I recently came across malware in my WordPress installation even though I am running the latest version of WordPress and not running any other plugin apart from JetPack. I tried removing the malware and updating all the WordPress files only to get infected again a few days after. So Far these steps have mitigated the malware from infecting  and/or penetrating my site.

.htaccess conditions

I added these rules to my .htaccess file. This will append or replace the existing rules of WordPress as well as the WordFence Plugin if you use it,

Installed WordFence and Really Simple SSL Plug-in

I installed WordFence to scan and replace WordPress core files. I only use the free version, though there is a premium version available with more automation features. I also installed a SSL certificate on my server and installed Really Simple SSL to force HTTPS on my main site.

Updated passwords and changed DB table prefix

If you haven’t already, I updated all database and user passwords in my current WordPress installation as well as changing the default database table prefix (wp_) to something obscure.

Set file and directory permissions

Set directories to 755 and files to 644. I simply run these commands via SSH

Limit or disable access to XML-RPC

I use .htaccess to limit access to the xmlrpc.php file since I use the WordPress app. You can opt to simply deny access to the file all together if you don’t plan on using it.


%d bloggers like this: