According to Wikipedia, malware is “software used or programmed by attackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems.” So you know that this is a bad thing. You definitely want to know how you get infected with malware so you can try to prevent it. There are many ways that you can get malware on your WordPress site.
Malware Cause #1 – Outdated WordPress
Sometimes it seems like every time you turn around, you are being told that there is a new version of WordPress and you need to update now. I know it is a pain, but you really need to keep your version of WordPress up to date. New versions of WordPress often include fixes for vulnerabilities.
Malware Cause #2 – Themes
When I first started out, I would do Google searches of free WordPress themes. I came across some pretty cool ones, but how safe were they? Some of these themes can include security loopholes or just be outdated. You need to be wary of free themes that are not available through WordPress.
Malware Cause #3 – Plugins
You need to take the same care with free plugins from outside of WordPress as well. You can still run into problems with plugins that you find through WordPress, but the risk is lower. Of course, your paid plugins are not found in WordPress.
Malware Cause #4 – Admin Username
By default, a lot of automatic installations of WordPress set up your admin account with the username admin. This is a no-no that I committed with my first WordPress site. There are programs out there that will try to log in as an administrator on your site using the username admin and randomly generated passwords. If your admin account has the username admin, create another admin account with a username other than admin. Log in as that new admin user and delete the original account. You will be prompted to transfer all assets to the new admin user.
Malware Cause #5 – Uploads Directory
Your uploads directory has to have write access; however, there are ways to make it more secure. If you don’t secure it, someone can execute PHP code from it. Because PHP is executable code, all kinds of things can then be done to your website.
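One way to secure the uploads directory, as an added example that is not part of the original article: the script below lists PHP-type files under uploads and appends a rule that makes the web server refuse requests for them. It assumes an Apache 2.4 server that honours .htaccess files; the function names and the demo files are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes Apache 2.4 with
# .htaccess overrides enabled; all function names here are illustrative.

# List files under uploads dir $1 with extensions commonly mapped to PHP.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Heuristic: succeed if $1/.htaccess already carries a deny directive.
uploads_blocks_php() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq 'require all denied|deny from all' "$1/.htaccess"
}

# Append a rule refusing requests for script files; uploads stay writable.
harden_uploads() {
    cat >> "$1/.htaccess" <<'EOF'
# Media only: refuse direct requests for PHP-type files in this directory
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Report findings; exit status 0 means no script files were found.
audit_uploads() {
    hits=$(find_php_in_uploads "$1")
    [ -z "$hits" ] || printf 'Script files in uploads:\n%s\n' "$hits"
    uploads_blocks_php "$1" || echo "No PHP deny rule in $1/.htaccess"
    [ -z "$hits" ]
}

# Constructed sample tree: one image and two planted script files.
make_demo_uploads() {
    d=$(mktemp -d) && mkdir -p "$d/2024/01" &&
        : > "$d/2024/01/logo.png" &&
        : > "$d/2024/01/cache.php" &&
        : > "$d/2024/01/photo.jpg.PHTML" &&
        echo "$d"
}

# Usage: sh audit_uploads.sh /path/to/wp-content/uploads
if [ -n "${1:-}" ]; then
    audit_uploads "$1"
fi
```

Any file the audit lists deserves a manual look, since an uploads directory normally holds media files only.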
Even with precautions, there are still times when your site gets infected with malware. If this happens, you need to get rid of it as soon as possible. Google routinely blacklists sites that are infected with malware. If you are blacklisted, a warning message will be displayed when your site is searched for in the search engines.
You can manually try to get rid of malware or use a tool. I use a WordPress plugin to clean my site of malware as well as perform 1-click hardening to prevent it. This free WordPress plugin is included as part of the Top WordPress Plugins For Business course.