WordPress powers millions of websites, and many site owners are moving to it because it is easy to manage and cheap to run. Running a site on WordPress has a downside, though: it becomes prone to malware if you do not keep up with the latest WordPress version and plugin updates. Here we discuss the common causes of malware infections and the ways to protect your WordPress website from them.
Causes of malware infection
WordPress version is not updated
WordPress is updated constantly, and you should apply each update as soon as it is released. A WordPress version that is not updated regularly is more susceptible to malware. Most updates contain security fixes, and skipping them opens the way for attackers to get into your website. Always keep a backup of your WordPress site before making any changes to it.
Important note: always update the minor versions (e.g. 6.2.2). They often contain fixes for security bugs. Major versions (6.3, 6.4) bring more features and may introduce compatibility problems that you need to test before updating.
Plugins are not updated regularly
Plugin authors release updates regularly for bug fixes and improved performance. You should install these updates so that your WordPress website does not get exposed to malware infections and attackers. This is just as important as updating the WordPress version itself.
A good tip is to enable automatic updates on your WordPress website. If you use premium plugins, make sure your license is active so that you can still update them. At eLightUp, all of our products, such as Meta Box and Slim SEO, support automatic updates.
The server is not well-configured
Each WordPress release has certain server requirements in order to function. If the server is not well configured and does not meet them, you cannot run the latest WordPress version, and an outdated version leaves you exposed to malware.
There are several things you should take care of on your server:
- Proper chmod/chown
- Using SSH keys
- Installing a firewall
The dangerous thing about an infected server is that a file inclusion vulnerability may allow attackers to upload files to your wp-content/uploads folder and run them (and once such a file runs, they can do almost anything). This vulnerability might come from another website hosted on the same server, so even when you chmod/chown your folders carefully, you can still be hacked.
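As an added example (not code from the original article), the following shell script applies the chmod/chown baseline from the list above and denies execution of PHP files dropped into wp-content/uploads. The function names are my own, the WordPress root is passed as an argument, and the web-server directive assumes Apache 2.4 with .htaccess overrides enabled (nginx needs an equivalent location block).

```shell
#!/bin/sh
# Added example, not code from the original article: reset WordPress file
# permissions and stop PHP planted in the uploads folder from executing.
# Assumes a Linux host and Apache 2.4 honouring .htaccess (AllowOverride).
set -eu

# harden_wp_permissions <wordpress_root> [owner:group]
# Directories 755, files 644, wp-config.php 640 (it holds DB credentials).
# The optional owner:group is applied only when running as root.
harden_wp_permissions() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
  if [ -n "${2:-}" ] && [ "$(id -u)" -eq 0 ]; then
    chown -R "$2" "$root"
  fi
}

# block_php_in_uploads <wordpress_root>
# Writes an .htaccess into wp-content/uploads so that a PHP file dropped
# there (the scenario described above) is refused instead of executed.
block_php_in_uploads() {
  uploads="$1/wp-content/uploads"
  mkdir -p "$uploads"
  cat > "$uploads/.htaccess" <<'EOF'
# Deny requests for PHP-like files anywhere under uploads (Apache 2.4)
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
  chmod 644 "$uploads/.htaccess"
}

# Demo on a constructed throw-away tree; no real site is touched.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads/2024"
printf '<?php // constructed sample config\n' > "$demo/wp-config.php"
printf 'jpeg bytes\n' > "$demo/wp-content/uploads/2024/photo.jpg"
chmod 777 "$demo/wp-config.php"
harden_wp_permissions "$demo"
block_php_in_uploads "$demo"
ls -la "$demo/wp-config.php" "$demo/wp-content/uploads"
rm -rf "$demo"
```

Run it against your real document root as the site owner (or as root with an owner:group argument); the .htaccess only blocks the web server from executing uploaded PHP, it does not remove files that are already there.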
Easy login credentials
The username and password for your WordPress account should be hard to guess so that no one can easily break into your account. For a strong password, use a mix of
- upper case/lower case letters
- special characters
WordPress since version 4.3 already has a password strength meter which forces users to enter strong passwords. So don't manually enter a weak password!
To prevent being hacked by weak passwords, you can use one of these plugins:
You can also use two-factor authentication to secure your login.
How to remove malware on a hacked WordPress website
Step 1: Change your cPanel / FTP Password
After making the system virus-free, change your cPanel/FTP password to something that is not easy to guess, using a mix of letters, numbers and special characters.
If you have a VPS, use SSH keys instead of passwords. They are far stronger than passwords and are not exposed to password guessing.
Step 2: Scan your system
A virus on your own computer could leak your File Transfer Protocol (FTP) password and lead to your WordPress account being hacked. So the first thing you need to do to protect your website from malware is to scan your system with a good antivirus.
To do a complete scan of your system, I recommend using Wordfence Security. It also scans other plugins/themes (only ones hosted on WordPress.org) to find changed files and revert them.
Find out more security plugins.
Step 3: Remove all suspicious files and folders
After scanning your server, you need to find all suspicious files and folders. They're often:
- The PHP files in the
- The PHP files with weird file names
- The files with recent modification dates
Then delete all of them.
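As an added example (not from the original article), this shell function lists files matching the three indicators above for manual review; the function name, the name heuristics and the day window are my assumptions, and the output is only printed, never deleted.

```shell
#!/bin/sh
# Added example, not code from the original article: list candidates for the
# three indicators of Step 3 so they can be reviewed before anything is
# deleted. The name heuristics are assumptions and will produce some false
# positives (bundled libraries often use dotted names); review every hit.
set -eu

# find_suspicious_files <wordpress_root> <days>
# Prints one "indicator: path" line per candidate.
find_suspicious_files() {
  root=$1
  days=$2
  # 1. PHP under wp-content/uploads: WordPress never stores PHP there, so
  #    any hit is almost certainly planted.
  find "$root/wp-content/uploads" -type f \
    \( -name '*.php*' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null \
    | sed 's/^/php-in-uploads: /'
  # 2. PHP files with odd names: hidden (.x.php), double extension
  #    (image.jpg.php) or a long random-looking alphanumeric name.
  find "$root" -type f -name '*.php' 2>/dev/null \
    | grep -E '(/\.[^/]*\.php$|\.[A-Za-z0-9]{2,4}\.php$|/[A-Za-z0-9]{16,}\.php$)' \
    | sed 's/^/odd-name: /'
  # 3. Anything modified within the last <days> days; compare the list
  #    against the date of your last legitimate update or deploy.
  find "$root" -type f -mtime "-$days" 2>/dev/null \
    | sed 's/^/recent-change: /'
}

# Demo on a constructed throw-away tree with one planted file.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads/2024" "$demo/wp-includes"
printf '<?php // constructed planted sample\n' > "$demo/wp-content/uploads/2024/image.php"
printf 'legitimate core file\n' > "$demo/wp-includes/functions.php"
touch -t 202001010000 "$demo/wp-includes/functions.php"   # old, not recent
find_suspicious_files "$demo" 7
rm -rf "$demo"
```

Hits from the third indicator are only meaningful relative to your last known-good update, so run it soon after you notice the compromise and keep the list for comparison with a clean backup.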
Step 4: Re-install themes and plugins
- Firstly, take note of all the plugins you are using, then delete them. Once that is done, re-install the plugins.
- Secondly, go into the themes folder and delete the themes you are not using. Check the remaining themes thoroughly for malware, or delete the whole themes folder if you have a backup of your themes.
Step 5: Update WordPress, change password
- Update WordPress to the latest available version.
- Change the username and password of your account to ones that are hard to guess, so that the account cannot be hacked easily. If your username is admin, create another admin account and delete the
These are the ways to fight malware infections and remove them from your WordPress website. There are also security plugins for WordPress that protect your site from such malware. If you are not a web developer, you might have trouble performing these steps on your own and might not get the desired result. This work needs someone with good knowledge of the subject, so if you need assistance with these problems, you can hire a WordPress professional to make the task easier for you.