
Preventing WordPress Malware With 3 Simple Steps

written by WP Fix It

March 19, 2021

Preventing WordPress malware sounds like a great thing to talk about, huh?

Hopefully you are reading this post in an effort to proactively avoid dealing with a WordPress infection. If so, this is great news because it shows that you take WordPress security seriously and you do not want to find yourself dealing with a WordPress malware infection on your website that is causing it to either function improperly or be completely inaccessible altogether.

We have a team of Agents that have been servicing flat fee WordPress support issues since 2009. One of the most popular services that we offer is our Infection Removal Service and we can tell you that over the years we have seen it all and conquered it all when it comes to WordPress infections.

While there are hundreds and maybe even thousands of different ways a website can become vulnerable and get infected, there are three very common reasons why an infection could become present on your WordPress website. Avoiding these three frequently seen causes of a WordPress infection will increase the level of security and stability on your website and decrease any panic or concern you may have about getting an infection on your WordPress site.

Our goal here is to fully outline in detail the three most commonly seen reasons that lead to a WordPress infection. By the end of this article you will have a full understanding of each reason and be able to jump into action on your own website to ensure that none of these things are in place which in turn will automatically limit the vulnerability of your website getting an infection. Simply watching out for these three very common causes will arm you with a strong strategy in preventing a WordPress malware infection.


⚡️ UPDATE YOUR WORDPRESS SOFTWARE – Preventing WordPress Malware

One of the most impressive features of using WordPress as your content management system is that it is constantly being updated to not only provide better functionality but also to enhance its level of security and safe usage. It is extremely important that you manage and maintain the software updates on your WordPress website to limit not only security concerns but also any functionality conflicts that could arise from not completing your updates.

WordPress updates come in many different forms. Below are the different categories of updates that may be available on your WordPress website.

👉 WordPress Core Update
This is the heart and soul of your entire WordPress installation. This is the core open source software that makes up the WordPress environment that you are using for your website. This software can be found and downloaded at the link below.
https://wordpress.org/

It is extremely important to keep the WordPress core files up-to-date in order to comply with ongoing web standards as well as to address any security concerns that may make your website vulnerable to attack. If you are not currently running the newest version of WordPress core, you are putting your website at risk and shouting out loud to hackers and other malicious software on the internet looking for websites to do their dirty deeds on.

Major upgrades usually happen two or three times a year and minor releases happen as needed. Depending on where your site is hosted, some hosting companies will automatically update your WordPress core. Below is a tentative update schedule for 2020 through 2021.


For a full list of every single WordPress core release that has ever been available you can visit the release archives at the link below.
https://wordpress.org/download/releases

👀 Let us take a brief trip down memory lane for a moment.

Just for some fun facts here, I wanted to include a brief WordPress history lesson. In 2002, Matt Mullenweg, a college student at the time, installed the b2/cafelog blogging system for personal use. Unfortunately, the original creator of b2/cafelog had to give up updating his creation because of personal matters, and the project and its community were left without a leader.

On April 1st, 2003, Matt created a new branch of b2 on SourceForge by forking the original b2/cafelog system to create his own version with the help of Mike Little. Matt’s friend, Christine Tremoulet recommended calling it WordPress and that’s the name they stuck with. After hundreds (maybe thousands) of commits to the official SVN repository, the first version, WordPress 0.7 was released on May 27th, 2003.

WordPress 1.0 was released in January 2004: otherwise known as the ‘Davis’ version. Mullenweg has an affinity for jazz greats. He names all updates after Jazz greats from the past and today. In addition, Matt used to include a plugin called Hello Dolly in every release. This plugin is a long-standing tribute to Louis Armstrong.

Below is a great short video that explains why it is so important to update WordPress when an update is available. You can also check out another great article at the link below explaining the features and benefits of updating WordPress.
https://www.wpbeginner.com/beginners-guide/why-you-should-always-use-the-latest-version-of-wordpress/

👉 WordPress Plugin Updates
Plugins, plugins, plugins and did I mention plugins? WordPress plugins are the best friend and confidant in any WordPress environment. Plugins enhance and create functionality which adds value to your website.

I’m sure you already know by now that there are tons of plugins out there, and on average any given WordPress website is running 10 or more active plugins. The plugins actively in use on a WordPress website receive updates frequently.

Before I go into detail about these updates, what to look for and how to manage them, it is important to understand that plugins fall into two subcategories.

1. Free Plugins
These are the plugins most commonly used on a WordPress website. The majority of these plugins are either downloaded from wordpress.org or installed directly from the administrative area of your WordPress website. These plugins, like any plugins, are maintained and updated by the developer as they see fit to improve the functionality of their plugin or adapt the code within the plugin to stay up-to-date with changes to WordPress core itself. As the developer makes updates to their plugin, these updates are pushed out as notifications to WordPress users that a new version of the plugin they have installed is available.

According to wordpress.org there are over 58,000 free plugins available for download. See https://wordpress.org/plugins. I guarantee that this number changes often, as there are constant additions to the wordpress.org plugin directory thanks to the many talented and generous developers out there who create plugins to improve and enhance the WordPress experience.


The image below is a very familiar view for many WordPress users. You will see a bubbled number next to the words Updates and Plugins in your WordPress administrative area when there is a pending update that needs to be completed on a free WordPress plugin.

2. Premium Plugins
Now let’s talk about premium plugins. A premium plugin is a plugin that you have paid money to use. In most cases this is an upgrade to a free plugin that you are already using. The premium version of the free plugin gives you access to additional features that the free version does not include. The updating process for premium plugins can sometimes be different from the process you are used to with free plugins. Some premium plugins require you to manually upload the newest version of the plugin, which you can access in the account where you purchased the plugin. On the other hand, some premium plugins have the same update process as free plugins.

So now that I have explained the two subcategories of plugins, let’s get back to the main topic at hand here of preventing a WordPress malware infection. Failure to complete the updates that your plugins have pending is one of the most common reasons a WordPress website becomes infected. The majority of plugin updates that become available include security improvements that limit the vulnerability of your website to malicious activity. This is why completing your plugin updates is so extremely important. Not to mention that failure to complete your WordPress plugin updates can lead to functionality conflicts that would cause your website not to work properly.

Below is a short video showing you the easiest and most foolproof way to update the plugins on your WordPress website. Read about EASY updates at the link below.
https://www.wpfixit.com/update-wordpress-themes-and-plugins

👉 WordPress Theme Update
Your active WordPress theme is the group of files that make up the actual design of your website. Just like I talked about earlier with plugins, there are both free and premium themes.

At the date of this post, there were over 8,000 free WordPress themes available at wordpress.org.

Updates to themes will be visible in the WordPress administrative menu under Appearance > Themes. You can also find any theme updates under the WordPress administrative menu Dashboard > Updates. If you are using a free WordPress theme, the update process is pretty straightforward. You will be able to click an Update Now link in the Appearance area of your WordPress administrative menu or in your Dashboard > Updates area. You can see an example of each of these areas in the images below.

👌 APPEARANCE > THEMES

👌 DASHBOARD > UPDATES

Many WordPress users are not running their website using a free WordPress theme. In the majority of WordPress installations there is going to be a premium theme that is running. Most premium WordPress themes require a license activation code to be able to have access to update notifications which allow you to update the theme to the newest version directly from your WordPress admin area.

There are some premium WordPress themes that do not support update notifications inside your WordPress admin area. If this is the situation with the WordPress theme that you are actively using, it will require you to manually upload and update the active theme on your website.

Below is an in-depth article walking you through the many different ways to update a WordPress theme.
https://kinsta.com/blog/how-to-update-wordpress-theme

👋 SUPER IMPORTANT
If there are additional WordPress themes installed on your website that are not being used, delete them immediately. There is no reason to keep inactive WordPress themes inside your WordPress installation. Keeping them will definitely increase your vulnerability and decrease your ability to prevent WordPress malware.

So just to keep with the theme here of preventing a WordPress malware infection, keeping your WordPress theme updated to the newest version is always the best practice to limit the vulnerability on your website that hackers love to look for and target.

👉 WordPress Staging Update
So we have talked about keeping WordPress core updated, updating all of your installed plugins and making sure that your active theme is updated. The last area of updating that we will touch on here may not apply to all WordPress users.

Many WordPress users have a staging environment set up within the same hosting account as their production website, which they use to test different functionality and complete updates before pushing those updates to their production site.

Another common scenario is designing a new website or a development website on a subdomain within the same hosting account as a production site.

What we have seen often in our many years of removing infections from WordPress websites is that these staging or development environments are left dormant and their creators never complete the software updates in them. This can cause a very messy situation.

If you are not actively using your staging or development environment, delete it. If you are in need of your staging or development environment, make sure that you are maintaining all of the software updates in them just like you do on your production site. This includes all the update categories that we mentioned earlier in this article. Update WordPress core, update all of your installed plugins and make sure that the active theme is running the newest version.

We really cannot stress enough that if you are not actively maintaining your staging or development area, it will surely leave your entire hosting account vulnerable and it is just a matter of time before an infection arises.

Check out the link below that will show you some valuable staging site best practices.
https://www.uncannyowl.com/wordpress-staging-sites

So hopefully at this point in the article you understand intimately the importance of completing all of your WordPress software updates. Doing this is the first simple step to preventing WordPress malware. Remember that these updates are there for a reason and should not be ignored. If you were driving your car and the engine light came on that is the car’s software telling you that there is a problem that needs to be attended to. The same thing goes for all of those bubbled update numbers inside of your WordPress admin area. You must manage and maintain these to ensure that you are limiting the vulnerabilities in your WordPress website.


⚡️ RUN RECOMMENDED PHP VERSION – Preventing WordPress Malware

Not sure if you knew this, but there are actually hosting requirements that WordPress needs in order to function optimally.

WordPress runs on PHP (the server-side scripting language) and MySQL (the database management platform). Below are the requirements for the server environment:

– PHP (version 7 or higher).
– MySQL (5.6 or greater).
– URL rewrite capability: not required, but strongly recommended for friendlier URLs.
– HTTPS: not mandatory, but strongly recommended for secure communication between the server and your browser.

WordPress still supports PHP version 5.2.4+ and MySQL version 5.0, but because these versions have reached their official end of life, they are considered a security vulnerability.

Source: https://wordpress.org/about/requirements

PHP has something called an EOL, which stands for End Of Life. It means a release that is no longer supported. Users of such a release should upgrade as soon as possible, as they may be exposed to unpatched security vulnerabilities. Yes, security vulnerabilities. If your WordPress installation is using a version of PHP that has reached its end of life, you are really opening the doors and windows to hackers that want to get into your house and wreak havoc.

Below is a nice simple life cycle chart of PHP versions.

Source: https://www.php.net/supported-versions.php

Many of the popular and modern WordPress hosting companies are operating with the newest versions of PHP within their server environments. There are however still hosting companies out there that WordPress users are giving their money to each month which still do not provide the newest version of PHP as an option on the server.

👀 How to Check PHP Version
You may not even notice the PHP version when things are going fine. But some plugins need a certain version of PHP to work as intended. Let us take the popular WooCommerce plugin as an example. You need to have PHP version 5.6 or later in order to use the latest WooCommerce version. Otherwise your online shop may not work and you may lose revenue.


There are many ways to find the PHP version of your WordPress site:

  • The simplest way is to ask your host.
  • Use a plugin like Display PHP Version to see the version number in your dashboard under “At a Glance” section.
  • Use php.ini or phpinfo.php file to view the PHP version.
  • Check your cPanel under the statistics sidebar or use apps like “PHP Config”, “PHP Variable Manager” or similar. Remember that each folder on your account can have a different PHP version, so look for the folder that holds your WordPress installation.
  • Most of the commercial themes and some of the plugins will have the option to check the server status like PHP version, memory limit, etc. For example, if you are using WooCommerce, you can view the PHP version under “WooCommerce > System Status” menu as shown below:

The latest WordPress versions include a feature called Site Health. It shows a warning message in the Dashboard section when you are using a deprecated PHP version, as shown below.

You can go to the “Tools > Site Health > Info” section to find the PHP version used on your site. You will see a warning message under the “Status” tab when using a deprecated version.
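As an added example (not WP Fix It's code), here is a small must-use plugin that checks the requirements listed above from inside WordPress and shows administrators a notice when PHP or MySQL is below the stated minimums or the admin area is not on HTTPS. The constant and function names are this example's own; the check lives in a plain function so it can also be called from `wp eval` or a test.

```php
<?php
/**
 * Plugin Name: Requirements Check (added example, not WP Fix It code)
 * Description: Warns administrators when PHP or MySQL is below the minimums
 *              listed above, or the site is not served over HTTPS.
 *              Drop this file into wp-content/mu-plugins/.
 */

// Minimums as listed on this page; the constant names are this example's own.
const WPFI_EXAMPLE_MIN_PHP   = '7.0';
const WPFI_EXAMPLE_MIN_MYSQL = '5.6';

/**
 * Return human-readable problems; an empty array means the server is fine.
 * Kept as a plain function so it can also be run with `wp eval` or a test.
 */
function wpfi_example_check_requirements( $php_version, $db_version, $is_ssl ) {
    $problems = array();
    if ( version_compare( $php_version, WPFI_EXAMPLE_MIN_PHP, '<' ) ) {
        $problems[] = sprintf( 'PHP %s is below the minimum %s.', $php_version, WPFI_EXAMPLE_MIN_PHP );
    }
    // $wpdb->db_version() returns only the numeric part, e.g. "5.7.42" or "10.6.12" (MariaDB).
    if ( version_compare( $db_version, WPFI_EXAMPLE_MIN_MYSQL, '<' ) ) {
        $problems[] = sprintf( 'MySQL %s is below the minimum %s.', $db_version, WPFI_EXAMPLE_MIN_MYSQL );
    }
    if ( ! $is_ssl ) {
        $problems[] = 'The admin area is not being served over HTTPS.';
    }
    return $problems;
}

add_action( 'admin_notices', function () {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators can act on this, so only show it to them
    }
    $problems = wpfi_example_check_requirements( PHP_VERSION, $wpdb->db_version(), is_ssl() );
    foreach ( $problems as $problem ) {
        printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $problem ) );
    }
} );
```

The notice only tells you the server is out of date; the actual PHP upgrade is done in your hosting control panel, as described in the list above.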

We would like to just summarize and restate what we said in the beginning of this portion related to PHP updates. Running your WordPress website in a hosting environment that is using an end of life cycle version of PHP is a very dangerous game to play. This is an extremely vulnerable point of attack for any hacker or suspicious script that wants to get into your website files and database.

Make sure that you take action immediately to verify what version of PHP your hosting environment is running and, based on that information, take the appropriate steps to ensure that you are running on the newest version. Doing so will make sure that you are taking a necessary step in preventing a WordPress malware infection.


⚡️ MANAGE ACCOUNT ACCESS – Preventing WordPress Malware

There is absolutely no way we would let you escape the grips of this article without talking about account access in relation to your WordPress installation. Right away you may be thinking that this is just the login information for your WordPress administrative area. Yes, that is one piece of managing account access, but there are many other accounts related to your WordPress website which, if you do not manage their access properly, can cause vulnerabilities and lead to a WordPress malware infection.

Let us break down the different levels of access that every WordPress installation has.


🔒 WordPress Admin Login
This is the area of your WordPress installation that you are probably most familiar with. This is the place where you actually log into the administrative area of your WordPress website to manage your content and your website settings.

WordPress uses a concept of Roles, designed to give the site owner the ability to control what users can and cannot do within the site. A site owner can manage the user access to such tasks as writing and editing posts, creating Pages, creating categories, moderating comments, managing plugins, managing themes, and managing other users, by assigning a specific role to each of the users.

WordPress has six pre-defined roles: Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role is allowed to perform a set of tasks called Capabilities. Below is the breakdown for the six predefined roles that are included in WordPress.

Super Admin – somebody with access to the site network administration features and all other features. See the Create a Network article.
Administrator – somebody who has access to all the administration features within a single site.
Editor – somebody who can publish and manage posts including the posts of other users.
Author – somebody who can publish and manage their own posts.
Contributor – somebody who can write and manage their own posts but cannot publish them.
Subscriber – somebody who can only manage their profile.

Check out the link below for a detailed breakdown of WordPress user roles.
https://themeisle.com/blog/wordpress-user-roles/
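As an added example, not code from WP Fix It, the following script lists every account that holds a capability with which site code or other accounts can be changed, so an unexpected administrator (or a lower role that has been granted extra rights) stands out when you review access. Which capabilities count as privileged, and the function names, are this example's own choices; it uses only core WordPress functions and can be run against a site with `wp eval-file audit-privileged-users.php`.

```php
<?php
/**
 * Added example (not WP Fix It code): report every account that holds a
 * high-impact capability. Run inside WordPress, e.g.:
 *   wp eval-file audit-privileged-users.php
 */

// Capabilities whose holders can change code or other accounts. Treating
// exactly these as "privileged" is this example's own choice.
const WPFI_EXAMPLE_PRIVILEGED_CAPS = array(
    'manage_options',  // change site settings (Administrator)
    'install_plugins', // add new code to the site
    'edit_plugins',    // edit plugin files from the admin area
    'edit_themes',     // edit theme files from the admin area
    'create_users',    // add further accounts
    'edit_users',      // change other accounts, including their passwords
);

/**
 * Return an array keyed by login -> details of the privileged caps held.
 * user_can() resolves role capabilities plus any caps added per user.
 */
function wpfi_example_audit_privileged_users() {
    $report = array();
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        $held = array();
        foreach ( WPFI_EXAMPLE_PRIVILEGED_CAPS as $cap ) {
            if ( user_can( $user, $cap ) ) {
                $held[] = $cap;
            }
        }
        if ( $held ) {
            $report[ $user->user_login ] = array(
                'roles'      => $user->roles,
                'caps'       => $held,
                'registered' => $user->user_registered,
                'email'      => $user->user_email,
            );
        }
    }
    return $report;
}

// Print one line per privileged account; compare against the people you
// actually expect to have this level of access.
foreach ( wpfi_example_audit_privileged_users() as $login => $info ) {
    printf( "%-20s roles=%-14s registered=%s email=%s caps=%s\n",
        $login, implode( ',', $info['roles'] ), $info['registered'],
        $info['email'], implode( ',', $info['caps'] ) );
}
```

On a site with thousands of users, pass a `number` and `paged` argument to `get_users()` and loop, since the call above loads every account at once.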


🔒 Hosting Account Login
Your hosting account is the company that you pay to store and serve the files and content of your WordPress website. It is important that you have this information and have control and access to your hosting environment. It is also equally important that there are not any other users that have this access without your knowledge as this gives an individual full control over every aspect of your website.


🔒 FTP Credentials
FTP stands for File Transfer Protocol. It is a way of connecting to your server so you can access the files located in the hosting environment. Many times FTP credentials are created when your hosting account is set up.

FTP access is also a very dangerous thing for anybody to have, as it gives the ability to edit, change or delete files on your server. It is very important that you understand where these credentials are located and also manage who actually has access to them.


🔒 Database Credentials
Your database is the area of your website that stores all of the content displayed on your WordPress website. This is also where all the settings for the functionality of your website and the design settings are stored.

Most hosting environments offer a phpMyAdmin interface to manage database entries. These credentials should always be kept private and only given to individuals you trust not to cause any harm.

Enforce Strong Passwords
One of the biggest vulnerabilities, and one of the most common reasons a WordPress website gets hacked, is the use of weak passwords. We cannot tell you how many times we have seen WordPress users whose password is set to the actual word “password”.

Just taking a simple common-sense approach to creating strong passwords will enhance your WordPress security tenfold. Doing this simple step is key in preventing WordPress malware.

There are many free online tools that will generate strong passwords for any account that you have. One of our favorites is a tool by LastPass which you can check out at the link below and generate highly secure passwords.
https://www.lastpass.com/password-generator

Schedule Password Changes
Another very simple and powerful password strategy for preventing WordPress malware is to schedule password changes. What we mean by this is that every three months, or at an interval of your choice, you change the passwords of the accounts related to your website. This adds another level of security to your WordPress installation.

If you are running an e-commerce website or a social networking website where you have many users that have accounts within your WordPress installation, you can use a mass password change plugin to have the passwords of all your user accounts changed. You can check out the details of this free plugin at the link below.
https://wordpress.org/plugins/mass-users-password-reset
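The two password practices above, strong passwords and scheduled changes, as one must-use plugin, added here as an example and not WP Fix It's code. The policy rules, the 90-day interval and the user-meta key are assumptions made for the example; the hooks it attaches to are core WordPress ones.

```php
<?php
/**
 * Plugin Name: Password Policy (added example, not WP Fix It code)
 * Description: Rejects weak passwords and blocks logins once a password is older than the chosen interval. Drop into wp-content/mu-plugins/.
 */
const WPFI_EXAMPLE_MIN_LENGTH   = 12;
const WPFI_EXAMPLE_MAX_AGE_DAYS = 90; // "every three months" from the text above
const WPFI_EXAMPLE_META_KEY     = 'wpfi_example_pw_changed'; // this example's own user-meta key

// Policy rules are this example's own choice: length, three character
// classes, not containing the login name, not on a short deny list.
function wpfi_example_password_problems( $password, $login ) {
    $problems = array();
    if ( strlen( $password ) < WPFI_EXAMPLE_MIN_LENGTH ) {
        $problems[] = sprintf( 'must be at least %d characters', WPFI_EXAMPLE_MIN_LENGTH );
    }
    $classes = preg_match( '/[a-z]/', $password ) + preg_match( '/[A-Z]/', $password )
             + preg_match( '/[0-9]/', $password ) + preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        $problems[] = 'must mix at least three of lower case, upper case, digits and symbols';
    }
    if ( $login !== '' && stripos( $password, $login ) !== false ) {
        $problems[] = 'must not contain the user name';
    }
    if ( in_array( strtolower( $password ), array( 'password', 'password123', 'wordpress' ), true ) ) {
        $problems[] = 'is on the deny list';
    }
    return $problems;
}

// Enforce the policy on admin-area profile saves and new-user creation ...
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // this request does not change the password
    }
    foreach ( wpfi_example_password_problems( $user->user_pass, (string) $user->user_login ) as $p ) {
        $errors->add( 'weak_password', 'Password ' . $p . '.' );
    }
}, 10, 3 );
// ... and on the "lost password" reset form.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && $user instanceof WP_User ) {
        foreach ( wpfi_example_password_problems( wp_unslash( $_POST['pass1'] ), $user->user_login ) as $p ) {
            $errors->add( 'weak_password', 'Password ' . $p . '.' );
        }
    }
}, 10, 2 );

// Stamp the change time whenever a password is actually replaced.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $fresh = get_userdata( $user_id );
    if ( $fresh && $fresh->user_pass !== $old_user_data->user_pass ) {
        update_user_meta( $user_id, WPFI_EXAMPLE_META_KEY, time() );
    }
}, 10, 2 );
add_action( 'after_password_reset', function ( $user ) {
    update_user_meta( $user->ID, WPFI_EXAMPLE_META_KEY, time() );
} );

// Priority 25 runs after core has verified the password (priority 20), so a
// WP_User here means the credentials were correct; now apply the age rule.
add_filter( 'authenticate', function ( $user ) {
    if ( ! $user instanceof WP_User ) {
        return $user;
    }
    $changed_at = (int) get_user_meta( $user->ID, WPFI_EXAMPLE_META_KEY, true );
    if ( $changed_at === 0 ) { // no record yet: start the clock rather than lock everyone out
        update_user_meta( $user->ID, WPFI_EXAMPLE_META_KEY, time() );
        return $user;
    }
    if ( ( time() - $changed_at ) > WPFI_EXAMPLE_MAX_AGE_DAYS * DAY_IN_SECONDS ) {
        return new WP_Error( 'password_expired', 'Your password is older than ' . WPFI_EXAMPLE_MAX_AGE_DAYS . ' days. Please reset it before logging in.' );
    }
    return $user;
}, 25 );
```

Because the age check sits on the `authenticate` filter, it also applies to application-password logins used by integrations, so test those before deploying to a store or membership site.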


Let Us Summarize – Preventing WordPress Malware

We really hope that the 3 simple actions below, which we have outlined in this article for preventing WordPress malware, have given you greater confidence in the security of your WordPress website.

⚡️ UPDATE YOUR WORDPRESS SOFTWARE
⚡️ RUN RECOMMENDED PHP VERSION
⚡️ MANAGE ACCOUNT ACCESS

If you have any questions at all about what you have read here please drop us a comment below and we will get those questions answered quickly.
