The only working antivirus for WordPress. WordPress protection against basic threats, viruses and attacks Wordpress virus protection

WordPress is one of the most popular content management systems (CMS) used by people either for simple blogging or for other purposes such as creating an online store. There are many plugins and themes to choose from. Some of them are free, some are not. Often these themes are downloaded by people who have customized them for their own benefit.

1. Theme Authenticity Checker (TAC)

Theme Authenticity Checker (TAC) is a WordPress plugin that scans the source files of each installed WordPress theme for hidden footer links and Base64 codes. Once detected, it displays the specific theme path, line number, and a small piece of malicious code, allowing the WordPress administrator to easily analyze this suspicious code. [Download ]

2.Exploit Scanner

Exploit Scanner is able to scan your site's files and database and is able to detect the presence of anything questionable. When using Exploit Scanner, remember that it will not help prevent a hacker attack on your site and will not remove any suspicious files from your WordPress site. It is there to help identify any suspicious files uploaded by a hacker. If you want to delete them, you will need to do it manually. [Download ]

3. Sucuri Security

Sucuri is a well-established malware detection and security plugin in general. The main features of Sucuri are monitoring files uploaded to WordPress site, blacklist monitoring, security notifications and more. It also offers remote malware scanning with the free Sucuri SiteCheck Scanner. The plugin also provides a powerful site firewall addon that can be purchased and activated in order to improve the security of your site. [Download ]


Anti-Malware is a WordPress plugin that can be used to scan and remove viruses, threats, and other malware that may be present on your site. Some of its important features offer custom scans, full and quick scans, automatic removal of known threats. The plugin can be registered for free at gotmls . [Download ]

5.WP Antivirus Site Protection

WP Antivirus Site Protection is a security plugin for scanning WordPress themes along with other files uploaded to your WordPress site. The main functions of WP Antivirus Site Protection are scanning every file uploaded to the site, updating the virus database on an ongoing basis, removing malicious code, sending notifications and alerts by email, and much more. There are also features that you can pay for if you want more “tightened” security for your site. [Download ]

6. AntiVirus for WordPress

AntiVirus for WordPress is an easy-to-use protection plugin that will help you scan the WordPress themes used on your site for malicious code. Using this plugin, you will be able to receive virus notifications in the admin panel. There is also a daily scan, according to the results of which you will receive an email if anything suspicious is found. [Download ]

7. Quttera Web Malware Scanner

The Quttera Web Malware Scanner will help you scan the site and protect it against the introduction of malicious code, viruses, worms, trojans and other computer evil spirits. It offers several interesting features such as scanning and detection of unknown malware, blacklisting, scanning engine with "artificial intelligence", detection of foreign external links and much more. You can scan your site for malware for free, while other services cost $60/year. [Download ]


If you are looking for a way to protect your site against cyber attacks, then you should try the Wordfence plugin. It provides real-time protection against known attacks, two-factor authentication, blocks the entire infected network (on detection), scans for known backdoors, and many other things. The services mentioned are free, but other features are offered for a fee. [Download ]

I was hacked. You know, like a page on VKontakte. But they did not beg for money, but created a lot of "left" pages with links to different sites. Then I thought about protecting my blog. And I found the perfect solution.

The first thing I did was to contact technical support with a request to restore my site the day before the hack, and within ten minutes I had my normal blog.

Then I installed a lot of plugins to protect WordPress from being hacked. But the blog has become terribly slow. Pages loaded in five to ten seconds. It is too long.

I started looking for plugins that do not load the system so much. I read reviews on these plugins and increasingly began to stumble upon All In One WP Security. According to the description, I really liked it and I decided to put it on my blog. And he still protects me, because I have not seen anything better.

What All In One WP Security can do (wordpress protection all in one):

  • Makes database backups, configuration file wp-config. and .htaccess file
  • Changing the address of the authorization page
  • Hides WordPress Version Information
  • Admin panel protection - blocking in case of incorrect authorization
  • Robot protection
  • And many more useful things

I can safely say that the All In One WP Security plugin is the best protection for a wordpress site.

Setting Up All In One WP Security

Having entered the Settings section, the first thing to do is to make backup copies:

  • database;
  • wp-config file
  • htaccess file

This is done on the first page of the All In One WP Security plugin settings.

Make a backup (backup copy) before starting work

I will go through only the most important points.

all in one wp security plugin settings items

Control Panel

Here we are met by the “Safety Meter” counter. It shows the level of site protection. Your site must be at least in the green zone. No need to chase the maximum bar - extra settings can disrupt the functionality of the site. Get the golden mean.

WordPress site protection counter

When you change the plugin security settings, you will see a green shield with numbers in each item - these are the numbers that are added to the total security score.

the figure is added to the total security score


WP Version Info Tab

Check the box Delete WP Generator metadata.

Removing WP Generator Metadata

This is done so that the version of the WordPress engine you have installed is not displayed in the code. Attackers know which version has vulnerabilities, and knowing the version of WordPress you have installed will be able to hack your site faster.


WP custom name

If you have a login to enter the admin panel admin, then be sure to change it. Admin is the most popular login. Many TsMSki offer it by default, and people are just too lazy to change it.
Attackers use various programs to hack websites. These programs pick logins and passwords until they find a suitable combination.
Therefore, do not use the admin login.

Display name

If your nickname matches the login, then be sure to change the login or nickname.


If you enter your password here, the plugin will show how long it takes to hack your site.
Recommendations for strengthening password strength:

  • Password must consist of letters and numbers
  • Use uppercase and lowercase letters
  • Do not use short passwords (minimum 6 characters)
  • It is desirable to have special characters in the password (% # _ * @ $ and verbose)
Password complexity


Authorization blocking tab

Be sure to include. If within 5 minutes someone enters the password incorrectly 3 times, then the IP will be blocked for 60 minutes. You can put more, but it is better not to do this. It may happen that you yourself enter the password incorrectly and then wait for months or even years :)
Check the box "Immediately block invalid usernames".
Let's say your login is hozyainsayta, and if someone enters another login (for example, login), then his IP address will be automatically blocked.

authorization lock options

Automatic logout of users

We put a tick. If you log into the site admin panel from another computer and forget to log out of the admin panel, then after a specified period of time the system will log you out.
I put 1440 minutes (that's 24 hours).

Options for automatically logging out users

User Registration

Manual confirmation

Check “Enable manual approval of new registrations”

Manual approval of new registrations

CAPTCHA on registration

We also tick the box. This cuts off attempts to register a bot-robot, since robots cannot cope with the captcha.

Registration Honeypot (barrel of honey)

We celebrate. And we do not leave the robots not a single chance. This setting creates an additional invisible field (type Enter text here). This field is visible only to robots. Since they automatically fill in all the fields, they will write something in this field as well. The system automatically blocks those registration attempts for which this field is filled.

Database protection

DB table prefix

If your site has been around for a long time and there is a lot of information on it, then you should change the database prefix with the utmost care.

be sure to back up the database

If you have just created your site, you can safely change the prefix.

Database table prefix

Database backup

Enable automatic backups.
Select the frequency of backups.
And the number of files with these backups that will be kept. Then they will start overwriting.
If you want these files to be additionally sent to your e-mail, then check the corresponding box. I have a separate folder in my mailbox for these purposes, all backups (of my and client sites) are sent there.

Database backup settings

File system protection

Here we change the file permissions so that everything is green.

php file editing

We put in the event that you do not edit files through the admin panel. In general, you need to make any changes to files through ftp-managers programs (like a filezilla). So in case of any "jamb" you can always undo the previous action.

We deny access. With this action, we can hide important information for hackers.

Black list

If you already have IP addresses that you want to deny access to the site, then enable this option.

Blocking users by IP


Basic firewall rules.

Firewall and Firewall is a software package that is a filter of unauthorized traffic.

These rules are added to the .htaccess file, so we back it up first.

Now you can put the necessary checkboxes:

Activate Basic Firewall Features Protecting Against XMLRPC Vulnerability and WordPress Pingback
Block access to debug.log

Additional firewall rules

On this tab, check the following boxes:

  • Disable directory browsing
  • Disable HTTP tracing
  • Disable comments through proxy
  • Disable malicious strings in requests (May break the functionality of other plugins)
  • Activate additional character filtering (We also act with caution, you need to look at how it affects the performance of the site)
      Each item has a button “+ More details” where you can read in detail about each option.

6G Blacklist Firewall Rules

We note both points. This is a proven list of rules that the WordPress site security plugin provides.

Firewall (firewall) settings

Internet bots

There may be problems with the indexing of the site. I don't enable this option.

Prevent hotlinks

We put a tick. So that images from your site are not shown on other sites via a direct link. This feature reduces the load on the server.

Detection 404

Error 404 (there is no such page) appears when you enter the page address by mistake. Hackers brute-force trying to find pages with vulnerabilities and therefore enter many non-existent URLs in a short period of time.
Such hacking attempts will be entered into a table on this page and by checking the box you will be able to block their IP addresses for the specified time.

404 error tracking settings

Protection against brute force attacks

By default, all sites on WordPress have the same address of the authorization page. And so the attackers know exactly where to start hacking the site.
This option allows you to change the address of this page. This is a very good protection for a wordpress site. Be sure to change the address. I did not check this box, because mine automatically changed this page for me during the installation of the system.

Brute force protection with cookies

I did not turn on this setting, as there is a possibility of blocking myself when logging in from different devices.

CAPTCHA for login

If there are many users on your site or you have an online store, then you can enable Captcha during authorization in all points.

Captcha protection during authorization

Whitelist for login

Log in to the admin panel only from your home computer and you are the only user of your site? Then enter your IP address and everyone else will be denied access to the authorization page.

WordPress is the most popular content management system used by millions of webmasters around the world. Of course, among these millions there are also dishonest specialists, hackers who have already managed to study the CMS so much that they can easily hack it to infect with a virus.

In fact, WordPress, as the most popular CMS, is attacked more often than others. Therefore, to protect you need to take some measures. In this article, we will tell you about plugins that can help protect WordPress from viruses.

Sucuri Security

Sucuri Security is one of the most popular solutions to help protect WordPress from viruses. The plugin has a good opinion of a large number of WordPress users and many sites are protected by it.

Plugin features include:

  • Logging of various actions related to protection.
  • Monitor website files for changes.
  • Scanning for malicious code.
  • The plugin will notify you if there is a risk of it being blacklisted by antivirus programs. This add-on works in conjunction with a large number of well-known and popular antiviruses.

Wordfence Security

This plugin perfectly protects the site from attacks by hackers, blocking their access to vulnerable parts of the project by their IP. The add-on is unique in that it records and saves in its database those IPs and networks that have ever attacked the site. Therefore, by installing such a plugin on the site, you get an accumulated database of hacker addresses, access to which will be closed to your site.

The plugin has a paid version that has more features that can protect WoprdPress from viruses.


The AntiVirus plugin works just like any computer antivirus - it periodically scans the site for suspicious files. The site administrator will receive a weekly email with a scan report. If the virus code, nevertheless, is detected, then the notification comes immediately. The plugin scans both the WordPress core and plugin files, themes, and the database.

Read also about checking the site for viruses.

Quttera Web Malware Scanner

A shareware plugin that can adequately protect WordPress from viruses by scanning site files for malicious code. The plugin recognizes a large number of viruses and easily finds them. You will also receive notifications if your site is blacklisted by well-known antivirus programs.

It's funny sometimes things happen in life. I came across a cool course on Udemy on modern ways to protect and hack sites. Upgrading my skill level, I missed the virus infection of my blog. Most likely, WordPress users have experienced the symptoms in one way or another, which I will describe next. If not, then you are lucky. I myself didn’t attach anything to sites for a very long time, thinking about how they still manage to infect their web resources. Back in 2014, I was surprised by messages on the forums that their site with an excellent attendance was simply infected and taken away.

And so, this morning, a letter arrived in the mail from my hoster, which puzzled me. Yes, I was pleasantly surprised that ihc monitors sites for malware, but the message that one file was changed at night without my knowledge and this suspicion of virus activity caused chaotic emotions. In fact, it was confirmation of my suspicions.

Some time ago, I discovered that the metric has clicks to sites that I just can’t write in my posts. When I tried to find these links stupidly through the blog search engine, I was redirected to Apache with an error message. Even then, suspecting something was wrong, I got into the file search.php active topic, in which I saw obfuscated code. Then it put me in a stupor, but due to lack of time, I did not delve further. As it turned out in vain. After all, this was one of the signs of infection.

An example of coded malware

I foolishly relied on the means of detecting malicious code from various services that litter the Internet. All of them "joyfully" informed me that the site was clean as morning dew.

Imagine a paradoxical situation - there is a non-working search function, there is an obfuscated php code so that the unlucky webmaster does not see the "gift", and anti-virus services are simply silent.

But back to our sheep, more precisely, to the sites. On all these sites I have two-level authorization. Maybe this saved the site from being taken away by a hacker. Two days after being infected search.php I received a notification from that some files have been changed and if I did nothing, it is recommended to check with the antivirus provided by the hosting itself. Well, now the opportunity to test this antivirus has turned up, it’s a pity that my favorite site got as a test subject 🙁

The result of the check, to put it mildly, rather puzzled me. Antivirus shoveled the site for about forty minutes and then sent its "verdict". 42 files were infected...

Here it was time to grab your head, thinking about how such a thing could have happened. It goes without saying that there was an exploit. But more about that later.

It was necessary to treat the site, but for this it had to be thoroughly investigated. Yes, it could have been done much easier - merge the database dump, transfer pictures from wp-content and re-upload all this to a freshly installed WordPress engine. But "easier" does not mean "better". In fact, without knowing what was changed, one would expect the hole to appear on the reuploaded site as well. And then it was just right to become a newly minted Sherlock Holmes in order to conduct a full audit of the site.

Finding malware is like being a detective

To be honest, I have not experienced such passion and interest for a long time. Yes, the hosting antivirus helped me in many ways, indicating in which files it found changes. But even he could not fully detect everything, since the code alternated with obfuscation and banal hex-coding using malicious js. It was necessary to do a lot with pens, using all third-party tools just as assistants.

So, we launch the code editor and look at the infected files. In fact, in the code they "fire" quickly enough due to their encryption. However, this is far from being the case everywhere. It happened that it was necessary to parse the php file code line by line and figure out what was wrong with it. I must say right away that it was with the theme files. In this case, the original theme files are very useful for comparison, if you are not sure exactly what this or that function is for (and a correctly written virus should inherit as little as possible).

But let's look at everything in order. I already posted a screenshot of the code obfuscated by the virus at the beginning of the article. Using the resource, you can decode it into a digestible form and study it. In my case, some files contained the injection. We erase all this to hell.

However, sometimes you may come across a short code with an include. As a rule, they become infected index.php and wp-config.php. Unfortunately, I did not take a screenshot of such code, since at that time I did not plan to write an article. From this code, it was clear that this was the code for calling a specific file encoded through js. To decode the hexadecimal code, we will use the service, with the help of which we will determine that the file is called at the address wp-includes/Text/Diff/.703f1cf4.ico(I omitted the full path, the essence itself is important). What do you think, is calling a simple icon file worth encoding, albeit relatively simple encoding? I think the answer is obvious and open this "icon" through the notepad. Naturally, this again turned out to be a fully encoded php. We delete it.

Having cleared the obvious files, you can move on to the not-so-obvious ones - the WordPress theme files. Here obfuscation is not used, you need to dig the code. In fact, if you do not know what the developer originally intended, then this task is very creative, although it can be solved quite quickly. If you haven't changed the theme code, it's easier to replace the infected files (the anti-virus identified them for sure) and move on. Or you can dig like me and find that very often such viruses are attributed to the file function.php absolutely left function, in which there will certainly be a code for accessing sql. In my case, it looks like this (formatting left unchanged):

$sq1="SELECT DISTINCT ID, post_title, post_content, post_password, comment_ID, comment_post_ID, comment_author, comment_date_gmt, comment_approved, comment_type, SUBSTRING(comment_content,1,$src_length) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb-> posts ON ($wpdb->comments.comment_post_ID=$wpdb->posts.ID) WHERE comment_approved=\"1\" AND comment_type=\"\" A ND post_author=\"li".$sepr."vethe". $comment_types."mes".$sepr."@".$c_is_approved."gm".$comment_auth."ail".$sepr.".".$sepr."co"."m\" AND post_password=\ "\" AND comment_date_gmt >= CURRENT_TIMESTAMP() ORDER BY comment_date_gmt DESC LIMIT $src_count";

Where this sample goes, we have already cleaned up. Therefore, we calmly look at which function this code is located in and delete this entire function - it was attributed to the malware. But, again, it is much easier and better to overwrite the entire file from the finished theme if you are afraid of breaking something.

Well, the final touch - check the number of site users. All my sites I have always led myself. Accordingly, there cannot and should not be any other users. However, given the infection, it is easy to guess that they will try to steal the site and create its own user with admin rights. In my case it turned out wp.service.controller.2wXoZ. We delete it.

A lot of work has been done, but is there an exhaust? Let's check again with an antivirus, which reports that no more viruses were found. Everything, the site is cured.


As you can see, curing a site is quite simple, although time-consuming. After treatment, it is necessary to prevent such situations in the future. Here you need to take just a few steps:

  1. Update WordPress itself to the latest version. It is possible that they used an exploit for an outdated engine.
  2. Check all plugins. Delete all unnecessary ones (which you put on the "future" and do not use) and check the relevance of those already working. However, even downloading a plugin from the WordPress repository does not give you a guarantee that the plugin will be clean. Cases have become more frequent when they buy out this or that plugin, make malware out of it, and when updating on your site, you will encounter the same “joys” as I do. In my case, I was infected just like that.
  3. Always check the subject. If public - update. Of course, it is better if you buy it on the same templatemonster, although this does not give 100% protection.
  4. Don't neglect tools like Wordfence. Although the free version of the plugin is very, very limited, at least you will know what is suspicious on your site.
  5. Once a month, do not be lazy to run the site through wpscan, to see what vulnerabilities appeared on it.
  6. Pay attention to the root of the site. There may be a file index.html.bak.bak. This also indicates that you have an infected site (you can immediately edit index.php, it is 100% infected)
  7. Do not trust public site antiviruses. There is little sense from them.

I tried to show by my example how you can cure a WordPress site. Antivirus on is just a malware scanner. But he also made things easy. Nevertheless, even if your hosting does not have such a service, you can identify and prevent infection using the above algorithm.

The security of your blog needs to be dealt with from the very beginning, not postponing it to a vague “spin up and get busy”. Moreover, now you have detailed instructions on how to protect a wordpress site from hacking, viruses and other troubles.

I used to think about security, but not so seriously. And after this article on the website, A. Borisova took the matter seriously. I found on the Internet all the problem areas of the system and methods for their elimination. It turned out to be a rather large article of 14 points!

How to secure a wordpress website

1. Change the standard login. First of all, hackers break through such popular logins as admin, user, moderator, administrator. If you use one of them, then you have done half the work for the attackers. The admin is especially often used - short, easy to remember, you can immediately see that it is an important bump, so site owners do not change it to something more complex.

There are many options for changing this login, but the simplest one is:

  • Go to the admin panel, go to the Users section - click Add.
  • Come up with a complex login for the new user (you can just set letters and numbers), and select Role - Administrator.
  • Log out of the current user (select Log out at the top right).
  • Log in with the new user you just created.
  • Work with this account: create new articles, edit old ones, add/remove plugins. In general, check whether he really has all the powers of the Administrator.
  • Delete user with nickname admin.

2. Set a complex password- this is exactly the case when you cannot use your standard password in the form of qwerty. You need to come up with a unique password, very complex, of 20 characters with different case, numbers and different symbols. If you are afraid to forget, write it down in a paper notebook. But don't store it on your computer. How to come up with a complex password can be found in this article.

A complex password should be not only in the wordpress admin panel, but also for other services related to the site: mail, hosting, etc.

3. Hide login- no matter how you try to come up with a super complex login, there is a loophole that allows you to see it and copy it. To do this, enter in the address bar, substituting your domain. If the link does not turn into /author/admin, where admin is your new login, then everything is in order.

But if your login is still displayed there, you need to urgently hide it using a special command in the functions.php file:

/* Change login in comments */
function del_login_css($css) (foreach($css as $key => $class) (
if(strstr($class, "comment-author-insert_valid_login")) (
$css[$key] = 'comment-author-enter_fictitious_login'; ) )
return $css; )
add_filter('comment_class', 'del_login_css');

Now we set up a redirect to the main page, for this you need to open the .htaccess file in the root folder (using filezilla), and here after the line

RewriteRule . /index.php [L]

Add this text:

RedirectMatch Permanent ^/author/real_login$

4. Keep WordPress up to date. New versions appear from time to time, notifications hang right in the control panel. Make a backup copy of the site, update and check if it works. The newer, the more difficult it is to hack the system - new levels of protection appear, and old hacking techniques do not work.

5. Hide WordPress version from prying eyes. By default, this information is displayed in the code of the pages, and attackers should not report it. Knowing your version, it will be easier for him to recognize gaps and hack the system.

So open functions.php for editing and then add this line:

remove_action('wp_head', 'wp_generator');

This simple function disables displaying system data.

6. Remove license.txt and readme.html from the root folder. They are not needed by themselves, but they can be used to easily read information about your system and find out the version of WordPress. They automatically reappear if you update wordpress. So clean up the files every time you install an update.

7. Hide the wp-includes, wp-content and wp-content/plugins/ folders. First, check if the contents of these folders are visible to outsiders. Just substitute your domain in the links and open the links in the browser:

  • http://your_domain/wp-includes
  • http://your_domain/wp-content
  • http://your_domain/ wp-content/plugins

If you see folders and files when you go to these pages, then you need to hide the information. This is done very, very simply - create an empty file called index.php and place it in these directories. Now this file will be opened during the transition, i.e. blank page without any information.

8. Don't install free themes- this is information from personal experience, although everyone writes about it. But I decided to bypass the system, and put a free theme from the Internet on my other site - I really liked it. And at first everything was fine.

After about six months, I began to check outgoing links from the site, and found 3 obscure links. I could not find them on the pages themselves - they hid them very cunningly. After studying the issue, I found information that this is a very common problem when code for remote placement of links is embedded in free templates. I had to spend the whole evening, but I fixed the problem and now everything is in order. But how much damage could it do!

9. Install the right protection plugins, but be sure to install from the official site or from the control panel.

  • Limit Login Attempts - to limit login attempts. If you enter your login and password incorrectly 3 times, access will be blocked for N minutes/hours. You set the number of attempts and blocking time yourself.
  • Wordfence Security is a plugin for checking a website for viruses and malicious code changes. To start, just install and click Scan. But after checking, it is advisable to disable it so as not to create an additional load on the site. Check your blog for viruses at least once a month.
  • WordPress Database Backup - automatically sends a backup copy of your website database to the mail. The frequency can be set independently - once a day or weekly.
  • Rename wp-login.php - Changes the login address to the control panel from the standard http://your_domain/wp-admin.
  • Anti-XSS attack - protects the blog from XSS attacks.

10. Check your computer for viruses– sometimes viruses come directly from your computer. So install a good antivirus program and keep it up to date.

11. Systematically back up– either using the WordPress Database Backup plugin, or manually. For some hosts, this happens automatically, so you can restore the site at any time in case of problems.

12. Work with a trusted host, because in many respects the security of the site depends on the quality of the hosting. I moved to Makhost a month ago, and the difference with the previous one is noticeable (the move was described in this article). I will not strongly recommend it, since I have not been with them for long, although a friend with them for a year cannot get enough of them. In general, do not take tariffs for 100 rubles for the sake of saving, then you can pay dearly.

13. Different mailboxes for the site and hosting. It is very easy to pull out a mailbox from WordPress, then you can hack it and gain access to data. And if the hosting is tied to it, it will not be difficult to change the password and take the site for yourself. So get a separate hosting box so that no one knows or sees it.

14. Connect a dedicated IP address, so as not to coexist with porn sites, sites under the filter or with viruses. So if you have the opportunity, get a separate IP so you don't have to worry about it. By the way, in the field of bloggers there are unconfirmed rumors that a dedicated IP improves positions in search results.

Now you know the simplest ways to protect a site on wordpress, and you will be spared banal threats. But besides this, there are many other dangers from which it is not so easy to save. Just for such serious situations, Yuri Kolesov created the course "