
How to protect your WordPress websites from malware infections

WordPress, the backbone of millions of websites, has changed the lives of many. Many people are migrating their websites to WordPress because it is simple to manage and cheap to operate. But running your website on WordPress has some disadvantages too. The website becomes prone to viruses or malware if you do not keep track of the latest WordPress version and plugin updates. Here, we discuss the causes of malware infections and the ways to protect your WordPress website from malware that can harm it.

Causes of malware infection

1. WordPress version is not updated

WordPress is improved continually, and you should apply updates as soon as they are released. If you do not update your WordPress version on a regular basis, it is more susceptible to viruses. Most of the updates are for enhanced security, and not updating might get you into trouble because it opens the way for hackers to get into your website. Always keep a backup of your WordPress account when making any changes to it.

Important note: always update the minor versions (e.g. 4.6.1). They often have fixes for security bugs (see version 4.6.1 for example). The major versions (4.5, 4.6) might bring more features and compatibility problems, so you might need to test them before updating. Remember to always check the WordPress changelog before doing that.

2. Plugins are not updated regularly

Plugins are updated on a regular basis by their makers for bug fixes and improved performance. You should keep installing these updates so that your WordPress website does not become open to malware infections and hackers. This is as important as updating the WordPress version.

In 2014, the very popular Revolution Slider plugin on CodeCanyon had a security bug that allowed hackers to exploit your website and download your files. The bug affected more than 100,000 websites worldwide!

Recently, another popular cache plugin, W3 Total Cache, released a security patch for an XSS bug that allowed hackers to access your website as an admin.

So keep your eyes on plugin updates, even for the most trusted plugins. They can have a security bug at any time.

A good way to manage or enable automatic updates on a WordPress website is to use a management tool. Some of them are free:

3. The server is not well-configured

Because WordPress is updated regularly, each version has certain server requirements. If the server is not well configured and does not meet those requirements, you will not be able to run the latest WordPress version, and you might face malware issues as a result.

There are several things you should take care of on your server:

You might want to check a step-by-step guide on securing your server or measure your server security level.

The dangerous thing about an infected server is that you might have a file inclusion vulnerability that allows hackers to upload files to your folder and run them (yeah, they can do almost everything when the file runs). This vulnerability might come from another website hosted on the same server. Even when you chmod/chown your folders very well, you can still be hacked!

4. Easy login credentials

The username and password for your WordPress account should be hard to guess so that no one can easily break into your account. For a strong password, you should use a mix of:

  • upper case/lower case letters
  • numbers
  • special characters

WordPress since version 4.3 already has a password strength meter which forces users to enter strong passwords. So don’t manually enter a weak password!

To prevent being hacked by weak passwords, you can use one of these plugins:

Bonus tip: Using two-factor authentication is another way to secure your login.

5. Using a virus-infected system for work

If your server has a virus, it might be the cause of your WordPress account and website not working properly. The information on how to protect your system from the virus is given below.

Guide to removing viruses/malware from a hacked WordPress website

Step 1: Change your cPanel / FTP Password

After making the system virus-free, you can change your cPanel/FTP password to something that is not easy to guess, using numbers and special characters along with letters.

If you have a VPS, you should use SSH keys instead of passwords. It’s stronger and can’t be hacked.

Step 2: Scan your system

There can be a virus in your system that leaks your File Transfer Protocol (FTP) password and results in the hacking of your WordPress account. So, the first thing needed to protect your website from malware is to scan your system with a good antivirus to make it secure.

To do a complete scan of your system, I recommend using one of the following plugins:

Both of them allow you to scan all WordPress files, detect the changes and revert the changes if possible. The Wordfence security also scans other plugins/themes (only ones hosted on to find changed files and revert them.

These are the must-have tools to fix a hacked WordPress website!

Find out more security plugins here.

Step 3: Remove all suspicious files and folders

After scanning your server, you need to find all suspicious files and folders. They’re often:

  • The PHP files in the upload folder
  • The PHP files with weird file names
  • The files with a recent change date

Then delete all of them. This may remove the malware from your WordPress account, along with other content.
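The first and third checks in the list above can be scripted with `find`. This is an added example, not part of the original article: it only lists candidates for manual review (the "weird file name" check still needs a human eye), and the function names, the 7-day default and the sample file names are assumptions.

```shell
#!/bin/sh
# Added example: list the files Step 3 says to review. Nothing is deleted.

# PHP-executable files under wp-content/uploads, which should hold media only.
# .phtml and .php5-style names are included as an assumption: some servers
# are configured to run them as PHP too.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' \) | sort
}

# Files anywhere under the site root modified within the last $2 days.
recently_changed() {
    find "$1" -type f -mtime "-$2" | sort
}

# Constructed sample tree so the script runs offline; all names are made up.
make_sample_site() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/wp-content/uploads/2016/09" "$root/wp-includes"
    : > "$root/wp-content/uploads/2016/09/photo.jpg"
    : > "$root/wp-content/uploads/2016/09/x7a.php"   # planted: should be listed
    : > "$root/wp-includes/version.php"
    # Back-date the legitimate files so only the planted file looks recent.
    touch -t 201601010000 "$root/wp-includes/version.php" \
        "$root/wp-content/uploads/2016/09/photo.jpg"
    echo "$root"
}

# Usage: sh review.sh /path/to/site [days]
# With no path, the constructed sample tree is scanned instead.
site=${1:-$(make_sample_site)}
days=${2:-7}
echo "== PHP files in uploads =="
php_in_uploads "$site"
echo "== Files changed in the last $days days =="
recently_changed "$site" "$days"
```

Compare the output against a backup or a fresh copy of the plugin or theme before deleting anything, since a legitimate update also changes modification dates.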

Step 4: Make changes to wp-content folder

The wp-content folder will show four files and folders in it.

  • Firstly, you have to take a note of all the plugins you are using and then delete them. Once the process is completed, you can re-install the plugins.
  • Secondly, enter the themes folder and delete the themes you are not using. Check the remaining themes thoroughly for the virus. Or, delete the themes folder if you have the backup of your themes.

Step 5: Update WordPress, change password, and re-install plugins

  • Update WordPress to the latest version available.
  • Change the username and password of your account to a difficult one, so that the account cannot be hacked easily. If your username is admin, then create another admin account and delete the admin.
  • Re-install the plugins that are useful.

Step 6: Remove Google warnings

After re-uploading the website and making changes to your WordPress account, submit your website to Google Webmaster Tools and get the warning removed. The warning says “This site may harm your computer” and needs to be removed once the website is clear of malware infections or viruses.


These are the ways to fight malware infections and remove them from your WordPress website. Also, there are certain antivirus WordPress plugins that protect your account from these unwanted viruses. If you are not a web developer, you might face problems performing these methods on your own, and you might not get the desired result. Doing this work needs a person who has a good knowledge of the subject, and if you need any assistance regarding these problems, you can hire a WordPress developer at syoninfomedia –  to make the task easy for you.
