small thing to do, but this little security patch protected my computer at the very beginning of the cyber attack. My newer laptop operates on Windows 10, which automatically updates on its own. That means that most new Windows PCs will be protected automatically.

Check your emails regularly and if you hear about a potential attack, check online for advice about which steps you should take to secure your blog. Act quickly when these happen. Thousands of computers can be infected within minutes. That means each minute you wait creates a greater risk to your blog.

8. Scan Your Website Regularly

Scanning your website for malware and other security problems will ensure that you catch any threats quickly. This will help prevent damages and make it easier to recover from the infection.

Most security plug-ins also offer this feature. If a scan comes back with malware present on your website, take the necessary steps to remove the malware.

Some plug-ins may require you to upgrade to Pro or pay for a one-time virus removal. It is with the small amount of money to ensure that your website isn’t blacklisted and your followers aren’t at risk.

It also protects your reputation when you are proactive. If you discover a problem before it causes much damage, your visitors will likely never know it happened. No harm, no foul.

9. React Quickly to Potential Threats

If you are alerted to malicious software either via an app on your blog or email alert, address the issue immediately. The longer a trojan, virus, or other malware stays on your computer or blog, the more difficult it is to remove and the more data is compromised.

A virus continues to duplicate itself to infect more and more files. Often the intent is stealing data, but it could just destroy your files. The longer it is left alone, the more files it infects, just like a biological viral infection.

Not tackling malware like spyware or trojans also allows more data to be collected. Customer accounts, personal information, and even credit card information are at a greater risk of theft every minute the malware is present. The longer the malware is there, the more information it can get.

In the case of ransomware, the malware doesn’t need your help at all. It is able to seek connections and gaps in security without assistance. This allows it to spread quickly through entire networks, causing more damage quickly.

Regardless of the type of malware, catching it at the beginning minimizes the damage. I can’t stress this enough. The longer you put it off, the worse the damage will be.

Your Blog’s Fate is in Your Hands

Now that you know what to do and how to do it, get to work! It is critical to your blog’s success that you take WordPress malware and cybersecurity threats seriously.

Before you go, make sure to sign up for the newsletter below to stay informed about future posts.

Until next time, stay safe my friend.