
Malware on WordPress - adding security

Modern technology has made life more convenient for everyone, including malicious individuals. In fact, the digital age has amplified their attacks. Ranging from piracy, fraud and identity theft to security breaches and hacking, cybercrime seems unstoppable.

As the owner of digital assets, you need to strengthen your online security. This article lists various ways to protect your WordPress site. You can choose free tools, paid tools, or both.

Important Note: Some advice requires changes to your files. Please back up beforehand.

Table of Contents

Free Security Tools

Paid Security Tools

Update WordPress

Developers regularly maintain and update WordPress (plugins, core, themes) to improve security, reliability and features. Generally, minor updates are installed on your site automatically. You only have to update manually for major releases.

While it may seem taxing, updating WordPress is imperative for your site’s stability and security. Outdated sites are more susceptible to malware, viruses, worms, etc.

Here are some articles that will help you update WordPress safely:

Secure Login Credentials

An administrator’s username and password give full access to your WordPress dashboard, so both credentials deserve extra protection. The same is true for the other users (editor, author, contributor, subscriber, etc.): despite their limited access to the dashboard, extra protection is still necessary. In addition, user permissions should be assigned correctly to ensure that every login is authorized.

To secure your login credentials, take these extra measures:

  • Change default admin username
  • Use a strong password
  • Assign correct user permission

By default, WordPress assigns admin as the administrator username. However, a username is half of your login credentials, so keeping the default username puts cybercriminals one step closer to your dashboard. These days, you can customize the username upon installation, or you can change the default username from your dashboard.

A password, on the other hand, is your authorization key. If chosen poorly, it opens the door to malicious individuals. Make sure to use a combination of uppercase and lowercase letters, numbers, and symbols. If your password is not strong enough, change it immediately.

Here are helpful articles to reset your WordPress password successfully:

Lastly, WordPress provides a system to manage user roles. If you want, you can create your own user roles in addition to, or instead of, the five default user roles. Just make sure that you give each user the right access. The default roles are limited to the following access:


  • Administrator: Full control over the site.
  • Editor: Full control over all content.
  • Author: Managing and publishing own posts.
  • Contributor: Writing and managing, but not publishing, own posts.
  • Subscriber: Managing own profile.

Disable File Editors

Two built-in code editors come with the WordPress dashboard, one for your plugin files and one for your theme files. Both editors give unrestricted access to those files. Despite their convenience, they can wreak havoc on your site in the hands of the wrong or unskilled individuals.

If you want to add security to your site, it is recommended to disable these editors. Here’s a step-by-step guide to disable file editors correctly:

  1. Click on My Account at the top of this page.
  2. Select Hosting Manager from the drop-down menu.
  3. Enter your username and password, and click Log In.
  4. On the Home page, click the Files icon, or the [ v ] arrow symbol on the right side, and then click Files Manager.
  5. Select Web Root (public_html/www), then click Go.
  6. Right-click on the wp-config.php file, then select Edit.
  7. A code editor will display, just click Edit.
  8. Insert the following code at the bottom:
        /** Disable File Editor */
        define( 'DISALLOW_FILE_EDIT', true );
  9. Click Save Changes.

    Important Note: Moving forward, you can only modify plugin and theme files using an FTP client or from the cPanel.

Disable the Directory Browsing

Directory browsing allows other individuals to examine your files, copy your images, and learn your site’s structure and other relevant information. This gives an advantage to people who want to gain access to your site. Therefore, it is recommended that you disable directory browsing.

Here’s a step-by-step guide to turn off directory browsing:

  1. Click on My Account at the top of this page.
  2. Select Hosting Manager from the drop-down menu.
  3. Enter your username and password, and click Log In.
  4. On the Home page, click the Files icon, or the [ v ] arrow symbol on the right side, and then click Files Manager.
  5. Select Web Root (public_html/www), then click Go.
  6. Right-click on the .htaccess file, then select Edit.
  7. A code editor will display, just click Edit.
  8. Add the following at the end of the file:
        Options -Indexes
  9. Click Save Changes.
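
A check for the two edits above, as an added example that is not part of the original article: it reads the text of wp-config.php and .htaccess and reports whether DISALLOW_FILE_EDIT and Options -Indexes are written in a form PHP and Apache will read, catching the curly quotes, typographic dashes and unclosed comments that copy and paste can introduce. The function names and sample inputs are constructed for illustration, and the Options handling is simplified (the last line naming Indexes wins).

```python
import re

SMART_QUOTES = "\u2018\u2019\u201c\u201d"   # curly quotes from copy/paste
DASHES = "\u2013\u2014\u2212"               # en dash, em dash, minus sign

# One pass over PHP source: string literals are kept, comments are dropped,
# so a "/*" or "#" inside a salt string is not mistaken for a comment.
TOKEN = re.compile(r"""
    ('(?:\\.|[^'\\])*' | "(?:\\.|[^"\\])*")
  | /\*.*?(?:\*/|\Z) | (?://|\#)[^\n]*
""", re.S | re.X)

def live_php(src):
    """PHP source with comments removed (an unterminated /* runs to EOF)."""
    return TOKEN.sub(lambda m: m.group(1) or "", src)

def check_file_edit(wp_config):
    """Return 'ok', 'smart-quotes', 'inactive' or 'missing'."""
    live = live_php(wp_config)
    if re.search(r"define\(\s*(['\"])DISALLOW_FILE_EDIT\1\s*,\s*true\s*\)", live, re.I):
        return "ok"
    if re.search(rf"define\(\s*[{SMART_QUOTES}]DISALLOW_FILE_EDIT", live):
        return "smart-quotes"       # PHP does not treat these as string quotes
    # Present but commented out, set to false, or otherwise not a live define.
    return "inactive" if "DISALLOW_FILE_EDIT" in wp_config else "missing"

def check_indexes(htaccess):
    """Return 'ok', 'typographic-dash', 'enabled' or 'missing'.
    Simplified: the last Options line that names Indexes wins."""
    state = "missing"
    for line in htaccess.splitlines():
        words = line.strip().lower().split()
        if not words or words[0] != "options":
            continue                # blank line, comment or other directive
        args = words[1:]
        if any(a[0] in DASHES and a[1:] == "indexes" for a in args):
            state = "typographic-dash"   # not an ASCII hyphen
        elif "-indexes" in args:
            state = "ok"
        elif {"indexes", "+indexes", "all"} & set(args):
            state = "enabled"
    return state

# Constructed sample inputs (not taken from a real site).
GOOD_CONFIG = "<?php\n/** Disable File Editor */\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
PASTED_CONFIG = "<?php\ndefine( \u2018DISALLOW_FILE_EDIT\u2019, true );\n"
UNCLOSED_CONFIG = "<?php\n/** Disable File Editor\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
```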

Back up Website Regularly

Your first defense against malware is a backup. Even after all the precautions mentioned above, nothing can guarantee 100% security. Even high-profile websites with world-class security are not immune to malware.

If worst comes to worst, backups allow you to restore your site quickly instead of losing it to malware and hackers. It is highly recommended that you back up your website regularly.

At Crazy Domains, you can back up your website for free from the Hosting Manager. A zipped copy of your website will be downloaded to your computer. Moreover, Crazy Domains also offers Site Backup & Cloud Backup. Both tools offer automatic, scheduled and real-time backups, a one-click restore feature and digital file access.

Install Security Plugins

WordPress can extend its function through plugins. You can easily install and activate plugins from your dashboard to add features to your site – including site security.

There are tons of security plugins available for WordPress. More likely than not, you will have to pay a small amount for these plugins. In general, you can go for a plugin that does it all, from tracking and monitoring to malware scanning. However, there are also plugins meant for a specific action, such as logging out idle users, adding a security question at login, and restricting login attempts. Depending on your needs, you can choose a variety of plugins to amplify your site's security.
