Protect Wordpress Website from Malware

WordPress website becomes vulnerable due to the following reasons:

1. WordPress is not updated
2. Plugins are not updated
3. The administrator username passwords are too easy.
4. The computer used to administer the WordPress site (Admin area & cPanel/FTP) is itself infected to viruses.
5. Use of nulled / pirated templates or Plugins – in which codes are embedded which gives the hacker the access.
6. Presence of other hacked script/website in the same hosting account.
7. Unsecured Web hosting. (Poorly configured server, easy guessable passwords etc.).

Some of the basic steps to be followed in WordPress to prevent malware attacks in websites.

1. Change the database prefix from default wp_ to obscure like asdfadsfa894sdms_ that no script or person could guess.

2. Change your security keys in wp-config.php file after installation. The WordPress salt keys will also make harder to break your password 

2. Keep WordPress updated

3. Disable plugin and theme editor

4. Using Correct File Permissions

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

5. Protect wp-config file using htaccess

      <files wp-config.php>

       order allow,deny

       deny from all


6. wp_includes directory has important files required to run the wordpress . Protect it using .htaccess with the codes

        # Block the include-only files

        <IfModule mod_rewrite.c>

        RewriteEngine On

        RewriteBase /

        RewriteRule ^wp-admin/includes/ - [F,L]

        RewriteRule !^wp-includes/ - [S=3]

        RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

        RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

        RewriteRule ^wp-includes/theme-compat/ - [F,L]


7. Protect your wp-uploads folder. The upload folder contains media files. If you find any file with extention of .php then your site is hacked.     Create a new htaccess file with the below code and save it in uploads directory.

        order deny,allow

        deny from all

        <files ~ ".(xml|css|jpe?g|png|gif|js)$">

        allow from all

8. Disable directory browsing in .htaccess

    # disable directory browsing
    Options All –Indexes

9. To prevent script injection add the following in the htaccess

      # protect from sql injection

      Options +FollowSymLinks
      RewriteEngine On
      RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
      RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
      RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
      RewriteRule ^(.*)$ index.php [F,L]

10. Install malware protection plugins like Sucuri and WordFence to protect your website from further infection.