Website Design, Strategy, Social Networking, SEO, Susan Pomeroy, Ph.D.

The Easy Way to Keep Random Hackers from Destroying Your WordPress Site

by Susan Pomeroy

Outwit Wordpress Hackers

Yesterday, I agreed to have a look at a site that was acting strangely. Turns out, it had been hacked.

“Why would someone hack such an innocent site?” the owner asked. “I wonder if it’s a sign that I should not be on the Internet.”

My heart went out to her, and to everyone who’s struggling with how to make good web choices. But I think the answer is to be more on the Internet! For as we now know, to keep a WordPress site safe, it must be updated regularly. For personal reasons, she’d neglected her site for some time.

Hackers triumph by exploiting vulnerabilities in older software. As the WordPress ecosystem evolves, these vulnerabilities are found and patched. That’s why updates are crucial.

But why would anyone care about this innocent little website?

Money. Sure, there’s pure malice, and probably the intoxication of power. But most hacks make money for someone. How? By implanting invisible (to the casual browser) links, hijacking or redirecting site content, and redirecting search results.

To show you how this works, here are three of the most recent and common WordPress hacks and what they do.

Pharma Hack

The so-called “Pharma Hack” came to light during the spring and summer of 2010. It implants instructions that do nothing visible to the average user, only to people searching Google for a particular site. Those expecting to find the site listed in Google instead see ads for select pharmaceuticals (you know the ones). In the words of Chris Pearson, founder of the Thesis theme, and Pharma Hack victim,

The WordPress pharma hack quietly exploits your highest-ranking and most valuable pages by overriding the title tag and by inserting spammy links into the page content. Interestingly, the modified title tag and spammy links are only visible to search engines.

TinyMCE Hack

This one has been around for quite a while. It burrows into a deeply buried file in a WordPress installation and implants code that generates lists of bogus links on virtually every page of the site. I have come across lists of thousands of spam links. These links are cloaked from the casual site visitor’s view. To spot them, you need to view a page’s source code in your browser, then examine every single file in your WordPress installation for improper code.

Timthumb Hack

In August of 2011, a widely used image-resizing plugin was hacked to place ads—hidden, and not—on sites. This was a “zero day” attack… no one was aware before the attack that this vulnerability existed. Safe, rewritten code was immediately made available, but not before hundreds of sites had been affected.

How can you tell if your site’s been hacked?

  • Your Google results have been hijacked
  • Your site is behaving bizarrely, even though you’ve turned off all your plugins just to make sure you don’t have a plugin conflict
  • You click on a link in your site and end up somewhere else
  • Your site shows you text or images, plays music, etc. that you didn’t put there
  • If you “View Source” in your browser for a page on your site, you see links to unfamiliar sites

Many of these invasions don’t register at all on Google’s malware checker. But there’s a plugin called Exploit Scanner that can help confirm your suspicions.
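The “View Source” check above, and the cloaked link lists described under the TinyMCE hack, can be automated for a first pass. The following is an added example, not code from the original post or from any plugin it mentions: it parses saved page source with Python’s standard library, records every link, and flags the ones hidden by inline CSS (display:none, visibility:hidden, zero font size, off-screen positioning) or pointing to a host other than your own. The site host name, the sample page and the spammy.example/partner.example hosts are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline CSS that removes an element from a visitor's view while leaving it in the
# source that a search engine crawls. A starting list, not an exhaustive one.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|;|\s|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)
# Elements that never get a closing tag, so they are not tracked on the open-tag stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class CloakedLinkScanner(HTMLParser):
    """Collect every <a href> and note whether it is cloaked and/or points off-site."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower().removeprefix("www.")
        self.open_tags = []      # (tag, started_hidden_region) for each open element
        self.hidden_depth = 0    # > 0 while inside an element hidden by inline style
        self.findings = []

    def _is_external(self, href):
        host = (urlparse(href).hostname or "").lower()
        if not host:             # relative URL, mailto:, #fragment ...
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        hidden_here = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "a" and "href" in a:
            self.findings.append({
                "href": a["href"],
                "external": self._is_external(a["href"]),
                "cloaked": hidden_here or self.hidden_depth > 0,
            })
        if tag in VOID_TAGS:
            return
        self.open_tags.append((tag, hidden_here))
        if hidden_here:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        # Pop back to the matching open tag, tolerating sloppy markup.
        for i in range(len(self.open_tags) - 1, -1, -1):
            if self.open_tags[i][0] == tag:
                self.hidden_depth -= sum(1 for _, h in self.open_tags[i:] if h)
                del self.open_tags[i:]
                return


def scan_page_source(html_text, site_host):
    """Return one record per link in the page source: href, external flag, cloaked flag."""
    scanner = CloakedLinkScanner(site_host)
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


def suspicious_links(html_text, site_host):
    """Links the site owner should review: cloaked ones, plus anything pointing off-site."""
    return [f for f in scan_page_source(html_text, site_host)
            if f["cloaked"] or f["external"]]


# Constructed page source standing in for what "View Source" shows on an infected page.
SAMPLE_PAGE = """<html><body>
<nav><a href="/about">About</a> <a href="https://www.mysite.example/blog">Blog</a></nav>
<p>Our partner: <a href="https://partner.example/">partner site</a></p>
<div style="display:none">
  <a href="http://spammy.example/offer1">offer one</a>
  <a href="http://spammy.example/offer2">offer two</a>
</div>
<p><a href="http://spammy.example/offer3" style="position:absolute; left:-9999px">three</a></p>
<img src="/logo.png"><br>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_PAGE, "mysite.example"):
        flags = ", ".join(k for k in ("cloaked", "external") if f[k])
        print(f"{f['href']}  [{flags}]")
```

Save the page source from your browser to a file and pass its contents to `suspicious_links` with your own domain. A visible off-site link is not by itself a problem (the partner link above is legitimate); a link that is both cloaked and off-site is the pattern the Pharma and TinyMCE hacks leave behind. Because the hidden copy may only be served to search-engine crawlers, compare what you fetch as a normal visitor with what Google’s cached copy of the page shows.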

What can you do if your site gets hacked?

There’s the easy, but expensive route: hire an expert to analyze the hack and clean/remove/restore the offending files and database entries.

There’s the inexpensive, hair-tearing, time-consuming way: do your own research. You can find thousands of pages of instruction on how to deal with a hacked site.

Ideally, you can take the easy, inexpensive route: restore your whole site from a clean backup.

How to keep your site from getting hacked in the first place?

There are reams of material on “hardening” (protecting) your WordPress site. But taking the three steps below will both discourage many hacking attempts and protect you should any succeed.

1. Update your plugins and WordPress core files regularly.

2. Make regular backups (preferably before you do any updating) of all your site components (MySQL database, PHP files, plugins, themes, custom programming).

3. Implement the five simple measures here.
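Step 2 is the one that turns a hack from a disaster into an inconvenience, and a backup is most useful when you can also tell which files changed since it was taken. The following is an added example, not code from the original post: a small Python script that archives the site’s files, records a SHA-256 manifest of every file alongside the archive, and later compares the live tree to that manifest to list files that were added, modified or removed (an injected PHP file in wp-content/uploads, an altered wp-config.php). The `dump_database` helper wraps the real `mysqldump` tool with its `--single-transaction` option and passes the password through the standard `MYSQL_PWD` environment variable; it assumes `mysqldump` is on the PATH and is not exercised by `demo()`, which works entirely in a temporary directory with a constructed mini site.

```python
import hashlib
import json
import os
import subprocess
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, with / separators) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup_site_files(root, dest_dir):
    """Archive the site tree and write a manifest beside it; returns (archive, manifest)."""
    root, dest_dir = Path(root), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"site-{stamp}.tar.gz"
    manifest = dest_dir / f"site-{stamp}.manifest.json"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=root.name)
    manifest.write_text(json.dumps(build_manifest(root), indent=1, sort_keys=True))
    return archive, manifest


def compare_to_manifest(root, manifest_path):
    """Report files added, modified or removed since the manifest was recorded."""
    baseline = json.loads(Path(manifest_path).read_text())
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def dump_database(database, user, password, out_path, host="localhost"):
    """Write a consistent SQL dump with mysqldump (assumed to be on PATH).
    The password goes in MYSQL_PWD rather than on the command line, where other
    users on the host could read it from the process list."""
    cmd = ["mysqldump", "--single-transaction", f"--host={host}", f"--user={user}", database]
    env = dict(os.environ, MYSQL_PWD=password)
    with open(out_path, "wb") as out:
        subprocess.run(cmd, env=env, stdout=out, check=True)
    return Path(out_path)


def demo():
    """Build a constructed mini site in a temp dir, back it up, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        plugin = site / "wp-content" / "plugins" / "demo"
        plugin.mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed\n")
        (plugin / "demo.php").write_text("<?php // constructed demo plugin\n")
        archive, manifest = backup_site_files(site, Path(tmp) / "backups")

        # Simulate what an intrusion leaves behind: a dropped file, an edited file, a deleted file.
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-content" / "uploads" / "x.php").write_text("<?php // not yours\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); /* changed */\n")
        (plugin / "demo.php").unlink()

        diff = compare_to_manifest(site, manifest)
        with tarfile.open(archive) as tar:
            diff["archived"] = sorted(m.name for m in tar.getmembers() if m.isfile())
        return diff


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `backup_site_files` and `dump_database` before every update, keep the archives somewhere the web server cannot write to, and keep at least one copy that predates the first sign of trouble; a manifest taken from a clean install is also the quickest way to answer “which files did the attacker touch?” when the time comes to restore.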

Is WordPress just too vulnerable?

Not according to the experts. WordPress is no more vulnerable to hacking than any other widely used content management (or for that matter operating) system.

Unlike old-fashioned static HTML websites, WordPress is part of a dynamic, ever-changing ecosystem that is continuously evolving towards greater complexity and power. The same programming that makes a WordPress site so easy to use and so wonderfully manageable also makes it (or any other CMS) far more attractive to hackers.

As components proliferate, it’s inevitable that unexpected vulnerabilities arise which create opportunities for incremental financial gain by embedding foreign or bogus links within legitimate content. Where there is money to be made, unscrupulous individuals take advantage. After all, if you left your car neglected on the street for months… in most neighborhoods, it would be broken into or worse. It’s exactly the same with your WordPress site.

Don’t flee the amazing connectivity of the Internet. Don’t give up on the incredible power and versatility of WordPress.

Just… keep your site updated, make sure it’s backed up, and use it to help you go about your business!



Martin Malden

In addition to the preventative measures you’ve outlined above, I also suggest people should make sure their computer is both free of malware and protected with a proper Internet Security package (not just the free anti-virus app), and use SFTP rather than FTP.

If your computer has had a key logger installed, all your passwords will be sent back to the miscreant and then all your security measures will be for nought.

Thanks for the article!

BTW – I love what you’ve done with Thesis, it looks great!



Susan Pomeroy

Thanks, Martin, using SFTP (Secure FTP) to transfer files is a great point.
