How to protect WordPress from viruses

As the WordPress system evolves, there are also potential threats, such as attacks and viruses, which can create serious problems for website and online store owners. This article focuses on the definition of viruses and methods to defend against them, providing detailed information on the subject.

Malware - what it is


Malware (malicious software) attacking WordPress-based sites looks for and exploits potential vulnerabilities mainly in plugins and templates. It then injects problematic or nuisance code that, depending on the type of virus, can perform a variety of tasks.

However, before proceeding to secure WordPress, it is crucial to understand the characteristics of potential threats.

Viruses on WordPress-based sites

Although WordPress itself is a very secure platform, virus attacks are a fairly common occurrence. The WordPress core is constantly monitored and developed by developers from all over the world, which allows vulnerabilities in the system to be identified and fixed quickly.

So why do viruses often target WordPress specifically, despite its robust security? It's because of its immense popularity - about 40% of the world's websites use this content management system. It is this very popularity that makes it more vulnerable to various types of attacks. The open source of WordPress is secure, but potential vulnerabilities can appear in plugins and templates that are created by both professional companies and ordinary users.


How do I check if there are viruses on my site?


Ways to check if my site is infected:

  1. Active use of the site: go to your site and browse it, clicking through different sections such as products, categories, offers or the shopping cart. The absence of suspicious events, such as pop-ups or redirects to other pages, may suggest that the site is fine.
  2. Review files using FTP: use an FTP (File Transfer Protocol) client to browse the site's folders for files with random or strange names. Examples of such file names are shown in the following screenshot.

Suspicious site's index.php files

  3. Verify key files, such as index.php, wp-config.php and wp-settings.php, for potential malicious code. Be sure to enable the option to display spaces and tabs in the file editor for more effective analysis.

Code in the editor

At first glance, the file looks like a regular WordPress file. However, when you turn on the option to show spaces and tabs in the editor, you will notice gray dots on the first line, indicating a long run of spaces that pushes the injected code beyond the visible width of the editor.

Moving the slider to the right or activating the line wrapping option reveals the code:

Malicious code element

This is only a fragment of the malicious code, which may also exist in other files of the installation.

Other examples include:

Elements of malicious code

  4. Verify the organic results in Google for your site using the following query: site:my-domain.co.uk

site:domain search results

In the above screenshot, you can see the thought-provoking results for a site that manufactures corrective eyewear. Google found 5140 results, which is far more pages than a site selling several types of eyeglasses would plausibly have.

  5. Install a malware finder plugin such as WebDefender Security - Protection & AntiSpam. With the help of this plugin you can check whether viruses are hiding in your site. Unfortunately, each finding has to be checked individually to verify that it really is malware, because it often happens that legitimate plugins you use contain code that is detected as malicious.
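A small PHP command-line script that automates the file check in step 3 (an added example, not code from the article). It flags lines where code sits after a long run of spaces or tabs, which is exactly what the gray dots in the editor reveal, and lines that execute a decoded payload; the 100-character gap threshold and the embedded sample file are assumptions constructed for the demonstration.

```php
<?php
// Added example (not from the article): flag the two indicators described above
// in PHP source text: code placed after a long run of spaces/tabs (hidden
// beyond the editor's visible width) and eval() of a decoded blob on one line.
// The 100-character gap threshold is an assumption; tune it for your files.

function find_hidden_code(string $source, int $gap = 100): array
{
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        $no = $i + 1;
        // Non-space, then at least $gap spaces/tabs, then more code on the same line.
        if (preg_match('/\S[ \t]{' . $gap . ',}\S/', $line)) {
            $findings[] = [$no, 'code after long whitespace run'];
        }
        // Decode-then-execute pattern common in injected code.
        if (preg_match('/\b(eval|assert)\s*\(.*\b(base64_decode|gzinflate|str_rot13)\s*\(/i', $line)) {
            $findings[] = [$no, 'execution of a decoded payload'];
        }
    }
    return $findings;
}

// Constructed sample: a normal WordPress index.php header with an injected
// first line whose payload sits after 120 spaces (the pattern shown above).
$sample = "<?php" . str_repeat(' ', 120) . "eval(base64_decode('Zm9v'));\n"
        . "/**\n * Front to the WordPress application.\n */\n"
        . "define('WP_USE_THEMES', true);\n"
        . "require __DIR__ . '/wp-blog-header.php';\n";

foreach (find_hidden_code($sample) as [$line, $reason]) {
    echo "sample: line $line: $reason\n";
}

// Real use: run from the WordPress root over the files the article names.
foreach (['index.php', 'wp-config.php', 'wp-settings.php'] as $file) {
    if (!is_file($file)) {
        continue;
    }
    foreach (find_hidden_code(file_get_contents($file)) as [$line, $reason]) {
        echo "$file: line $line: $reason\n";
    }
}
```

Every hit still needs a manual look, as step 5 notes for scanner plugins: minified or generated files can legitimately contain very long lines.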


How to protect a site on WordPress from viruses?

Here is a set of preventive measures that make it significantly harder for a virus to infect your site and minimize the risk. However, it is worth remembering that, depending on the type of virus or attacking bots, these precautions may not be sufficient.

Choice of hosting

The hosting decision is a key element of any website. Many people are inclined to choose a server based on price or the recommendation of other users. However, this decision is not as easy as it seems. First of all, it is worth making sure that the hosting:

  • has the latest version of PHP, currently 8.0,
  • regularly backs up the database and files, making them available at no extra charge,
  • offers effective protection against DDoS attacks.

In addition to the security aspects, it is also important to check the technical parameters, such as the processor, RAM, capacity and any limits the server may impose.

SSL Certificate

An SSL certificate enables encryption of all data transmitted between the user's browser and the website. Any reputable hosting provider offers both paid and free SSL certificates, such as those from Let's Encrypt.

WordPress updates

The regular release of new versions of WordPress not only introduces new features and capabilities, but also includes key fixes related to system security. It is also important to regularly update any add-ons, especially plugins and templates, which are more susceptible to potential virus attacks. Therefore, it is always recommended to keep them in the latest versions, which helps minimize the risk of threats.

Remove unnecessary plug-ins and templates

It is worth considering uninstalling plug-ins that we do not use or that we only need occasionally. The same goes for templates - if we have more than one installed, it's advisable to get rid of the ones we don't currently use. Focusing on the minimum number of active elements helps reduce potential risks while making it harder for hackers and bots to operate.


Hiding WordPress version information and plugins

To increase security, consider hiding WordPress version information and plugins. By default, WordPress adds a tag with version information in the HEAD section:

<meta name="generator" content="WordPress 5.6.4" />

In addition, for plugins, WordPress can add ?ver=X.X to the URL of CSS and JS files.

Enhance security by hiding version information

Disclosing information about the used versions of individual components on a site can make things easier for potential attackers. We can block the display of this information by adding the following code to the functions.php file in our WordPress template.
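The following functions.php snippet is an added example, not the article's own code; it removes the generator tag from the HEAD section and strips the ?ver= argument from enqueued CSS and JS URLs using standard WordPress hooks. The helper name my_strip_asset_version is an assumption.

```php
<?php
// Added example for functions.php (not the article's own snippet): stop
// WordPress from announcing its version and the versions of enqueued assets.

// Drop the <meta name="generator" ...> tag from the <head>.
remove_action('wp_head', 'wp_generator');

// Also blank the version string WordPress emits in feeds and other generator output.
add_filter('the_generator', '__return_empty_string');

// Strip the ?ver=X.X query argument from enqueued CSS and JS URLs.
// Hypothetical helper name; any unique, prefixed name works.
function my_strip_asset_version($src)
{
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
// Late priority so this runs after other plugins have built the URL.
add_filter('style_loader_src', 'my_strip_asset_version', 9999);
add_filter('script_loader_src', 'my_strip_asset_version', 9999);
```

Hiding the version only removes a hint for attackers and does not replace the updates described below; note also that ?ver= doubles as a cache-busting token, so purge caches after updating assets.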


Protecting access to files

Through appropriate rules in the .htaccess file, we can secure access to specific files or directories, providing an additional layer of protection against potential threats.

The WordPress root directory contains key files, such as xmlrpc.php and wp-config.php, storing vital MySQL database data. To secure these files, it's a good idea to add the following rules to the .htaccess file in the same directory:

access protection script

In addition, for the /wp-content/uploads/ directory (if it doesn't already exist, let's create an .htaccess file), we can add the following rule that blocks the execution of certain types of files, thus increasing security

.htaccess file
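Rules for both .htaccess files described above, given as an added example rather than the article's own screenshots; they assume Apache 2.4 syntax with .htaccess processing enabled (AllowOverride) and are not needed on nginx, which ignores .htaccess.

```apache
# Added example (not the article's own rules). Root .htaccess: deny web
# access to wp-config.php (database credentials) and xmlrpc.php.
# Apache 2.4 syntax is assumed; on 2.2 use "Order deny,allow" / "Deny from all".
<Files "wp-config.php">
    Require all denied
</Files>
<Files "xmlrpc.php">
    Require all denied
</Files>

# /wp-content/uploads/.htaccess: uploads are data and must never run as code,
# so refuse to serve any PHP-like file placed in this directory.
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
```

Blocking xmlrpc.php also disables legitimate users of it, such as the Jetpack plugin and the WordPress mobile apps, so confirm nothing on the site needs it first.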

Deactivation of unnecessary functions

WordPress provides a number of features that we don't always use. Therefore, consider deactivating some of them.

If our site does not use a comment system, it is recommended to disable the options found in Settings → Discussion, specifically the first two checkboxes.

Discussion settings

Pingbacks serve the role of notifying the site administrator that a link to one of our posts has been posted on another site.

If you do not use the built-in comments feature of WordPress, it is recommended that you install the Disable Comments plugin to optimize your site's performance.

Security plug-ins

As threats and attacks on sites using the WordPress system continue to grow, a number of add-ons have emerged to provide additional protection.

Examples of such plugins include Wordfence Security, All In One WP Security & Firewall and iThemes Security. With these, you can effectively secure your site, detect malware and block brute-force attack attempts. However, it is worth remembering that using these plugins may affect the speed of your site.

Backups

Regular backup is a key element of security, even if our hosting provider offers this service. There are situations when restoring a backup is troublesome or has not been done at all for various reasons. That's why it's always a good idea to take care of this issue yourself. There are many WordPress plugins that allow you to automatically create copies and store them on an external server. One of the recommended solutions is UpdraftPlus, which allows you to flexibly manage the process of creating and storing backups.


FAQ - frequently asked questions


How to remove a virus from WordPress?

  1. Check whether the site is actually infected.
  2. Start by changing all passwords: FTP, MySQL and the admin panel.
  3. Reinstall the WordPress files; this is a key step in removing threats.
  4. Manually remove all plugins via FTP, then reinstall them.
  5. Manually remove the files of the main theme, then upload the theme back to the server.

Is WordPress secure?

WordPress is a platform characterized by a high level of security. Dynamic work of developers from different corners of the world allows for quick detection and repair of possible vulnerabilities in the system.

How to password-protect a WordPress site?

To password protect your site in WordPress, follow these steps:

  1. Log in to your WordPress dashboard (wp-admin).
  2. Go to the “Plugins” section.
  3. Install and activate the Password Protected plugin.
  4. Then you can customize the plugin's settings by going to “Settings” > “Password Protected.”