
WordPress Security, Malware, Bad Plugins and Careless Theme Designers

According to Gizmodo, a Russian malware bug called SoakSoak has hit 100,000 WordPress sites in one day. It infects the sites with malware, which they then spread to visitors. It’s just one example of what happens when you practice lousy WordPress security.

Google has shut down over 11,000 infected domains, but that’s a drop in the bucket.

How did this happen? More importantly, what can you do to up your WordPress security and keep it from happening to your site?

Plugin Vulnerability

The point of entry is a WordPress plugin called Slider Revolution. In September 2014, a vulnerability was identified. According to internet security firm Sucuri, the Firefox and Internet Explorer browsers are particularly vulnerable. (Use Chrome, people!)

Note, this is not a WordPress vulnerability, although the attack is on WordPress sites.

Why, if it’s well publicized, is it likely to grow?

I’m glad you asked...

Themes that Bundle Plugins Without Telling You

Slider Revolution has had problems for a long time. It’s a popular plugin, but in September 2014, a vulnerability was found and publicized by Sucuri.

The Code Canyon website, part of the Envato Marketplace, sells the plugin.

The developers quickly released a patch, but many sites running the plugin were never notified of the security issue or the availability of an update.

That’s because many themes sold through Theme Forest, another part of the Envato Marketplace, incorporated the plugin.

Envato disabled sales of affected themes, but that didn’t help sites already using them.

Here’s where the problem comes in: buyers of those themes were never notified and didn’t know they should upgrade right away. In fact, because of the way the plugin was incorporated into the themes, many of them have no way to upgrade the plugin directly. Instead, they need to rely on patches from the theme developer.

And some of the developers don’t release upgrades, or don’t notify their buyers that an upgrade is available.
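As an added check that is not part of this post: WordPress’s updater only tracks plugins under wp-content/plugins, so a copy a theme bundles somewhere under wp-content/themes keeps whatever version the theme author shipped. This script finds such bundled copies by their plugin header and flags any below a patched version you supply. The plugin name, versions and directory layout are constructed samples, not Slider Revolution’s real files.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment block at the top of a .php file.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def read_plugin_header(php_file):
    """Return name, version and path if the file carries a plugin header, else None."""
    try:
        head = php_file.read_text(errors="replace")[:8192]  # WP itself scans only the first 8 KB
    except OSError:
        return None
    fields = dict(HEADER_RE.findall(head))
    if "Plugin Name" not in fields:
        return None
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "0"), "path": str(php_file)}


def find_bundled_plugins(wp_content):
    """Plugin headers found anywhere under wp-content/themes: the plugin updater never sees these."""
    hits = [read_plugin_header(p) for p in sorted((wp_content / "themes").rglob("*.php"))]
    return [h for h in hits if h]


def version_tuple(v):
    """'4.1.4' -> (4, 1, 4); non-numeric parts count as 0 so comparisons still work."""
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))


def outdated_bundles(wp_content, minimum_versions):
    """Bundled copies whose version is below the patched version you supply per plugin name."""
    return [b for b in find_bundled_plugins(wp_content)
            if b["name"] in minimum_versions
            and version_tuple(b["version"]) < version_tuple(minimum_versions[b["name"]])]


def build_sample_site():
    """Constructed wp-content tree: one theme bundling an old plugin copy, one theme without."""
    root = Path(tempfile.mkdtemp())
    bundled = root / "themes" / "example-theme" / "inc" / "example-slider" / "example-slider.php"
    bundled.parent.mkdir(parents=True)
    bundled.write_text("<?php\n/*\nPlugin Name: Example Slider\nVersion: 1.2.0\n*/\n")
    clean = root / "themes" / "plain-theme" / "functions.php"
    clean.parent.mkdir(parents=True)
    clean.write_text("<?php\n// no plugin header here\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for b in outdated_bundles(site, {"Example Slider": "1.3.0"}):  # constructed patched version
        print(f"{b['name']} {b['version']} bundled at {b['path']}: needs the theme author's update")
```

On a real site, point `outdated_bundles` at your wp-content directory and supply the plugin name and patched version from the vendor’s advisory.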

If you’re using a theme you purchased from Theme Forest, go here to see a list of affected themes.

This is Why I Recommend Only Themes from Trusted Designers

Both of my go-to theme designers, StudioPress and Elegant Themes, are concerned with security. Concerned enough, in fact, that they hire companies like Sucuri to audit their themes to make sure they’re safe for you to use.

Obviously, they can’t control the plugins you add, but you can be confident that the theme itself has been thoroughly vetted to keep internet bad guys at bay.

Do they charge more than you’d pay for some of these bargain themes? Yes. Is the extra price worth it? Absolutely!

Bottom line: buy your WordPress themes from reputable designers. It’s like the difference between going to a local craftsman for your dining table and chairs instead of picking them up at Target. There are plenty of excellent theme designers out there. I believe strongly in the excellence of my two choices, and I actively promote them (and get paid a small commission if you purchase one through a link on this site). There are others worth trusting your business to.

When buying a theme, purchase from a designer who sells on his or her own website; don’t go to a marketplace or mall site. The designer who’s also the seller has more at stake, and will work harder to gain and keep your trust.

Choose your WordPress theme wisely. Your business success may depend on it.