How to secure your WordPress website from malware attacks?


WordPress is the largest and fastest-growing community of website designers and developers, powering millions of websites across the web, from a simple blogger to large corporations. The software is open source and secure, but some hackers still find ways to attack websites with different tactics and malware. So it is essential to look at how one can secure a website from these malware attacks.

Professionals across the web report numerous instances where website owners have suffered link injection and JavaScript and PHP code injection. So let's discuss how one can secure a website from these malware attacks.

Update your WordPress regularly
Most of the time, vulnerabilities arise from an outdated WordPress installation, so whenever you see the “Update Available” message in WordPress, update it. If you are worried about losing website data, make a backup before installing the update.

Plugins & theme
Install plugins and themes only from trusted sources and, once installed, keep them up to date, because an outdated plugin or theme is like a back door into your home. If you have plugins you do not use, uninstall them.

Username & password
WordPress lets you easily grant permissions and access to other user accounts. It is common to find the username “admin” combined with a simple password. Instead, use a unique username and a password that is hard to guess (a combination of letters, numbers and special characters). You should change your FTP, SFTP and SSH passwords at regular intervals as well.

Scan your computer with antivirus
Scan your computer regularly with a trusted antivirus product.

File & Folder Permission
On a computer filesystem there are three types of permission, which specify who can read, write/modify or execute a file. If they are too loose, they can easily be exploited by hackers.

Let's understand this with an infographic:

As per the infographic, there are three categories: self, group and public.

Self – You, the owner of the file: your own access to your website.
Group – You and possibly some others.
Public – Everyone across the web.

These permissions are represented by numbers:
Read – 4
Write/Modify – 2
Execute – 1

They can also be added up: 7 means 4+2+1, i.e. one can read, write/modify and execute the file.

So a file permission of 777 means hackers, and therefore malware, can easily get into your website. You should set these permissions according to your requirements, but if you ask professionals, they will suggest setting files to 644 and folders to 755.

644 means:
6 = 4+2= Read+Write (Self)
4 = Read (Group)
4 = Read (Public)

755 means:
7 = 4+2+1 = Read+Write+Execute (self)
5 = 4+1 = Read+Execute (Group)
5 = 4+1 = Read+Execute (Public)
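The following script is an added example (not code from the original article) that turns the 644/755 recommendation above into a check an administrator can run from the shell on the web server. It assumes a POSIX shell with find(1) and chmod(1), and the WordPress root path is passed as an argument (a placeholder, not a path from the article). It reports every file that is not exactly 644 and every folder that is not exactly 755, separately lists anything world-writable (the 777 case the article warns about), and can enforce the recommended modes.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the article's recommendation
# of 644 for files and 755 for folders. Not part of the original article.
# Assumes POSIX find(1)/chmod(1); the WordPress root is a placeholder path.

# Print "file PATH" for every file not exactly 644 and "dir PATH" for every
# directory not exactly 755. Prints nothing when the tree is compliant.
# Note: this is an exact-match policy, so a deliberately stricter mode on a
# single file would be reported too; review the list before fixing.
wp_perm_audit() {
    root="$1"
    find "$root" -type f ! -perm 644 -exec printf 'file %s\n' {} \;
    find "$root" -type d ! -perm 755 -exec printf 'dir %s\n' {} \;
}

# World-writable entries (the 777 case): any account on the host, including
# a compromised neighbouring site, can modify these. The most urgent finding.
wp_perm_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002
}

# Enforce 644/755. Two find passes rather than a recursive chmod so the
# execute bit is set on directories only and never added to files.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Number of deviations; a cron job can alert when this is non-zero.
wp_perm_violations() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Usage: ./wp-perms.sh /path/to/wordpress [--fix]
if [ "$#" -gt 0 ]; then
    echo "World-writable entries:"
    wp_perm_world_writable "$1"
    echo "Entries deviating from 644/755:"
    wp_perm_audit "$1"
    if [ "${2:-}" = "--fix" ]; then
        wp_perm_fix "$1"
        echo "Fixed; remaining deviations: $(wp_perm_violations "$1")"
    fi
fi
```

Run it without `--fix` first and read the report: uploads directories that a plugin has opened to 777 are the usual finding, and the fix pass closes them without touching file ownership.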

Protecting the wp-config.php
This file contains very sensitive information about your database and secret keys, and it is essential for the website. Whenever you upload wp-config.php, use only SFTP or FTPES so the data is sent to the server in encrypted form.

Back up your data regularly
Back up your website data regularly.
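As an added example of what a regular backup looks like in practice (this script is not from the original article), the routine below archives the whole WordPress tree and dumps the database. It reads the database name, user and host from wp-config.php, the file the previous section describes as holding the database details, so the dump always matches the site. All paths are placeholders; it assumes tar(1), gzip(1) and mysqldump(1) on the host, with the database password supplied through ~/.my.cnf rather than on the command line.

```shell
#!/bin/sh
# Added example: minimal WordPress backup routine. Not part of the original
# article. Assumes tar(1), gzip(1) and mysqldump(1); paths are placeholders.

# Extract the value of a define('KEY', 'value') line from wp-config.php.
# $1 = path to wp-config.php, $2 = key such as DB_NAME. Tolerates the
# spacing and quote styles WordPress itself writes.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Archive the site tree and dump its database into $2, both timestamped.
# Prints the archive path so a wrapper script can copy it off the host.
wp_backup() {
    root="$1"; out="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$out"
    archive="$out/site-$stamp.tar.gz"
    # -C so the archive holds relative paths and restores anywhere.
    tar -czf "$archive" -C "$root" .
    # The archive includes wp-config.php and its secrets: owner-only access.
    chmod 600 "$archive"

    db=$(wp_config_value "$root/wp-config.php" DB_NAME)
    user=$(wp_config_value "$root/wp-config.php" DB_USER)
    host=$(wp_config_value "$root/wp-config.php" DB_HOST)
    if command -v mysqldump >/dev/null 2>&1; then
        # Password comes from ~/.my.cnf, never the command line, so it does
        # not show up in process listings.
        dump="$out/db-$db-$stamp.sql.gz"
        mysqldump -h "$host" -u "$user" "$db" | gzip > "$dump"
        chmod 600 "$dump"
    else
        printf 'mysqldump not found; database %s not dumped\n' "$db" >&2
    fi
    printf '%s\n' "$archive"
}

# Usage: ./wp-backup.sh /var/www/wordpress /var/backups/wordpress
if [ "$#" -eq 2 ]; then
    wp_backup "$1" "$2"
fi
```

Schedule it from cron and copy the resulting files to storage the web server cannot write to; a backup that sits next to the site is lost or encrypted together with it when the site is compromised.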