
How to Protect Your WordPress Site Against Malware in 4 Steps

Malware (or ‘malicious software’) is a term that actually encompasses a broad collection of harmful or disruptive programs. These nuisances have been around for longer than the internet itself, and protecting your website against them remains a top priority.

In order to keep your site safe, you’ll first need to know what you’re up against. As such, it’s vital to understand the different types of malware, and how they can infect and hurt your site. Once you do, you’ll know what WordPress security measures you must take to prevent them.

In this article, we’ll discuss malware and introduce you to some of the most common and dangerous strains. We’ll also show you four steps that protect your site against WordPress malware, and how a good backup lets you recover a hacked WordPress site if an infection does slip through. Let’s go!

An Introduction to Malware

The Elk Cloner malware.

Even if you’re only casually familiar with computer security, you’ve more than likely heard the word ‘malware’ before. The term itself is short for ‘malicious software’, and it refers to any software that’s been intentionally created to cause disruptions or damage. The target could be a computer, a server, a network – or a website.

Malware actually predates the internet, going as far back as the early 70s. The first examples were decidedly less harmful, however. The Creeper program of 1971 simply moved itself between connected ARPANET computers, printing a taunting message without causing any damage. Other notable pioneers were created as pranks, such as the infamous Elk Cloner of 1982, which spread from one Apple II to the next on infected floppy disks and is generally regarded as the first virus to spread widely ‘in the wild’ outside a lab.

Today, malware isn’t something to be taken lightly. What started as harmless experimentation has grown into one of the greatest threats to all digital systems. Malware has also evolved into many different strains, with varying ways of infecting and damaging the systems they target. New variants are released and discovered every day, with recent prominent examples including the WordPress malware BabaYaga.

It’s easy to assume that you’re safe, but there really are no devices or sites that are 100% secure against malware. Even if you’re only running a basic WordPress site, it could still become infected in ways that could cause you to lose content, and even hurt you financially. As such, it’s best to be prepared and know what you’re up against, so you can take the appropriate measures to prevent an infection, and to recover quickly if your WordPress site is hacked anyway.

The Different Types of Malware

Before discussing the steps you can take to protect your site, let’s first introduce you to the many types of malware. These are some of the most common malware variations you may encounter:

  • Virus: While ‘computer virus’ is commonly used to describe many types of malware, it actually refers to software that replicates itself by inserting its own code into other programs. On a WordPress site this typically looks like malicious PHP or JavaScript injected into core, theme or plugin files, which can then serve spam or malicious downloads to your visitors.
  • Trojan horse: A Trojan horse is software that pretends to have one function but secretly performs others. In the WordPress world the classic example is a ‘nulled’ (pirated) premium theme or plugin that works as advertised while also installing a backdoor in your PHP files, or quietly using your server’s resources.
  • Spyware: This is a program that remains hidden in order to collect information, such as the credentials your users enter or the contents of your database. This can lead to data breaches and the loss of personal data.
  • Ransomware: As the name implies, this is malware that holds you to ransom: your files (or your site’s database) are encrypted, and you are told to pay the creators to get them back. The effects can be catastrophic, as the 2017 WannaCry outbreak showed when it disrupted hospitals across the UK’s National Health Service, among many other organisations. Against a website, the best answer is an off-site backup you have tested (see step 3 below).
  • Adware: This malware forces advertisements on your visitors, for instance by injecting pop-ups or redirects into your pages. It is less destructive than the other types, but it drives visitors away, can get your site flagged by browsers and search engines, and the ads themselves often lead to scams or further malware, so a single click can be all it takes.
  • Cryptocurrency miners: This is one of the newest types of malware, which infects a site in order to use the server’s CPU, or your visitors’ browsers, to mine cryptocurrency (typically a CPU-mineable coin such as Monero, since Bitcoin mining is not viable on that kind of hardware). This can severely slow down your site and drive up hosting costs. More importantly, a miner means an attacker already has the ability to run code on your site, so other payloads are likely present too.

It’s worth noting that this is by no means a comprehensive list. We could also discuss worms, wipers, and botnets (and the brute-force attacks they are so often used to launch against login pages), for example, but we think you get the point. Malware comes in many shapes and sizes, so the question is: how do you safeguard yourself against infection?

4 Ways to Protect Your WordPress Site Against Malware

In order to keep malware from infecting your site, you’ll need to take steps to tighten its defenses. While this can seem difficult, especially if you’re unfamiliar with website security, the key is understanding what potential vulnerabilities your site might have and preventing them from being exploited.

WordPress core is actively maintained and security fixes ship quickly, but that doesn’t make a site foolproof: most compromised WordPress sites are taken over through outdated or poorly written plugins and themes, weak credentials, or an insecure hosting environment rather than through core itself. In fact, it’s highly recommended that you take time to implement certain security routines and features on your WordPress website. With that in mind, we’re now going to show you four of the best ways to make sure your site can hold up against most threats.

1. Keep Your Site Updated

This first step is both the easiest and the most important. It’s absolutely crucial that you always update every part of your site as soon as possible: WordPress itself, and every theme and plugin you have installed. Old versions are much more likely to be exploited, not because they lack some ‘anti-malware’ feature, but because the vulnerabilities fixed in later releases are publicly documented, and attackers scan for sites still running the affected versions.

For instance, you’ve probably come across new versions of WordPress labeled as ‘security releases’. Each of these closes specific, known weaknesses in WordPress core, such as cross-site scripting or privilege-escalation bugs, and the details become public as soon as the release ships. If you don’t install these updates, you’re leaving known weak points open on your site, which attackers are sure to target. The same goes for plugin and theme updates whose changelog mentions a security fix.

Fortunately, updating your site is very simple. New versions will simply appear in your site’s admin area, under Dashboard > Updates:

The WordPress updates page, showing no new updates.

In fact, WordPress has installed minor and security releases of core automatically since version 3.7, and since version 5.5 you can enable automatic updates per plugin and theme from the Plugins and Themes screens. Many web hosts also update some (or all) parts of your site for you. Even so, it’s worth making the effort to check that your site really is up to date, and to remove plugins and themes you no longer use: some vulnerabilities in an inactive plugin can still be reached directly, and an uninstalled plugin needs no updating at all.
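The dashboard toggles work, but a policy that lives in code survives theme changes and new installs. The must-use plugin below is an added example (not code from the article or from WordPress itself) that opts every plugin and theme into WordPress’s background updater, allows major core releases as well, and pins the plugins you name so they wait for a manual, tested update. The plugin basename in the pinned list is a placeholder.

```php
<?php
/**
 * Plugin Name: Automatic updates policy
 * Description: Added example, not code from the article or from WordPress.
 * Opts every plugin and theme into the background updater, allows major core
 * releases, and pins a list of exceptions. Save as
 * wp-content/mu-plugins/auto-updates.php: "must-use" plugins are always active
 * and cannot be switched off from the dashboard.
 */

defined('ABSPATH') || exit;

// Core. WordPress has installed minor/security releases on its own since 3.7;
// these filters also let major releases install without a click.
// Equivalent wp-config.php setting: define('WP_AUTO_UPDATE_CORE', true);
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');

// Plugins, themes and translations: install every release found by the
// twice-daily update check.
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');
add_filter('auto_update_translation', '__return_true');

// Exceptions. The basename below is a placeholder for anything a customization
// depends on. Pinned items still appear under Dashboard > Updates; pinning does
// not make a plugin safe, it only makes the update deadline yours.
$pinned_plugins = ['example-custom-plugin/example-custom-plugin.php'];
add_filter('auto_update_plugin', function ($update, $item) use ($pinned_plugins) {
    return in_array($item->plugin ?? '', $pinned_plugins, true) ? false : $update;
}, 10, 2);

// Record what the updater did, so a site that is broken the morning after can be
// traced to the component that changed. Goes to the PHP error log.
add_action('automatic_updates_complete', function (array $results) {
    foreach ($results as $type => $items) {
        foreach ($items as $item) {
            $outcome = is_wp_error($item->result)
                ? 'FAILED: ' . $item->result->get_error_message()
                : 'ok';
            error_log(sprintf('auto-update %s: %s -> %s', $type, $item->name, $outcome));
        }
    }
});
```

Background updates run from WP-Cron, so a low-traffic site should trigger wp-cron.php from a real system cron job, and an automatic update is only as safe as the backup taken before it (step 3). The filters here take precedence over the per-plugin toggles in the dashboard.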

2. Secure Your Login Page

WordPress doesn’t have many weak points, but one of the most prominent is your site’s login page, wp-login.php. This isn’t actually a fault of WordPress itself: the page is a target simply because it is reachable by anyone and will check whatever username and password it is given, so attackers and bots focus their efforts there (and on XML-RPC, which accepts the same credentials) to gain access to your site and infect it with malware. As such, it’s important to understand how you can harden your login to prevent such attacks.

We’ve previously talked about how you can protect your wp-login page, but let’s quickly go over the basics. The most important thing you can do is very simple: use a strong, unique password for every account, which you can generate within WordPress itself. Avoiding ‘admin’ as a username is good hygiene too, since it is the first guess of every bot, but don’t rely on a username staying secret: WordPress reveals usernames through author archive URLs and the REST API, so the password and the measures below have to carry the weight.

In addition, you should go further by implementing two-factor authentication, so that a stolen or guessed password alone is not enough to log in. Depending on the plugin, the second factor can be a code from an authenticator app, a hardware security key, or a one-time code sent to a device. You can also use a plugin like Limit Login Attempts Reloaded to stop users (and bots) from being able to make endless attempts to break into an account.
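To show what such rate limiting actually does, here is a small must-use plugin written as an added example for this article; it is not the article’s code and not the Limit Login Attempts Reloaded plugin. It locks an IP address out of the login for 15 minutes after 5 failures, clears the counter on a successful login, and switches off authenticated XML-RPC. It assumes the site is not behind a reverse proxy or CDN; the threshold and window are arbitrary choices.

```php
<?php
/**
 * Plugin Name: Login throttle
 * Description: Added example (not the article's code, not Limit Login Attempts
 * Reloaded). Locks an IP out of wp-login.php for 15 minutes after 5 failed
 * attempts and disables authenticated XML-RPC, which accepts the same
 * credentials without touching the login form.
 * Save as wp-content/mu-plugins/login-throttle.php.
 */

defined('ABSPATH') || exit;

const LT_MAX_ATTEMPTS    = 5;
const LT_LOCKOUT_SECONDS = 15 * 60;

// Assumption: no reverse proxy or CDN in front of the site, so REMOTE_ADDR is the
// visitor. Behind a proxy every visitor shares the proxy's address and one attacker
// would lock everyone out; there, read the proxy's client-IP header instead, and
// only when the request really came from the proxy.
function lt_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key(string $ip): string {
    return 'lt_fail_' . md5($ip);
}

function lt_attempts(string $ip): int {
    return (int) get_transient(lt_key($ip));
}

// Count a failure. wp_login_failed fires for unknown usernames as well as wrong
// passwords. The window restarts on every attempt, so hammering a locked-out
// address only extends its lockout.
add_action('wp_login_failed', function ($username) {
    $ip       = lt_client_ip();
    $attempts = lt_attempts($ip) + 1;
    set_transient(lt_key($ip), $attempts, LT_LOCKOUT_SECONDS);
    if ($attempts === LT_MAX_ATTEMPTS) {
        error_log(sprintf('login-throttle: %s locked out after %d failures (last username tried: %s)',
            $ip, $attempts, $username));
    }
});

// Refuse the login while locked out. Priority 30 runs after WordPress's own
// username/password handlers (priority 20), so a correct password is overridden
// as well; at a lower priority those handlers would overwrite this error.
add_filter('authenticate', function ($user, $username) {
    if (lt_attempts(lt_client_ip()) >= LT_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 2);

// A successful login resets the counter for that address.
add_action('wp_login', function () {
    delete_transient(lt_key(lt_client_ip()));
});

// XML-RPC is a second door with the same lock: refuse every method that needs
// credentials. Pingbacks and other unauthenticated methods keep working.
add_filter('xmlrpc_enabled', '__return_false');
```

Per-IP counting is the simplest useful policy, but attackers with many addresses get LT_MAX_ATTEMPTS tries from each; a per-username counter or two-factor authentication closes that gap, which is why the throttle is a complement to 2FA rather than a replacement.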

3. Create Regular Backups of Your Site

A backup is essentially a copy of your site, which can be used to revert it to an earlier state. Naturally, backups are mainly used when your site has already been infected, but they’re nonetheless a crucial tool for battling malware. If your site does get infected and you have no backup, you may have lost your data and content entirely.

With a backup, however, you can simply restore the saved version, ‘rebooting’ your site to a point before it was attacked. Depending on how old the backup is, you may still have lost some data, but not nearly as much as if you had not taken this precaution. Two caveats apply. Keep several generations of backups, because a compromise is often discovered long after it happened and your most recent backup may already contain the malware. And a restore only removes the malware, not the weakness it came through, so update everything and change passwords before you put the restored site back online.

There are many ways to create backups in WordPress. Several plugins contain backup features, such as the immensely popular UpdraftPlus. You’ll also find that some web hosts offer this functionality as part of their plans, and will automatically create backups for you at specific intervals. Whichever you use, make sure copies leave the server: malware with write access to your site can delete or encrypt backups stored beside it, and a host-level failure takes both down together.

Finally, you can also get a support plan that includes regular backups. This ensures that you’ll always have a plan B, should the worst-case scenario ever come to pass.
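For those who would rather see what a backup consists of than trust a plugin’s green checkmark, the script below is an added example for this article (not the article’s code and not any backup plugin’s). Run through WP-CLI, it dumps the database consistently, archives wp-content, and writes a SHA-256 checksum so the copy can be verified before a restore. It assumes mysqldump and tar are on PATH, that DB_HOST is a plain hostname, and that WP-CLI’s eval-file exposes extra arguments as $args; the destination path is a placeholder.

```php
<?php
/**
 * backup.php - added example, not code from the article or any backup plugin.
 * Run through WP-CLI so the site's DB_* constants and paths are already defined:
 *     wp eval-file backup.php /var/backups/wp
 * Writes <dest>/<host>-<UTC timestamp>.tar.gz (database dump + wp-content) and a
 * matching .sha256 file. Assumptions: mysqldump and tar are on PATH, DB_HOST is
 * a plain hostname (no ":port"), and <dest> is outside the web root and readable
 * only by the backup user.
 */

if (!defined('ABSPATH')) {
    fwrite(STDERR, "Run with: wp eval-file backup.php <dest-dir>\n");
    exit(1);
}

$dest = $args[0] ?? null;   // wp eval-file passes extra positional arguments as $args
if ($dest === null) {
    fwrite(STDERR, "Usage: wp eval-file backup.php <dest-dir>\n");
    exit(1);
}

// Run a shell command with extra environment variables; throw on non-zero exit.
function bk_run(string $cmd, array $extra_env = []): void {
    $proc = proc_open($cmd, [2 => ['pipe', 'w']], $pipes, null, array_merge(getenv(), $extra_env));
    if (!is_resource($proc)) {
        throw new RuntimeException("could not start: $cmd");
    }
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("command exited $status: $stderr");
    }
}

$host    = preg_replace('/[^a-z0-9.-]+/i', '-', (string) parse_url(home_url(), PHP_URL_HOST));
$stamp   = gmdate('Ymd-His\Z');
$work    = rtrim($dest, '/') . "/$host-$stamp";
$archive = "$work.tar.gz";

if (!is_dir($work) && !mkdir($work, 0700, true)) {
    fwrite(STDERR, "cannot create $work\n");
    exit(1);
}

// 1. Database. --single-transaction gives a consistent InnoDB snapshot without
//    locking tables. The password travels in the environment, not on the command
//    line, so it does not show up in `ps` output or shell history.
bk_run(sprintf('mysqldump --single-transaction --quick --host=%s --user=%s %s > %s',
    escapeshellarg(DB_HOST), escapeshellarg(DB_USER), escapeshellarg(DB_NAME),
    escapeshellarg("$work/database.sql")), ['MYSQL_PWD' => DB_PASSWORD]);

// 2. Files. wp-content holds themes, plugins and uploads: everything that cannot
//    be re-downloaded from wordpress.org. wp-config.php is deliberately left out;
//    it belongs in a secrets store, not in an archive that gets copied around.
bk_run(sprintf('tar -czf %s -C %s %s -C %s database.sql',
    escapeshellarg($archive),
    escapeshellarg(dirname(WP_CONTENT_DIR)), escapeshellarg(basename(WP_CONTENT_DIR)),
    escapeshellarg($work)));

// 3. Integrity. `sha256sum -c <archive>.sha256` (run inside <dest>) verifies the
//    copy you are about to restore, or the one that came back from off-site storage.
file_put_contents("$archive.sha256",
    hash_file('sha256', $archive) . '  ' . basename($archive) . "\n");

unlink("$work/database.sql");
rmdir($work);
echo "wrote $archive (" . round(filesize($archive) / 1048576, 1) . " MiB)\n";
```

Schedule it from cron, copy the resulting archive and checksum to storage the web server cannot write to, and restore one of them to a staging site now and then: a backup that has never been restored is a hope, not a plan.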

4. Install a Security Plugin

We’ve already touched on several plugins that can protect specific aspects of your site. However, there are also a number of plugins that provide a complete security system for your WordPress site. In fact, there are so many that we can scarcely name even a fraction of them here. Instead, let’s take a quick look at some of the most popular options.

First up, we’ve got Sucuri Security, which is a free plugin that offers a lot of features:

The Sucuri Security plugin.

Among other things, Sucuri scans your site for malware against an up-to-date list of known threats, sends you notifications about any security issues, and monitors your site’s core files for unexpected changes.

Next up is Wordfence Security:

The Wordfence plugin.

This plugin’s best feature is arguably its firewall, which blocks known malicious requests before they reach your site’s code. However, Wordfence also includes a malware scanner, and can monitor traffic and login attempts in real time.

Finally, All In One WP Security & Firewall is another strong option:

The All In One WP Security & Firewall plugin.

As promised by the name, this is a comprehensive solution that includes security scanning, automatic backups, and a firewall. Best of all, it’s completely free. With this type of plugin installed, you’ll have a lot less work to do when it comes to securing your WordPress site. One caveat applies to all of them: a security plugin runs inside the same WordPress installation it is protecting, so an attacker who gains administrator or file-write access can simply disable it. Treat it as one layer alongside the updates, login hardening and off-site backups above, not as a complete defense.
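The scanners in these plugins boil down to two checks, and it is worth seeing them in plain code so the reports they produce are not a black box. The script below is an added example for this article, not the code of Sucuri, Wordfence or any other plugin. It compares core files against the checksums wordpress.org publishes for the installed version (which is also what WP-CLI’s `wp core verify-checksums` does), and then looks through wp-content for PHP files in the uploads directory and for patterns typical of injected backdoors. The regular expressions are a starting set chosen for this example, not an exhaustive signature list.

```php
<?php
/**
 * scan.php - added example of what a security plugin's file scanner does; this
 * is not the code of Sucuri, Wordfence or any other plugin. Run through WP-CLI:
 *     wp eval-file scan.php
 * 1. Core files are compared with wordpress.org's checksum manifest for the
 *    installed version/locale; PHP files in core directories that the manifest
 *    does not list are reported too.
 * 2. wp-content is walked for PHP under uploads (which should never hold code)
 *    and for patterns typical of injected backdoors.
 * Exits 1 when anything was found, so it can run from cron and alert.
 */

if (!defined('ABSPATH')) {
    fwrite(STDERR, "Run with: wp eval-file scan.php\n");
    exit(1);
}

require_once ABSPATH . 'wp-admin/includes/update.php';   // get_core_checksums()

// Yield the path of every PHP-like file below $dir.
function sc_php_files(string $dir): Generator {
    if (!is_dir($dir)) {
        return;
    }
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $file) {
        if ($file->isFile() && preg_match('/\.(php|phtml|php[57])$/i', $file->getFilename())) {
            yield $file->getPathname();
        }
    }
}

$findings = [];

// --- 1. Core integrity. The manifest maps relative path => MD5 (that is what the
// API provides; it serves change detection here, not collision resistance).
// Entries under wp-content (bundled themes, Akismet) are skipped because they are
// updated separately and would be false positives.
$checksums = get_core_checksums(get_bloginfo('version'), get_locale());
if ($checksums === false) {
    fwrite(STDERR, "could not fetch core checksums (no network?); skipping core check\n");
} else {
    foreach ($checksums as $relative => $expected) {
        if (strpos($relative, 'wp-content/') === 0) {
            continue;
        }
        $path = ABSPATH . $relative;
        if (!file_exists($path)) {
            $findings[] = "core file missing: $relative";
        } elseif (md5_file($path) !== $expected) {
            $findings[] = "core file modified: $relative";
        }
    }
    foreach (['wp-admin', 'wp-includes'] as $dir) {
        foreach (sc_php_files(ABSPATH . $dir) as $file) {
            $relative = ltrim(substr($file, strlen(ABSPATH)), '/');
            if (!isset($checksums[$relative])) {
                $findings[] = "unexpected file in core directory: $relative";
            }
        }
    }
}

// --- 2. wp-content.
foreach (sc_php_files(wp_get_upload_dir()['basedir']) as $file) {
    $findings[] = "PHP file inside uploads: $file";
}

// Each pattern is a lead, not proof: some legitimate plugins pack or encode code,
// so review every hit before deleting anything.
$suspicious = [
    '/\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i' => 'eval of a decoded payload',
    '/\beval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i'                        => 'eval of request input',
    '/\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b/i' => 'shell command from request input',
    '/\$[a-z_][a-z0-9_]*\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[/i'         => 'variable function called on request input',
    '/(\\\\x[0-9a-f]{2}){8,}/i'                                               => 'long hex-escaped string (obfuscation)',
];
foreach (sc_php_files(WP_CONTENT_DIR) as $file) {
    $code = (string) file_get_contents($file);
    foreach ($suspicious as $regex => $label) {
        if (preg_match($regex, $code)) {
            $findings[] = "$label: $file";
        }
    }
}

if ($findings) {
    foreach ($findings as $finding) {
        echo "[!] $finding\n";
    }
    exit(1);
}
echo "No findings.\n";
```

Two limits are worth knowing. The core check cannot see wp-config.php or anything in wp-content, so a backdoor in a theme only surfaces through the pattern search, which an attacker can evade with a fresh encoding. And because the script runs as the same PHP user as the site, a compromise with file-write access could alter it; running it from a separate account that has read-only access to the web root, or from a copy of the files, gives the result more weight.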


Keeping your site free from malware is one of your most important tasks, and one you shouldn’t take lightly. WordPress makes this a lot simpler, as it provides a secure foundation, but it’s still easy to leave yourself open to vulnerabilities if you don’t take precautions.

In this article, we’ve covered some of these tasks you can undertake in order to strengthen your site’s defenses. These include:

  1. Keep your site updated.
  2. Secure your login page.
  3. Create regular backups of your site.
  4. Install a security plugin.


If you need help securing your website, don’t hesitate to reach out! Our maintenance service includes daily malware scanning and cleanup to keep your site safe and secure.

Image credit: Pixabay.


Will Morris

Will Morris is a staff writer at WordCandy. When he's not writing about WordPress, he likes to gig his stand-up comedy routine on the local circuit.
