skip navigation
Manchester Digital
skip mega-menu

Quick Links

Get Involved
What We Do Join the Community This Month at MD Our Newsletter #MDTechCommunity Slack Channel Industry Events Partner Opportunities
Support
Research and Insights Manifesto for the Northern Tech Economy Startup Support Sectors Relocate Member Offers
Programmes
Apprenticeships Digital Her Startup Activator Skills Festival Sector Insights Training

Who We Are

The Team
The Board

About

News

Events

Directory

Jobs

Join

Programmes

Startups

Apprenticeships

Get in Touch

Posts
Add Post

How to improve WordPress Security in the face of rising malware threats

#cybersecurity #web security #wordpress #cyber security #onlinesafety

3+ Year Member
View Profile
View More Posts

Recent cyber attacks on several prominent UK retailers, which employed ransomware to disrupt their operations, underscore the critical need for robust website security in today's digital landscape.


WordPress, which powers over 40% of the internet, has become a significant target for cyber threats, placing organisations at heightened risk as attacks grow more sophisticated and focused. 


Cybersecurity specialists reported that in 2024, the highest ever recorded amount of WordPress sites compromised by malware, with plugins responsible for 96% of all identified vulnerabilities; this trend is expected to escalate in the current year (2025). The most prevalent forms of malware found on affected systems included injected malware and redirects, along with SEO spam.

 

Image sourced from Sucuri.net


Why are WordPress websites common targets?


With WordPress being one of the most commonly used Content Management Systems across the modern web, it’s only expected for bad actors to take advantage of its popularity.  


  • Open source: the code is publicly available making vulnerabilities easier to identify.
  • Plugin ecosystem: many plugins are not well-maintained or have known security flaws.
  • Out-of-date updates: many businesses who own websites delay or even ignore updates completely.
  • Not renewing licences: many premium plugins and themes are based on a subscription basis, and by not renewing them means they will never get updated, making them vulnerable.
  • Incorrect file and folder permissions: file permissions are a set of rules your web server uses to control access to the website’s files.  If these are not set properly, it puts the site at a high risk.
  • Predictable login credentials: one of the most common types of attack is a Brute Force attack, taking advantage of unprotected access to the admin directory.  This attack utilises password attempting tools of leaked password, so a combination of weak passwords that almost never get changed again.
  • Insecure hosting: some hosting providers offer inexpensive services, which might seem like a great deal, however this comes at the cost of the platform's security.


Common Types of Malware affecting WordPress

It is important to understand what are the most common types of malware affecting WordPress sites at the moment.


  • Backdoor attacks: These create hidden access points that bypass security protocols on your site.
  • Compromised file managers: Exploits vulnerabilities in file manager plugins.
  • Core file changes: The modification of critical WordPress files for long-term control.
  • Forced website redirects: Users are immediately redirected to malicious or spammy websites which can end up in a nasty unending cycle.
  • Hidden crypto mining code: Where your website and hosting server can be used to mine cryptocurrency.
  • Hidden SEO spam: Injects spammy links into the content of your web pages to manipulate search rankings.
  • Malicious JavaScript code: This common practice steals user data or alters site behaviour, for example by displaying fake Cloudflare notices instructing users to inject malware unknowingly.
  • Pharmacy spam attacks: A method used to promote illegal pharmaceuticals through your site whether this is directly on page content or via a popup.


Key Steps to Prevent Malware Attacks and Securing Your Website

To ensure a WordPress site remains safe from malware and hacking attempts, it's vital to adopt security measures which are very effective and greatly reduce any risk of a compromise.  With cyber threats on the increase, they can have a devastating impact for businesses, such as economic costs, loss in revenue and damage to brand reputation.  This can cause a lack of trust to prospects and clients, not to forget the serious impact it can have on your search ranking position.


There are many ways to secure a website, but most of the best practices fall within three main categories:

Access Control

Enforce strong passwords for all of your WordPress users and have a policy in place where you force a password renewal every 6 months to help mitigate any brute force attacks.


Implement two-factor authentication (2FA) to establish a stronger login system, where users can prove their identity in two different ways before granting them access.


Review your user roles and permissions and ensure only a select few have Administrator privileges, such as Editor or Author roles which are enough for making changes to the website.


Changing the default login URL for WordPress will massively reduce the risk of unauthorised access to the website.  By customising the URL where users access the backend of WordPress will obscure the default entry from bots and attackers who scan the internet for common login pages.

Technical Measures

Implement solutions to protect your site such as a Web Application Firewall (WAF) which can filter and block known malicious traffic, actively scan plugins and themes for potential threats.


Ensure the core WordPress files and any free and licenced plugins are kept up to date regularly.  When a new release is available you want to ensure that your website installs that latest version so your site avoids vulnerability.


Using a Content Delivery Network (CDN) like Cloudflare can help protect your website against common malicious attacks such as a Distributed Denial of Service (DDoS) attack.  These disrupt the normal traffic of a server or network by overwhelming it with a flood of internet traffic.

Recovery and Backup 

Unfortunately, numerous companies choose low-cost unmanaged hosting services without realizing that these plans often do not include backup or recovery options. At Dawn, we offer managed hosting services that encompass these features and more, included in all our clients' hosting plans.


To safeguard against potential disasters, it is essential to implement regular backups on a rotating schedule, verify the backup process, and ensure that the data remains secure and can be restored whenever necessary.

Be constantly prepared


Website security is a continuous process that calls for ongoing attention to detail and monitoring. As malware and other cyberattacks become more prevalent, your defences should also adapt.


Investing in security within the development stages, as part of a long-term program, helps avoid expensive cleanups and reputational harm, which are crucial factors for your website.


Contact our experts if you are worried about the security of your own website or thinking about moving your hosting to a more dependable, secure hosting environment managed by real experts.


Related Posts

Add Post View All
Posted by ConCom Web Design
Multilingual Websites with Joomla! CMS for Henniker Scientific
Posted by Battalion Digital Limited
Fridai - the Future of Gaming
Night Sky Glamping Abersoch Website
Posted by ConCom Web Design
NightSky Glamping Website Live
Posted by UKFast
UKFast Adds to C-Suite with CMO Appointment
Posted by Skylab
Skylab Named As WordPress VIP Silver Agency Partner
Posted by Skylab
WordPress Multisite
Posted by Woodhurst Consulting
Getting the whole picture
Posted by Datum Datacentres
Physical security in a digital world
Posted by Higher Ground Marketing
The Lean UX approach
Posted by Design By Day
Design By Day Launches Refreshing New Website for Joseph Holt

Subscribe to our newsletter

Sign up here