Category: jetpack.com

Every WordPress installation has a selection of “core” files. These are the files behind critical functionality, and one of them is .htaccess. It includes configuration options for your web server. In other words, it’s extremely important.

If you know how to find and edit .htaccess, you can change your site’s permalink structure, set up redirects, increase security for the dashboard, and make many more tweaks. You don’t even need to know how to code if you follow instructions carefully.

In this article, we’ll talk about the .htaccess file and how it works. We’ll show you how to locate, access, and edit the file. Finally, we’ll wrap up with some frequently asked questions.

What is an .htaccess file?

.htaccess or Hypertext Access files aren’t unique to WordPress. Every Apache web server has an .htaccess file that contains configuration settings for the server. In the case of WordPress, the file also includes instructions for your website’s permalink structure. 

Here’s how the file looks by default on most websites:

We say “most websites” because some hosts customize their clients’ .htaccess files to include additional functionality. Still, the file is always located in the WordPress root directory.

If you have access to the server, you can locate and edit .htaccess to make critical changes to your site’s functionality. Some of the changes you can implement include:

• Adding redirects. Implement redirects at the server level.
• Changing the permalink structure. When you change your website’s permalink structure, these changes are reflected in .htaccess. You can use the file to manually change the URL structure instead of doing so in the WordPress admin panel.
• Preventing resource hotlinking. If you don’t want other websites to use images or other elements from your website, you can disable hotlinking by modifying the .htaccess file.
• Configuring access to the website. .htaccess enables you to password-protect directories, whitelist IP addresses for access to the dashboard, and more.

It’s important to understand that .htaccess is an incredibly delicate file. Since it lets you configure server-level rules, changing the file can break your website if you’re not careful.

You don’t need to know a specific programming language to edit .htaccess, although PHP knowledge can help. If you follow instructions and copy the necessary code snippets, you can easily modify the file. 

If you’re not comfortable using code, several plugins can edit .htaccess for you. Most security and redirect plugins work by editing the file without you having to open it. Depending on the changes you want to make, you may be able to use a plugin to edit .htaccess.

Where is the .htaccess file located in WordPress?

The .htaccess file is located in the WordPress root directory. This directory contains all of your WordPress core files (like wp-config.php), as well as everything that you upload to your website.

You can’t access the root directory from the WordPress dashboard. To get access to .htaccess and other similar core files, you’ll need to connect to your server via File Transfer Protocol (FTP) or your hosting control panel.

Since WordPress is open-source software, you can freely edit all the files in any way you want. In the next section, we’ll show you how to make changes to .htaccess safely (and the same advice applies to all other WordPress core files).

How to edit your WordPress .htaccess file (3 methods)

Editing the WordPress .htaccess file requires access to the root directory. But before making any changes, we highly recommend downloading a backup of your .htaccess file. Since .htaccess deals with server configuration settings, any errors in the file’s code can render your website inaccessible. If that happens, you’ll need to restore a previous version of .htaccess, remove the incorrect code, or create a new .htaccess file to reaccess your site. With that in mind, it’s best to play it safe and have a recent backup available.

Thankfully, backing up the .htaccess file is a pretty simple process. Start by accessing your server’s files via either your host’s file manager or file transfer protocol (FTP) software like FileZilla. Navigate to your website’s root folder, typically called public_html, www, or your website name. Here, you’ll find the .htaccess file.

If you don’t see that file, you may need to turn on a setting that enables you to view hidden files. This will depend on your host or FTP software. If you’re using cPanel, click the Settings button at the top right, followed by Show Hidden Files (dotfiles) and Save.

With FileZilla, you’ll need to toggle this setting before you connect to your server. All you have to do is go to Server → Force showing hidden files.

Once you’ve found the .htaccess file, download it to your computer and rename it to something you’ll remember, like .htaccess_before-changes. Then, if you do need to revert any changes that you’ve made, you can simply copy the code from this file and paste it into the live version on your server.

1. Using an FTP client

The best way to access the .htaccess file is with an FTP client. FTP clients tend to be easier to navigate than file managers in hosting control panels, and they provide more control for interacting with your site’s directories and files.

It’s up to you which FTP client you use. But you might consider the open-source FileZilla option if you haven’t used FTP before. 

To connect to WordPress, you’ll need your site’s FTP credentials. You should have received these when signing up for a hosting plan. If not, you can find them in your hosting control panel.

Once you have the right credentials, connect to your website via FTP. Navigate to the folder that says www, public_html, public, or your site’s name. Those are the most common names for the WordPress root directory. 

Open the directory, and you should see a collection of files and folders that looks like this:

The file we’re looking for, .htaccess, is located in this top-level directory. Once you find it, right-click on the file and select View/Edit (the name of this option may change depending on which FTP client you use). This will open the file using your default text editor.

Again, before taking this step, make sure you download the file to a safe location so you can restore the code if you make a mistake.

Any changes that you make to this file need to come before the “# END WordPress” line. To keep things organized, we recommend adding new snippets of code with a line of separation from others. 

If possible, also add comments like this to identify what each snippet does:

# This is a comment

That way, if you return to the file to remove part of its code, you’ll know precisely what each snippet does. When you’re ready, save the changes to the file and close it.

The FTP client will ask if you want to update the file on the server. Choose the option that says Yes, and that’s it. The changes that you made to .htaccess should be live now.

2. Using your cPanel

Editing a WordPress .htaccess file using cPanel is relatively simple since the software includes file manager functionality. But keep in mind the text editor included with the file manager is very bare bones. We recommend using an FTP client instead if you can. 

If you prefer using cPanel, login to the hosting control panel and look for the File Manager option under the Files section.

On the next screen, look for a directory called www, public_html, public, or your website’s name. That is your WordPress root directory, and it contains the .htaccess file.

Right-click on .htaccess and select the Edit option. This will open the file manager’s text editor and enable you to make changes to the file. Again, make sure you have a current version of your .htaccess file on hand that you can restore if needed.

We included instructions on how to edit .htaccess safely in the previous section. Make sure to review those instructions before adding code to the file to prevent any problems with your server.

3. Using a WordPress plugin

If you don’t want to use an FTP client or cPanel to access the .htaccess file, some plugins provide this functionality from the WordPress dashboard. One example is Htaccess File Editor by WebFactory.

This plugin adds a new WP Htaccess Editor tab to the dashboard. From here, you can use a basic text editor that works only with .htaccess.

The advantage of using a plugin to edit .htaccess over a regular text editor is that you may get access to functionality like testing the file before saving. You might also be able to restore backups in case of an error. 

Other plugins that let you edit .htaccess include Redirection and Htaccess File Editor. In most cases, we recommend using FTP over plugins. But a plugin might do the trick if you only plan on making minor changes to .htaccess.

How to create a new WordPress .htaccess file

Creating a new WordPress .htaccess file is relatively simple. Sometimes, you won’t see the .htaccess file if you go to the root folder of your WordPress website. This can happen because WordPress hasn’t generated the file yet.

Sometimes, WordPress doesn’t generate an .htaccess file until you make changes to your site’s default permalink structure. To do this, go to Settings → Permalinks. The default permalink structure for WordPress is set to Plain. But you might want to change that structure to another, more user-friendly option, like Post name or Month and name.

When you change the permalink structure from Plain, WordPress will generate a new .htaccess file. It will contain the instructions for the new structure that you choose.

After saving the changes to your site’s permalink structure, return to the WordPress root folder. There should be a brand new .htaccess file inside, ready for you to start editing it.

How to replace your current .htaccess file with a new one

If you want to restore the .htaccess file to its original contents, you can either delete all custom code or replace it altogether. In many cases, replacing the file is the easier option. That applies particularly if you run into an error and are unsure which part of the code is causing it.

Before moving forward, download a copy of your existing .htaccess file, just in case.

First, you’ll need to make a new copy of a default .htaccess file. To do so, create a new file called .htaccess on your computer (including the period). 

Then, open the new file using a text editor and paste the following code within:

# BEGIN WordPress

RewriteEngine On

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

# END WordPress

That is the default code for the .htaccess file, and it should work with every website. The only exception is if you’re using a Multisite installation. In that case, the default .htaccess file should look like this, with a subdirectory setup:

# BEGIN WordPress Multisite

# Using subfolder network type: https://wordpress.org/support/article/htaccess/#multisite

RewriteEngine On

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteBase /

RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin

RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]

RewriteCond %{REQUEST_FILENAME} -d

RewriteRule ^ - [L]

RewriteRule ^([_0-9a-zA-Z-]+/)?(wp-(content|admin|includes).*) $2 [L]

RewriteRule ^([_0-9a-zA-Z-]+/)?(.*\.php)$ $2 [L]

RewriteRule . index.php [L]

# END WordPress Multisite

Alternatively, if you’re using a subdomain setup for Multisite, the code will look like this:

# BEGIN WordPress Multisite

# Using subdomain network type: https://wordpress.org/support/article/htaccess/#multisite

RewriteEngine On

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteBase /

RewriteRule ^index\.php$ - [L]

# add a trailing slash to /wp-admin

RewriteRule ^wp-admin$ wp-admin/ [R=301,L]

RewriteCond %{REQUEST_FILENAME} -f [OR]

RewriteCond %{REQUEST_FILENAME} -d

RewriteRule ^ - [L]

RewriteRule ^(wp-(content|admin|includes).*) $1 [L]

RewriteRule ^(.*\.php)$ $1 [L]

RewriteRule . index.php [L]

# END WordPress Multisite

In any case, save the new .htaccess file and upload it to the WordPress root directory. You can follow our earlier instructions on accessing the directory using FTP or cPanel. Once you’re inside, delete the existing .htaccess file and upload the new one, or simply upload and overwrite it. 

Five examples of rules you can add to your .htaccess file

There are several ways to edit the .htaccess file and add new functionality to WordPress. Each code snippet is known as a “rule” because it tells the server what to do.

In this section, we’ll introduce you to several rules you can implement in the WordPress .htaccess file and explain what they do!

1. Redirect all traffic via HTTPS

Once you add a Secure Sockets Layer (SSL) certificate to WordPress, you’ll want to configure the website to load over HTTPS. There are several plugins you can use to implement this change, but you can also do so by adding a new rule to the .htaccess file:

RewriteEngine On

RewriteCond %{HTTPS} off

RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This rule implements 301 redirects that will process every HTTP request over HTTPS. If you see security errors in the browser after implementing this rule, there might be an issue with your site’s SSL certificate.

2. Add a password to a directory

.htaccess enables you to password-protect specific parts of your website. The password prompt doesn’t appear as a login screen, but as a pop-up window directly through the browser. The server will block your access to the page if you don’t enter the correct password.

In this example, we’re using code to password-protect the WordPress admin dashboard:

<Files /wp-admin>

AuthName "Prompt"

AuthType Basic

AuthUserFile /wp-admin

Require valid-user

</Files>

You can change which page you want to add a password to by editing the part of the snippet that comes after the “/”. For example, you can add a password prompt to /wp-login.php to protect the login page further.

Note: Requiring a password to access the homepage will break Jetpack’s connection. So, if you’re using any of Jetpack’s tools, you won’t want to implement this rule.

3. Disable access to specific files

On top of disabling access to parts of your website, you can block every user from being able to access specific files. This rule can come in handy for core files, since you don’t want anyone else to be able to download or edit them.

For this rule, we’re using code that tells the server if a visitor tries to access a file that matches one of the names you specify, it should block that connection:

<FilesMatch "^.*(error_log|wp-config\.php|\.[hH][tT][aApP].*)$">

Order deny,allow

Deny from all

</FilesMatch>

You can add more files to that list by separating them with a “|”. Keep in mind that there should be one final “|” symbol right before the slash in the first line within the rule.

4. Blocklist an IP address

One of the most useful functions in .htaccess is the ability to blocklist specific IP addresses. If you include an IP address using a blocklist rule, it won’t be able to access any of your site’s pages. Here’s what that rule looks like:

order allow,deny

deny from 192.168.1.1

allow from

That example uses the localhost IP, but you can replace it with any other address. To include multiple addresses, separate them using a comma.

Note that blocklisting an IP means the user with that address won’t be able to load any of your site’s pages at all. They won’t see 404 errors or be redirected to login pages. Instead, they’ll get “access denied” errors.

It’s also important to understand that blocking or allowing IP addresses in your .htaccess will not supersede any IP blocking or allowing that is done at the server level, or via a security plugin or service. That is why it is important to ensure that our IP addresses are allowed at the server level and in any security plugins you may use.

5. Add a redirect

You can use the .htaccess file to implement multiple types of redirects. Earlier, we showed you how to use redirects to force WordPress to load over HTTPS. But you can also implement more straightforward rules to redirect a single page to a second address. 

Here’s how a basic 301 redirect looks in .htaccess:

Redirect 301 /page.html 

http://www.yoursite.com/page2.html

The file also supports more complex redirects, like redirecting an entire website to a new URL. Here’s what that rule would look like in action:

Options +FollowSymLinks

RewriteEngine on

RewriteRule (.*) http://www.newsite.com/$1 [R=301,L]

This rule can be useful if you want to stop working on a website and redirect all of its traffic to a different property. 

Keep in mind that 301 redirects are “permanent.” That means that search engines interpret them as “This page has moved permanently to a new address” and pass along some of its link equity.

Frequently asked questions about the .htaccess file

If you still have questions about the WordPress .htaccess file, this section will answer them. Let’s start by talking about what you can do with this file!

What can you do with your .htaccess file on WordPress?

The .htaccess file on WordPress is highly versatile. You can use it to implement redirects, update your site’s permalink structure, whitelist IP addresses, password-protect directories, force your site to load over HTTPS, and more.

These changes require you to either use plugins or add code to the .htaccess file. You can do this even if you’re unfamiliar with coding since the snippets can be found online, including in this article!

What if you can’t find your WordPress .htaccess file?

You may not be able to find the .htaccess file in the WordPress root directory if it hasn’t been created yet. In some cases, WordPress doesn’t generate the file unless you change your website’s permalink structure from Plain to another option. Earlier in this article, we explain how to do this. 

Do .htaccess changes take effect immediately?

Any changes that you make to .htaccess should take place immediately. You don’t need to restart the server for changes to take effect.

If you edit the file and you don’t see the changes reflected immediately, there might be an issue with your web host. In some cases, hosting providers might not provide the necessary permissions for your .htaccess file to override the server’s configuration. This is particularly common in shared hosting plans.

Should I use a plugin to edit .htaccess?

Many plugins can edit .htaccess, but some of these tools don’t give you access to the file itself. For example, if you use a redirect plugin, it likely implements redirects via .htaccess, but it doesn’t show you the changes in the file.

Some tools enable you to edit .htaccess from the dashboard. But these plugins often offer limited editor functionality, making it harder to implement changes. Whenever possible, we recommend using FTP so you can use your favorite text editor to interact with .htaccess.

Can your WordPress site’s .htaccess file be hacked?

If attackers can gain access to your server, they can also access the .htaccess file and use it to break parts of your site, implement malicious redirects, and even lock you out of the website altogether.

Backing up your website regularly is vital to protect user data and avoid downtime from attacks. With Jetpack Security, you can access real-time automatic backups and malware protection.

Jetpack also adds a firewall to your website. This feature helps further prevent other attacks, like DDoS events or attempts to brute force the WordPress login page.

How do I edit the .htaccess file in Nginx?

.htaccess files are unique to Apache servers. They’re still very common because Apache is one of the most popular server software options on the market. But it’s not the only one.

Many popular WordPress web hosts use Nginx since it offers several advantages over Apache. But Nginx servers don’t have .htaccess files. That means you may be unable to implement several of the customizations discussed in this article, or the process might be entirely different.

What is an example of a default WordPress .htaccess file?

By default, the .htaccess file should look the same on most WordPress websites. Here’s the code the file should contain if you’ve made no changes to it:

# BEGIN WordPress

RewriteEngine On

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

RewriteBase /

RewriteRule ^index\.php$ - [L]

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L]

# END WordPress

You can use this code to restore the .htaccess file to its original settings in case of any errors while customizing it. We include instructions on how to replace the file in one of the previous sections of this article.

Change the WordPress .htaccess file

Knowing how to access and edit the WordPress .htaccess file can help you change key functionality on your website and keep it safe. You can use this file for anything from implementing redirects to password-protecting directories if you know how to edit it.

Since you’re dealing with a WordPress core file, we always recommend creating a backup ahead of time. Once you start working on the file, you can use the code snippets from this article to implement new features.

Editing your .htaccess file is just one way to secure your WordPress website. Jetpack Scan constantly monitors your site for threats, notifies you about any problems, and helps you resolve any issues. Check out Jetpack Scan today!

WordPress is an excellent platform for your website. But that doesn’t mean that it’s invincible. If you’re working on your site and encounter a sudden glitch, freeze, or crash, it’s easy to enter panic mode.

Fortunately, there are ways to recover and restore your WordPress site after a crash. Whether you installed a poorly-coded plugin or accidentally deleted a file, you can get your site up and running again by following the right steps.

In this post, we’ll take a closer look at WordPress website crashes and some common causes. Then, we’ll guide you through five steps to recover and restore your site after a crash. Let’s get started!

Does WordPress crash?

WordPress, like any Content Management System (CMS), isn’t infallible. But, since it’s built through volunteer contributions by the world’s top developers and continuously peer-checked and improved upon, it’s truly a stable platform. Most issues arise from human error on an individual site level. 

So, a WordPress site can crash, and one of the main causes is running outdated software, whether it’s WordPress core, plugins, or themes. Outdated software poses a risk to your site since known vulnerabilities are easily exploited. Therefore, your site may be less resistant to viruses, malware, and online attacks. And when things like plugins or themes are outdated, they can conflict with one another and cause errors and outages.

Does WordPress have a crash log?

When WordPress site crashes occur, you can use an error log to identify and resolve the issue as quickly as possible. To view PHP errors on your website, all you have to do is enable the WP_DEBUG function. 

The easiest way to enable WordPress debugging is with a handy plugin like Query Monitor.

Query Monitor adds a developer tool panel to your WordPress admin area. Using this plugin, you can debug various parts of WordPress, including database queries, PHP errors, and CSS.

Alternatively, you can always enable debug mode manually. If you prefer this option, it requires access to your site’s File Manager or a connection through Secure File Transfer Protocol (SFTP). 

Locate your root folder (usually labeled public_html) and open your wp-config.php file.

At this point, look for the line that reads: “That’s all, stop editing! Happy publishing”. Then, insert this line of code above it: 

define ( ‘WP_DEBUG’, true );

If there are errors on your site, a debug.log file will appear within your wp-content folder. You can download it to your computer to view the entire log and identify the errors. 

Seven common causes of WordPress site crashes

Now that you know a bit more about WordPress crashes, let’s look at some of the leading causes.

1. Installing or updating a plugin or theme

WordPress plugins extend the functionality of your site, but poorly-coded plugins can create errors. Not just that, but even a high-quality plugin can cause problems if it isn’t compatible with your version of WordPress or other software on your site.

If your site crashed, think about whether you’ve recently installed a new plugin, updated an existing tool, or changed your theme. 

In the future, it’s important to only choose reputable plugins and themes, like the ones in the WordPress plugin directory.

Alternatively, you could choose premium plugins and themes from trusted third-party marketplaces. Make sure that it has a number of positive customer reviews to verify that the plugin or theme is well-coded and functional.

You’ll also want to pay attention to how frequently the tool is updated, whether the software is compatible with the latest WordPress version, and the level of support from the developer.

2. Expired domain names

If an expired domain causes your WordPress site to crash, the good news is that it’s one of the easier problems to resolve. Your domain name is the website address that visitors enter to find your site. It’s a crucial branding element that helps you establish a strong online identity.

But once you’ve secured a unique domain name, it will typically only last for one year. Since you’re simply “renting” a domain for a set period, you’ll need to renew it before it expires.

If you’ve forgotten to renew your domain name, you should contact the company you used to register your domain and see if it’s still possible to get it back. If you can get the domain back, then check that your contact and payment details are correct. Also, you might want to enable auto-renew so that you don’t have to worry about this happening again. 

3. Server issues

Some server errors can cause problems on your site. For instance, the HTTP 500 Internal Server Error and the Timed-Out Error are both caused by a slow or overwhelmed server. 

The leading causes of WordPress server errors include browser caching problems, database server problems (like slow connection times), and corrupt databases (perhaps containing malicious files). 

Typically, you can only resolve these issues by changing the server configuration. You can contact your hosting provider to sort this out for you.

You can give your website a better chance of avoiding these issues by opting for a quality WordPress host. It’s a good idea to prioritize hosts that offer at least 99.99 percent uptime. You’ll also benefit from choosing a provider that offers plenty of extra security measures like Web Application Firewalls (WAFs) and automated updates. 

Note: Some WAFs will block our IPs, which breaks the Jetpack connection. If you’re using any of the Jetpack plugins, be sure to ask your hosting provider to allow our IP addresses to access your site’s xmlrpc.php file. This will ensure your site has a continuous connection to WordPress.com.

4. Updating the WordPress core software

As we discussed earlier, it’s important to keep plugins and themes up-to-date. But it’s also essential to update your WordPress core software. This way, you can prevent compatibility issues resulting in WordPress crashes.

What’s more, WordPress updates often contain security fixes for bugs found in the previous release. So, there’s less chance of hackers being able to exploit these known vulnerabilities on your site. 

If you’re unsure which version of WordPress you’re running, head to Dashboard → Updates.

Here, you can confirm your version of WordPress, enable auto-updates, and upgrade your plugins and themes. When a new version of WordPress is available, you’ll receive an update message in your dashboard. 

It’s also essential to back up your site before running an update in case anything goes wrong. Later, we’ll explain how you can do this with Jetpack VaultPress Backup!

5. Editing the WordPress code

Even when experts carry out routine website maintenance, human error can result in the accidental deletion of files and folders. Therefore, it’s possible to crash your site when adding or editing code in WordPress. 

The best solution is to make sure that you regularly back up your website. That way, if anything goes wrong, it’s easy to restore your site to its original state. 

One of the quickest ways to do this is with a plugin like Jetpack VaultPress Backup.

For extra peace of mind, Jetpack stores your backups on a different server from your website — using the industry-leading, secure infrastructure of WordPress.com. This means that if you’ve made a mistake on your server, your backups won’t be compromised. And you can restore them even if your website is completely down. 

6. WordPress hacks

While the previous causes are pretty harmless, WordPress can also crash if your site gets hacked or compromised.  

Distributed Denial of Service (DDoS) is one of the most common types of online attacks. This occurs when hackers use multiple machines to overwhelm your server with millions of fake requests. 

Additionally, you might face brute force attacks that target the WordPress login page. These attacks are when hackers try thousands of username/password combinations to try to break into your website. Eventually, attackers can gain unauthorized access to your account and take over your entire site.

You’ll know if your website has been hacked because it may become slow, unresponsive, or inaccessible to users. Visitors may also be redirected to malicious sites. Sometimes, you can find these redirects placed in the footer of your pages. 

Furthermore, an obvious sign that WordPress has been hacked is Google blocklisting your site. Search engines do this to prevent visitors from reaching your pages and becoming infected themselves. 

You can use a tool like Safe Browsing Status to confirm this.

To prevent future WordPress hacks, consider upgrading to the Jetpack Security bundle on your site. The bundle includes malware scanning, spam protection, and regular backups. Additionally, you can strengthen your login credentials by using strong passwords and implementing two-factor authentication. 

7. Updating your site’s PHP version

PHP is an open-source scripting language that WordPress is built on. Like any other software on your site, updating PHP is vital since newer versions are better prepared to deal with security threats. 

If you’re not sure which version of PHP you’re running, navigate to Tools → Site Health.

Switch to the Info tab. Then, scroll down to open the Server tab.

You’ll find your server setup information here, including the current PHP version.

Updating your PHP is generally a safe process. But, if you have outdated code (like themes and plugins), you could crash your site. Therefore, it’s essential to check that all plugins and themes are compatible with the version of PHP you intend to use. 

You can usually find this information by visiting the dedicated plugin/theme page and looking under PHP Version.

Then, you can update your PHP version through your hosting account. The process will differ depending on your web host. 

How to recover and restore your WordPress site after a crash (in 5 steps)

Now that you know why your WordPress site can crash, let’s discuss what to do if you find yourself in this situation!

Step 1: Restore a backup of your site

The best and easiest way to restore a backup of your WordPress site is to use the Jetpack VaultPress Backup plugin. There are a couple of ways you can do this.

Note: You’ll need to add server credentials to your Jetpack settings before you begin these steps.

The first method is to restore your site to a specific event. Start by opening your activity log, which keeps track of all the actions that take place on your site. There, you can either scroll down to a specific event or filter by date range or type of activity.

This can be particularly helpful if you know what may have caused the crash, like a recent plugin update or code edit. Click the Actions button next to the event, then choose Restore to this point.

A window will appear asking what elements you want to restore. In most cases, you’ll want to leave all of them selected. Then, click Confirm restore.

The restore process will start automatically. You can keep track of it using the progress bar that appears, but you’ll also receive an email when it’s done.

The second method is to restore to a specific day. To do this, navigate to https://cloud.jetpack.com and click Backups. You’ll immediately see the most recent backup of your site, but you can also use the arrows to scroll through other options. You can also choose Select Date to find a specific day.

Once you’ve chosen a day and time, click Restore to this point. Then, you’ll need to choose what elements you want to restore and wait for the process to finish.

And that’s it! No messing with server settings, dealing with your database, or editing code. 

Step 2: Retrace your last steps

But what if you don’t have a backup on hand that you can restore? At this point, you’ll need to identify the cause of your WordPress crash to get your website back up and running. You may also need to do this if you restored a backup and aren’t exactly sure what caused the problem.  After all, you don’t want your site to just crash again! 

This can also help you identify the point in time you want to restore your site to. In that case, you may want to take this step before the first one.

It’s best to start with any recent changes you made and work your way back. For instance, have you installed a new plugin? Have you updated your theme? Did you edit your site’s code? Write down everything you can remember.

Then, work your way through the list and revert any changes that you can. You might roll back WordPress, your theme, or a specific plugin to a previous version. Or you may replace the file that you edited with a fresh copy. You can do this through File Manager or FTP if you can’t access your WordPress dashboard. We’ll explain how to do this in the next section. 

But this is where the WordPress Activity Log can be your best friend! There, you can get a list of all the actions that occurred on your site, along with who performed each one and when it occurred. So, if you know that your website went down at 3:05 PM, you can see what happened immediately beforehand. This can also alert you to any nefarious activity taken by an unauthorized user.

Step 3: Deactivate or delete plugins

If you think a plugin may have caused your WordPress crash, but aren’t sure which one, it’s best to deactivate all your plugins at once. You can do this from your WordPress dashboard as long as you still have access. 

Simply head to Plugins → Installed Plugins. Check the box next to “Plugin” to select all of the plugins at once. Then, in the Bulk actions dropdown, choose Deactivate.

If this fixes the problem you’re having with your site, then you know the root cause is a plugin. Reactivate them one by one until you identify the culprit. Now you can delete that plugin, find a replacement, roll back to a previous version, or reach out to the developer for support.

But if you can’t access your WordPress admin area, you’ll have to revert the changes through the File Manager or by using FTP. No matter which one you choose, navigate to the root folder of your website, typically called public_html.

Now, go to wp-content → plugins. Rename this folder to whatever you’d like — e.g. plugins.bak — to deactivate all of your plugins at once. Again, if this solves the problem, then you know it was caused by a plugin.

Rename the folder to its original state. Then, deactivate each plugin one by one by renaming it until you find the culprit. Again, your next step is to delete the plugin, find a replacement, roll back to a previous version, or reach out to the developer for support.

Step 4: Switch to a default theme

It’s possible that a theme update might conflict with WordPress core, or that there was a problem with your theme code in general. You can determine this by switching to a default theme, like Twenty Twenty-Two.

If you can access your WordPress dashboard, go to Appearance → Themes.

Find a default WordPress theme like Twenty Twenty-Two and hit Activate. If this solves the problem, then you may need to roll back your original theme, switch to a new theme, or reach out to the theme developer for help.

If you can’t log in to your WordPress dashboard, you’ll need to use either your host’s file manager or FTP to access your site files. Again, you’ll need to locate your wp-content folder. 

Open the themes folder inside of it. Rename the directory for your current, active theme. This will force WordPress to activate a default theme instead. If this fixes your problem, then you can attribute it to your theme!

Pro tip: You can take care of steps 3 and 4 all at once using the Health Check & Troubleshooting plugin. This tool even enables you to troubleshoot in the backend while your site remains live and visible online! 

Step 5: Install a fresh version of WordPress

Since a wrong line of code or a missing file can cause WordPress to crash, uploading fresh WordPress core files can potentially fix the problem. Start by downloading a new WordPress version. 

Open up the zip file on your computer and remove the wp-content folder and wp-config.php file. It’s critical that you don’t replace these because they contain settings, plugins, themes, and other valuable data that’s specific to your website. As always, it’s also important that you have a backup on hand before you make major changes.

Now, connect to your site via FTP and replace the rest of the WordPress files. Once that process is finished, load your site and see if it’s working. If it is, great job! The problem is solved.

What to do if WordPress keeps crashing

You should now have a good idea of how to recover your site after a crash. If WordPress keeps crashing, here are some things to consider:

Ensure regular backups are in place

An easy-to-use WordPress backup and restoration system is the single best tool you can have on your side if your site’s experiencing issues. While it won’t solve the root cause of crashes (unless the issues can be solved by restoring a clean backup), it will make it easier to keep your site running and troubleshoot issues until there’s a fix. 

Automated solutions like Jetpack VaultPress Backup are ideal in this situation, because even an experienced, careful developer can make mistakes when taking or restoring backups manually. 

Some backup plugins offer weekly or daily backups. But if you’re experiencing frequent issues or just have lots of regular activity on your site (comments, sales, new posts, etc.), you’ll want to look for a real-time solution. This is once again where Jetpack VaultPress Backup shines — it saves every change on your site and keeps a detailed WordPress activity log so that you can restore to a specific point in time and never lose your work. 

Backups are also an essential part of good WordPress site security — they allow you a way to recover from hacks and safeguard your files. But to make the most of this, backups should be stored off-site, on another server than where your site is hosted. This way, if the server is compromised, you can still access your backups and recover a clean version of your site. Jetpack VaultPress Backup stores files on a secure infrastructure used by WordPress.com and WordPress VIP clients. In other words, it’s fast, reliable, and secure. 

Finally, backups are great, but if you can’t easily restore one, it’s not a complete solution. Make sure you test the restoration process of your chosen backup system. Jetpack VaultPress Backup can restore your site (even if it’s completely down), in just a click or two. 

Update software in a staging environment

It’s important to update WordPress core, along with your themes and plugins, whenever new versions are available. These updates often include patches for security issues, and also ensure compatibility with other pieces of software on your site.

But the best and safest way to do this is using a staging environment. This is essentially a copy of your site that isn’t publicly accessible to your audience. You can test updates, code changes, and more without affecting your live site. Then, you can easily push those changes live when you know they’re safe.

Some hosting providers, like Bluehost, offer staging as part of their plans. But if your host doesn’t do this, you can always use a plugin like WP Staging. 

Restrict user privileges

Be selective when it comes to granting access to your WordPress site, especially with user roles that allow people to make major changes. For example, Administrators have full permissions, and can do absolutely anything on your site. In general, it’s best to have just one administrator — you! — but if you decide to have more, make sure they’re trusted and experienced.

After all, if someone has full access to your website, they can use it for nefarious purposes, perform actions you don’t want them to, and even take down the site entirely. 

So take some time to understand the permissions that come with each type of WordPress user role. Then, only assign the minimum necessary permissions required for each person to do their job. And if they stop working with you, remove their account.

You can edit user privileges in WordPress by going to Users → All Users.

Here, you can add new users, edit existing users, and change user roles by clicking on each individual account.

Check your browser and computer

If your site keeps going down just for you, it’s possible that there’s a problem with your computer or browser. In this case, your first step should be deleting your browser cache. This will ensure that you’re seeing the latest version of your site.

The instructions for this will depend on the browser you’re using. But let’s take a look at how to do this in Google Chrome.

In your browser, click on History → Show Full History. Then, choose Clear Browsing Data in the left-hand menu. Check the box next to Cached images and files, and click the Clear data button.

If you’re still having problems, you may also need to update the version of your browser you have installed. Again, check with your specific provider for instructions.

Talk to your hosting provider

If your site regularly goes down, it’s worth seeking your host’s help. It’s possible that the cause could be a misconfigured server, lack of resources, or outdated software version (like PHP). They can help you identify and solve these types of problems.

You may need to upgrade your plan if you’re using more resources than are allotted to your site or even switch hosting providers entirely. See our list of recommended WordPress hosts for guidance.

Use an activity log

We’ve talked about an activity log a few times throughout this post, and that’s because it’s incredibly helpful when it comes to identifying problems. With a good WordPress activity log, you can see what happens right before your site goes down each time.

For example, perhaps you have WordPress auto-updates enabled, and your website crashes each time a specific plugin updates. This is a sign that you’ll need to switch plugins, turn off auto-updates for that specific tool, or reach out to its developer.

Or maybe you start to notice activity that you didn’t authorize. Then, there could have been a security breach on your site that you’ll need to lock down.

Jetpack’s activity log is the best option for WordPress because it integrates so seamlessly. It shows you all the information you need to know, including each action taken, its date and time, and the user who performed it. It also works with Jetpack VaultPress Backup, so you can restore a backup from right before a certain action took place.

Recover and restore WordPress after a crash

When working on your WordPress website, small mistakes can cause a crash. Fortunately, there are plenty of quick ways to recover. By identifying the cause of the issue, you can get your site back up and running in no time.

To recap, here are five steps to recover and restore your WordPress site after a crash:

1. Restore a backup of your site using a plugin like Jetpack VaultPress Backup.
2. Retrace your last steps.
3. Deactivate plugins. 
4. Switch to a default theme.
5. Install a fresh version of WordPress.

With Jetpack VaultPress Backup, you don’t need to worry about website crashes since it’s easy to restore your site quickly. Better yet, you can back up all your site files, including customer data and database files in real-time. Get started with Jetpack today!

Your WordPress website is the product of countless hours of hard work, so it’s important to keep it secure. One essential part of your security setup should be a robust and reliable malware scanner. An effective WordPress malware plugin will help you quickly identify any malicious software that makes its way onto your WordPress website, and provide guidance on removing it. 

But, with lots of different WordPress malware scanner plugins available, it may be a challenge to determine which one is right for you. To help, we’ve reviewed six of the most popular options and set out some key things to consider when deciding on the best WordPress malware scanner for your website. 

A review of the best malware removal plugins for WordPress

1. Jetpack Protect

Jetpack Protect is an impressive, free WordPress malware scanning plugin that helps you keep your site secure and clean. It enables you to stay one step ahead of security threats by automatically scanning your site against over 37,000 types of malware — and you can activate its powerful protection with just one click! 

New malware is constantly being developed, but WordPress security experts update Jetpack Protect’s malware database as soon as new information becomes available — defending against the latest attacks and vulnerabilities. Jetpack Protect also alerts you to any security vulnerabilities within your plugins or themes, so you can take steps to secure your site. 

The plugin will notify you if it finds any malware or other security vulnerabilities within your website, and its powerful technology can scan your entire site, including plugins and themes. If it detects an issue, it will provide straightforward guidance to help you secure your site and remove any malware. Jetpack Protect uses clever decentralized scanning technology, which enables it to scan your site using Jetpack’s servers. This means that its daily scans can detect even the most complex malware without slowing down your site. 

Jetpack Protect is made by Automattic, the team behind WordPress.com, so it seamlessly integrates with your WordPress site. Automattic is also behind WPScan, allowing Jetpack Protect to scan against the same malware database used by some of the world’s leading brands, making Jetpack Protect one of the best WordPress malware plugins available.

Key features of Jetpack Protect:

• Powerful malware scanning against over 37,000 malware types 
• Automatic scans of your plugins and themes for known vulnerabilities
• A simple one-click setup
• Daily scans that help keep your site secure 
• Regular updates to the malware database by a team of dedicated WordPress security experts
• Recommended actions if a security issue or malware is identified

Pros of Jetpack Protect:

• As the daily malware scans use Jetpack’s servers, Jetpack Protect can scan your site without slowing it down.
• You can start protecting your site with just one click. It will automatically scan your site daily and notify you of any issues through your dashboard.
• Jetpack Protect uses the same malware database as WPScan, which is constantly updated by experienced WordPress security experts as soon as new malware or security issues are discovered.

Cons of Jetpack Protect:

• While the plugin offers advice on how to resolve any security issues, it doesn’t provide automatic malware removal. However, one-click fixes for most types of known malware, alongside real-time email alerts, are available through an upgrade to Jetpack Scan. You can switch within the plugin for only $9 a month.

Ease of use:

It only takes one click to activate Jetpack Protect’s advanced malware scanning. The plugin then protects your site automatically in the background, meaning you don’t have to remember to run scans. There’s detailed documentation available, and if you need support, you can access Jetpack’s team of WordPress Happiness Engineers.

Pricing:

Jetpack Protect is available for free from the WordPress plugin directory. 

2. Sucuri

Sucuri is a popular name in website security, and they offer a free WordPress plugin alongside premium services, such as a web application firewall and malware removal. Sucuri’s plugin scans your WordPress site and looks for any changes in the WordPress core files, and it also gives you access to Sucuri’s SiteCheck remote malware scanner.

Key features of Sucuri:

• File integrity scanning 
• Security event logs 
• Remote malware scanning 
• Email notifications of any issues 
• Blocklist monitoring
• A web application firewall (premium)

Pros of Sucuri:

• Sucuri provides an activity log of key events on your site, which you can use to help identify the cause of a hack or malware infection. 
• Sucuri’s premium plans include unlimited malware removal by a security expert.

Cons of Sucuri:

• Sucuri may not be able to spot all malware on your site. This is because the plugin’s malware scanners run remotely, so it can only check for malware in the source code of the public-facing pages on your site. Sucuri says that their WordPress malware scanner isn’t 100% accurate, as malware could be inserted into plugin files or other admin areas and, therefore, wouldn’t show up on your site’s front end.
• In the free version of the plugin, Sucuri only provides general advice for securing your site after a malware infection. It encourages you to subscribe to its premium services to remove malware. 
• Sucuri provides security services that can be used on any website, which means its malware scans are not tailored to WordPress. 
• Sucuri has features that can block Jetpack’s connection to your site. If you use this plugin, be sure to allow our IP addresses access to your site’s xmlrpc.php file.

Ease of use:

Sucuri is easy to install and allows you to schedule website scans. Sucuri offers support for the plugin through the plugin’s support forum.

Pricing:

The plugin is free of charge. Premium subscriptions start at $199 a year and include a web application firewall and unlimited malware removal. 

3. MalCare

MalCare is a WordPress malware scanning and removal plugin developed by a team of WordPress security experts. The plugin includes automatic malware scanning and a web application firewall to help prevent hackers from accessing your site. The premium version of the plugin offers automatic malware removal. 

Key features of MalCare:

• A malware scanner, which automatically scans your site daily
• A WordPress firewall
• Vulnerability detection
• Automated malware cleaning (premium)

Pros of MalCare:

• MalCare scans your entire site for malware daily. 
• MalCare temporarily and securely copies your files to its servers to conduct the malware scan, meaning that scans won’t slow down your site. 
• MalCare’s free version includes a web application firewall, which can help protect your site against hackers and brute force attacks. 
• MalCare will alert you by email if a plugin you’ve installed has a known security vulnerability, so you can take action to secure your site. 

Cons of MalCare:

• The free version of the plugin only tells you if your site is infected with malware, not where it is. You must upgrade to a premium plan to locate and remove the malware.
• Malcare can also block Jetpack from making requests to your site’s xmlrpc.php file, which is necessary for Jetpack’s connection to work. Make sure you allow our IP addresses to keep the connection working properly. 

Ease of use:

MalCare is easy to install and configure, and its automatic scans mean you don’t need to remember to scan your site. MalCare offers support for all users via email, alongside live chat support for premium users. 

Pricing:

MalCare offers a free plugin, which you can download from the WordPress plugin directory. Premium plans, which include malware removal, start at $69 a year. 

4. Wordfence

Wordfence is a popular WordPress security plugin that includes a malware scanner and a web application firewall that identifies and blocks malicious traffic. The plugin’s WordPress malware scanner automatically scans your whole site, including code injections, malicious redirects and backdoors. The plugin will also check the integrity of your core files, themes, and plugins against the official versions from the WordPress.org repository, then report any changes to you.

If Wordfence detects malware, it can help you replace any damaged core WordPress files with the official version and delete any files that have been added. Full malware removal is included at some of the higher, premium subscription levels.

Key features of Wordfence:

• An automated malware scanner
• Basic repair and deletion settings for removing simple malware
• A web application firewall, which helps prevent brute force attacks
• Two-factor authentication and login protection
• Access logs and real-time traffic monitoring
• Manual malware removal by a WordPress expert (premium)

Pros of Wordfence:

• Wordfence automatically scans your site and sends you daily emails if it notices any issues. 
• Alongside malware scanning, Wordfence includes additional features to help keep your WordPress site secure, including a firewall, access logs, and two-factor authentication. 

Cons of Wordfence:

• The free version of Wordfence only provides malware database updates every 30 days. Unfortunately, this means that the newest malware might not be detected. 
• Wordfence conducts its scans on your server, meaning it can have an effect on your site’s performance.
• The malware removal tools in the free version are limited to deleting and replacing files, which isn’t sufficient to remove more complex malware infections.
• Wordfence also has features to block access to the xmlrpc.php file. Wordfence uses CIDR notation to allow IP addresses access. You can learn more about how to allow those in our support article.

Ease of use:

Wordfence requires configuration to ensure that it fully protects your site. The daily alert emails sent by Wordfence sometimes flag legitimate changes as a concern, which can cause confusion for those unfamiliar with WordPress. Wordfence has comprehensive documentation and a learning center. Free users can access support through the plugin’s support forum while premium subscribers also have access to support via email.

Pricing:

Wordfence offers a free plugin that includes malware scanning and a firewall. Wordfence Premium costs $99 a year and includes daily malware database updates. Wordfence Care costs $499 a year, which includes installation and optimization of the plugin as well malware removal by a WordPress security expert. 

5. SecuPress

SecuPress is a WordPress security plugin that helps you analyze the security of your site. The plugin will give you a security grade and a list of recommended changes to help make your site safer, many of which it can take care of for you. In addition, the plugin’s premium version offers automatic malware scanning with daily malware database updates. 

Key features of SecuPress:

• Security audits that identify and automatically fix common security issues
• Brute force login protection
• A web application firewall
• Login protection
• Protection for your website security keys
• Malware scanning (premium)

Pros of SecuPress:

• It scans 35 different elements that could negatively impact the security of your site, and enables you to fix them in one click.
• SecuPress offers a wide range of security features in addition to malware scanning.

Cons of SecuPress:

• Malware scanning is not available in the free version, which is restricted to scanning for security vulnerabilities only.
• Automatic security scanning is not available in the free version of the plugin, meaning you must remember to run a scan. 
• Free security scans are limited to one per week. 
• SecuPress also blocks the xmlrpc.php file. Be sure to make sure Jetpack’s IP addresses are still allowed to access it, so that the Jetpack connection keeps working.

Ease of use:

The plugin is easy to install and set up. However, the security scan must be manually run in the free version of the plugin. Comprehensive documentation is provided, alongside email support for the premium plugin. 

Pricing:

A limited, free version of the plugin is available, but to enable malware scanning, you need to use SecuPress Premium, which starts at $69.99 a year. 

6. Titan Anti-Spam and Security

Titan Anti-Spam and Security is a security and malware scanner for WordPress that was created by a team of developers called Creativemotion. The plugin combines malware scanning with anti-spam protection. The free version includes automated malware checking against 1,000 kinds of malware and other security features, including file integrity scanning and brute force login protection. 

Key features of Titan Anti-Spam and Security:

• Malware scanning against 1,000 types of malware for free users
• Malware scanning against 6,000 types of malware for premium users
• File integrity scanning
• Anti-spam tools
• Brute force login prevention
• Additional security features, including a full firewall and advanced anti-spam tools (premium)

Pros of Titan Anti-Spam and Security:

• Titan Anti-Spam and Security combines anti-spam with basic malware scanning. 

Cons of Titan Anti-spam and Security:

• The free version of the plugin can’t detect all malware, as it only checks your site against a small library of 1,000 types of malware.
• The plugin runs its scans on your servers, so your site may slow down when a scan is running.
• The premium version unlocks malware scanning against 6,000 types of malware, which is still considerably less than some of the other plugins in this list, such as Jetpack Protect. 
• This tool conflicts with major plugins like Jetpack, which can hamper your ability to maximize site performance in other areas. 

Ease of use:

Several steps are required to set up this plugin, and it includes an intuitive wizard that helps you configure the plugin, so it works well on your site. The developer offers a support forum for all users, and email support for premium subscribers. 

Pricing:

The free version includes limited malware scanning against just 1,000 types of malware. Premium subscriptions start at $55 a year and unlock additional features, including malware scanning against 6,000 types of malware.

A comparison of the top malware removal plugins on WordPress

	Jetpack Protect	Sucuri	MalCare	Wordfence	SecuPress	Titan Anti-spam and Security
Made specifically for WordPress	Yes	No	Yes	Yes	Yes	Yes
Number of malware definitions your site is checked against.	Over 37,000	Not stated	Not stated	Over 44,000	Not stated	1,000 in free version. 6,000 in premium version.
Automated scans	Yes	Yes — site integrity only	Yes	Yes	No	Yes
Scans full site including admin files	Yes	No — scans public facing files only	Yes	Yes	Yes	Yes
Can scans impact website performance?	No	No	No	Yes	Yes	Yes
Frequency of malware definition updates	Daily	Daily	Daily	Every 30 days (free version) Daily (pro version)	Not stated	Not stated
Malware removal	No (Jetpack Scan can remove malware for only $8 a month)	Only in premium version.	Only in premium version.	Basic removal through deletion and re-instating files only.	Additional charge of $99 per removal on all plans.	No
Any limitations in the free version?	No — free version is fully featured.	Yes. Only general advice on removing malware is provided.	Yes. Information is not provided on where any malware found is located.	Yes. Malware definitions only updated every 30 days.	Yes. Malware scanning only available on premium plans.	Yes. Your site is only checked against a limited number of definitions.
Price	Free with no limitations.	Limited free version. Premium plans start at $199/year.	Limited free version. Premium plans start at $69/year.	Limited free version. Premium plans start at $99/year.	Malware scanning is available on premium plans that start at $69.99/year.	Limited free version. Premium plans start at $55/year.

What’s the best WordPress malware removal plugin?

The best WordPress malware removal plugin will depend on several factors, including your experience with WordPress and if you need other security features in addition to malware scanning. 

But it’s clear from the comparison table above that Jetpack Protect is the best malware removal plugin for WordPress. Jetpack Protect is free and offers advanced malware scanning that doesn’t slow down your site. It’s simple to set up and works automatically to scan your website for malware against a comprehensive database that’s constantly updated by Automattic’s WordPress security experts. 

And since it’s made by the people behind WordPress.com, it seamlessly integrates into your site. Jetpack Protect also works perfectly alongside the security features included in the Jetpack plugin and Jetpack’s other security packages, including Jetpack Security and Jetpack Scan.

Factors to consider when choosing the best malware removal plugin

How much does it cost?

It’s important to consider how much a WordPress malware plugin costs and if it provides enough value for its price. Some free malware plugins, including Jetpack Protect, offer robust malware protection at no cost. Jetpack Protect checks for malware against an extensive database that’s larger than many of those used by some paid plugins. 

Was it built for WordPress, specifically?

Some WordPress malware scanning plugins, such as Sucuri, use malware scanning technology that works on all websites, which means it hasn’t been developed specifically with the needs of WordPress in mind. 

However, Jetpack Protect is an excellent malware scanning plugin built by Automattic — the team behind WordPress.com and WooCommerce. This means Jetpack Protect was built specifically for WordPress and that its malware database is updated by WordPress security experts as soon as new information becomes available.

Does it provide any additional security features?

It’s important to consider if the WordPress malware plugin includes any additional security features, such as a firewall or anti-spam protection. And if it does, how robust are the features? You may find that using a dedicated malware scanner, such as Jetpack Protect, provides the highest level of malware protection for free, and works seamlessly with other security tools, including Akismet Anti-Spam, Jetpack, and Jetpack Security. 

Is it easy to use?

You should consider how easy the WordPress malware scanning plugin is to use. Some plugins, such as Jetpack Protect, are designed to be simple to use and can be set up with just one click. Then, it automatically scans your site for malware each day. 

You should also think about how easy it is to interpret the malware scan results. For example, some plugins will only tell you that you have malware, not where it is or how to remove it. But others, including Jetpack Protect, will give you recommended fixes to banish the malware from your site. 

Can it scan your entire WordPress site?

Some WordPress malware scanners can only check the public-facing pages of your website for malware. This means that they cannot check your entire site for malware.

Site-level malware scanners, such as Jetpack Protect, offer greater protection as they can scan your entire WordPress installation, including plugins, themes, and media files. But, if this detailed scanning happens on your server, it can temporarily slow down your website, so it’s important to check where the scan takes place. 

Some WordPress malware plugins like Jetpack Protect can offer site-level scanning without impacting performance by using external servers to conduct the scan. 

How robust is its malware database?

A malware scanner is only as good as its malware database. Some plugins use a relatively small database or only update it every 30 days, which means they may not be able to identify the latest malware. Other plugins have a much more extensive database, which is updated daily. 

Jetpack Protect utilizes the same database as the industry-leading WPScan, which is trusted by some of the globe’s largest brands to keep their site secure. Its database is updated by a dedicated team of WordPress security experts as soon as new malware or vulnerabilities are discovered. This means that Jetpack Protect can detect the newest malware and give you clear recommendations on how to deal with any infections. 

Frequently asked questions about WordPress malware removal

What is malware on WordPress?

Malware is short for “malicious software” and it’s a general term for harmful software. Once malware is installed on your WordPress site, hackers can use it to damage it, take it offline, steal data, or gain access without consent. 

It’s essential to ensure you regularly scan your site for malware using a free WordPress malware scanner plugin like Jetpack Protect.

How do I know if I have malware on my WordPress site?

If your site becomes infected with malware, you’ll often notice that it starts behaving strangely. Some signs of malware infection include:

• A decrease in speed or performance
• A security warning when visitors try to access your site 
• Changes to your site content or new, malicious links 
• Problems logging into your site
• Odd behaviors, such as lots of popups 

It’s important to take action as soon as you know your site has a malware infection. But not every malware infection is easy to spot, and the only way to know for sure if you have malware on your site is to scan it using a WordPress malware plugin like Jetpack Protect. Regular scans will help ensure you spot malware as soon as possible and receive helpful guidance on how to resolve any issues and get your site back to normal. 

What makes a good WordPress malware removal plugin?

A good malware removal plugin should be easy to use and scan for malware daily without you having to do anything. It should have an extensive malware database that’s updated as soon as a new piece of malware or security vulnerability is discovered. The plugin should also scan your site in a way that doesn’t impact your speed, and be able to scan the entirety of your site, including themes, plugins, and media files. 

A good WordPress malware removal plugin should then give you clear information about the location of any malware it finds, along with easy-to-follow guidance about how to remove it. Jetpack Protect is one of the best malware plugins for WordPress as it offers all of these features for free. 

How much does a malware scanning plugin cost on WordPress?

WordPress malware scanners can be either paid or free, but the top plugin in our review, Jetpack Protect, is free. It was developed by Automattic, the team behind WordPress.com, and is perfect for WordPress site owners who want to have the most robust and reliable malware protection available, including automatic scanning and recommended fixes. 

Is it easy to set up a malware scanning plugin on WordPress?

This depends on the plugin. Some require you to make several changes to your website and to manually interpret scan results. But the top plugin in our review, Jetpack Protect, can be set up in just one click and doesn’t need any complicated configurations. Jetpack Protect also clearly tells you if it’s found malware and gives you recommended fixes, so you can get your site back to normal.