WordPress Security Bulletin - Follow-up

Wed, 26 Feb 2014

This is a follow-up to our WordPress Security Bulletin from a few days ago.

Again, if you do not have a WordPress website hosted by Virtual Creations, you can disregard this message.  If you do not know whether your website is a WordPress website or not, please contact your website developer and ask them.

We have had to suspend 5 hosting accounts in the past few days because those accounts were found to be sending out spam from our server.  It's more than likely that at least some of those accounts were compromised by the recent hacking attacks.  Here's how to ensure that this doesn't happen to you next...

Our resident WordPress expert has discovered an excellent WordPress plug-in for (a) detecting and removing malware from your hosting account, and (b) preventing your account from being hacked in ways similar to the recent attacks.  In short, it's a must-have plug-in for your WordPress website.  It's called "Anti Malware (Get off Malicious Scripts)".  You can read about it here:  http://gotmls.net

To install this plug-in, do the following (or get your website developer to do it):

  1. Log into your WordPress website
  2. In the left margin, click on "Plugins"
  3. Click the "Add new" button in the top-left corner of that page
  4. Search for "anti malware" in the box on that page
  5. It should turn up as the top search result.  Click the "Install now" link
  6. Once it's installed, click the "Activate plugin" link
  7. You are returned to the "Plugins" page.  Find the new plugin in the list, and click the "Run Quick Scan" link under it
  8. The scan will run, and hopefully not find anything.  If it DOES find something, follow the recommended steps to remove it, and then let me know, so that I can check if our server has been impacted by the malware.
  9. On the scan results page, there's a box on the right-hand side to allow you to register to receive updates to the malware definitions.  I strongly recommend that you take this extra step.  Up-to-date definitions are very important.

Then, every couple of weeks, when you log into WordPress to do your regular routine maintenance of ensuring that WordPress and all its plugins and themes are up-to-date, add one more step:  run the Anti Malware quick scan.

Naturally, if you do not have the technical expertise to perform the steps above, you can ask your website developer to do it for you.  If you do not have a support contract with them, then they may well charge you for this extra service.

I encourage all WordPress website owners to attend to this ASAP.  If you don't, you run the risk that yours will be the next website suspended.