Home / Development / How to Protect WordPress Website from Malware Attacks
How to Protect WordPress Website from Malware Attacks
How to Protect WordPress Website from Malware Attacks

How to Protect WordPress Website from Malware Attacks

Introduction:  Today, WordPress is the most demanded platform because of its easy interface. WordPress platform was recognized in 2003 to enhance the typography of everyday writing via blog representation. Since then and now, WordPress has grown to be the most used open-source platform for the largest self-hosted blogging, CMS, or any other custom solution in the world. Based on PHP and MySQL, it provides free open-source platforms, security, and speedup features for developers. Here are the tricks to Protect WordPress Website from Malware Attacks.

With this article, I am sharing some security actions for the WordPress website. These tips will help you secure your database, server path, and website access from third parties or hackers. Please follow the below steps that include-

  • WP-Config.PHP file setting
  • Database protection
  • Htaccess File setting
  • Latest version updates the settings
  • Error removal
  • Protecting files
  • Login restriction
  • WordPress admin restriction

1. Change the Database Prefix

The basic setup of WordPress includes default database prefixes (es). The default prefix is known to hackers and they can easily find the table names of your site’s database. So, it should be changed to protect the database files.

2. Create Custom Secret Keys for wp-config.php File

Wp-Config.php, the main file in the WordPress root directory contains all the confidential details of the website. The file requires to be secured from hacking, attack, or database sharing. The file contains secret keys that keep a bit of information about authentication and access. The default secret keys should be changed to something else to keep the information confidential.

Don’t use any software or online tool to generate random keys for you.

3. Protect your wp-config.php File

The wp-config.php file should be secured to keep all the confidential information safe. Protect the file by placing the below code in your .htaccess file on your server.

<Files wp-config.php>
 order allow,deny
 deny from all

4. Protect Your .htaccess File

Protecting the wp-config.php file is not enough for advanced security. The .htaccess file should also be protected to have the website’s other information secure. Put the below code in your .htaccess file.

<Files .htaccess>
order allow, deny
deny from all

5. Automatic Core Updates

The old version of WordPress, theme, and plugin is well known to hackers and they can easily hack the site. So, always upgrade your WordPress version, theme, and plugin to the latest version. The automatic updates option might be a good choice to keep aware of every version. It will help those who want to take a more hands-off approach to site management but want a secure site, just the same. Though minor updates install automatically, major ones still require approval. The approval of a major upgrade may fix any security bug from the previous version. To do this, put the following code into a wp-config.php file and allow the major code updates to happen automatically in the background without any approval.

 define( 'WP_AUTO_UPDATE_CORE', true );

The minor updates do not affect any code or site functionality; however, the auto major updates can break your website, especially if you’re running a plugin or a theme that isn’t compatible with the latest version. So, log into your website regularly and don’t change your core files to stop the new version override your files. Automatic updates for plugins and themes can be configured by the below code into wp-config.php.

For plugins:

 add_filter( 'auto_update_plugin', '__return_true' );

For themes, use:

 add_filter( 'auto_update_theme', '__return_true' );

You can hide the WordPress version number as well that displays via meta. Displaying the WordPress version lets hackers know your current version and attack your website through the previous version’s bugs.

You can hide your WordPress version number by following below instructions:

  • If you are using an older theme, remove the following line from your theme’s header.php file
php bloginfo('version'); ?>" />
  • Remove the generator tag, which actually exposes all known vulnerabilities to that version date. If you are using a newer theme, just add the following in your theme’s functions.php file
<? php remove_action('wp_head', 'wp_generator'); ?>
  • Simply put the following code into your functions.php file:
add_filter( 'the_generator', '__return_null' );
  • You can go one step further and additionally remove it from RSS feeds using this:
function wpt_remove_version() {
 return '';

}  add_filter(‘the_generator’, ‘wpt_remove_version’);

6. Eliminate PHP Error Reporting

Your WordPress website has a lot to do with backend security and protecting the site from weak spots. Another one is error reporting. If a theme or plugin doesn’t work properly, it occurs an error message. These error messages give the hackers every nook and cranny of your website on a silver platter. Because the error messages contain your server path and hackers can easily get your full server path by these error log files. So, it should be disabled by a single code snippet into wp-config.php.

// Turn off all error reporting

@ini_set(“display_errors”, 0);

7. Disable Login Hints

Once you try to log in on the WordPress website’s admin panel with a wrong, incorrect password or a non-existent username, you will get a hint like your username is wrong, or your password doesn’t match that username. This can offer a fair opportunity for hackers to break into your site. So, you should get rid of such information by disabling it with a script within your functions.php file:

function no_wordpress_errors()
return ‘What the heck are you doing?! Back off!’;
add_filter( ‘login_errors’, ‘no_wordpress_errors’ );

8. Protect your WordPress Admin Area

The WordPress admin area is the panel where you keep backend customization and content integration of your website. So, access to the admin area should be restricted to people that actually need access to your panel. Third parties or people would not be able to access your /wp-admin folder or wp-login.php file if you have restricted registration or a front-end content creation area. Put the below code with your home IP address and add these lines to the .htaccess file in your WordPress admin folder replacing xx.xxx.xxx.xxx with your IP address.

<Files wp-login.php>
 order deny,allow
 Deny from all
 Allow from xx.xxx.xxx.xxx

In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another

Allow from xx.xxx.xxx.xxx statement on a new line.

If you want to be able to access your admin area from any IP address restricting your admin area to a single IP address or to a few IPs can be inconvenient. In such cases, you can limit the number of incorrect login attempts to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password.

9. Hide Author Usernames

It is often seen that the author’s name and the administrator’s name are the same. No one thinks to keep them separate if only a single user is managing the website. It is easy to find the admin’s username if anyone has your main author or administrator’s name. It’s not good for security purposes. It is the same like you give the treasure of your site to hackers and run the risk of seeing your site compromised.

You should hide the author’s username to prevent hackers. You just need to put the below code snippet to your website’s function.php file. It will make it so when someone inputs. author=1 after your main URL, they won’t be presented with the administrator’s information and will instead be sent back to your homepage.

add_action(‘template_redirect’, ‘bwp_template_redirect’);
 function bwp_template_redirect()
 if (is_author())
 wp_redirect( home_url() ); exit;

Several other tips and tricks are still there that you can use to keep advanced security of WordPress website, however, above are the best bunch of security features that would make your website more secure and safe.