Quick Guide To Protect Your WordPress Website
Many people hear the word hack and think about someone sitting in a dark basement in a hoodie, entering code into a command line, targeting a website by broken firewalls, and bypassing safety bots as if they were a supervisor on the run until the site is broken down and removed.
But that’s not the truth. In fact, a hack is usually malware that has been slightly inserted into the server of your website by a bot that found some sort of vulnerability. And beyond that, there’s a good chance you don’t even know if your site has been hacked (read: infected with hidden malware).
But we’re here to help ensure that you can clean it up with a malware scan of WordPress.
Let’s get to it!
How does Malware get into the system?
In a number of ways, hackers can access your website. One of the most common is a brute force attack in which a botnet tries various username/password combinations until you work and allow them to work. Once you have access to your site, you can do what you want and install any malicious code.
It could be installed from a file you have downloaded to your local machine which contains malware that has gone to your server. You might even (accidentally, of course) have clicked on a phishing link or were redirected to one that seemed legitimate via a compromised website.
There are even entire networks of WordPress websites with specific vulnerabilities searching the internet. As with outdated plugins, themes with specific, unpatched exploits, servers running old PHP versions, etc.
Having hidden malware on your website could lead to an action, which caused it to be installed, but not always. At some point, these things happen to us all, and we do not want you to beat yourself too badly if it does. Because although it is certainly not a good event, it is still possible to follow the right steps. Which we’ll take you through now.
Select your anti-malware plugin
Whether you believe you have hidden malware on your site or not, the first step is to select antimalware. For WordPress users, WordFence and Sucuri are two of the top choices. Both are tried and tested to protect WordPress websites. And both offer stellar free versions, with the most advanced premium versions, which tens of thousands of users believe.
With either, you can’t really go wrong. But we’ll use WordFence as an example for this article.
You may also select some external URLs such as VirusTotal.
These types of services run your URL and public files via different databases. These index URLs show whether they are tagged as compromised or suspicious. Either WordFence or Sucuri can help you to fix it in the following steps if you do not come clean.
How to scan your website to find malware?
Whatever the external sites say, you’re going to have a malware scan with a WordPress plug-in to go deep into your filesystem. We will use WordFence for this example, as we said earlier. It can be downloaded from the WordPress.org repository and installed.
The standard WordFence dashboard you see is pretty helpful and is displayed in your WP admin panel under WordFence – Dashboard. You can see up to that point a summary of the protection, the number of scans, the number of questions in the latest scan and more.
When you go into WordFence – Scan, you see a lot of data. But it’s easy to digest once you know what you’re looking at.
When you press the Start New Scan (2) button, WordFence works its way through a timeline (3) of various criteria. (We say timeline because it checks in this order.) After the scan, you see a detailed log of results in the Results Found (4) tab, and the actions you can take to the right (5).
How to Deal with Malware Scan Results
Once you see your results, it’s time to parse and take action on them. But even before that, you have to know what it’s saying.
If you see a message labeled High Priority with a red dot (6), you need to take a look at it ASAP. Especially if you see it saying there is an unknown file in WordPress core. That is bad news. Luckily, WordFence lets you Delete All Deletable Files (5) with the click of a button.
You should always back up your site before doing that, however, just to make sure that you’re not removing anything necessary. WordFence even reminds you to do so.
Once that’s done, press Delete Files to take care of them with WordFence. Your site should be free of hidden malware at this point. If you want to check even more deeply, scan with Sucuri to see if something is missing from WordFence. You can also subscribe to one of the premium versions to obtain a deeper scan.
The files infected with malware are gone. You only have to deal with problems that are less pressing and most likely not related to malware. (Although in their own way they are just as important).
In this case, the version of WordPress is outdated (9). WordFence warns because outdated versions of WP can contain serious problems with security that have not yet been patched. If you’re out of date, you’re a malware sitting duck. WordFence also tells you that plugins and theme versions are outdated (10). For the same reason.
Note that the main update of WP is a high priority. The updates to the plugin are medium. This is because the people behind WordPress are much more likely to target the core of the software everybody uses. Not a single plugin or topic that is only useful in comparison. However, it is worth keeping an eye on it.
Wrapping up with WordPress malware scanning
Malware, hacking, viruses, brute force attacks… they’re all scary, but they’re all very easy to handle. If you keep calm and run a few scans, you can manage any malicious code on your site.
The security professionals are up to date with all the latest threats and we are all able to trust them and their plugins to protect us, our machines, and our livelihoods. So you can scan your WordPress site for malware quickly and press the button and rest and know that your site is as clean as the day that it is installed.