As the WordPress system evolves, so do the threats against it, such as attacks and viruses, which can create serious problems for website and online store owners. This article explains what these viruses are and how to defend against them.
Table of contents:
- What is malware
- Viruses on sites with wordpress engine
- How to check if there are viruses on my site?
- How to protect a site on WordPress from viruses?
- FAQ - frequently asked questions
Malware - what it is
Malware (malicious software) attacking WordPress-based sites looks for and exploits potential vulnerabilities mainly in plugins and templates. It then injects problematic or nuisance code that, depending on the type of virus, can perform a variety of tasks.
However, before proceeding to secure WordPress, it is crucial to understand the characteristics of potential threats.
Viruses on WordPress-based sites
Although WordPress itself is a very secure platform, virus attacks are a fairly common occurrence. The WordPress engine is constantly monitored and developed by developers from all corners of the world, which allows vulnerabilities in the system to be found and fixed quickly.
So why do viruses often target WordPress specifically, despite its robust security? It's because of its immense popularity - about 40% of the world's websites use this content management system. It is this very popularity that makes it a more frequent target of various types of attacks. The open-source WordPress core is secure, but potential vulnerabilities can appear in plugins and templates, which are created by both professional companies and ordinary users.
How do I check if there are viruses on my site?
Ways to check if my site is infected:
- Active use of the site: Go to your site and browse it by clicking through different sections, such as products, categories, offers or shopping cart. The absence of suspicious events, such as pop-ups or redirects to other pages, may suggest that the site is fine.
- Review files using FTP: Use an FTP (File Transfer Protocol) client to browse the site's folders for files with random or strange names. Examples of file names may look like the following screenshot.

- Verify key files, such as index.php, wp-config.php and wp-settings.php, for potential malicious code. Be sure to enable the option to display spaces and tabs in the file editor for more effective analysis.

At first glance, the file looks like a regular WordPress file. However, when you turn on the option to show spaces and tabs in the editor, you'll notice gray dots on the first line, indicating a long run of inserted spaces.
Moving the slider to the right or activating the line wrapping option will show the code:

This is only a fragment of the malicious code, which may also exist in other files of this system.
Other examples include:




- Verify the organic results in Google for your site using the following query: site:my-domain.co.uk

In the screenshot above, you can see suspicious results for a site that manufactures corrective eyewear. Google found 5140 results, an unlikely number of pages for a site that produces several types of eyeglasses.
- Install a malware finder program such as WebDefender Security - Protection & AntiSpam. With the help of this plug-in you will check if there are viruses hiding in your site. Unfortunately, each problem you find has to be individually checked and verified if it is malware, as it often happens that the plug-ins you use may contain code that will be detected as malicious.
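The manual check for code hidden behind a long run of spaces, described above for index.php, wp-config.php and wp-settings.php, can be automated across the whole installation. The following PHP command-line script is an added example, not code from the original article; the 100-character threshold, the extension list and the script name scan-padding.php are assumptions.

```php
<?php
// Added example, not the article's code. Flags lines where a long run of
// spaces/tabs pushes further content far to the right of the editor window.
const MIN_PADDING = 100; // assumed threshold; tune for your code base

function find_padded_code( string $path ): array {
    $hits  = [];
    $lines = @file( $path, FILE_IGNORE_NEW_LINES );
    $re    = '/[ \t]{' . MIN_PADDING . ',}(\S.*)$/';
    foreach ( $lines ?: [] as $i => $line ) {
        if ( preg_match( $re, $line, $m, PREG_OFFSET_CAPTURE ) ) {
            // Keep only a short excerpt of the hidden content for triage.
            $hits[] = [ 'line' => $i + 1, 'column' => $m[1][1] + 1, 'preview' => substr( $m[1][0], 0, 60 ) ];
        }
    }
    return $hits;
}

function scan_tree( string $root ): array {
    $report = [];
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $walker as $file ) {
        // Only PHP-like files are checked (assumed extension list).
        if ( ! $file->isFile() || ! preg_match( '/\.(php\d?|phtml|inc)$/i', $file->getFilename() ) ) {
            continue;
        }
        $hits = find_padded_code( $file->getPathname() );
        if ( $hits ) {
            $report[ $file->getPathname() ] = $hits;
        }
    }
    return $report;
}

// Usage: php scan-padding.php /path/to/wordpress
// Without an argument, a constructed sample file is created, scanned and removed.
$demo = ! isset( $argv[1] );
$root = $demo ? sys_get_temp_dir() . '/padding-demo-' . getmypid() : $argv[1];
if ( $demo ) {
    mkdir( $root );
    file_put_contents( "$root/index.php", "<?php" . str_repeat( ' ', 300 ) . "echo 'constructed sample';\n" );
}
foreach ( scan_tree( $root ) as $path => $hits ) {
    foreach ( $hits as $hit ) {
        printf( "%s:%d col %d: %s\n", $path, $hit['line'], $hit['column'], $hit['preview'] );
    }
}
if ( $demo ) { unlink( "$root/index.php" ); rmdir( $root ); }
```

A hit is a reason to open the file and read the reported line, not proof of infection; legitimate files can occasionally contain long padding.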
How to protect a site on WordPress from viruses?
Here is a set of preventive measures that make it more difficult for a virus to infect your site and minimize that risk. However, it is worth remembering that depending on the type of virus or attacking robots, these precautions may not be sufficient.
Choice of hosting
The hosting decision is a key element of any website. Many people are inclined to choose a server based on price or the recommendation of other users. However, this decision is not as easy as it seems. First of all, it is worth making sure that the hosting:
- has the latest version of PHP, currently 8.0,
- regularly backs up the database and files, making them available at no extra charge,
- offers effective protection against DDoS attacks.
In addition to the security aspects, it is also important to check the technical parameters, such as the processor, RAM, capacity and any limits the server may impose.
SSL Certificate
An SSL certificate enables encryption of any data transmitted between the user's browser and the website. Any reputable hosting provider offers both paid and free versions of SSL certificates, such as Let's Encrypt.
WordPress updates
The regular release of new versions of WordPress not only introduces new features and capabilities, but also includes key fixes related to system security. It is also important to regularly update any add-ons, especially plugins and templates, which are more susceptible to potential virus attacks. Therefore, it is always recommended to keep them in the latest versions, which helps minimize the risk of threats.
Remove unnecessary plug-ins and templates
It is worth considering uninstalling plug-ins that we do not use or that we only need occasionally. The same goes for templates - if we have more than one installed, it's advisable to get rid of the ones we don't currently use. Focusing on the minimum number of active elements helps reduce potential risks while making it harder for hackers and bots to operate.
Hiding WordPress version information and plugins
To increase security, consider hiding WordPress version information and plugins. By default, WordPress adds a tag with version information in the HEAD section:
<meta name="generator" content="WordPress 5.6.4" />
In addition, for plugins, WordPress can add ?ver=X.X to the URL of CSS and JS files.
Enhance security by hiding version information
Disclosing information about the used versions of individual components on a site can make things easier for potential attackers. We can block the display of this information by adding the following code to the functions.php file in our WordPress template.
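One way to do this, as an added example rather than the article's original snippet: the code below removes the generator tag and replaces the ?ver=X.X value on CSS and JS URLs with a short keyed hash, so browser caches are still refreshed after an update. The function name example_mask_asset_version is hypothetical; the hooks and helper functions are WordPress core APIs.

```php
<?php
// Added example for the active theme's functions.php (not the article's own code).

// 1. Drop the <meta name="generator"> tag from the HEAD section.
remove_action( 'wp_head', 'wp_generator' );

// 2. Return an empty generator string wherever else it is printed (for example feeds).
add_filter( 'the_generator', '__return_empty_string' );

/**
 * 3. Mask the ?ver=X.X value on enqueued CSS and JS URLs.
 * The value is replaced by a hash keyed with the site's secret salts, so it
 * still changes when a component is updated but no longer reveals the version.
 */
function example_mask_asset_version( $src ) {
    if ( ! is_string( $src ) || $src === '' ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src; // no query string, nothing to mask
    }
    parse_str( $query, $args );
    if ( empty( $args['ver'] ) || ! is_string( $args['ver'] ) ) {
        return $src; // no version parameter present
    }
    $masked = substr( wp_hash( $args['ver'] ), 0, 10 );
    return add_query_arg( 'ver', $masked, $src );
}
add_filter( 'style_loader_src', 'example_mask_asset_version', 9999 );
add_filter( 'script_loader_src', 'example_mask_asset_version', 9999 );
```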
Protecting access to files
Through appropriate rules in the .htaccess file, we can secure access to specific files or directories, providing an additional layer of protection against potential threats.
The WordPress root directory contains key files such as xmlrpc.php and wp-config.php; the latter stores vital MySQL database data. To secure these files, it's a good idea to add the following rules to the .htaccess file in the same directory:

In addition, in the /wp-content/uploads/ directory we can add the following rule to the .htaccess file (creating the file if it doesn't already exist); it blocks the execution of certain types of files, thus increasing security.
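The rules described in the two paragraphs above could look like this. This is an added example, not the article's original rules; it assumes Apache 2.4 with .htaccess overrides enabled, and that nothing on the site relies on XML-RPC.

```apache
# Added example (not the article's original rules); Apache 2.4 syntax.

# --- File: .htaccess in the WordPress root directory ---

# wp-config.php is only ever included by PHP itself, so no browser
# request for it needs to be served.
<Files "wp-config.php">
    Require all denied
</Files>

# Refuse all requests to xmlrpc.php.
# Assumption: no plugin or client used with this site depends on XML-RPC.
<Files "xmlrpc.php">
    Require all denied
</Files>

# --- File: wp-content/uploads/.htaccess ---

# The uploads directory should hold media only, so requests for script
# files placed there are refused (assumed extension list).
<FilesMatch "\.(?i:php\d?|phtml|phar|pl|py|cgi)$">
    Require all denied
</FilesMatch>
```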

Deactivation of unnecessary functions
WordPress provides a number of features that we don't always use. Therefore, consider deactivating some of them.
If our site does not use a comment system, it is recommended to disable the options found in Settings → Discussion, specifically the first two checkboxes.

Pingbacks serve the role of notifying the site administrator that a link to one of our posts has been posted on another site.
If you do not use the built-in comments feature of WordPress, it is recommended that you install the Disable Comments plugin to optimize your site's performance.
Security plug-ins
As threats and attacks on sites using the WordPress system continue to grow, a number of add-ons have emerged to provide additional protection.
Examples of such plugins include Wordfence Security, All In One WP Security & Firewall and iThemes Security. With these, you can effectively secure your site, detect malware and block brute-force attack attempts. However, it is worth remembering that using these plugins may affect the speed of your site.
Backups
Regular backup is a key element of security, even if our hosting provider offers this service. There are situations when restoring a backup is troublesome or has not been done at all for various reasons. That's why it's always a good idea to take care of this issue yourself. There are many WordPress plugins that allow you to automatically create copies and store them on an external server. One of the recommended solutions is UpdraftPlus, which allows you to flexibly manage the process of creating and storing backups.

FAQ - frequently asked questions
How to remove a virus from WordPress?
- Checking whether the site is actually infected.
- Security starts with changing all passwords - to FTP, MySQL and the admin panel.
- Reinstalling WordPress files is a key step in removing threats.
- Manually removing all plugins via FTP, then reinstalling them.
- Manually removing files from the main theme, then uploading them back to the server.
Is WordPress secure?
WordPress is a platform characterized by a high level of security. Dynamic work of developers from different corners of the world allows for quick detection and repair of possible vulnerabilities in the system.
How to password-protect a WordPress site?
To password protect your site in WordPress, follow these steps:
- Log in to your WordPress dashboard (wp-admin).
- Go to the “Plugins” section.
- Install and activate the Password Protected plugin.
- Then you can customize the plugin's settings by going to “Settings” > “Password Protected.”
