≡ Menu

How to Prevent WordPress Malware: The Complete Guide

pevent wordpress malware
Wordpress hacking is a very common issue today. I believe that out of every 10 bloggers, 7 will face the problem of either getting their blog hacked or malware infected. As a matter of fact, the post I wrote on how to prevent wordpress hacking gets the most views on this blog and thus received ton of comments and feedback. A lot of my readers had questions regarding several stuff related to wordpress hack and malware prevention. Some of them wanted a downloadable .htaccess file, some requested for a detailed guide and etc. so today, I will do my best to provide almost everything I know and have learned to prevent wordpress hacks, spam, and malware.

There are several reasons for writing this post. First of all, 2 of my shared hosting got infected with malware recently. Yes, I know it sucks, especially because I show my expertise in this field. However, you must know that nothing is perfect and you can never stop hackers or spammers but you can definitely make life hell for them by implementing certain strategies and code to bulletproof your blog and that’s exactly what I am trying to achieve here. I have named this post “the ultimate guide” because I will keep updating it whenever I discover something new. I don’t want to write several articles on hacking or malware prevention; instead, I want to write a guide which will contain all the links and resources at one place. I believe this will not only help my readers right now but also in the future. You can bookmark this, come back in the future if ever your blogs get hacked again.

There is a little difference between getting hacked and infected by malware. Unless you own a popular blog or have some personal issues with the hacker, I don’t see any reason why he would hack your website. Because if a hacker wants, he can run botnets, DDOS and shut down your website in a matter of seconds and if you are on a shared hosting, your chances of defending your blog from this sort of attack is close to zero. Now don’t be scared. Why am I telling this is because usually blogs get infected with malware or hacked due to open security holes.

So what are these open security holes? First of all, most of us bloggers or website owners usually start with a shared hosting. There is nothing wrong with shared hosting and even I have accounts with 3 different hosting companies. However, the downside is, shared hosting can easily be exploited. Lets assume that you have a shared hosting with hostgator. Now remember that there are several other users who are hosting on that same server as yours. You guys share the same server ip. Lets assume, some of them are newbie and just started out. There are several possibilities that they might have a weak password or didn’t properly protect their wordpress blog or their computer might be infected with trojan. In any of these cases, its very easy for the hacker to gain access to the server, install malware which then spreads across and infects all the blogs and websites on that shared hosting.

Now the second case is, if you are a blogger or an internet marketer, I am sure you hang out in several online forums, check out lots of websites etc. Unfortunately, some of the websites might be bad (bad intention) or they might be infected themselves. These websites have no idea that they are infected and are spreading malware to their visitors. You will see all these in action in a few so just hang on.

Before I talk about my recent blog hack and experience, I just wanted to let you know that hackers always have a purpose. As i said earlier, most of the time when we say our blog is hacked, we actually mean our blog got infected with malware. Bad people scan blogs for vulnerabilities and they mass scan. This means if the hacker had a personal issue with you or your blog then he would simply focus on you and take you down.

In simple words, in most cases, hackers just mass scan, find blogs with weak security and open to vulnerability, and then simply injects their hosting with malware which then spreads from one site to another. Malware can be really painful to bloggers. Unlike simple .htaccess mod hack which can be easily solved by editing certain files and codes, malware might get into your script, theme files, database etc.

80% of the time, people seek expert advice and assistance when their blogs get infected with malware. Unless you have pro security background, know about java scripting and databases, I don’t think you can deal with malware yourself. As a matter of fact, even I couldn’t. One reason would be that I have tens of blogs on that hosting which got infected and it takes time to clean them all. I found a better solution which you will see in a bit, read on.

Now that you are quite familiar with malware, let be begin my story. So, by now you know that some of my hosting and blogs got infected recently. Who cares? right? Not exciting! What matters is how I found out about the intrusion, how I got rid of the malware and what I did to strengthen the security.

wordpress malware infected

Almost 2 weeks ago, when I googled my niche keyword to check out it’s ranking, I saw that it had a link above the meta description which read “This site may harm your computer”. When I clicked on that link, google warned me to access the website as it was infected. As soon as I saw that, I really didn’t know much to do because this was the first time I was dealing with such instances. When I scanned the site using sucuri, I found out that several pages including the root file was infected with a javascript malware. The blog was also blacklisted by google.

google malware blacklist

I wasn’t worried about getting black listed because there’s always a way around. However, I was worried about my reputation and credibility. Imagine when you google one of my websites which has my name on it and you see “This site may harm your computer”. You might think I am a bad guy trying to do the bad thing. But you might not know that even I am a victim as well and unknowingly my blogs have been effecting others. This can really hurt the reputation of the blog owner. I am sure you see the picture.

After researching, I found out several unexpected stuff. Remember, when i said that most of the time hackers gain access through open security holes? It was not the same in my case.

I found out that I have downloaded a trojan from some website which was in my computer running windows 7. Most people talk about good anti virus softwares such as Norton, Avast, Macaffee etc. Let me tell you, I have used most of them including these and they all failed in my case. But, ever since I signed up with malwarebytes, I have been having a heck of a time; meaning, I didn’t have to worry much about trojans and viruses. Malwarebytes is light and is superior to other pc security tools I have come across.


Now you might ask, if malwarebytes is so good, how the heck did my computer get infected. Good question: I browse a lot and my windows run 24/7. Malwarebytes has auto protection and website blocking enabled all the time. Unfortunately, weeks ago, after updating malwarebytes, I encountered a bug which disabled the website blocking protection. I didn’t notice or maybe I was ignorant and didn’t know it would matter much. I was wrong.

I have been using Malwarebytes on 2 of my computers running windows since 1.5 years and according to me, they block pretty much all the bad stuff 🙂 Nothing is perfect but if i had to choose an anti virus software then malwarebytes it is.

After scanning my system, I found out that my pc was infected with an evil rootkit trojan. Rootkits are bad, just google for details. They stay hidden, can take control of several programs and run them without your permission. In my case, I was able to delete the rootkit using malwarebytes but unfortunately, this rootkit was the case for installing malware on my server. Yes, you read it right. Lets assume, I have a trojan in my computer and I am unaware of it. I use a FTP client such as filezilla to login to my server. What happens now is, the trojan can steal your login info and details and thus upload malware directly to your server.

Who do you blame here? the newbie guy on your shared hosting? yourself? hacker? or the anti-virus? Lets stop blaming and instead take precautions and be responsible. I cannot provide detailed methods right at the moment on how to remove malware from your server because as I mentioned earlier, majority require expert guidance which means you will have to let a 3rd party do the job for you. I am not saying it is impossible and I might make a video on this, however, let the expert do it for now and let me give you some tips to better protect your wordpress blog from further hacks.

Scan, Detect and Eliminate Malware

malware scanner

First, scan your computer and remove all the malware you find (if any). I highly recommend malwarebytes. Your computer has to be secured and protected first because its the access point that allows you to connect to your hosting server using ftp.

Scan your blog using sucuri to see if it is infected. Sucuri is a popular and well known company that helps to clean your blog from malware. They also monitor your blog. If you find out that your blog is infected then I suggest that you take help from them. They are not free of charge but their yearly plans are quite reasonable. If you love your blog, you should know what i mean. However, I have a sweet alternative and much cheaper plan for you. Just read on and you will see 🙂

How to Better Protect your Blog from Malware

Now that you have taken care of the malware and your blog is clean, you need to install a few plugins and tweak a few codes. Lets begin.

Change Passwords

If your blog was infected, chances are that your password has been compromised. Login to your cpanel and change all the password. Make sure to use an Uppercase, a lowercase, a number and a special character. I suggest you include all of them.

After taking care of the cpanel password, its time to change your wordpress login password. Again, I recommend you use something that is not used previously and is tough to guess.

Backup Entire WordPress Blog

backup buddy

This is the most important step and must not be ignored. I still remember when I spoke to one of my blog security guys regarding malware, he said I shouldn’t be worried if I have a backup. I had to pause for a while and give a knock on my head…because I didn’t have any 😮 . Well, the blog was small so it didn’t matter but imagine if you have a blog with ton of content and it gets compromised? Let me save you from that nightmare. Get backupbuddy. Its the only and most powerful complete wordpress backup plugin and I use it on my blogs. The latest feature even has the dropbox integration which is very cool. It also has several other features like repair buddy, scheduling backups, restore, migrate etc. It also has a built in malware scanner. Previously, I have written a guide on using backup buddy so check it out.

If you don’t think you can get backup buddy for whatever reasons, no worries, the tools I am going to mention will help you do that for free. However, you cannot compare security tools with backup tools because backupbuddy is a complete backup solution while the other tools I am going to mention will only backup your database.

Install Security Plugins

Now that you have backed up your entire wordpress blog, you don’t have to worry about losing anything since you can always restore. Its time we install some security plugins.

1. WP Security Scanner

change wordpress table prefix
This is a light security scanner by Website Defender. Install this and just follow through. There is a setting which allows you to rename database table prefix. Change it to something hard to guess. Usually wordpress installs database with “wp_” as the default table prefix. This makes it easy for hackers to scan and find weak databases and inject malware.

2. Better WP Security

better wp security setting

Better WP Security takes the best WordPress security features and techniques and combines them in a single plugin. This plugin has pretty much everything and should be the first plugin any blogger should install. Ask why? With just one-click activation for most features as well as advanced features for experienced users, better wp security will create and modify .htaccess to strengthen the security of your blog and do much more. You don’t have to manually create any .htaccess and bother about codes. Let this plugin do the magic for you.

After installing and activating the plugin, I want you to do a few more things. First, do the one-click “secure from basic attack” and see how many green and blues come up. Both are OK. Green means well protected, blue means you can make it green but some plugins might not work so you can leave it and red means you need to secure it.

Now click on “hide backend” tab and enable it. The “hide backend” feature changes the URL from which you can access your WordPress backend thereby further obscuring your site to potential attackers.

If you have a fresh installation of wordpress then I would recommend you click on “Content Directory” tab and change the directory name. This will add another level to your security. Only do this if your BLOG IS NEW. Remember, if you change this directory name on an established blog, a lot of links will not function.

The main goal is to tweak all the codes to improve security. Play around and see which option works and which doesn’t. For example, I may be able to change a blue link to green as it might not effect my blog or plugins. However, the same modification might effect your blog or theme. Like I say, trial and error. I have laid out the important steps and the rest depends on your discovery.

Downloadable .htaccess and robot.txt

After ton of request for a downloadable .htaccess file, I have finally decided to put it up. Feel free to download it and upload it to your root. Please, make sure you modify it to meet your blogs requirement. Not all blogs or websites run the same way. But I believe it will work and if you are using the better wp security plugin then you wont need this. However, I have included few other codes that the plugin wont write to the .htaccess so what you can do is, upload this file to your root and let better wp security modify it and add other codes. The choice is yours, both works good.

WordPress Installation, Design and Security Service

Remember, I said earlier that there was an alternative and cost effective way of removing malware from your blogs? Well, the method is none other than hiring me and my team of wordpress rockstars to guide and assist you with all your wordpress related stuff. When I discovered that my servers were infected by malware, I wasn’t really scared but I was worried that I would lose some data as I didn’t have a backup. Guess what? I didn’t lose anything and my blogs were completely restored by my team.

Due to my curious nature, I wanted to find out what others are providing as a solution to malware so I did a google search. Unfortunately, there were not many legit results but I found sucuri to be the only one dominating this market. Their yearly plans can be expensive for a lot of people so I thought it would be nice to offer wordpress security and malware removal service to my readers and to those who are facing this problem. My main intention for providing wordpress service is to help my readers, bloggers and others who seek cost effective yet powerful long lasting wordpress solution.

Lets not say anymore. You will be amazed to see our deals and I am looking forward to see your feedback. Whatever I provide, it is always backed up by my credibility, reputation and myself 🙂

Click Here to Check out our Services

Always Keep an eye on wordpress update. If latest version is available, make sure you update it right away.


I don’t know if I should be happy about getting hacked or spammed. Sometimes I think, if my blogs were not hacked, I wouldn’t have bothered to make a blog post on it. Because 90% of the stuff I write about is totally based on my experience and real life. If my blogs were not infected by malware recently, maybe I wouldn’t be writing this post today :); but glad I did. As i said earlier, there is no ultimate bulletproof for your blog but if you take certain steps, you can definitely prevent malware from messing with your sweet wordpress blog. Implement everything I have mentioned on this post. It took me 3 hours to type this out and I hope that you really make good use of it. This will be the ultimate guide for wordpress malware prevention and ill keep it updated with latest stuff. Now go and protect your blog before some bad guy decides to infect it with worms.

2 comments… add one

Leave a Comment