How to protect your site from viruses and malware

It’s important to stress that Envato does thorough examinations and inspects all the themes featured on their market, and this is especially true when it comes to the safety aspects.

Moreover we, the theme authors, conduct additional tests to eliminate the possibility of there being any malicious content.

If any malicious content does appear to exist on your site, the most likely point of entry can be either the server, in which case you should handle this directly with your hosting provider, and the second possibility is that the malicious content originates from your computer, and it was transferred along with some of your content.

Naturally, there are some safety measures everyone can take to additionally secure their WordPress website. In order to protect your WordPress site from hacking, contracting some malicious software and endangering of your admin account, you should undertake certain safety precautions.

Changing your admin user name

In order to do this, you should add a new user with administrator privileges. Navigate to Dashboard > Users to create a new user profile.

After you have done this, log into your WordPress backend with the new admin profile, and delete the first admin account.

Password-protecting the wp-login.php page

You can create an additional prompt for logging in when you wish to access your dashboard. This is achieved via Apache’s htpassvd function.

Here’s how you can go about this:

⋅ A － Create and empty out the database called htpassvd for one level above your public_html.

Your user name and password will look like this: jonhdoe: $apr1$RRLHqkDB$hTW3sTF9U3VJQVB9pHD9R0

Now copy this line into your .htpassvd database.

⋅ C － You can paste the code found below to your .htacess database located in your main WordPress directory (usually public_html). Place the cod to the very top, above everything else.

ErrorDocument 401 default

<Files wp-login.php>
AuthName "WordPress Admin"
AuthType Basic
AuthUserFile /home/CPANELUSERNAME/.htpasswd
require valid-user
</Files>

Change the CPANELUSERNAME with your actual user name – this is the most commonly used user name most people use for accessing the cPanel and as such it would be a good idea to alter it.

Now when you access your wp-admin or wp-login.php page, you will get an additional login prompt. You’ll need to fill this in only once per session, and you can even save your credentials in your browser so you don’t have to enter it every time you login.

Using a strong password

Nowadays there’s no reason to get tempted to create a simple, easily memorable password – there’s plenty of means to save your passwords in your browser, browser extension and so on. So the best option is to go for a bit more complex solution for your password. If for whatever reason you still wish to use a password you can easily memorize, you should at least try making it a bit more complex by incorporating unusual words, using at least one capital letter, numbers and special characters (e.g. ! @ ^ * - ( )). Here’s a simple example: say you wish to use jimmy as your password – by adding a few simple characters you’ll still keep the straightforwardness, but you’ll make the password more secure, so your password can look something like this: ^ Jimmy21 ^.

Always keeping WordPress, themes and plugins up to date

Most new WordPress releases contain fixes and improvements in regards to safety, so it’s always a good idea to update your WordPress whenever there’s an option. By not choosing to update, you leave your site at a risk from potential attacks. The same goes for new versions of the theme you are using, as well as any 3rd party plugins your website may utilize.

Limiting the usage of multiple plugins and themes

Old plugins which have not had new patches and update releases in a long time are best avoided – these plugins might have security issues and could be vulnerable to malicious content. In addition to this, you should always make sure to delete any plugins you are not using anymore from your WordPress. This will free up some more resources. We advise using plugins only in the event you find a plugin absolutely necessary. This will lighten up your resources and make your website faster overall. The lesser amount of additions your web location utilizes, the lesser the risk of potential safety holes.

Additional tips:

⋅ A － Always make local backups. You can never have enough backups, and it’s a better alternative than relying on just the backups stored by your web host. You should obtain all your databases via FTP, especially everything located in vp-content\upload, and create a backup copy using phpMiAdmin.

⋅ B － Another important thing is to pick a web hosting provider who seriously takes your security. Choose a host whose top priority is safety, as all the measures you take become meaningless unless the host also does their part.

⋅ C － Never set the permits to 777. The permissions for your data set should not exceed 644. Permits for the map should not go over 755. Using the 777 permits for your datafiles is considered a safety risk, and you should avoid using them at all cost. In the event your host requires you to use them, look for another provider.

⋅ D － Finally, you can also choose one of the safety plugins for WordPress in order to add an extra layer of security to your website. Here are some examples of safety plugins:

• Sucuri Security

• All In One – WP Security & Firewall

• WordFence Security