There’s a lot of work that goes into building and maintaining an online store. Therefore, it’s important to make sure that you know how to back up your WooCommerce store to avoid losing critical data, like your orders, products, and database.
The good news is that there are multiple solutions you can use for backing up WooCommerce. The best option will depend on a handful of factors, like whether you want to use a plugin and the type of backups you want to create.
In this post, we’ll discuss the importance of backing up your WooCommerce store and how often you should do it. Then, we’ll walk you through the methods you can use to back up your store and restore it. Finally, we’ll answer some common questions about this process.
Why back up your WooCommerce store?
There are a number of reasons why you should regularly back up your WooCommerce store. For starters, it will help you protect your data in case of a technical issue or human error.
If you’re updating your site, installing a new plugin, or making any other changes to your content, there’s a chance that something will go wrong. If it does, it’s important that you have a current version to restore.
The same is true for cyber attacks. You’ll want to have a safe copy of your website to roll back to in the event that a hacker infiltrates and infects your site with malicious code or malware.
Another reason to back up your store is to keep a record of your data. This can be useful for auditing purposes, or if you need to reference past orders when dealing with queries and complaints.
In summary, backups help ensure that you can always access your data, even if your WooCommerce site goes down and you’re unable to log in. Hosting issues, cyberattacks, and unexpected outages are all things that can cause downtime.
How often should I back up WooCommerce?
How frequently you back up a WordPress site depends on how often you add or change data. Static or small websites may only require backups periodically — daily is a good option.
But WooCommerce sites are a different story. Not only is there usually a lot more activity, it’s all the more important to protect data like orders and customer submissions. You don’t want to lose a single one.
For this reason, WooCommerce stores shouldn’t really settle for anything less than real-time backups, which save a new copy every single time an order is placed, a product is updated, or anything else happens on the site.
You can manually back up a WordPress site at regular intervals. It’s not the most efficient process, but it does allow you to avoid using a plugin. For real-time backups, though, you’ll want to use a tool like Jetpack Backup.
Jetpack continuously monitors your WooCommerce store for changes. Whenever you update your content, a snapshot of this change will be safely stored. These happen automatically, so you never have to remember to take a backup. And if you ever need to restore a copy, you can do so in just a few clicks — no code or server edits required!
What should I include in a WooCommerce backup?
When it comes to creating a WooCommerce backup, there are two main areas you’ll need to consider: your database and your files. The database contains all of your critical data — if you lose this, you’ll lose your entire store.
Your WooCommerce database contains:
Products
Customers
Orders
Tax information
Meanwhile, your files contain all of your media. If you lose these files, you’ll lose all of your product images and videos.
Another important area is your settings, which include your shipping methods and payment gateways. Your store’s settings will typically be included in your database and files, so you won’t need to create a separate backup for them.
How to back up your WooCommerce database
There are several methods that you can use to back up your WooCommerce database. The best solution will depend on a handful of factors, like your experience level and the type of hosting plan you use. Let’s take a close look at each option.
1. Back up WooCommerce in real-time with a plugin
The quickest and easiest method for backing up your WooCommerce database is to use a plugin like Jetpack Backup, which includes:
Automated real-time backups
10GB of storage space (1TB option also available)
One-click restores
A 30-day backup archive
Easy setup
Off-site storage
Once installed and activated on your website, you can access the tool by navigating to Jetpack → Backup from your WordPress admin area.
Here, you can manage all of your backups. You can also restore your site to any past state while keeping your customer data and orders current.
2. Back up WooCommerce using your web host
If you don’t want to install a plugin on your website, you can back up WooCommerce through your web host. The options that are available to you will depend on your hosting plan.
Many providers offer backups as part of their packages, while others make them available as a premium add-on. It’s best to check with your web host to see which options are included with your plan and upgrade your service if necessary.
The actual steps involved in backing up your WooCommerce store will depend on your host, but the process will be similar. You can start by logging into your hosting control panel.
If your web host uses cPanel, navigate to the Files section and select the Backup application.
On the next screen, you’ll see some backup options:
If you want to back up your entire site, select the Download a Full Account Backup button. Note that you might want to save it to your local device, as some providers will automatically delete backups after 48 hours.
Alternatively, you can scroll down to the Download a MySQL Database Backup section.
Here, you can locate your WooCommerce database from the list. Then, select the link to begin the download process. The backup will be stored as an .sql file on your computer.
If your hosting provider doesn’t use cPanel, you may still have options for backing up your WooCommerce database. Let’s use SiteGround as an example.
To get started, log into your account and navigate to Websites. Next to your domain name, select Site Tools. Then, go to Security → Backups.
After naming your backup, click on the Create button. Once your backup is complete, you can view it from the Manage Backups log located on the same page.
Keep in mind that, by choosing this option, you’re relying completely on your host. It’s very possible that something goes wrong and your backups aren’t stored or completed correctly. Hosting providers typically only back up your site on a daily or weekly basis, and only store backups for a certain period of time. If something goes wrong, this could mean that you don’t have what you need to get back up and running.
And, if your store goes down because of a hosting issue, you don’t have an alternative option for accessing and restoring your backups.
3. Back up WooCommerce manually
A third option for creating a WooCommerce backup is to use the manual approach. This method can be a little tedious and time-consuming. As such, we only recommend it as a last resort.
You’ll need to back up your WooCommerce files and database separately. You can do this using a cPanel File Manager or File Transfer Protocol (FTP) client, and phpMyAdmin.
In the following tutorial, we’ll cover FTP and phpMyAdmin, since we’ve already discussed how to back up your site via cPanel.
Backing up WooCommerce files via FTP
To get started, you’ll need to download an FTP client like FileZilla.
Once you launch the FTP client, log in to connect to your site. You can find your FTP credentials in your web hosting account. You’ll need your hostname, username, password, and port number.
After you successfully connect to your site, navigate to the public_html folder, right-click on it, and select Download.
You can store and save your files as a ZIP folder on your device. The next step is to back up your database.
Backing up your WooCommerce database
You can use phpMyAdmin to manually back up your WooCommerce database. To get started, log into your hosting account and navigate to phpMyAdmin under Databases.
On the next page, you can find a list of databases. Choose your database, then select all of the tables and click on the Export tab.
Next, you’ll need to choose a backup format. You can keep it as the default SQL.
When you’re done, click on the Go button to download the database. Then, you can move the database backup to the folder that contains the site files you downloaded earlier.
Beyond the time required, manual backups run the risk of human error. If you find yourself needing to restore a backup, the last thing you want is to realize that your backup is faulty. Plus, manual backups mean you may not have a copy of the most recent site changes or store orders. It’s for these reasons that we generally don’t recommend relying on manual backups.
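The manual files-plus-database backup described above, as an added shell example (not Jetpack, WooCommerce or cPanel code): it reads the database credentials out of wp-config.php, dumps the database with mysqldump, archives the site directory, and writes checksums so that a faulty backup is noticed before you need it. Assumed: mysqldump, tar, gzip and sha256sum are on PATH, and the site path and backup destination are passed on the command line.

```shell
#!/bin/sh
# Added example (not Jetpack, WooCommerce or cPanel code): the manual
# "files + database" WooCommerce backup, done from a shell on the server,
# with a checksum so a faulty backup is caught before a restore.
# Hypothetical assumptions: mysqldump, tar, gzip and sha256sum are on PATH
# and wp-config.php uses the standard define( 'DB_NAME', '...' ) form.
set -eu

# Read one define('KEY', 'value') constant out of wp-config.php.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Dump the database and archive the site files into a timestamped directory.
# The dump is written to a file first (not piped) so that 'set -e' stops on
# a failed mysqldump instead of silently leaving an empty, useless archive.
backup_site() {
  site_dir="$1"; dest="$2"
  cfg="$site_dir/wp-config.php"
  out="$dest/wc-backup-$(date -u +%Y%m%dT%H%M%SZ)"
  mkdir -p "$out"
  chmod 700 "$out"                      # the dump holds customer and order data
  db_host="$(wp_config_value "$cfg" DB_HOST)"
  # --single-transaction reads a consistent snapshot of InnoDB tables
  # without locking the store while orders keep coming in.
  MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
    mysqldump --single-transaction --quick --routines --triggers \
      -h "${db_host%%:*}" -u "$(wp_config_value "$cfg" DB_USER)" \
      "$(wp_config_value "$cfg" DB_NAME)" > "$out/database.sql"
  gzip "$out/database.sql"
  # Archive the whole site directory (wp-content holds uploads, themes, plugins).
  tar -czf "$out/files.tar.gz" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
  ( cd "$out" && sha256sum database.sql.gz files.tar.gz > SHA256SUMS )
  echo "$out"
}

# Re-check a backup directory: checksums intact, dump decompresses, and the
# archive actually contains wp-config.php (the file most often left out).
verify_backup() {
  ( cd "$1" && sha256sum -c --quiet SHA256SUMS ) || return 1
  gzip -t "$1/database.sql.gz" || return 1
  tar -tzf "$1/files.tar.gz" | grep -q '/wp-config.php$' || return 1
}

# Usage: sh wc-backup.sh /var/www/html /backups
if [ "$#" -eq 2 ]; then
  dir="$(backup_site "$1" "$2")"
  verify_backup "$dir" && echo "backup verified: $dir"
fi
```

Run verify_backup again on the copy you moved off-site, since a transfer error is just as fatal as a bad dump.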
How to restore your WooCommerce backup
Regardless of the method that you used to create your WooCommerce backup, you should be able to restore it in a few simple steps. The best option will depend on the solution you used to back it up.
Let’s take a look at how to restore your WooCommerce backup based on the three main methods we’ve discussed in the last section.
1. Restore a backup with one click using Jetpack
If you have Jetpack Backup installed and activated on your site, you can restore your WooCommerce backup in just one click. The great thing about using Jetpack Backup is that all of your orders will be saved — regardless of the point you restore to. There are two main options to choose from.
The first is to restore it to a particular event. To do this, navigate to your WordPress.com account (which you can do even if your site is down!) and go to your Activity Log. On this screen, you can use the filters to search by date or activity type.
Once you find the event you’re looking for, you can select the Actions button next to it, followed by Restore to this point.
This will open the Restore Site panel. Here, you can select any items you don’t want to restore. If you want to retrieve all of the content, you can simply click on Confirm Restore.
A progress bar will appear, showing you the current status of the process. Once the restoration is complete, you’ll receive a notification via email.
The second option is to restore your site to a specific day. In the WordPress dashboard navigate to Jetpack → Backup.
Here, you’ll see the latest backup of your site. To choose a particular day, you’ll need to click on Select Date from the calendar at the top of the page.
Once you find your preferred date, you can select Restore to this point.
On the next screen, leave the selected options as-is. If you want to exclude certain items, you can uncheck the accompanying boxes. When you’re done, click on the Confirm restore button.
Once again, a progress bar will appear. When the process is complete, you’ll see a confirmation message.
2. Restore a backup from your web host
If you backed up your site via your web host, you can usually restore it in the same way. If your provider uses cPanel, log into your site and navigate to Files → Backup.
This is the same page you used to back up your site, but this time you’ll need to click on the Choose File button under Restore a MySQL Database Backup.
Select the .sql file that you downloaded as your backup, and click on the Upload button to restore it.
Once the process is complete, you should see a message informing you that the database was successfully restored.
3. Restore a manual backup of your store
As we mentioned earlier, you can use the Backup application in cPanel (if your hosting provider offers it) to restore your content. Since this is not always an option, we’ll show you how to manually restore your store using FTP and phpMyAdmin.
Let’s start by restoring your WooCommerce files. Connect to your server via FTP, using the credentials offered by your hosting provider.
Once you’re connected to your server, the remote site panel will display your site directory. Navigate to your public_html folder, then drag and drop the files from the local site panel to your remote site panel.
If you stored your files in a ZIP folder when backing them up, you’ll need to extract them before restoring them. This can take some time, depending on the size of your WooCommerce store.
Next, you can manually restore your database using phpMyAdmin. To get started, log into your hosting cPanel account, then navigate to phpMyAdmin from the Database section.
From the list on the left, select your database, then the Import tab.
On the next screen, you’ll need to click on the Choose File button and select the file that you backed up from your local device or server. Next, make sure that the format is the same as the backup you downloaded (SQL by default).
When you’re done, click on the Go button. As with the files, this restoration process can take some time.
Tips and best practices for creating WooCommerce backups
Creating backups in WooCommerce is fairly straightforward. To ensure that the process goes as smoothly as possible, there are some tips and best practices that you can use.
The first is to create a backup schedule that suits your needs. Ideally, you’ll want to choose real-time backups so that you have a stored version every time you make changes to your site.
Another tip is to create offsite backups. Why? Because keeping your backups on the same server as your store creates a single point of failure. If something happens to your store or server, you may also lose your backups.
To prevent this, we recommend keeping copies of your site on a third-party platform. Some popular options include Google Cloud Storage, Amazon S3, and Dropbox. Keep in mind that if you use Jetpack, the plugin will automatically store your backups in a separate, secure location.
If you have to retrieve a backup of your WooCommerce site, you might also want to restore it to a staging environment before moving it to your live site. This way, you can test the restored version to make sure that everything looks and functions as it should.
Finally, you might want to periodically test your backup solution to verify that it’s working properly. If you’re using a plugin, you’ll want to make sure that you’re keeping it up to date. Not only can this help strengthen your security, but it minimizes the chances of compatibility issues.
Frequently asked questions about WooCommerce backups
So far, we’ve looked at how to create and restore WooCommerce backups, but you might still have some questions about the process. Let’s answer some of them.
Where are WooCommerce backups stored?
The location of your WooCommerce backups will depend on the method you used to save them. If your hosting plan includes backups, you can access them via cPanel (or a control panel equivalent). These backups are stored on your server.
If you manually back up your WooCommerce store or use a plugin, you can usually access your backups from your local device and/or off-site locations of your choice. For instance, if you use an FTP client, you can store backups on your computer, and then upload them to a third-party platform like Google Drive or Dropbox.
Backups from Jetpack are stored on dedicated servers — the same world-renowned infrastructure used for WordPress.com — so you never have to worry about their security.
You can also use the plugin to create a manual backup so that you always have a safe and updated copy in an additional location.
What is the best WooCommerce backup solution?
If you’re looking for the best backup solution, you might want to consider using Jetpack Backup. This premium tool automatically backs up your WooCommerce site so you don’t have to worry about handling it yourself. It also performs real-time backups every time you make changes to your store.
Can I only back up products in WooCommerce?
There may be times when you just want to back up a certain section of your store. Perhaps you don’t want to take up more storage space than necessary or you don’t have enough time to do a complete backup.
Fortunately, you can just back up your WooCommerce products. You can do this manually or by using a plugin.
To do it manually, navigate to the Products tab of your admin dashboard. Next, select all of the products and click on the Export button located at the top of the screen:
This will take you to the Export Products screen. Here, you can select the columns, product types, and product categories that you want to export. If you want to include all of the data, you can leave it as-is.
When you’re done, click on the Generate CSV button.
The CSV file will be downloaded to your computer. You can then move this file to an off-site storage location.
Another option is to use a plugin like Product Import Export for WooCommerce. With the free version, you can export products based on simple, grouped, or external/affiliate types.
This plugin lets you export any custom field that’s assigned to your WooCommerce orders and products. You can also choose from multiple data export format options, including CSV, XML, and JSON.
Additionally, you can rename labels, reorder columns, and apply filters. The tool lets you export order data, a summary of order details, and customer information, which you can then save to the location of your choice.
After you install and activate the plugin, you can navigate to WooCommerce → Export Orders. Then, click on the Export now tab to configure your settings.
You can filter orders by data type and enter certain date ranges. You can also name your export file and select a format. On the right-hand side, you can choose to apply a wide variety of filters for your products. For instance, you can base it on order statuses, custom fields, and more.
When you’re happy with your changes, you can select the Save settings button at the bottom, followed by Export. This will download a file in the format that you selected.
Start backing up your WooCommerce store
Your WooCommerce store is packed with data, including orders, customer information, and product details. With so many potential threats putting your WordPress site at risk, it’s important to know how to perform a WooCommerce backup.
As we discussed in this post, there are several ways to back up and restore your WooCommerce store. The easiest option is to use a plugin like Jetpack Backup. You can also perform manual backups, though this can be very time-consuming and therefore is not ideal.
Are you looking to create regular WooCommerce backups without much effort? Download Jetpack Backup today!
A critical factor in running a successful WordPress website is implementing monitoring and security measures. After all, a hacked site can cause a lot of headaches — regardless of whether your site is used for business or personal purposes. It can impact your revenue, risk your visitors’ information, and wreck your reputation.
A typical entry point for hackers is the WordPress login page, which will be our focus today. What follows is a rundown of 14 ways to harden WordPress login security so malicious actors won’t breach your site.
Why secure your WordPress login page?
Before we get to the list of security tips, let’s first briefly discuss why you might want to secure your WordPress login page — from brute force attacks or otherwise — in the first place.
WordPress is very popular, so cybercriminals are often looking for new vulnerabilities that they can exploit over a wide number of sites.
Because hackers are familiar with WordPress, they know when a website is outdated and which security flaws are present in each version.
To gain access through a login page, hackers don’t always need advanced development knowledge or special skills.
Keeping a secure WordPress login page is essential for your website’s long-term success and overall performance.
How to harden your WordPress login security
So you know why you need to create a secure WordPress login, but how can you accomplish it? We’ve gathered 14 ways to secure your WordPress login page properly so you don’t have to leave the safety of your data or customer info to chance.
1. Install a WordPress security plugin
You can get a handle on most security concerns in just a few minutes by installing a high-quality WordPress security plugin. While many plugins specialize in protecting specific aspects of a site or against certain kinds of attacks, a more comprehensive approach is best for the average site. An all-in-one security plugin will include features like audit logs, malware scans, firewalls, and login security tools in a single solution.
And at the top of the list of our recommendations is Jetpack Security.
Jetpack Security works by taking care of numerous security tasks automatically. And with both free and paid features, a level of protection is available to everyone with a WordPress website. It has a strong range of features that can work to prevent security breaches, but also help you diagnose and recover from any incidents you experience. These include:
Brute force attack protection
Spam prevention
Malware scanning
Downtime monitoring
Backups
Activity logs
Two-factor authentication
While you can move through the rest of the steps outlined here on your own, using a plugin like Jetpack Security will streamline the login hardening process.
2. Change and hide your WordPress login URL
Another way to make your login page more secure is to hide it from prying eyes. By default, the login address for all WordPress sites is http://www.yourwebsitename.com/wp-admin, which is basically like giving a burglar your home address. So anything you can do to obscure this is a good idea.
Changing the WordPress login URL is a great way to put barriers in place to make the hacker’s job more difficult. You can find a plugin that does this for you, but you can also do it yourself.
3. Use a strong password
You can also bolster your site security by upgrading to a stronger password. Implementing strong password measures makes it much less likely that a hacker or bot will be able to “guess” it. Though “fluffy21” might be easy to remember, it’s much too easy to guess — especially if “Fluffy” is the name of a beloved pet.
Instead of picking passwords based on names, ages, or pets, creating one that combines letters and numbers, uppercase and lowercase letters, and a couple of symbols is much better. You can build a strong password in a couple of ways:
A built-in strong password tool. WordPress has a strong password tool that encourages you to create a stronger password than what you may be naturally inclined to choose.
A password generator. Many password generators make it easy to develop a strong password that’s not intuitively guessable.
A password keeper/manager. The only trouble with strong passwords is that they’re hard to remember. Using a password keeper or management tool eliminates this issue. Popular options include LastPass, DashLane, and 1Password.
4. Password protect your login page
By default, anyone can access the login page for your WordPress site. And while you can hide or change your login URL, as we previously discussed, hackers may be able to find it if the wp-admin folder is still accessible.
That’s why adding another layer of protection before accessing the login page is a good idea. And you can accomplish this by password protecting the wp-admin folder. If your web host uses cPanel, this process is relatively easy.
Log in to your hosting provider account, access the cPanel, then go to the Directory Privacy folder.
While viewing your site’s files, navigate to public_html/wp-admin. There should be a visible checkbox that reads password protect this directory. Check the box. Then create a new username and password for accessing the wp-admin folder. Save your changes.
Try to log in to your site as usual. You should now have to input another set of credentials before being granted permission to log in to WordPress.
Note: this process would be identical, even if you moved the location of your login page. Password-protect the folder in which your login page resides, even if it’s not wp-admin.
5. Limit the number of login attempts
Another thing you need to do to secure the WordPress login page is to limit login attempts. Hackers can use bots to make repeated login attempts until they crack the code — i.e., figure out your password and gain access to your website. Unfortunately, WordPress allows unlimited logins by default.
To prevent this potential access point, you can limit login attempts. A plugin is the best way to accomplish this. In fact, Jetpack Security offers Brute Force Attack Protection as a part of its all-in-one security solution.
Brute force attacks can be incredibly disruptive to how your website functions, even before hackers gain access. For instance, they can slow your site down considerably — or cause it to stop responding altogether. Repeated login attempts may eventually succeed and the hacker can then go on to inject malware, insert links, or otherwise cause mayhem. These attacks can also put your personal information at risk.
The Brute Force Attack Protection feature included in Jetpack Security provides the tools necessary to block attacks and prevent malicious hackers from gaining access to your data. It works by blocking malicious IPs before they ever get to your site. It also provides a count of total attacks and enables you to whitelist known IP addresses.
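To see what the repeated login attempts described above look like on the server side, here is an added shell example (not Jetpack code) that counts POSTs to wp-login.php per client IP in a combined-format access log and separately flags a flood that ended in a redirect, which is how a successful guess shows up. The sample log lines are constructed, and the five-attempt threshold and the log path are assumptions.

```shell
#!/bin/sh
# Added example (not Jetpack code): find the repeated wp-login.php POSTs that
# a brute-force bot leaves in a combined-format access log. Useful to confirm
# that a lockout is actually firing. The threshold and log path are
# hypothetical; the sample log written below is constructed.
set -eu

# Count POST requests to wp-login.php per client IP and print "count ip"
# for every IP at or above the limit, most active first. If you moved the
# login URL (tip 2), change the path pattern to match.
login_flood() {
  awk -v limit="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
    END { for (ip in n) if (n[ip] >= limit) printf "%d %s\n", n[ip], ip }
  ' "$1" | sort -rn
}

# Per IP: failed attempts (HTTP 200, the form is re-rendered with an error)
# and successes (HTTP 302, a redirect into wp-admin). Prints "ip failed ok".
login_summary() {
  awk '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ {
      seen[$1] = 1
      if ($9 == 200) { fail[$1]++ } else if ($9 == 302) { ok[$1]++ }
    }
    END { for (ip in seen) printf "%s %d %d\n", ip, fail[ip] + 0, ok[ip] + 0 }
  ' "$1" | sort
}

# IPs that failed at least 'limit' times and then got a 302: a password that
# was probably guessed, so reset it and review the user list (tip 14).
compromised_after_flood() {
  login_summary "$1" | awk -v limit="$2" '$2 >= limit && $3 > 0 { print $1 }'
}

# Constructed sample log (TEST-NET addresses): one bot that guesses right on
# its 7th try, one that gives up after 5 failures, and one legitimate login.
write_sample_log() {
  : > "$1"
  i=0
  while [ "$i" -lt 6 ]; do
    echo '203.0.113.7 - - [10/Oct/2023:13:55:0'"$i"' +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"' >> "$1"
    i=$((i + 1))
  done
  echo '203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$1"
  i=0
  while [ "$i" -lt 5 ]; do
    echo '198.51.100.9 - - [10/Oct/2023:14:02:1'"$i"' +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"' >> "$1"
    i=$((i + 1))
  done
  echo '192.0.2.10 - - [10/Oct/2023:14:10:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"' >> "$1"
  echo '192.0.2.10 - - [10/Oct/2023:14:10:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$1"
}

# Usage: sh wp-login-flood.sh /var/log/apache2/access.log
# With no argument the constructed sample log is analysed instead.
log="${1:-}"
if [ -z "$log" ]; then
  log="$(mktemp)"
  write_sample_log "$log"
fi
echo "IPs with 5 or more login POSTs:"
login_flood "$log" 5
echo "Flood followed by a successful login:"
compromised_after_flood "$log" 5
```

On the sample, 203.0.113.7 is the only IP reported by compromised_after_flood; 198.51.100.9 shows up in login_flood but never logged in, which is the pattern a working lockout should leave behind.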
6. Add a security question to your WordPress login form
You can also extend the security of your login form by adding a security question (or two) to the login process. So, instead of just inputting a username and password, users must also answer a security question to gain access.
This single step makes your website much more difficult to hack. And it’s relatively easy to implement.
The No-Bot Registration plugin is a great way to accomplish this. Download it by going to Plugins → Add New, then type in the plugin’s name. Once it appears, download and activate it.
Once activated, go to Settings from the WordPress dashboard. Here you can set up the plugin and configure the rules for when security questions are used (on registration, login, or forgotten password pages).
7. Enable two-factor authentication
Next, you can enable two-factor authentication (2FA). Many websites and apps use this popular security option, including Gmail. It works by sending an SMS code to your phone that you’ll need to input before you can complete the sign-in process.
This is used to verify your identity and ensure access is only granted to authorized users. Every layer of authentication that you add to the process makes it significantly more difficult for someone to hack your site. Even if a bad actor gets access to your login information, it’s unlikely that they’ll be able to thwart the 2FA process.
The easiest way to add two-factor authentication to WordPress is using a 2FA plugin. Several security plugins include this feature, but again, Jetpack Security comes through strong with Secure Authentication.
Secure Authentication allows you to log in using your standard WordPress.com credentials and also disable or bypass the default login form entirely. Plus, you can opt to make two-factor authentication a requirement for all users to give your site further protection.
8. Install an SSL certificate on your WordPress site
Another avenue of protection is to install an SSL certificate. Getting an SSL certificate for free is easy, so it’s a security measure no one should skip over.
SSL is how most websites secure their data. And you can tell when a site is secure as the “HTTP” in the URL field will have an “S” added, so it reads “HTTPS.” Browsers will often use other visual indications, like a green lock icon, to let visitors know your site has an active SSL certificate in place.
Beyond the security implications, visitors may not continue to navigate your site if they see that it’s unsecured. Plus, sites with SSL certificates tend to rank better in search engines and some browsers will even display a warning to visitors if you don’t have one.
9. Disable WordPress login hints after failed login attempts
Login hints can be genuinely helpful for real WordPress users, but they can sometimes give away too much information about your username and password to hackers. When you attempt to log in to a WordPress site and get the username wrong, you’re met with an error that reads, “The username is not registered on this site. If you are unsure of your username, try your email address instead.”
Something similar happens if you type in the right username or email address, but the wrong password.
To remove login hints, you need to add a few lines of code to your site’s functions.php file.
// Replace every login error message with a generic one so that failed
// attempts no longer reveal whether the username or the password was wrong.
function no_wordpress_errors() {
    return 'There is an error.';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
When someone — real or bot — inputs an incorrect username or password, they’re greeted with the message, “There is an error,” rather than the default.
10. Keep your WordPress install & plugins up-to-date
Hackers also find entry points into WordPress sites via outdated installations. Every time WordPress is updated, all the bug fixes and security holes that were repaired are posted online. If your installation is outdated, hackers have an instruction manual for breaching your site.
When new WordPress core updates roll out, you must back up your site and install the update as quickly as possible.
But that’s not all you need to be mindful of. Third-party software — i.e., plugins and themes — is a potential weak point, too. Plugins and themes are even more essential to keep updated, as they’re made by various development companies with different standards and approaches.
This is also why you must be selective about the plugins and themes you install. If your go-to social sharing plugin hasn’t been updated in two years, it may be time to find one that updates regularly.
11. Hide your WordPress version number
A quick way to improve the login page’s security is to hide the WordPress version number. At the very least, this will make hackers look more thoroughly to determine which security holes to exploit. And you can remove it rather easily.
Locate the functions.php file and (after you’ve backed up your site) add the following line of code to the file:
remove_action('wp_head', 'wp_generator');
12. Hide your WordPress login username
Another step you can take is to hide your WordPress login username. A lot of the time, the emphasis is on creating a super-secure password — which is excellent — but you need to think of your username, too. Often, it’s available to the public — an opportunity hackers can exploit.
The quickest way to hide your username from the view of prying eyes is to remove it from appearing on blog posts and within author archives.
To remove your username from blog posts, you simply need to go to Users → Profile → Nickname while logged into WordPress. From here, you can change the nickname so that your username is no longer visible to site visitors. So instead of seeing “blogperson02,” they’ll see your first name, first and last name, or another nickname you configure.
To remove your username from appearing in the author archives, you’ll need an SEO plugin like Yoast SEO.
Install Yoast like any other plugin, then go to the SEO → Search Appearance → Archives menu in the WordPress dashboard. There’s an option here to disable author archives. Do this, then click Save Changes.
13. Shorten your WordPress auto-logout timer
It’s common to stay logged in to your accounts when you use them often. But this can create potential breaches, especially if several people have accounts on your site. Implementing an auto-logout timer is a great way to close those security holes.
When a session is left unattended, it will be logged out automatically. By default, a WordPress login cookie expires after 48 hours, or after 14 days if the “Remember Me” box was checked. You can change those lifetimes with the auth_cookie_expiration filter, but that only shortens how long a session can exist; logging out a session that has merely gone idle needs a plugin. One that’s dedicated to this feature is Inactive Logout.
Once installed, navigate to Settings → Inactive Logout → Basic Management. Then select the duration of idle time you want to trigger a logout.
14. Delete old and unused WordPress user accounts
Lastly, deleting accounts no longer in use can also help improve your WordPress security. Having several open accounts on your site means each is an access point to private data. And if you’re not regularly updating passwords for these accounts, they could present significant weaknesses.
To avoid this, delete old and unused accounts. Make doing so a part of your regular site maintenance plan.
Likewise, keep an eye on the accounts listed. Sometimes, hackers will create a fake account. If one appears, delete it right away and bolster the rest of your security measures. Learn what to do if your WordPress website has been hacked.
Secure your WordPress login page
Owning a website means bearing a level of responsibility for its content and users. Of course, this is doubly the case if you collect customer information. But no matter how you use your WordPress site, bolstering security around the login page is a great way to keep your data safe for the long haul.
And the tips presented here should help you become efficient at WordPress security maintenance in no time.
It’s no surprise that WordPress powers 43% of the web. Since it’s open source, people from around the world are constantly contributing to improvements. Plus, because of its huge library of free and premium plugins, it’s pretty simple for someone with limited development knowledge to build a fairly complex site.
But, like with anything, WordPress site owners need to be constantly vigilant of cyber criminals who seek to take advantage of security gaps. And one of the biggest threats is malware.
That’s why learning how to remove malware from WordPress sites is so important. When you can identify when your WordPress site is infected, you can act quickly to clean it and prevent it from happening again in the future.
In this post, we’ll discuss the importance of detecting and removing malware on your WordPress site. Then we’ll walk you through how to do so — with and without a plugin. We’ll provide tips for protecting your site against malware in the future and then wrap up with some Frequently Asked Questions (FAQs).
The importance of malware detection and removal
Malware is a piece of software designed to harm or damage a computer system. It can come in the form of a virus, worm, Trojan horse, or spyware. Despite some strong security measures, WordPress sites are vulnerable to malware attacks.
There are many different ways that malware can get onto your WordPress site. The most common method is through malicious plugins or themes. Other ways include vulnerabilities in the core WordPress software or other software on your server.
Once the malware has infected a WordPress site, the person behind the attack can do a lot of damage — delete files, inject spammy links into your content, and even steal sensitive information like passwords and credit card numbers. Not only can this attack lead to unnecessary downtime, it can also hurt your reputation and lead to loss of business.
Without some sort of malware scanning tool, you may not immediately notice when your site has been infected. And the longer malware goes undetected, the more damage it can do. This is where the best WordPress security plugins come into play. They can detect and eliminate threats before serious damage occurs.
Identify threats with a free plugin
If you’re looking for a high-quality, free tool that monitors your site for you, Jetpack Protect is an excellent solution. It scans your site automatically for more than 28,700 vulnerabilities and provides recommendations for securing your WordPress site.
There are no complicated settings or confusing terminology. You can just turn it on, then rest easy knowing that you’ll be alerted the second that malware or vulnerabilities are found.
This is a great option for small businesses and new websites that want to better secure their WordPress site. Keep in mind, however, that the sole focus of Jetpack Protect is malware and threat identification, not removal. Keep reading for ways to remove malware from your WordPress site.
How to conduct WordPress malware removal with a plugin
The easiest and quickest way to detect and remove malware from WordPress sites is to use a plugin. Fortunately, there are a handful of options to choose from.
We recommend Jetpack Scan, which automates the entire process of WordPress malware removal, saving you significant amounts of time and energy. Plus, it’s super easy to set up on your website. It can be purchased on its own, but works best as part of Jetpack’s wider WordPress Security plan that provides comprehensive coverage. Note that it takes the functionality included with Jetpack Protect one step further, with one-click malware fixes.
Step 1: Run a scan
Once Jetpack Scan is active, navigate to Jetpack in your dashboard and click on the Scan button.
Jetpack will now scan your site for any known malware threats. This process will likely take just a couple of minutes.
Step 2: Clean up detected malware (with 1 click)
Ideally, no malware is detected, and your scan returns a “No vulnerabilities found” result.
But if any malware is found, you’ll see a list of issues under Malware Threats Found. To remove the malware, simply click on the Remove threat button next to each one.
That’s all there is to it! The plugin will automatically clean malware from WordPress for you. Again, this process will take just a few minutes at most.
Step 3: Remove malware warnings from your WordPress site
If Google has detected malware on your website, it will likely display a warning to prevent visitors from trying to access it. This is a major problem because most potential visitors won’t proceed past this message.
So, once you’ve identified and cleaned malicious code from your site, the last step is to remove these warnings. If your site has been flagged, verify it in Google Search Console, open the Security Issues report, and file a review request from there. Then it’s just a matter of waiting for a response; requesting a review before the site is actually clean will only get it rejected and delay the next attempt.
How to conduct WordPress malware removal without a plugin
Although it’s usually faster (and easier), you don’t have to use a plugin to remove malware. There are some instances where a plugin may not be able to remove the threat, and in that case, it’s definitely a good idea to know the manual approach.
It’s important to note that this approach involves a number of steps and requires a decent amount of time. It’s almost always better to use a malware removal plugin, if you can.
Step 1: Put your WordPress site into maintenance mode
The first thing you’ll need to do is put your site into maintenance mode. This process hides your website content from visitors and shows a message telling them that your site will return soon.
The free WP Maintenance Mode plugin lets you enable maintenance mode on your site in just a few clicks. After you install and activate it, navigate to Settings → WP Maintenance Mode.
Next, select Activated as the Status. When you’re done, click on the Save settings button at the bottom of the screen. Your site will now go into maintenance mode.
Step 2: Create a full backup of your WordPress site and database
Having a backup of your WordPress site is always a good idea. It can help you recover your site if something goes wrong or you accidentally delete something.
There are two aspects you’ll need to back up: your database and your files. The database is where your content, settings, and user information are stored. Your files are everything else, like your themes, plugins, and images.
The best way to do this is with a WordPress backup plugin like Jetpack Backup. Not only does it provide an easy way to download your files and database on demand, it also automatically backs up your site in real-time. So, in the future, every single one of your changes will be saved.
However, you can back up your WordPress site manually, using File Transfer Protocol (FTP) tools and phpMyAdmin. This method is just more technical and time-consuming.
Step 3: Identify all malware on your site
Once you’ve prepped your site, the next step is identifying any malware. This involves searching your database, files, and source code.
One way to do this is to use a malware scanner tool like Malwarebytes.
If you’re looking to identify malware manually, you’ll need to go through each of the key areas of your site to look for signs of infection. In your database, you can search for the function names and patterns cybercriminals commonly use (you can refer to Step 9 for popular examples of malicious PHP).
If you’re scanning your source code or rendered pages for malware, the two things most often injected are <script> and <iframe> tags. A <script src="..."> or <iframe src="..."> that points at a domain you don’t recognise, or an inline script consisting of a long encoded string, is a common red flag.
Step 4: Replace all WordPress core files with a clean installation
If you have a corrupted WordPress installation, one of the best ways to clean your hacked site is to replace all of the core WordPress files with a fresh set. When doing this, you keep only your original wp-config.php file and wp-content folder.
Download the latest WordPress release from wordpress.org (or the exact version your site runs, so that nothing else changes) and unzip it. Delete the wp-content folder from the unzipped copy so that your themes, plugins, and uploads aren’t overwritten. The download contains no wp-config.php (only wp-config-sample.php), so your configuration is not at risk. Everything else in the fresh copy should be left intact.
Next, use your File Manager or FTP client to upload the remaining files to your server, overwriting the existing installation. Bear in mind that overwriting replaces tampered files but does not delete files the attacker added, so afterwards compare the directory listings of your site’s root, wp-admin, and wp-includes with the fresh copy and remove anything that has no counterpart. Learn how to bulk upload files via FTP.
Step 5: Remove any malicious code from the wp-config.php file
It’s also a smart idea to compare your wp-config.php file to the wp-config-sample.php that ships with WordPress (it is in the fresh download from the previous step). This makes it easier to spot anything that has been added, like malicious code.
Open both files in a text editor and compare them. There are some legitimate reasons your file may differ from the sample, especially the database settings and any custom constants your host added, but look for anything suspicious: an include or require that pulls in a file from wp-content/uploads or a temporary directory, an eval or base64_decode call, or a long encoded string. Remove it if necessary. While you’re there, replace the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their SALT counterparts with fresh values from the WordPress secret-key generator; that invalidates every existing login cookie, including any the attacker holds. When you’re done, save the cleaned-up file, then upload it to your server.
Step 6: Re-install a clean version of your theme
Next, you’ll want to re-install a clean version of your WordPress theme. But if you’re using a child theme (a copy of your theme with the functions and styling of its parent, plus custom edits), you don’t want to lose all of your work. Therefore, you’ll need to reinstall a clean version of your theme while keeping your child theme intact.
From your WordPress dashboard, navigate to Appearance → Themes, then deactivate your parent theme. Next, go to your File Manager or FTP and delete your parent theme folder.
If you’re using a theme from the WordPress repository, head there, search for your theme, then download the latest version. If you’re using a premium theme, or a free option from elsewhere, you’ll need to download your theme files from that source. From your dashboard, navigate to Appearance → Themes, then select Add New → Upload Theme.
Select the zipped file you just downloaded. After uploading it, click on the Activate button.
Now you can activate your child theme. Your site should now be running the latest version of the parent theme, with all your customizations from the child theme intact.
Step 7: Check for recently-modified code files and repair them
The next step is to look at any files that have been recently modified. To do this manually, you can connect to your site via FTP or File Manager, then sort your files by the last modified date column.
Make a note of any files that have recently been changed, then review each one for suspicious additions, such as calls to str_rot13, gzuncompress, or eval. Don’t rely on timestamps alone: an attacker can reset a file’s modification time to blend in with its neighbours, so a clean-looking date is not proof of a clean file, and the checksum and content checks in the other steps still apply.
Step 8: Clean hacked database tables
If your WordPress site has been infected with malware, there’s a chance that it created malicious content in your database tables.
To clean your tables, log in to your phpMyAdmin dashboard — available through your hosting provider — then navigate to the database table that has been infected with malicious content to remove it. You can determine which tables have been affected using a scanner tool (like Jetpack) or by comparing the original files to your current ones.
Note that you should create a backup of your site first, and you can find the original files in previous backups. You can then look for commonly-used functions (see the next step), suspicious links, etc. If you locate any, you can manually delete that content.
Save your changes, then test your website to verify that it’s still working correctly. If you don’t want to modify your database tables manually, you can also use a tool like WP-Optimize.
While it’s not a malware removal plugin, it can clean and optimize your database. But, if you want to use a plugin to detect and clean WordPress malware, we recommend a dedicated solution like Jetpack Scan.
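The searches you would run in phpMyAdmin’s SQL tab are simple LIKE queries; the following added example (not code from the original page or from any plugin) collects the useful ones and runs them against an in-memory SQLite copy with constructed rows so that it works offline. The statements are plain SQL that also runs on MySQL; change the wp_ prefix if your site uses a different one. It also reports administrator accounts you did not create and a changed siteurl/home option, two of the database-side signs of compromise mentioned elsewhere in this post. Names such as wp_support and the example.invalid hosts are placeholders.

```python
"""Queries for injected content and rogue accounts in WordPress tables (added example)."""
import sqlite3
from typing import Dict, List, Set, Tuple

# Same statements you would paste into phpMyAdmin against MySQL.
QUERIES = {
    "posts with injected markup":
        "SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' "
        "OR post_content LIKE '%<iframe%' OR post_content LIKE '%eval(%' "
        "OR post_content LIKE '%base64_decode%'",
    "options with injected markup":
        "SELECT option_id, option_name FROM wp_options WHERE option_value LIKE '%<script%' "
        "OR option_value LIKE '%<iframe%' OR option_value LIKE '%eval(%'",
    # Capabilities are stored as a serialized PHP array in wp_usermeta.
    "administrator accounts":
        "SELECT u.ID, u.user_login FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' AND m.meta_value LIKE '%administrator%'",
    # Attackers change these to redirect the whole site.
    "site address options":
        "SELECT option_name, option_value FROM wp_options WHERE option_name IN ('siteurl', 'home')",
}


def audit_database(conn: sqlite3.Connection, known_admins: Set[str],
                   expected_url: str) -> Dict[str, List[Tuple]]:
    """Run the queries and keep only the rows that need a human's attention."""
    findings: Dict[str, List[Tuple]] = {}
    cur = conn.cursor()
    rows = cur.execute(QUERIES["posts with injected markup"]).fetchall()
    if rows:
        findings["posts with injected markup"] = rows
    rows = cur.execute(QUERIES["options with injected markup"]).fetchall()
    if rows:
        findings["options with injected markup"] = rows
    rogue = [r for r in cur.execute(QUERIES["administrator accounts"]).fetchall()
             if r[1] not in known_admins]
    if rogue:
        findings["unknown administrator accounts"] = rogue
    changed = [r for r in cur.execute(QUERIES["site address options"]).fetchall()
               if r[1] != expected_url]
    if changed:
        findings["siteurl/home changed"] = changed
    return findings


def demo() -> Dict[str, List[Tuple]]:
    """Constructed database: one clean post, one infected post, a tampered widget,
    a rogue administrator, and a rewritten home URL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT, option_value TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello world", "<p>Welcome</p>"),
        (2, "About", '<p>About us</p><script src="https://cdn.example.invalid/a.js"></script>'),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (1, "siteurl", "https://example.invalid"),
        (2, "home", "https://malicious.example.invalid"),
        (3, "widget_text", '<iframe src="https://ads.example.invalid"></iframe>'),
    ])
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)",
                     [(1, "admin"), (2, "editor"), (3, "wp_support")])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?, ?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return audit_database(conn, known_admins={"admin"}, expected_url="https://example.invalid")
```

Treat every hit as a lead rather than a verdict: legitimate embeds also use iframes, and some plugins store markup in options, so open each row, compare it with a known-good backup, and only then delete or edit it.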
Step 9: Identify and remove hidden backdoors
When hackers gain entry into your site, they’ll often leave behind a hidden ‘backdoor’ (a way to get back in). This entry area is usually embedded into files that are similarly named to your regular WordPress files, only placed in the wrong directory locations.
To identify and remove hidden backdoors from your WordPress site, you’ll need to search popular files and folders, including wp-content/plugins, wp-content/uploads, and wp-content/themes.
When checking these files, there are a variety of PHP functions to look for, including:
exec
system
assert
base64_decode (and long base64-encoded strings)
str_rot13
gzuncompress and gzinflate
eval
stripslashes
preg_replace with the /e modifier (removed in PHP 7, but still common in old backdoors)
move_uploaded_file
These functions don’t inherently indicate malicious activity. But the manner and context in which they’re used can sometimes indicate and introduce risks.
For example, malicious PHP usually:
Is located immediately before or after valid code, so that it can run undetected.
Contains long strings of random characters (letters and/or numbers).
Was recently inserted into your code.
Relies on persistence tricks so that it returns after you delete it: read-only (444) permissions on the dropped file, a scheduled task (system cron or a WP-Cron event stored in wp_options) that re-creates it, or a fake plugin folder that reinstalls it.
As with database tables, we recommend comparing your existing files to the originals to determine whether there’s a legitimate reason for the code to be there.
Note that editing WordPress files can break key functions of your site, so it’s best to only do this if you have experience working with them. Otherwise, we recommend using a plugin like Jetpack Scan or hiring a professional.
How to protect your WordPress site from future malware attacks
Learning how to remove malware from WordPress sites is incredibly useful. But it’s better to know how to prevent malware from infecting your website in the first place. Let’s discuss some actions you can take!
1. Change your WordPress password and database credentials
One of the most important things you can do after an infection, and a good habit in general, is to reset your WordPress passwords and your database credentials. Anything the attacker may have read or captured should be treated as burned. Rotating credentials on a fixed schedule matters far less than using long, unique values and changing them immediately whenever you suspect a compromise.
To change your password, log in to your WordPress dashboard and go to Users → Profile.
From here, you can scroll to the Account Management section and select Set New Password.
When you’re done, click on Update Profile at the bottom of the screen. Then end every other session that may still be using the old password: the Sessions section of the same profile page has a Log Out Everywhere Else button, which invalidates the login cookies on all other devices and browsers you (or an attacker) may have used.
You should also regularly change your WordPress database credentials. To do this, you’ll need to edit your wp-config.php file. This file is located in the root directory of your WordPress installation and can be accessed via FTP or File Manager.
Once you’ve opened wp-config.php, look for the following lines:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );
/** MySQL database username */
define( 'DB_USER', 'username_here' );
/** MySQL database password */
define( 'DB_PASSWORD', 'password_here' );
/** MySQL hostname */
define( 'DB_HOST', 'localhost' );
The DB_NAME, DB_USER, and DB_PASSWORD values here are credentials for the MySQL server, not WordPress accounts, so changing them in wp-config.php alone will only take your site offline with a database connection error. First create a new database user (or reset the existing user’s password) on the server side: in cPanel this is under MySQL Databases, some hosts expose phpMyAdmin’s User accounts tab, and if you have shell access to MySQL you can run ALTER USER. Give the user full privileges on the WordPress database.
Only then update DB_USER and DB_PASSWORD (and DB_NAME, if you moved the data to a new database) in wp-config.php so that the two sides match, save the file, and reload the site to confirm it connects. Note that the wp_users table in phpMyAdmin holds WordPress logins, not database credentials; editing it does not change what wp-config.php needs.
2. Regularly update your WordPress site, themes, and plugins
Outdated software is one of the most common ways hackers gain access to WordPress sites. Therefore, another way to prevent malware attacks is to keep your website updated. This step helps ensure your site has the latest security features and patches.
To update WordPress core, log in to your dashboard and click on Updates. If there’s a new version of WordPress available, you’ll see a notice at the top of the screen.
You can click on the Update button to install the latest version.
Updating your plugins and themes is just as important as updating WordPress itself. Most plugin and theme developers release security updates regularly.
You can do this by logging in to your WordPress site and checking the Updates tab. You’ll see any available plugin or theme updates under the main WordPress version updates.
Then, select the Update Plugins or Update Themes button to install the latest versions. If you want to automate this process, you can also use Jetpack’s Automatic Plugin Updates feature. It will automatically install new versions of WordPress, plugins, and themes as soon as they’re released.
You’ll need to install and activate the Jetpack plugin to enable this feature. Once you connect it to your WordPress.com account, you can navigate to Jetpack → Settings → Writing.
Next, scroll to the Automated Updates section at the bottom of the page, then select which types of updates you want to enable: WordPress Core Updates, Plugin Updates, and/or Theme Updates.
When you’re done, remember to save your changes. You can also manage updates on your Activity Log page. You can select the Update All button to run them all at once.
3. Install an automated malware scan plugin for WordPress
You should also regularly scan your WordPress site for malware using a plugin like Jetpack Scan. Jetpack Scan will review your site for known malware and send you an email if it finds anything wrong.
Once you download and install the plugin on your site, you can access the malware scan tool by clicking on Jetpack → Backup & Scan in the WordPress dashboard. There, you can see the current status of your site, and run a new scan if you’d like.
4. Install an automated backup plugin for WordPress
Jetpack Backup is the best WordPress backup plugin because it saves your website in real-time. If anything changes — a page is updated, a post is published, a product is purchased, etc. — the latest backup file will reflect that. Plus, it integrates seamlessly with Jetpack Scan.
So, if malware is found on your site, you’ll get a notification from Scan letting you know. Then, you can immediately restore a backup from right before the hack happened — even from your mobile device, if you’re on the go! — and skip most of the manual malware removal steps above. Restoring only rolls back the symptoms, though: the vulnerable plugin, weak password, or stolen credential that let the attacker in is still there, so update everything and rotate credentials straight after the restore, or the infection will simply come back.
WordPress malware removal FAQs
At this point, hopefully, you have a solid understanding of how WordPress malware detection and removal work. To ensure we covered the key areas, let’s wrap up with some FAQs!
What are the signs of a WordPress malware infection?
There are several signs that your WordPress site has been infected with malware. First, you may notice your site loading slowly or displaying error messages.
Second, you may see new users or files appearing on your site that you didn’t add. Finally, you may find that your website is on Google’s blocklist or is being blocked by visitors’ antivirus software.
If you see any of these signs, it’s important to take action immediately to clean up your WordPress site. Ignoring a malware infection can lead to severe consequences, including data loss and website downtime.
How does malware generally infect a WordPress site?
There are a few different ways that malware can infect a WordPress site. First, it can come in through a WordPress plugin or theme vulnerability.
It can also be uploaded by a hacker who gains access to your site through an insecure password or other method.
Can I remove malware from WordPress myself?
You always have the option of hiring an outside firm to remove malware from your site, but it usually gets pretty expensive. Instead, you can identify and remove malware from WordPress using a plugin like Jetpack. This is a fast, easy, and reputable solution.
If you’re an experienced developer, yes, you can manually remove malware from WordPress. This is a tedious process that has the potential to cause major errors on your site. You should proceed with caution if you choose this option.
Strengthen the security of your WordPress site
WordPress is a flexible and powerful CMS, but because it’s so popular, hackers will sometimes target sites that use it. One of the most significant risks facing WordPress websites is malware.
As we discussed in this post, there are multiple methods to detect and remove malware in WordPress. The easiest and fastest solution is to use a plugin like Jetpack. Alternatively, you can conduct malware removal manually. We also recommend regularly updating your WordPress software and creating backups to prevent issues in the future.
Looking for a hands-off, trusted way to automatically monitor your site for malware and vulnerabilities? Try the free Jetpack Protect plugin.
Do you want to take advantage of one-click malware removal and a library of additional security features? Get Jetpack Security today!
Brute force attacks happen when attackers try to log in to your site by submitting password after password until one works. If they succeed, they could steal your private data, add malware, or even take down your website completely.
Fortunately, you can easily prevent these brute force attacks. By simply updating your login information or enabling two-factor authentication, you can make it harder for hackers to enter your website. Another effective method is to install a brute force protection plugin like Jetpack.
In this post, we’ll explain what brute force attacks are and how you can prevent them. Then, we’ll recommend the best plugins for brute force protection.
An introduction to brute force attacks
Brute force attacks happen when hackers use trial and error to access your website. This usually involves guessing your login information using automated software. Essentially, hackers will try many different passwords and username combinations until they find yours.
Other forms of hacking usually exploit vulnerabilities on your WordPress website. For instance, hackers can access your data through out-of-date software, plugins, or themes. Even an old PHP version can leave your site vulnerable.
On the other hand, brute force attacks rely on weak login credentials. If you have a guessable password like “123456,” hackers can use automated software to enter your site.
Brute force attacks are more common than you might think. In fact, they’re becoming more of a threat than ever before. Towards the end of 2021, the rate of brute force attacks increased by 160 percent.
If your website suffers from a brute force attack, hackers can:
Needless to say, you’ll want to protect your website against these dangers. Although the default WordPress settings don’t offer extra protection against brute force attacks, you can take some steps to prevent them from happening.
How to block brute force attacks on WordPress
Now that you know about brute force attacks, let’s discuss how to protect your WordPress website from them.
Step 1: Update your username
Since brute force attacks involve guessing login information, you can secure your WordPress website by updating your credentials. First, you should consider choosing a unique username.
In older versions of WordPress, the default username was “admin.” Now, new account holders can choose their usernames when they first log in. But you might need to update your username if you have an older account.
To see what your current username is, open your WordPress dashboard. Then, navigate to Users → Profile. You’ll find your username under the Name section.
If you already have a unique username, skip to the next steps. If you see admin as your username, you’ll likely want to change it. Unfortunately, you won’t be able to directly edit your profile in the dashboard.
One of the simplest ways to change your WordPress username is to create a new user. Then, you can assign it a unique username and give it the same administrative privileges. The only downside of this method is that WordPress requires a different email address for the new account.
First, go to Users → Add New. On this page, create a new username and enter your email address. Be sure to set the user role as Administrator.
If you want to keep using the same inbox, and your mail provider supports plus addressing (Gmail does), add a plus sign and a tag after the local part of the address. For instance, if your normal email address is “exampleemail@gmail.com”, you can use “exampleemail+wordpress@gmail.com.” WordPress treats this as a different address, but the mail lands in the same inbox.
Next, you’ll need to log out of WordPress and use the new username to log back in. Then, go to the All Users page and click delete underneath the admin user role.
During the deletion process, you’ll need to move its content to the new username. To do this, select Attribute all content to [new username]. This is a critical step — otherwise your content will be deleted.
Finally, click on Confirm Deletion. If you want to start using the same email address assigned to the admin username, you can update that now.
If you want to change your existing username, you’ll need to do this through your WordPress database. Note that making changes to the database can be dangerous, so it’s best to do this if you already have experience in this area. To change your username, take the following steps:
Click on the phpMyAdmin tool in the cpanel of your hosting provider. The exact location can vary based on your host.
Click on your WordPress site’s database in the left-hand panel. This will open up your database tables.
Click on the wp_users table. The prefix “wp_” is set by default, but your host may have changed it to something else. For example, the table may be called “janb_users.”
Find the username you want to change on the right side — in this case, “admin” — and click Edit.
In the user_login field, type whatever new username you’d like to set. Change the user_nicename field as well: it was derived from the original login and is what appears in author URLs and the REST API, so leaving it alone keeps the old name public.
Click the Go button.
Now, you can log in with the new username!
Step 2: Use a strong password
Another way to protect your site against brute force attacks is to use a strong password. Attackers feed their tools with lists of leaked and commonly used passwords rather than truly random guesses, so the goal is a password that is long, unique to this site, and absent from any such list.
These are the characteristics of a strong password:
It is long: at least twelve characters, and longer is better (a passphrase of several unrelated words works well)
It uses uppercase and lowercase letters
It uses numbers and special characters
It’s unique from passwords used for other accounts or websites
In your dashboard, go to Users → Profile, scroll to the Account Management section, and click on Set New Password. WordPress will automatically generate a strong password for you. This will be a complex credential that’s hard to guess.
You can use this password or create your own. As you type, WordPress will indicate how strong or weak your new password is.
To make sure your new password is secure and random, you can use a password generator. This tool can automatically create a password with uppercase and lowercase letters, as well as numbers and symbols.
After pasting your new password into the text box, scroll to the bottom of the page. Click on Update Profile to save your changes. Periodic changes for their own sake add little; what counts is that the password is long, unique, and paired with two-factor authentication, and that you change it immediately if you suspect it has been exposed.
Step 3: Add two-factor authentication
When you log in to your WordPress site with just a password, this is called single-step authentication. You can also implement two-step, or two-factor, authentication.
With two-step authentication, you’ll provide two forms of verification to log in to your site. You’ll still enter your password, but you must also confirm your identity on your phone or another device.
Jetpack makes it easy to add secure authentication to your website. First, install and activate Jetpack in WordPress. Then, in the Jetpack dashboard, click on Manage security settings.
Scroll to the bottom of the page and find the WordPress.com login section. Here, turn on Require accounts to use WordPress.com Two-Step Authentication.
Then, find the Two-Step Authentication page in the Security tab. You can choose to set up your two-factor authentication with an app or SMS.
If you choose the first option, you’ll need to download an app like Google Authenticator (iPhone | Android). WordPress will provide a QR code, which you can scan with the app and then enter the generated code.
When you click Set up using SMS, you’ll have to enter your phone number. Once you verify the code sent to your phone, you can start using two-factor authentication.
Now you can verify your identity every time you log in to WordPress! This setup can offer increased protection against brute force attacks.
Step 4: Install a brute force attack protection plugin
After taking some basic steps to protect your login page, you can also benefit from installing a brute force protection plugin. The right tool can automatically block brute force attacks before they impact your site.
As you’re trying to choose the best plugin for brute force protection, you should keep a few factors in mind. To protect your website, you’ll want to find a plugin that works behind the scenes to prevent and stop brute force attacks.
Here are some basic features you should look for in a brute force protection plugin:
Limited login attempts
Two-factor authentication
A firewall
IP address blocklisting
Additionally, many brute force protection plugins provide general security for your website. For example, Jetpack Security not only prevents brute force attacks but performs malware scans, creates automatic backups, and screens for spam.
Jetpack is also one of the easiest brute force protection plugins to configure. After installing and activating Jetpack, you can turn on Brute force protection in the dashboard.
With this one click, you can enable Jetpack to prevent brute force attacks!
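Two of the features listed above, limited login attempts and IP blocklisting, reduce to counting failed logins per source address in a sliding window. The following added example (not code from the original page or from Jetpack) applies that logic to web server access-log lines so you can see what a protection plugin is reacting to, or check a server on which no plugin is installed yet. It relies on two WordPress behaviours: a failed wp-login.php POST re-renders the form with HTTP 200 while a successful one answers with a 302 redirect, and xmlrpc.php returns 200 either way (its system.multicall method can carry many password guesses in one request), so every POST to it is counted. The log lines are constructed, using documentation IP ranges, and the window and threshold are arbitrary defaults.

```python
"""Spot brute-force login attempts in an access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[Dict]:
    """Parse one combined-format line; None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],
        "status": int(m.group("status")),
    }


def is_login_attempt(rec: Dict) -> bool:
    """Failed wp-login.php POSTs come back as 200; any POST to xmlrpc.php counts."""
    if rec["method"] != "POST":
        return False
    if rec["path"].endswith("/wp-login.php"):
        return rec["status"] == 200
    return rec["path"].endswith("/xmlrpc.php")


def find_brute_force(lines: List[str], window_minutes: int = 5,
                     threshold: int = 10) -> Dict[str, int]:
    """Return {ip: peak attempts inside any window} for IPs that reach the threshold."""
    window = timedelta(minutes=window_minutes)
    records = [r for r in map(parse_line, lines) if r is not None and is_login_attempt(r)]
    records.sort(key=lambda r: r["time"])  # tolerate unordered input
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for rec in records:
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= threshold:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(q))
    return peak


def sample_log() -> List[str]:
    """Constructed excerpt: 12 failed logins from 203.0.113.7 within two minutes,
    one failure then a success from 198.51.100.4, and an ordinary page view."""
    base = datetime(2024, 3, 1, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S") + " +0000"

    lines = [
        f'203.0.113.7 - - [{stamp(10 * i)}] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"'
        for i in range(12)
    ]
    lines.append(f'198.51.100.4 - - [{stamp(30)}] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"')
    lines.append(f'198.51.100.4 - - [{stamp(45)}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    lines.append(f'192.0.2.9 - - [{stamp(60)}] "GET /about/ HTTP/1.1" 200 8820 "-" "Mozilla/5.0"')
    return lines


def demo() -> Dict[str, int]:
    return find_brute_force(sample_log())
```

Feed find_brute_force() the lines of your real access log (for example with open(path) as fh: find_brute_force(fh.readlines())); the addresses it returns are candidates for a temporary block at the firewall or in your plugin’s blocklist. Note that a distributed attack spreads guesses over many addresses so that each stays under the threshold, which is why per-account limits and two-factor authentication still matter.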
The four best WordPress plugins for brute force attack protection
Installing a plugin can be the most effective way to prevent brute force attacks. Still, you might not know which option is right for your website. Although there are many brute force protection plugins, four stand out as the best!
1. Jetpack
When you download Jetpack, you can access brute force attack protection and many other security features. Jetpack also offers performance and growth tools, so you can choose a plan that’s perfect for your needs.
If brute force attack protection is all you need, the great news is that it’s completely free!
Key features of Jetpack’s brute force attack protection:
One-click activation
Allowed IPs
The ability to see the number of blocked attacks
Two-factor authentication
Pros:
If you’re accidentally locked out of your login page due to Jetpack’s protection measures, you can send a special login link to your email address.
Jetpack compares each new IP address to its global database of malicious addresses.
With Jetpack, you can also access extended security measures, like downtime monitoring, site backups, and malware scans.
Cons:
Jetpack requires you to connect to a WordPress.com account.
If your server is misconfigured, it may not pass the visitor’s IP address to WordPress, which can disable the brute force protection feature.
Ease of use:
With Jetpack, you can implement brute force attack prevention in a single step. After installation, just visit the main Jetpack dashboard to turn on the feature. Then, you can simply allow Jetpack to do the work without any maintenance.
Pricing:
Any WordPress user can start using brute force protection for free with Jetpack.
Sucuri is a tool specializing in website monitoring, protection, and performance. By implementing a Web Application Firewall (WAF), Sucuri can block brute force attacks on your website.
Key features:
Web Application Firewall (WAF)
Limits login attempts
Automated tools to block bots
Allowlisting
Two-factor authentication, CAPTCHA, and passcodes
Pros:
Sucuri includes geo-blocking so that you can block all visitors from specific IP ranges. This feature can prevent brute force attacks from certain countries.
Sucuri’s firewall sanitizes traffic before it even reaches your WordPress website.
Cons:
The free version of Sucuri does not provide brute force prevention. To access a WAF, you’ll need to purchase a subscription.
Although Sucuri is an effective option for brute force attack prevention, it’s expensive. There are other free plugins with similar features.
Ease of use:
Compared to other plugins, Sucuri has a more complicated setup process. To start using Sucuri, you’ll need to purchase a plan and set up a firewall. This involves integrating your cPanel account and manually changing your DNS records.
Pricing:
With Sucuri, brute force protection requires a premium plan. This feature comes with all of its subscription options, which start at $199.99 per year.
Wordfence Security is a plugin that provides a firewall and security scanner all in one. This tool offers many forms of login security, including two-factor authentication, allowlisted IP addresses, and reCAPTCHA keys.
Key features:
Limits login attempts
Records successful and failed login attempts
Continually updated IP blocklist
Manual blocking tools
Two-factor authentication and reCAPTCHA
Pros:
Since it comes with a Web Application Firewall, Wordfence can identify and block malicious traffic on your site.
If any administrative passwords are compromised, you can block any logins from that user.
Wordfence performs scheduled security scans every three days when you’re using the free version.
Cons:
For the free version of Wordfence, the generated data is delayed by 30 days. To receive real-time threat intelligence, you’ll have to upgrade to a paid plan.
The free plugin also doesn’t let you manually schedule scanning.
Ease of use:
Wordfence provides a very simple setup process for first-time users. After installing and activating the free plugin, it will prompt you to enter an email address where Wordfence can send alerts. Then, you can add brute force protection by implementing a firewall and login security features.
Pricing:
Even the free version of Wordfence Security comes with built-in brute force protection for unlimited sites. If you need advanced support, you can purchase a premium plan. These start at $99 per year.
iThemes Security ensures that you can start protecting your website from brute force attacks in under ten minutes. With this plugin, you can quickly customize your login page with two-factor authentication and password requirements. Plus, iThemes will automatically add your site to its Brute Force Protection Network.
Key features:
Maximum login attempts for both hosts and users
Local and network brute force protection
Graphs of recent brute force attacks
The ability to set password requirements for all users
Two-factor authentication
Pros:
One of the main benefits of iThemes Security is its Brute Force Protection Network. It records suspicious activity across one million different websites, identifying malicious IPs.
You can set a maximum number of login attempts for your website, which can prevent automated login guessing.
Cons:
If you want to add extra security features to your login page, like a reCAPTCHA field, you’ll need to purchase the premium plugin.
The free plugin does not include real-time security reports.
Ease of use:
After installation, the iThemes plugin will take you through a step-by-step setup process. Here, you can enable both local and network brute force protection. You can also choose to add two-factor authentication for extra security.
Pricing:
iThemes Security is a free WordPress plugin. If you’d like to use the real-time security dashboard, you can purchase the premium version, starting at $80 per year.
Comparison of the top plugins that block brute force attacks
| Feature | Jetpack | Sucuri | Wordfence Security | iThemes Security |
|---|---|---|---|---|
| Limit login attempts | Yes | Yes | Yes | Yes |
| Two-factor authentication | Yes | Yes | Yes | Yes |
| Real-time reports | Yes | Yes | Yes, with premium extension | Yes, with premium extension |
| IP blocking | Yes | Yes | Yes | Yes |
| reCAPTCHA | Yes | Yes | Yes | Yes, with premium extension |
| Network brute force protection | Yes | No | No | Yes |
| Ease of use | One-step activation | Requires manually changing DNS records | Simple tabs for managing your firewall, scans, and login security | Setup wizard to configure login security and user groups |
| Price | Free | $199.99-$499.99 per year | Free-$950 per year | Free-$199 per year |
Frequently asked questions (FAQs)
Now that you know all about brute force attacks and how to prevent them, let’s answer some questions!
How much does brute force protection cost in WordPress?
Brute force protection can be free if you download a brute force protection plugin like Jetpack. Other providers like Sucuri require a paid subscription.
How can I set up brute force attack protection in WordPress?
Setting up brute force protection will vary based on the provider you choose. Some options require you to configure a firewall, which can be complicated. Alternatively, Jetpack is a plugin that makes this process simple. After activation, you can turn on brute force protection with just one setting.
What else can I do to secure my WordPress site?
There are many general security measures you can take to protect your website. First, consider performing consistent updates for the core software, themes, and plugins. You can also keep your data secure by backing up your website.
Another simple security measure is blocking spam. It’s also a good idea to delete unused plugins and monitor your site activity. Finally, make sure you regularly scan for malware and take immediate action if anything is found.
Secure your website against brute force attacks
Without the right protection, your website can fall prey to brute force attacks. Fortunately, a brute force protection plugin is a simple addition to your site. With the right security measures, you can stop hackers from stealing your data.
To review, here’s how to implement brute force attack protection in WordPress:
After following these steps, you’ll be able to keep your information private and secure! Then, it’s just a matter of keeping your software up to date, backing up your files, and monitoring your website for spam and suspicious activity.