Development | Hosting | WordPress | 06.14.2018

3 Rules for WordPress Malware Protection

As is often the case in life, getting a new WordPress website is more than a one-and-done deal. Much like how maintenance and protective acts are needed to keep your vehicle in good shape, you should also take steps to keep your website secure.

In this article, I’ll be sharing my top 3 rules for keeping your WordPress website safe from malware attacks.

Types of Malware Attacks

There are various malware attacks that can hijack or disable your website, but here are 2 that we’re seen to be more prevalent:

  • Link Hijacking: This is where your website is accessed and junk links are added to your content (i.e. pharmaceutical or gambling links). The point of this attack if for the hacker to use your domain authority in order to increase SEO rankings for the target websites.
  • Site Redirection: In this case, when your website is compromised, users will be immediately redirected to some sort of spam website when they try to visit your website. An example of this would be having the user dropped onto a sweepstakes website.

So what can you do to minimize the risk for such attacks on your WordPress website? Keep reading…

Rule #1: Use Good Passwords

It’s important that you use good passwords as hackers know that it’s relatively common practice (though bad) for companies to use simple passwords out of convenience. For example, here are a few terrible username/password combos:

  • admin / password
  • hertz / investments
  • admin / website2018
  • laura / temppass

When it comes to passwords, each of the following tips will make your password more secure:

  • Use 8 characters or more
  • Include numbers
  • Include uppercase and lowercase letters
  • Use a symbol such as $, #, @, *, or !

This rule is easy and quick to put into practice, but remember, all of your WordPress users need to have secure passwords. In security, the rule is that you’re only as secure as your weakest link.

Important: Along with having more secure passwords, make sure to also remove inactive users. This might include employees or vendors that are no longer with your company.

Rule #2: Keep Your Software Up To Date

This one is a big deal. Unfortunately, as busy people, we’re often weak at maintaining systems. But neglecting to update your WordPress and plugin software can be a detrimental mistake. It’s also one of the biggest reasons for malware attacks against your WordPress website.

Neglecting to update your WordPress and plugin software can be a detrimental mistake.

Why? Well, the reason is quite simple. Hackers are known for finding holes in software and then publishing their findings to the web. What does this mean for you? Well, if you’re using a version of WordPress that’s a year or two old, it’s very possible that a vulnerability was discovered and it’s only a matter of time until your website is compromised.

To take it from bad to worse, hackers can actually create software to scan the web and find vulnerable websites (think outdated software) and automatically infect the websites using the known vulnerability exploit.

Does this all make your nervous? Fear not! Keeping your website software up to date is fairly simple. Many web design companies will actually provide monthly or quarterly update services. At our web development agency, we update plugins for about 90% of our clients on a monthly or quarterly basis. You can also do updates yourself, but make sure to have a backup handy in case something goes wrong.

Rule #3: Choose a Reputable Hosting Company

Rule #3 has to do with the company that you’re entrusting your website to- your hosting company. Hosting companies with older software are notorious for having out of date servers that are vulnerable for attacks. If a hacker can figure out how to access your host’s servers, it possible that they could simply modify your website’s code files to inject the nasty malware code.

If you have strong passwords and keep your website up to date, but you have a weak host, your website really isn’t secure at all.

A few tips for website hosts:

  • Cheap isn’t always the smart choice – instead of asking, “what is the cheapest route we can go”? You should ask, “what host will give us the best security, speed, and features for a reasonable price?”. Remember, this is your company website. If it has problems, it usually will hurt your business, so an extra $25 or even $100 / month is more than worth it.
  • Consider WordPress specific hosting – if your host specializes in WordPress then typically you’ll see better security and speed because the host is focusing on one platform. Whenever you chose a specific niche, you generally do a superior job than the generalist.
  • Ask questions of your prospective host, such as:
    • What systems do you have in place to keep my WordPress website secure?
    • Have you had any vulnerability issues with you hosting servers in the last 2 years?
    • What does support look like if I have an issue?
    • How often have websites gone down on your servers in the last year?
What host will give us the best security, speed, and features for a reasonable price?

Bonus Tip: Automatic Daily Backups

Do yourself a favor and find a host with this specific feature: daily automated backups with one-click restore.

  • Daily: so that you don’t have loss of data for new content you’ve been posting
  • Automated: so you don’t have to think about it
  • One-click restore: so that when you’re in crisis mode, getting a previous version of your website back up is easy-peasy.
Important: Remember to update your software and change all of your passwords after restoring from a previous backup.


Just like any other product that has many moving parts, it’s essential that you take the protective measures to keep your WordPress website up to date and secure. There are surely more things that you can do to make your website secure (advanced readers, click here) but getting these 3 foundational things right will make the lion-share of your risk disappear. At our web design company, we’ve never had any clients get hacked when applying these three rules.

I hope you’ve found this article useful. We’re happy to answer any questions in the comments below!