How to Prevent and Remove Malware in WordPress

WordPress is now the most popular website management software, powering over 70 million websites worldwide. By its very nature, software needs to be maintained as new updates and patches become available. WordPress has been freely available since 2004, and versions from 1.x through the most current (3.3.2) remain online.

From the first version of WordPress to the latest, hundreds of updates have been released, some of which patch serious security holes. Over the last few years, the term “malware” has come to be applied to WordPress websites compromised (hacked) through one of these holes. While malware usually describes a virus with a payload on a PC, it is now more often used to describe a (WordPress) website infected with SEO spam or with malicious scripts or code.

The best prevention for malware in WordPress is simply keeping it up to date. As new releases become available, perform the upgrade as soon as possible. Also, be sure that your installed theme and plugins are up to date.


Tips for Malware Prevention

While updating WordPress is great preventative medicine, there are multiple additional things that you can do to protect your website further:

Remove old plugins: Be sure to remove any plugins you aren’t using (deactivated). Even unused plugins can be a security risk. Also, only keep installed plugins that have received an update within the last 12-18 months. Plugins older than that may not be compatible with the latest version(s) of WordPress (or your theme), and they could have security holes as well.

Review your theme: How old is your WordPress theme? If you purchased it from a developer, check whether a recent update is available to install. If you have a custom theme (or even one you coded yourself), have it reviewed by a competent developer or security expert about once a year to ensure it doesn’t have security holes.

Security and Hardening: Install and configure one or more popular WordPress security plugins to harden your website beyond the ‘out of the box’ setup. While WordPress is a very mature and secure platform, you can easily add basic layers of security by changing the admin username and the default WordPress table names (the wp_ prefix), and by adding protection against 404 attacks and long malicious URL attempts.

Tips for Malware Removal

If you think your WordPress website has been hacked or injected with malware, malicious scripts, spam links, or code, the first thing you should do is get a backup copy of your website (if you don’t already have one). Download a copy of all files in your web hosting account to your local computer, as well as a copy of your database.

Next, install one of the many free malware scanner plugins from the official WordPress plugin repository. Activate it and see whether it can locate the source of the infection. If you’re a technical person, you may be able to remove the code or scripts yourself. Be sure to check all of your theme files, and you may also need to reinstall WordPress.

If your WordPress core files are infected, one of the best ways to remove the source of the infection is to delete the entire wp-admin and wp-includes folders (and their contents) as well as all files in the root of your website. Inside the wp-content folder, delete both the themes and plugins folders, keeping the uploads folder with the attachments and images you’ve uploaded. Since you have a local copy of your website, you can reinstall the theme, and you know which plugins were installed.

The best thing to do now is to download a fresh copy of WordPress and install it, using the local copy of your wp-config.php file to connect to your existing database. Once you’ve done this, and before reinstalling your theme and plugins, you may want to log in once to your wp-admin dashboard and go to “Tools -> Export” to export a complete copy of all your content, comments, tags, categories, and authors. At this point, if you want, you could drop the entire database, create a new one, and import all your content, so you’d have a completely fresh copy of both WordPress and the database. Last, reinstall your theme and fresh copies of all plugins from the official WordPress repository (don’t use the local copies you downloaded).
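As an added example (not part of the original article), the shell functions below carry out the backup and rebuild steps just described on a Linux host. The site root, the unpacked clean WordPress directory and the backup destination are assumed arguments, and the paths in the usage comment are placeholders; the tamper report compares wp-admin and wp-includes against the clean release before anything is deleted, so you keep a record of what the infection touched.

```shell
#!/usr/bin/env bash
# Added example, not from the article: carry out the rebuild steps above.
# Assumed arguments (operator-supplied; the usage paths below are placeholders):
#   site  = root of the compromised site (holds wp-config.php and wp-content/)
#   clean = a freshly unpacked WordPress release (wp-admin/, wp-includes/, ...)
#   dest  = backup directory OUTSIDE the site root
set -eu

# Step 1: copy every file before touching anything. The database dump
# (mysqldump with the DB_* values from wp-config.php) is done separately.
backup_site() {
  local site="$1" dest="$2"
  mkdir -p "$dest"
  tar -czf "$dest/files-$(date +%Y%m%d%H%M%S).tar.gz" -C "$site" .
}

# Before deleting, record which core files were tampered with: anything in
# wp-admin/ or wp-includes/ that differs from the clean release (MODIFIED) or
# that a clean release does not ship at all (EXTRA). Keep the list with the
# backup; it is the evidence of what the infection touched.
report_tampered_core() {
  local site="$1" clean="$2"
  (cd "$site" && find wp-admin wp-includes -type f) | sort |
  while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      echo "EXTRA    $f"
    elif ! cmp -s "$site/$f" "$clean/$f"; then
      echo "MODIFIED $f"
    fi
  done
}

# The article's removal steps: drop wp-admin, wp-includes, every file in the
# site root, and wp-content/themes and wp-content/plugins. wp-config.php stays
# so the fresh core reconnects to the existing database, and wp-content/uploads
# is never touched. The clean release is then copied in; the site's own theme
# and plugins are reinstalled afterwards from the official repository.
rebuild_core() {
  local site="$1" clean="$2"
  rm -rf "$site/wp-admin" "$site/wp-includes" \
         "$site/wp-content/themes" "$site/wp-content/plugins"
  find "$site" -maxdepth 1 -type f ! -name wp-config.php -delete
  cp -R "$clean"/. "$site"/
}

# Example usage (paths are placeholders):
#   backup_site /var/www/site /root/wp-backup
#   report_tampered_core /var/www/site /tmp/wordpress > /root/wp-backup/tampered.txt
#   rebuild_core /var/www/site /tmp/wordpress
```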

If these steps are too technical for you, or if they didn’t remove the infection source, you might need to enlist the help of a WordPress security expert.

Preventive Maintenance Moving Forward

If your website is important to you, or you use it for business, protect it as you would your physical business. What would happen if your website were down or out of commission tomorrow? Would it hurt your business? A little preventative medicine goes a long way:

Backup and Disaster Recovery Plan: Make sure you have a working and tested backup solution in place (this is what most businesses would call a disaster recovery plan). There are many free and paid plugins and solutions to accomplish this for a WordPress website.

Install Basic Security: If you don’t have a WordPress security plugin installed, get a highly rated and recently updated one from the official free plugin repository today to protect your website. If you aren’t comfortable doing this on your own or don’t have a technical website person, then hire a WordPress consultant or security expert to do it for you.

About author

I work for WideInfo and I love writing on my blog every day with huge new information to help my readers. Fashion is my hobby and eating food is my life. Social Media is my blood to connect my family and friends.