I have been building WordPress sites for the past 8 + year. In that time, I have seen my share of WordPress sites that have been infected. WordPress is the most widely used platform on the internet. This presents itself as a target for those looking to exploit any vulnerabilities. I will outline some good preventive strategies as well as steps you can take after your website has been infected.

Preventative Measures to Protect Your WordPress Site

They say the best defense is a good offense. This is the case when it comes to dealing with the prevention of your WordPress website(s) from being infected with a virus.  I will outline some of the steps I have taken / recommended with my clients over the years.

Picking a Better WordPress Host

The prevention and security of a WordPress site starts with the host. I am a big fan of WPEngine , but many of the WordPress dedicated hosting services have the infrastructure in place that seem to prevent if almost eliminate the rate of infected WordPress websites. The advantage with WPEngine is the ease to restore a backup from a working & uninfected copy.   In the 4+ years I have been using WPEngine; I have not seen a website become infected that has been hosted with them. This is over hundreds of websites.

Avoiding Unnecessary Plugins / Heavy Themes

The more code on your website, the more opportunities for a virus or malware infection. I recommended building on a lightweight theme or framework and minimizing the number of plugins being used. In many cases I see plugins being used where natural WordPress would handle the functionality. It is also critical to ensure that any plugins being used have regular updates. A plugin that is not compatible with that latest version of WordPress.

Keeping WordPress Core / Themes / Plugins / PHP Updated

A preventative step to ensure you website does not become infected with a virus / malware is to ensure the website is being updated regularly. I recommenced at least updating plugins once a month. The theme / PHP and WordPress core update, will depend on the version currently being utilized. I generally recommend waiting for a week or two prior to upgrading a WordPress version. It is critical to make sure you do backups prior to any upgrade.

Securing Your WordPress Website with Software

Once you have your WordPress site on a secure host, the next thing you will want to consider is securing the installation. WordPress by default leaves itself vulnerable for being exploited by hackers.  Changing the database name and location of the administrative login minimizes the risk of your website being compromised.

I have found there are a few of these security plugins that adequately deal with securing the WordPress platform. The most popular is this category is iThemes Security (formerly Better WP Security). These types of plugins allow you to secure your WordPress installation from a “Dashboard environment”. Another option is the All In One WordPress Security and Firewall Plugin. This is the plugin I have used on my website. Here is a sample video of the dashboard.

Dealing with a WordPress Website That is Infected with a Virus / Malware

The first step when you suspect that your WordPress site is in infected with a virus is to test the website. I use Sucuri to detect a virus / malware infection.  A good alternative is to scan the website with a security plugin such as Wordfense.

Once it is determined your WordPress website is infected with a virus, you will need to determine the appropriate course of action. I have broken down the three most likely course of actions you can take.

1 – Restore from Backup
Restoring from backup can be an easy solution to an infected WordPress website. You will need to consider any data that will get lost during the restore process. The problem I have found is that in many cases the issue pre-dates an uninfected copy.  Even with multiple backups this can make determining what instance is uninfected very challenging.

2 – Attempt to Remove Manually
Another option is to reinstall the WordPress core and attempt to scan and remove any virus entries from the files / database. The catch with this method is that in many cases the virus will live inside plugins / theme files that are very hard to detect. If this method is being used, it should be done under the agreement that if manually attempting to remove the virus does not work, you move on to option #3 (Third Party Virus Removal ).

3 – Third Party Virus Removal
Using a 3rd party that specializes in the removal of website viruses is the best way to ensure that your website is running in the shortest amount of time. My previous recommendation was to attempt a manual removal up to two times before seeking 3rd party help.  My current recommendation is to seek immediate remediation from a company like Suciri. The cost is between $199 to $499 per year. This ensures that it will be taken care of by professionals that who specialize in virus removal.


Keeping your website virus and malware free not only will make sure you don’t have a frustrated customer base , but search engines can penalize your website if malware is detected. Most of the preventive steps I have discussed are well within the capabilities of someone with a basic knowledge of WordPress. Feel free to contact me with any questions , comments and / or concerns.

Visit Us
Follow Me