How to Prevent and Remove Malware in WordPress

WordPress is now the most popular website management software, currently powering more than 70 million websites worldwide. By its very nature, software needs to be maintained as new updates and patches become available. WordPress has been freely available for building websites since 2004, and installations of every version from 1.x to the most current release (3.3.2) remain online.

From the first version of WordPress to the latest, hundreds of updates are available, some of which patch huge security holes. Over the last few years, the term “malware” has been used in conjunction with WordPress websites compromised (hacked) through one of these security holes. While malware is typically a term to describe a virus with a payload on a PC, the term is now more often used to describe a (WordPress) website that’s been infected with SEO spam, or malicious scripts or code.

The best prevention for malware in WordPress is simply keeping it up to date. As new releases become available, perform the upgrade as soon as possible. Also, be sure that your installed theme and plugins are up to date as well.

Tips for Malware Prevention

While updating WordPress is great preventative medicine, there are multiple additional things that you can do to protect your website further:


Remove old plugins: Be sure to remove any plugins you aren’t using (deactivated). Even unused plugins can be a security risk. Also, only keep installed plugins that have had an update within the last 12-18 months. If you’re using plugins older than that, they may not be compatible with the latest version(s) of WordPress (or your theme) – and they could have security holes as well.

Review your theme: How old is your WordPress theme? If you purchased it from a developer, check whether a recent update is available for you to install. If you have a custom theme (or even one you coded yourself), be sure to have it reviewed by a competent developer or security expert about once per year to ensure it doesn’t have security holes.

Security and Hardening: You should install and configure one or more popular WordPress plugins to secure and harden your website (beyond the ‘out of the box’ setup). While WordPress is a very mature and secure platform, you can easily add multiple additional layers of basic security by changing your admin username and the default WordPress database table prefix, and by adding protection against 404 attacks and long malicious URL attempts.

Tips for Malware Removal

If you think your WordPress website has been hacked or injected with malware, malicious scripts, spam links, or code, the first thing you should do is get a backup copy of your website (if you don’t already have one). Download a copy of all files in your web hosting account to your local computer, as well as a copy of your database.

Next, install one of the many free malware scanner plugins in the WordPress official free plugin repository. Activate it, and see if you can find the source of the infection. If you’re a technical person, you might be able to remove the code or scripts on your own. Be sure to check all your theme files, and you might also need to reinstall WordPress.

If your WordPress core files are infected, one of the best ways to remove the source of the infection is to delete the entire wp-admin and wp-includes folders (and contents) as well as all files in the root of your website. Inside the wp-content folder, delete both the themes and plugins folders (keeping the uploads with attachments and images you’ve uploaded). Since you have a local copy of your website, you can reinstall the theme, and you know what plugins were installed.

The best thing to do at this point is to download a fresh copy of WordPress and install it. Use the local copy of the wp-config.php file to connect to your existing database. Once you’ve done this, before reinstalling your theme and plugins, you might want to log in one time to your wp-admin dashboard and go to “Tools->Export” and export an entire copy of all your content, comments, tags, categories, and authors. At this point, if you want, you could drop the entire database, create a new one, and import all your content so you’d have a completely fresh copy of both WordPress and a new database. Then last, reinstall your theme and fresh copies of all plugins from the official WordPress repository (don’t use the local copies you downloaded).
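Before wiping wp-admin, wp-includes and the root files, it helps to know which of them actually differ from what a clean release ships. The following check is an added example, not code from the original post: it hashes those paths in a site copy and in a freshly downloaded copy of the same WordPress version (assumed to be unpacked side by side) and lists modified, missing and unexpected files. The two directory trees it builds are constructed sample data, and wp-config.php is skipped because it is site-specific.

```python
import hashlib
import tempfile
from pathlib import Path

# The article says to wipe and reinstall wp-admin, wp-includes and the root
# files; those are the paths compared here. wp-config.php and wp-content are
# site-specific and are skipped.
CORE_DIRS = ("wp-admin", "wp-includes")

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def core_files(root: Path) -> dict:
    """Map relative path -> sha256 for root-level files and the core dirs."""
    result = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if not p.is_file() or rel.name == "wp-config.php":
            continue
        if len(rel.parts) == 1 or rel.parts[0] in CORE_DIRS:
            result[rel.as_posix()] = sha256_of(p)
    return result

def compare_core(site: Path, pristine: Path) -> dict:
    """Files that differ from, are missing from, or do not exist in the pristine copy."""
    s, p = core_files(site), core_files(pristine)
    return {
        "modified": sorted(k for k in s if k in p and s[k] != p[k]),
        "missing": sorted(k for k in p if k not in s),
        "unexpected": sorted(k for k in s if k not in p),
    }

def demo() -> dict:
    """Constructed sample trees: one tampered core file, one dropped-in file."""
    base = Path(tempfile.mkdtemp())
    pristine, site = base / "pristine", base / "site"
    for root in (pristine, site):
        (root / "wp-admin").mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '3.3.2';\n")
    # simulated tampering on the site copy (constructed, not a real payload)
    (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '3.3.2'; /* injected */\n")
    (site / "wp-admin" / "cache.php").write_text("<?php // constructed: not in any release\n")
    (site / "wp-config.php").write_text("<?php // site-specific, ignored by the check\n")
    return compare_core(site, pristine)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it against a real site by calling compare_core with the downloaded site directory and the unpacked fresh release of the same version; anything listed under "unexpected" inside wp-admin or wp-includes deserves a close look before the reinstall.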

If these steps are too technical for you, or if they didn’t remove the source of the infection, you might need to enlist the help of a WordPress security expert.

Preventive Maintenance Moving Forward

If your website is important to you or you use it for business – it’s important that you protect it as if it were your physical business. What would happen if your website were down or out of commission tomorrow? Would it hurt your business? A little preventative medicine goes a long way:

Backup and Disaster Recovery Plan: Make sure you have a working and tested backup solution in place (this is what most businesses would call a disaster recovery plan). There are many free and paid plugins and solutions to accomplish this for a WordPress website.

Install Basic Security: If you don’t have a WordPress security plugin installed, get a highly rated and recently updated one from the official free plugin repository today to protect your website. If you aren’t comfortable doing this on your own or don’t have a technical website person, then hire a WordPress consultant or security expert to do it for you.

About author

I work for WideInfo and I love writing on my blog every day with huge new information to help my readers. Fashion is my hobby and eating food is my life. Social Media is my blood to connect my family and friends.