You may not always need professional services to remove WordPress malware. It's always a huge problem when a WordPress website gets hacked and loaded with a ton of malware and you may not have a budget to pay for WordPress malware removal services. Not only can it affect your SEO, but the malware will also tear your website apart with what looks to be unlimited pop-ups. I've seen times when malware will cause computer viruses to be downloaded to the computer of any visitor that goes to your website. This could be a reason why Google will penalize your website when its crawlers detect malware.
Here are a few reasons that can cause WordPress malware within your website.
Your hosting can play a major factor as well. If your hosting provider is not keeping your hosting packages such as PHP up to date, your site will be vulnerable. For this reason, we advise ensuring your web host is keeping your host packages up to date.
WordPress much like many other platforms is prone to hacks but what makes WordPress more vulnerable is the fact that it's extremely popular and plugins are not vetted for security or best practices.
Plugins and the WordPress development team release updates for a few reasons. They’ll send an update for additional features that have been added, bug fixes to current features, or more importantly security vulnerability fixes. If your WordPress installation is not being constantly updated, every update missed increases your risk of getting hacked.
You would be surprised that many of the symptoms are not apparent. A lot of the time, you may not even know your site has malware until something breaks. Maybe a page doesn't load properly or has a blank page. You may even start seeing weird PHP errors. If you're running the WooCommerce plugin, you may get complaints from your customers about credit card fraud.
The more visible symptom is Elements showing on your website that you did not create, or tons of pop ups.
The symptoms all depend on the type of malware and the intentions of the creator which can range from advertising by blasting every page with 100 pop-ups or credit card fraud.
Before one can fix a malware hack, one has to understand how it works. The fix will not work for everybody but it is definitely worth a try given the circumstances.
The reason why this may not work for everybody is that some malware has a way of duplicating itself and returning. Essential, the malware developer will create one file. This file we can call the "Master File". This master file is responsible for checking if the malware code snippet is still present in your file system. If you've ever wondered why malware keeps returning, this is why.
The malware developer will cleverly attach this file to either a PHP script that runs on a cron job or a PHP script that is used on typical tasks. For instance, every time a user creates a new post, the PHP script to create a new post would trigger the execution of that "Master File". Finding this master file is extremely tricky, the majority of the time we have to download the full file system to a local WordPress development environment and trace back from the modified WordPress core scripts that have the malware included.
This method is very time consuming and daunting so if this is the route you need to go, warm up a pot of coffee and get your favorite chair back massager because you will be there for a while.
There's a little twist to complex malware. A lot of the times, malware is designed to be untraceable. The best way to trace it back to the master file is to search through the file system and seek out the function that is in the malware code. Example: in the image below of a malware code snippet we can see that the "@include" function is used. We also see that whatever is creating this snippet, is commenting the code with "/*075c5*/". These 2 pieces of text are what I would use to search within the file system for the suspect, the "Master File".
Once the master file has been found, you can proceed to remove the code snippets out of the file system without having to worry about them returning.
We consider simple malware as one that does not have a master file as mentioned above. To fix simple malware it's as easy as removing the snippet similar to the above image.
To make things that much easier to manage and to add a bit of malware & security prevention. We recommend the plugin Wordfence. Wordfence will not only scan your system for modified WordPress core files but it allows you to scans for malware, and other security issues. You will also have the option to restore the core files and also delete malicious files.
For a full featured list of the Wordfence capabilities you can read more on Wordfence.com
With the increase of WordPress popularity, you can expect an increase in malicious developers creating malware. Keep the plugins in your website to a minimum, use security plugins like Wordfence, and stay on top of your hosting provider about keeping your hosting environment up to date.
Contact form 7 is a widely used contact form plugin. And why not? It free! More recently we've noticed an issue where Contact form 7 would report "THERE WAS AN ERROR TRYING TO SEND YOUR MESSAGE. PLEASE TRY AGAIN LATER" when a user entered the contact form information and click send. Even though the information is submitted, this error will cause users to try multiple times to submit through the form.
You would be surprised at how easy the fix is. The version of Contact Form 7 we're using is Version 5.1.1. What we've realized is that there was an issue with Google's Recaptcha. Although we already had the Recaptcha API information added, we decided to re-create the Google Recaptcha keys using version 3 of Google's Recaptcha. Once we re-added the keys,
This fix may not work for everybody but as simple as it is, it's worth a try.
We're proud to announce the recent partnership with X-Cart. X-Cart is a pioneer in the E-commerce industry. Their platform exceeds the expectations of stability, speed, efficiency, & ease of use.
We will be able to offer the ability to start a marketplace similar to Amazon on a very stable platform that has the capabilities to perform well under heavy conditions. We expect to fill the X-Cart marketplace with additional themes and high-quality extensions. Furthermore, we will be able to assist in the setup of the platform from start to finish.
For business owners, there's nothing more time consuming and aggravating than an e-commerce website that just won't stay running. X-Cart's long years of efficiency improvements have made them one of the most stable e-commerce platforms in the industry. The platform was founded in 2001, from that time the X-Cart team has worked on increasing the quality of an already high-quality platform.
The underlying framework of X-Cart is also a powerhouse. X-Cart was built on the Symphony framework which is also a pioneer in its own industry.
X-Cart has a conversion beast called X-payments. The X-payments system allows for your customers to save credit cards. For repeat customers, It takes away a few steps from the checkout process resulting in higher conversion rates. X-payments supports major credit card processing platforms to boot.
How often have you tried to find a mobile application for your e-commerce store? X-Cart solves this problem by also offering a mobile application to match your website which is competitively priced.
Compared to Magento, the underlying framework is extremely stable. Let's think about this for a second. The Symphony framework went through years of improvements to get to the stable state that they are and so has X-Cart. Magento has re-created their framework so technically, in my opinion, it would take a few years for the new Magento framework to be as stable and efficient as the Symphony framework & X-Cart. With a number of malicious attacks on e-commerce websites, stability is the most important.
Did You know?
If you're interested in learning more about building a marketplace click here
If you're interested in switching your current e-commerce platform to X-Cart, click here.
If you're like me, you prefer to keep things updated as often as possible. Besides, keeping things updated is a part of preventing security breaches and taking advantage of bug fixes. Unfortunately, this can cause a headache with Magento 2.
Magento 2 fails to load and reports 1 exception(s):Exception #0 (Exception): Deprecated Functionality: Function mcrypt_module_open() is deprecated.
This isn't really a fix but a work around. It appears the mcrypt extension has been deprecated in PHP 7.1. Unfortunately, it appears Magento 2 still utilizes functions derived from the extension. For the time being, you will need to revert to PHP 7.0.
If you would like to see any additional changes, check out the PHP 7.1 change log Here
The fix to this issue is because the form key validation is missing on check out. You can view the fix here How to fix Magento checkout after upgrading
This is part 1 of a series of steps that I take to speed up Magento. With these steps, I've managed to get a Magento website to load all elements in under 3 seconds. Visually, it appears to be less than 1 second. I've also chopped the loading speed of client websites in half. (Note: I don't use Varnish or any server side caching)With that said, every Magento installation is different therefore not all of these steps will work. Some may not work because of your hosting environment, your theme, the extensions you have installed, or whether modifications made were done within standard Magento practice. During this part of the tutorial series, we will be concentrating on administration settings.
During our optimization, we will be constantly checking our progress using GTmetrix. GTmetrix measures the speed of a website and allows you to see a graphical representation of your progress using a graph.
1 . Let's start with entering your website URL into GTmetrix. You'll want to see your progress so we need to get a Bench mark.
2. Log into your Magento administration panel and Navigate to System -> Configuration.
3. Next, you will want to navigate all the way to the bottom left and select the Developer menu.
5. If all is well with your functionality and layout test, Go ahead and retest your website in GTmetrix to visualize your improvement.
7. Rince & Repeat step 4. Run through all the tests that I mentioned.
Setting flat catalog product and flat catalog category can be very beneficial. I've seen noticeable speed differences with these 2 options set to "Yes". The downside to this setting is the extensions that your website has installed. Many extensions that rely on getting data through Magento's model do not accommodate for flat tables, therefore, will display blank information. Let's test it out, it worth a try.
1.While still in system configuration, navigate to Catalog.
2. Select the Frontend accordion menu item to open it. You will see the options "Use Flat Catalog Category" and "Use Flat Catalog Product". Set these options to "Yes" and Save Config.
3. I can't stress enough how much you should test your Magento website after this setting has been enabled. Test every crack and crevice of Magento. Run through Login, Registration, Checkout, adding to Newsletters, Adding to Compare, Check the page of each product type (Configurable, Simple, Bundled, etc.). If all is well, then you're Golden.
4. You may as well run another GTmetrix test to check your progress. By this time you should see even more of an improvement.
That's a wrap for Part 1... Part 2 will be coming soon.
Thank you for visiting my blog. First, I'd like to point out that this guide does not apply to cloud hosted websites such as Shopify or big commerce.
Expires headers tell the browser, which elements of a website to keep in the browser cache and for how long. Every time a website loads, it has to load all the elements that build or renders that web page from the server. With modern web development and design, these can be many elements and many of them can be large in size. With expires headers enabled, when a website is loaded in the browser, it pulls those elements from local browser storage instead of the server enabling that web page to load faster.
How it works is very straight forward. You specify the element, whether it's a jpg element or a CSS element. You then specify how long the browser should keep that element in the browser cache.
[alert type=''info"]Note: If you're designing a website with Expires headers enabled, use incognito or use a plugin to refresh your cache. You may see false positives in your design. [/alert]
Here's a sample script that you can use. When implementing this script, you will want to use a service like GTMetrix to test the results. What I will typically do is play with the cache lifetime for each "ExpiresByType" to see what works best.
## Add default Expires header
ExpiresDefault "access 1 month"
ExpiresByType image/x-icon "access 1 month"
ExpiresByType text/html "access plus 1 seconds"
ExpiresByType image/jpg "access 1 month"
ExpiresByType image/jpeg "access 1 month"
ExpiresByType image/gif "access 1 month"
ExpiresByType image/png "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType application/xhtml+xml "access 1 month"
I hope this helps someone. Thanks for reading.
After you've upgraded to Magento version 188.8.131.52 have you noticed that your check out just sits on billing information and doesn't proceed to the shipping options? Apparently, the Magento team discovered a security issue and added form key validation on check out.
Form keys help prevent Cross Site Request Forgery attacks on Magento forms. Cross Site Request Forgery is the attempt of submitting malicious form information from one website to another. (In lamen's terms) Form keys are a way for a website to validate that the form submission is being sent within itself. In the Magento world, in order to create any custom forms, they must have a form key. If not, the Magento action controller will not respond.
Well, there are 3 options to resolve this issue.
It's understandable that this will result in lost revenue. If you have to keep your online store running and cannot wait for a web developer to resolve the issue. Navigate to System -> Configuration. On the left column, scroll all the way down to Advanced -> Admin. In the collapse, select security and set "Enable Form Key Validation On Checkout" to No.
That should solve your issue. Please do leave a comment if you have any questions. Thanks
Utilizing expires headers is an important part of optimizing your website. At times it can be tricky. Apache2 configuration syntax is extremely particular. I've gathered a few items to check when you've experienced this issue.
When troubleshooting anything with Apache 2, your first step should be checking the apache error log. The Apache logs will let you know everything that is going on with your web server.
The location is
Within your default configuration file [code]/etc/apache2/sites-available[/code] or your .htaccess files. There may be references to an Apache module that does not exist.
You may be familiar with this code in .htaccess [code]<IfModule mod_rewrite.c>[/code]. This is a if statement that will ignore any trailing directives before the closing tag. This will prevent Apache from crashing if the module is not present. Many will add a .htaccess directive without the if statement resulting in a crash if the module isn't there.
Apache has a few files you should be checking.
apache2.conf which is located at [code]/etc/apache2[/code]
envvars configuration file which is located in the same place
Your configuration files located in [code]/etc/apache2/sites-available[/code]
[alert type=" info"] If you're not sure which one is available, you can run [code]apachectl -S[/code] on the command line[/alert]
That's about all I can think of when I troubleshoot Apache issues. Keep in mind, when troubleshooting Apache 2, your error logs are your best friend. If I'm missing something please let me know.
Recently I was optimizing a client website on a development server. Typically when optimizing I'll start with going through .htaccess and ensuring that it’s set up for the best web performance. I will typically spend the most time with Expires headers. Every website will respond to expires headers differently which is the reason why it takes up most of my time during .htaccess optimization. Either way, I updated expires header on the website and boom, 500 Internal server error.
Apache reports an internal server for many reasons. Syntax within in .htaccess is included in this list. After verifying that your expires syntax is correct there's one hidden syntax issue you may not have corrected. Many times when copying and pasting a piece code into .htaccess, you also copy hidden characters or blank spaces. Apache absolutely hates this. The blank spaces will typically be at the end of every line in the code you've added.
The fix is simple.
Within the htaccess file, place your cursor at the beginning of the last line in the code added.
Press delete. What should happen is your line is now at the end of the line above. If it's not, continue until it is.
Press Enter to place the line back into its original position.
I hope this helps!