Uncategorized

What’s the Cheapest Wildcard SSL Certificate (And Where Can I Get It)? 

Read more...

How to Install an SSL Certificate on Windows Server 2025 with IIS 10

Read more...

How To Install an SSL Certificate on Windows 2025 Apache Server

A Technical Guide to SSL Certificate Installation on Windows Server 2025 with Apache Server

Are you running an Apache web server on Windows 2025 and need to enable HTTPS? Protect your online presence with a single domain SSL certificate on Apache, operating on Windows Server 2025. We’ll

Read more...

How to Generate a CSR on Windows Server 2025 with IIS 10

A Step-by-Step Guide to Generating a CSR in Windows Server 2025 – IIS 10

Securing web servers is essential in today’s digital landscape. Generating a Certificate Signing Request (CSR) is the initial step toward obtaining SSL/TLS certificates, vital for encrypted data

Read more...

How Secure is HTTPS?

If 81% of websites on the internet use HTTPS, are 81% of websites safe and secure?

In the past, HTTP was the most prevalent protocol for data exchange on the web. However, HTTP was never intended to transmit private information. Today, HTTPS (Hyper Text Transfer Protocol Secure) is

Read more...

How to Force a Redirect to HTTPS on WordPress (For Apache and NGINX)

BuiltWith data currently shows that 80+ million customers use SSL by Default. Is your website using HTTPS by default? If not, you could lose visitors and hurt your bottom line.

HTTPS, or Hypertext Transfer Protocol Secure, is how information is securely transmitted on the internet. Enabling HTTPS on your WordPress website is a must for organizations that value data security and want their websites to rank on Google.

In this article, we’ll guide you on how to force redirect HTTP to HTTPS on WordPress for Apache and NGINX web servers. You can achieve this by editing the .htaccess file or, if you prefer a more convenient approach, by automation. To keep things brief, we’ll assume that you already have an SSL/TLS certificate installed on your website. (If not, check out these articles to learn how to get an HTTPS certificate and how to install a Comodo SSL certificate on your website.)

How to Force Redirect HTTPS on WordPress (on an Apache Web Server)

The .htaccess file is a directory configuration file for your Apache web server. It allows you to make changes without editing your server’s main configuration files and settings. 

To locate the .htaccess file in your WordPress installation, follow these steps:

  • Access your website’s root folder, commonly referred to as public_html or sometimes www.
  • Look for the .htaccess file in this directory. Note that it is a hidden file, so you may need to enable the visibility of hidden files in your file manager or file transfer protocol (FTP) client.
  • Once you’ve located the .htaccess file, open it using a code editor of your choice.

Before we learn to edit the .htaccess file, you’ll need to choose from the available methods to access this file.

3 Ways to Access Your Server’s .htaccess File

You can access and edit the .htaccess (in the root folder) using your cPanel, FTP, or a simple plugin. Let’s quickly explore all three methods in the following steps: 

Method #1. Locate the File Using cPanel 

To access the .htaccess file using cPanel, log in to your account and select File Manager (as shown below). 

Image caption: Access File Manager by logging into cPanel.

From there, navigate to the public_html folder, where you can locate the .htaccess file and make the necessary edits.

Image caption: Locate the .htaccess file under the public_html folder in cPanel.

If, for some reason, you’re not seeing the .htaccess file, it may be that you have certain files hidden by default. To view these files, select Settings in the top-right corner of your screen. Check to see if the option Show Hidden Files (dotfiles) is selected. If not, select it and hit Save. This will refresh your File Manager window and you should now see the .htaccess file available.

Method #2. Locate the Directory-Level File Using FTP

If you prefer to use FTP, you can download the file to your computer via a program like Filezilla and edit it with a code editor. Simply upload the edited file to overwrite the existing one.

Image caption: Using FTP to access the .htaccess file under the public_html folder.

Method #3. Locate Using a Plugin

While we don’t suggest using plugins unnecessarily, there are cases where a lightweight plugin can be useful. If you’d rather edit the .htaccess file with a plugin, you can do so using a plugin like Htaccess Editor by WebFactory.

The process of using a plugin is easy — simply download and install the plugin on your dashboard, activate it, and go to Settings > WP Htaccess Editor to edit the code.

Image caption: Using a WP plugin to access the .htaccess file from the admin dashboard.

You can then add your code and click Save Changes to apply the changes. Once finished, you can easily uninstall the plugin or leave it installed for any future .htaccess edits you may wish to make.

Step-By-Step Instructions: How to Force HTTPS on WordPress By Editing Your .htaccess File

Now that you have located the .htaccess file using one of the above methods, it’s time to change the code so WordPress will force a redirect to HTTPS.

To modify the .htaccess file with the appropriate code, follow these steps:

  • Open the .htaccess file in the root directory of your WordPress installation. This file is typically found in the public_html folder or in one labeled www.
  • Insert the necessary commands. Insert the following code at the beginning of the .htaccess file above “# BEGIN WordPress”:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

The command will look like this:

# Force HTTPS on all pages
<IfModule mod_rewrite.c>
RewriteEngine

Read more...

8 Common WordPress Malware Infections: How to Find & Deal With Them (An Overview)

The 2024 SonicWall Cyber Threat Report reveals that malware attacks are up 11% (YOY) to a whopping 6.06 billion, continuing an upward trend that was noted in its 2023 report. Here’s a beginner’s look at how to figure out if your WordPress site is infected with malware.

Malware infections are a significant concern for website owners, and WordPress sites are no exception. Although WordPress attempts to diligently address core software security issues via updates, plugin and theme developers can’t always guarantee the same level of diligence. This creates a potential vulnerability that malicious actors can exploit, resulting in malware infections on WordPress sites.

There are plenty of ways that websites can get infected — infected plugins and themes, compromised shared hosting servers, etc. We won’t get into all of that here, though… our focus is to help you figure out whether your WordPress site is infected with malware, and what to do if it is.  

This article explores WordPress malware infections, covering their common forms and how to effectively scan for malware infections online.

8 Common Malware Infections That May Be Lurking on Your WordPress Site

Powering 43.2% of websites, WordPress has become one of the world’s most popular content management systems (CMS). From small businesses to significant organizations, millions of people rely on it to manage their online presence.

However, like any platform, WordPress is not immune to malware infections. To protect their websites against these threats, owners must educate themselves on the types of WordPress malware that can be used to wreak havoc. By learning how to detect and mitigate individual types of malware, and recognizing the harmful effects malware has on their website and visitors, owners can take the necessary steps to keep their platforms safe and secure.

1. SEO Spam Malware

SEO spam malware is malicious software that infects websites with the aim of creating spam links or content that benefits the search engine optimization of other sites. This technique, also known as “spamdexing,” manipulates search engine rankings by injecting or altering website content. It often involves redirecting website traffic to harmful destinations.

On a WordPress site, this can severely damage the site’s reputation and search engine rankings, potentially leading to blacklisting.

What to Look For on Your WordPress Site

Regularly check your website’s content and link insertions within posts and pages for signs of SEO spam. Here’s an example of a Pharma Hack, which discreetly inserts unauthorized links into posts or comments to exploit a site’s search engine ranking for malicious purposes:

<a href='http://malicious-site.com' rel="nofollow">Buy Medication</a>

Code caption: An example HTML link to a malicious site inserted with a “nofollow” attribute. The nofollow attribute is a common SEO practice that can be misused: while it discourages the spam site’s search ranking, it doesn’t stop the link’s malicious intent.

Of course, be sure to not just delete URLs willy-nilly. Take the time to research each instance; this way, you don’t delete something you shouldn’t and wind up accidentally breaking your website.

SEO Spam Malware Mitigation Measures

To mitigate the threat of SEO spam malware:

  • Consistently audit your site for unexpected content changes,
  • Employ web application firewalls to detect and block SEO spam injections, and
  • Use plugins to monitor and clean up SEO spam.

Related article: My Website is Redirecting to Spam: How to Diagnose & Remediate the Issue

2. Adware

Adware is malicious software designed to display advertisements on your screen, usually within a web browser. Although not always harmful, adware can be a frustrating disturbance. On WordPress websites, adware can manifest as intrusive advertisements, unexpected redirections to ad-heavy pages, or even malicious ads that pose additional security risks.

Often, adware is a client-side concern, affecting the browsers or devices of the user visiting your site. However, in some cases, it can also be something hidden within the third-party plugins and tools you use on your WordPress site.

What to Look For on Your WordPress Site

Regularly inspect external scripts and ad widgets in your website’s header, footer, or widget areas for any URL insertions you don’t recognize. For example, keep an eye out for code insertions like this that link to unauthorized websites:

window.open('http://ad-site.com');

Code caption: JavaScript command for opening a new browser window or tab, pointing to a specified URL.

Adware may infiltrate WordPress through questionable or compromised third-party tools or hosting, resulting in bothersome pop-ups or redirects to phishing sites. So, if you notice any of these issues, it’s a big red flag and means it’s time to start digging.

Adware Mitigation Measures

Combat adware by carrying out the following:

  • Running daily website security scans to search for malware that may be injecting ad link redirects,
  • Maintaining up-to-date website security software, and
  • Evaluating plugins for malicious redirects within scripts.

3. Viruses

A computer virus is malicious software that replicates itself by modifying other programs. WordPress website viruses infect clean, legitimate files and spread throughout the system, causing damage to its functionality and performance.

Infections that occur through compromised core files, themes, or plugins lead to issues such as corrupted files, website crashes, and potential harm to site visitors.

The SoakSoak virus is a notorious example impacting numerous websites. This virus exploits a vulnerability in the Slider Revolution plugin by injecting harmful JavaScript into the wp-includes/template-loader.php file.

What to Look For on Your WordPress Site

WordPress administrators must regularly monitor WordPress core files, themes, and plugins for unauthorized modifications. Here’s one such example:

<?php if(isset($_GET['infect'])) { /* malicious code */ } ?>

Code caption: PHP checks for a specific GET parameter to conditionally execute a malicious code block. This enables targeted actions based on URL parameters.

WordPress Website Virus Mitigation Measures

To prevent virus-related issues from impacting your website:

  • Keep all site components (plugins, themes, WordPress versions, etc.) updated,
  • Run regular (ideally, daily) website antivirus scans,
  • Employ website security services and solutions, including a web application firewall, and
  • Ensure strong access controls to mitigate the risk of viral infections on your WordPress site.
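
The “What to Look For” checks in sections 1 to 3 can be run as one review pass over theme, plugin and exported content files. The following is an added example, not code from the original article: the allow-list hosts, file names and function names are assumptions, and the sample inputs are constructed from the snippets shown above.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site legitimately links to; replace with your own.
ALLOWED_HOSTS = {"example.org", "www.example.org"}

ANCHOR_RE = re.compile(r"""<a\b[^>]*\bhref\s*=\s*['"]([^'"]+)['"]""", re.I)
WINDOW_OPEN_RE = re.compile(r"""window\.open\(\s*['"]([^'"]+)['"]""", re.I)
# PHP branch gated on a request parameter. Legitimate code does this too,
# so a hit means "review this line", not "confirmed infection".
REQUEST_GATE_RE = re.compile(
    r"""if\s*\(\s*isset\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[\s*['"]([^'"]+)['"]""",
    re.I)

def is_unrecognized(url, allowed=ALLOWED_HOSTS):
    """True for absolute URLs whose host is not on the allow-list."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host not in allowed

def scan_text(name, text, allowed=ALLOWED_HOSTS):
    """Return (file, line number, finding type, detail) tuples for review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, regex in (("unrecognized-link", ANCHOR_RE),
                            ("window-open", WINDOW_OPEN_RE)):
            for m in regex.finditer(line):
                if is_unrecognized(m.group(1), allowed):
                    findings.append((name, lineno, kind, m.group(1)))
        for m in REQUEST_GATE_RE.finditer(line):
            findings.append((name, lineno, "request-gated-php", m.group(1)))
    return findings

def scan_tree(root, allowed=ALLOWED_HOSTS):
    """Scan .php/.html/.js files under a WordPress root or content export."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".php", ".html", ".js"}:
            findings += scan_text(str(path), path.read_text(errors="replace"), allowed)
    return findings

# Constructed sample files built from the snippets shown in this article.
SAMPLES = {
    "post-42.html": "<p>Welcome</p>\n"
                    "<a href='http://malicious-site.com' rel=\"nofollow\">Buy Medication</a>\n"
                    "<a href=\"https://www.example.org/about\">About us</a>",
    "footer.js": "window.open('http://ad-site.com');",
    "template-loader.php": "<?php if(isset($_GET['infect'])) { /* malicious code */ } ?>",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        for finding in scan_text(name, text):
            print(finding)
```

Every finding is a prompt for manual review, in line with the earlier advice not to delete URLs without researching each instance.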

Related article: How to Secure Your WordPress Website from Hackers

4. Trojans

Trojans are a type of malware that cyber thieves and hackers often use to gain access to users’ systems. Unlike viruses, trojans don’t replicate themselves. Instead, they masquerade as benign software or files, tricking users into installing them.

This deceptive software can be harmful. That’s why it’s essential to be cautious when downloading and installing any software from the internet.

(NOTE: It’s always best to use software and scripts that are digitally signed using a publicly trusted code signing certificate. This process asserts your verified digital identity up front and protects your product’s integrity, thereby creating digital trust in your software and brand.)

What to Look For on Your WordPress Site

Within the WordPress ecosystem, trojans can infiltrate through dubious themes or plugins, providing attackers with unauthorized access and the means to steal data.

Keep an eye out for any unusual code that links off to a website you don’t recognize. For example:

<?php

Read more...

How to Check If Your WordPress Site Has Been Hacked: A Comprehensive Checklist

Web security is a pressing concern: approximately 30,000 websites are hacked daily, and more than 43% of websites use WordPress as their content management system (CMS).

As a web security company, we’re often asked by clients how to check if a WordPress site has been hacked. As a business or website owner, you must be aware of the potential hacking risks on your WordPress

Read more...

How do I make my own bundle file from CRT files?

Answer: You may do this using your favorite text editor or by using the command line.

Example:
# Root CA Certificate – AddTrustExternalCARoot.crt
# Intermediate CA Certificate

Read more...