WordPress may be a popular web hosting platform for SMBs, but it can also open them up to SEO malware. Yesterday, December 5, managed server hosting provider WiredTree issued a warning to its WordPress clients to be wary of SEO malware, which has been reported on the rise by Sucuri. These attacks are not only becoming more common but also more sophisticated.

SEO malware is malicious software that attempts to leverage the resources of a server or hosting account to benefit the search ranking of a third party. SEO malware may inject links into a site’s genuine content, add new pages, or create entire WordPress sites at subdomains of the server’s domain. This can damage an SMB’s site reputation or the reputation of other sites hosted on the same IP or domain. Additionally, if browser developers like Google discover SEO malware infections on a site, the browser may use pop-up security warnings to hold off visitors.

With 25% of all websites globally being built on WordPress, it represents an attractive opportunity for hackers. Search engines and site owners have already gotten savvy to the traditional “black hat” SEO tactics like comment and link spam, so SEO malware is the next step for hackers. It embeds itself into content management systems like WordPress, wreaking havoc.  , “In response, bad actors are more likely to use SEO malware to bypass protections built into content management systems, with devastating consequences for businesses that depend on search referrals.”

And it’s not always obvious when a site is infected with SEO malware. Attackers hide the malicious content from ordinary visitors and site administrators. It’s buried deep and may require using malware scanning software. Another way to identify SEO malware is to review the site’s analytics for unexpected queries or strange referrals that aren’t relevant to the site’s content. That indicator means there’s hidden content on the site likely damaging the site’s reputation and search engine rankings.

The best protection for WordPress sites is to ensure the version of WordPress and all plug-ins are up to date. It’s also worthwhile to install a plug-in like WordFence, which helps detect malware. Also, make sure administrators are using complex passwords, preferably with upper and lowercase characters, special characters, and numbers. This will make brute-force attacks much more difficult so that SEO malware can’t be installed.