Common Vectors for Malware and How to Mitigate Them

Last modified: October 17, 2025

This article outlines the most common ways malware infects WordPress sites and provides actionable steps to prevent and mitigate those threats. While these best practices apply to all WordPress sites, sections marked Not Needed at Pressable describe protections already handled by Pressable’s managed WordPress hosting environment.

Compromised Admin Accounts and Credential Weakness

Why It Matters

The majority of infections on Pressable begin with a compromised admin account. Attackers often gain access through weak or reused passwords, stolen credentials, or phishing attempts. Once they have admin access, they can install malicious plugins or inject code into the site’s database using tools such as “Code Snippets.”

Common Entry Methods

Method | Description
Weak or Reused Passwords | Attackers exploit credential stuffing (using passwords leaked from other sites) or brute force attacks against reused or simple passwords.
Phishing and Social Engineering | Admins are tricked into revealing credentials or approving malicious requests.
Malicious Collaborators or Shared Accounts | Overly broad user access or shared credentials can result in misuse or compromise.

How to Mitigate

  • Use strong, unique passwords for every WordPress account.
  • Enable two-factor authentication (2FA) on WordPress logins using a plugin such as WP 2FA.
  • Regularly review user roles and remove unused or shared admin accounts on the WordPress site and collaborator accounts attached to your Pressable account.
  • Use separate editor accounts for day-to-day content updates instead of logging in as admin.
  • Monitor login activity for unusual patterns or repeated failures.
Pressable Enhancement
Pressable enforces 2FA on Pressable dashboard accounts, but this does not extend to WordPress logins. Add WordPress-level 2FA for full protection.

Malware Hidden in Your Database

Why It Matters

Once attackers control an admin account, they can install a “code snippet” plugin (which allows you to add custom code to your site without editing theme files) and insert malicious PHP directly into the site’s database. Because this code resides in the database, file-based scanners often miss it.

How to Mitigate

  • Limit who can install or edit plugins.
  • Review wp_options and other database tables for suspicious or autoloaded entries.
  • Use scanners capable of analyzing both files and database content.
  • Restore from a known clean backup if reinfection persists.
  • Maintain least-privilege access for all user roles.
Pressable Enhancement
Pressable provides a free Jetpack Security license for every site. Jetpack scans files but not the database. Consider adding a secondary scanner that includes database checks if malware is suspected. You can also always contact Pressable support.
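As an added example (not part of this article, Pressable's tooling, or Jetpack), the following WP-CLI script performs the database review described above: it lists autoloaded options whose values contain markers commonly found in injected PHP. It assumes SSH and WP-CLI access to the site; the file name scan-options.php is hypothetical.

```php
<?php
/**
 * Added example: triage helper that lists autoloaded options whose values
 * contain markers commonly seen in injected PHP. Run it with WP-CLI so
 * WordPress is bootstrapped:   wp eval-file scan-options.php
 * A hit is a lead to inspect by hand, not proof of infection; some legitimate
 * plugins store HTML or inline scripts in options.
 */
if ( ! defined( 'WP_CLI' ) || ! WP_CLI ) {
    exit( "Run this file with: wp eval-file scan-options.php\n" );
}

// Markers typical of injected or obfuscated PHP and script injections.
$markers = array( '<?php', 'eval(', 'base64_decode(', 'gzinflate(', 'str_rot13(', 'create_function(', '<script' );

$findings = array();
// wp_load_alloptions() returns every autoloaded option as name => value,
// independent of how the autoload column value is stored in this WP version.
foreach ( wp_load_alloptions() as $name => $value ) {
    if ( ! is_string( $value ) ) {
        continue;
    }
    foreach ( $markers as $marker ) {
        if ( stripos( $value, $marker ) !== false ) {
            $findings[] = array(
                'option' => $name,
                'marker' => $marker,
                'bytes'  => strlen( $value ),
            );
            break; // one report per option is enough for triage
        }
    }
}

if ( empty( $findings ) ) {
    WP_CLI::success( 'No suspicious autoloaded options found.' );
} else {
    WP_CLI::warning( count( $findings ) . ' autoloaded option(s) need review:' );
    WP_CLI\Utils\format_items( 'table', $findings, array( 'option', 'marker', 'bytes' ) );
}
```

Snippet plugins keep their code in their own tables rather than in wp_options, so also review that plugin's admin screen for snippets you did not add.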

Vulnerable or Nulled Plugins and Themes

Why It Matters

Outdated, poorly maintained, or pirated (“nulled”) plugins and themes are the top technical cause of infection. Nulled plugins are illegal copies of premium plugins with licensing removed, and they often contain malicious code.

Common Sources of Risk

Source | Description
Outdated Plugins or Themes | Software with known vulnerabilities that haven’t been updated to patched versions.
Nulled (Pirated) Plugins | Illegal copies of premium plugins, often containing hidden malware or backdoors.
Abandoned or Unmaintained Code | Plugins or themes no longer supported by their developers, leaving vulnerabilities unpatched.
Plugins from Untrusted Sources | Software downloaded from unofficial sites or repositories outside WordPress.org or verified vendors.

How to Mitigate

  • Update all plugins and themes regularly. If you’re worried about updates breaking your site, you can test them on a clone first.
  • Remove any unused or inactive plugins.
  • Only install from trusted sources (WordPress.org or reputable vendors).
  • Review changelogs and developer reputation before installing.
Pressable Enhancement
Pressable’s WordPress core files are read-only and symlinked from a secure, non-web-accessible location. File integrity checks on core are unnecessary, though plugins and themes should still be verified.

File Upload Abuse

Why It Matters

Unvalidated file uploads can allow attackers to add malware or executable scripts to the server.

Common Attack Methods

Method | Description
Malicious File Uploads | Attackers upload PHP scripts or other executable files disguised as images or documents.
File Extension Spoofing | Files with double extensions (e.g., image.jpg.php) that bypass basic validation.
Plugin Vulnerabilities | Poorly coded upload forms in themes or plugins that don’t properly validate files.

How to Mitigate

  • If a plugin adds its own upload feature, review its documentation to confirm it validates MIME types and file extensions. WordPress automatically checks basic file types when uploads are handled through its media tools.
  • Limit upload capabilities to trusted roles only.
  • Avoid plugins that allow arbitrary file uploads.
Pressable Enhancement
Pressable’s NGINX configuration already blocks PHP execution in the /uploads/ directory, preventing execution of malicious scripts even if uploaded.
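As an added example (not from this article or Pressable), the following mu-plugin tightens WordPress's media upload validation along the lines described above: it rejects double-extension names such as image.jpg.php, narrows the allowed extensions to a site-specific list, and checks the file's real content against its extension. The allow-list and the mu-plugin file name are assumptions for the example.

```php
<?php
/**
 * Added example: stricter upload validation for sites that accept uploads
 * from many users. Assumes it is saved as wp-content/mu-plugins/upload-guard.php
 * (hypothetical name). WordPress core already rejects extensions it does not
 * know; this narrows the list further and checks content, not just the name.
 */
$example_allowed_ext = array( 'jpg', 'jpeg', 'png', 'gif', 'webp', 'pdf' ); // assumption: all this site needs

add_filter( 'wp_handle_upload_prefilter', function ( $file ) use ( $example_allowed_ext ) {
    $name = $file['name'];

    // Reject "image.jpg.php"-style names: any dot-separated segment after the
    // base name that looks like an executable extension fails the upload.
    $segments = array_slice( explode( '.', strtolower( $name ) ), 1 );
    foreach ( $segments as $segment ) {
        if ( preg_match( '/^(php\d*|phtml|phar|pl|cgi|sh|htaccess)$/', $segment ) ) {
            $file['error'] = 'Rejected: executable extension in file name.';
            return $file;
        }
    }

    // Declared extension must be on the allow-list (a file with no extension fails too).
    $ext = end( $segments );
    if ( ! in_array( $ext, $example_allowed_ext, true ) ) {
        $file['error'] = 'Rejected: file type not permitted on this site.';
        return $file;
    }

    // Content check: WordPress sniffs the real type (magic bytes / finfo) and
    // reports the extension it actually corresponds to.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || $check['ext'] !== $ext ) {
        $file['error'] = 'Rejected: file content does not match its extension.';
        return $file;
    }

    return $file; // passed all checks; WordPress continues its own validation
} );
```

Setting $file['error'] is the documented way to abort an upload from this filter; the message is shown to the uploading user in the media dialog.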

Backdoors and Hidden Files

Why It Matters

Attackers often conceal backdoors inside plugin or theme directories to regain access after cleanup.

How to Mitigate

  • Compare plugin and theme files to originals from WordPress.org or vendors.
  • Run malware scans to detect unknown files or obfuscated code.
  • Remove all unused plugins and themes entirely.

You can verify plugins as follows:

  1. Connect to the site via SSH
  2. Use the following WP CLI command: wp plugin verify-checksums --all
Not Needed at Pressable
Core integrity checks are unnecessary on Pressable because WordPress core is read-only and centrally maintained.

Cross-Site Scripting (XSS), Injection, and REST API Exploits

Why It Matters

Vulnerabilities in plugin or theme code can let attackers run malicious scripts or escalate privileges.

How to Mitigate

  • Keep all plugins and themes updated. Pressable provides automatic updates for WordPress core.
  • Sanitize and escape all inputs in custom development (ensure user-submitted data is safe).
  • Restrict REST API endpoints (WordPress’s interface for external applications) to authenticated users when possible.
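As an added example (not code from this article or Pressable), the following mu-plugin shows the two habits listed above in custom development: sanitizing input on the way in and escaping on the way out, and requiring authentication for REST API requests. The shortcode, form handler, option name and file name are assumptions for the example.

```php
<?php
/**
 * Added example: input sanitizing, output escaping and REST API restriction
 * for custom WordPress code. Assumes it is saved as
 * wp-content/mu-plugins/harden-example.php (hypothetical name).
 */

// 1. Sanitize on the way in, escape on the way out.
// [greet name="..."] echoes a user-controlled attribute safely.
add_shortcode( 'greet', function ( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'friend' ), $atts, 'greet' );
    $name = sanitize_text_field( $atts['name'] ); // strips tags and control characters
    return '<p>Hello, ' . esc_html( $name ) . '</p>'; // encodes < > & " ' for HTML context
} );

// A form handler (hypothetical "save_note" action): check capability, verify the
// nonce, unslash and sanitize the field, and only then write it.
add_action( 'admin_post_save_note', function () {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'save_note_action', 'save_note_nonce' );
    $note = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';
    update_option( 'example_note', $note );
    wp_safe_redirect( admin_url( 'admin.php?page=example' ) );
    exit;
} );

// 2. Require authentication for the REST API. Unauthenticated requests get a 401;
// clients that authenticate (cookie + nonce, or application passwords) keep working.
// Some front-end features rely on public REST endpoints, so test this on a clone first.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( ! empty( $result ) ) {
        return $result; // an earlier check already decided (WP_Error or true)
    }
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    return $result;
} );
```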

Brute Force and Credential Stuffing Attacks

Why It Matters

Credential stuffing refers to automated login attempts using username and password combinations stolen from other breached websites, exploiting users who reuse passwords across accounts. Automated bots target login pages to guess credentials or reuse leaked passwords.

How to Mitigate

  • Use strong passwords and enable 2FA.
  • Use plugins that implement brute force protection, such as Jetpack.
  • Review login activity for repeated failed attempts.
Pressable Enhancement
All Pressable sites include Jetpack Security, which provides brute force protection.
Not Recommended at Pressable
We don’t recommend outright disabling XML-RPC. Some plugins (including Jetpack) and other services still require XML-RPC for certain features. Modern WordPress has addressed the older XML-RPC vulnerabilities that initially led to recommendations to disable it entirely.

Social Engineering and Phishing

Why It Matters

Attackers may attempt to trick users or staff into sharing credentials or approving harmful actions.

How to Mitigate

  • Educate site users about phishing and impersonation.
  • Verify unexpected requests for credentials or admin actions.
  • Never share Pressable or WordPress credentials through unsecured channels.

Account sharing should be avoided whenever possible. Pressable’s free collaborator account feature makes it easy to provide everybody with their own Pressable and WordPress access, and includes granular permission levels.

If you do need to share a password, use a secure service like QuickForget.com to share the info.

Pressable Enhancement
Pressable support requires users to log in to their Pressable account before the support team will perform any action. Support agents can only complete actions allowed by the user’s permissions. This prevents impersonation and unauthorized site changes.

Supply Chain and Third-Party Integrations

Why It Matters

Compromised dependencies or vendor accounts can spread malware through updates or integrations.

How to Mitigate

  • Use only reputable third-party vendors.
  • Audit external scripts and dependencies.
  • Remove integrations or APIs no longer in use.
  • Avoid loading assets from unverified CDNs.

Compromised Developer or CI/CD Accounts

Why It Matters

If a developer’s GitHub or deployment system is compromised, attackers can push malware to production unnoticed. CI/CD (Continuous Integration/Continuous Deployment) systems automate code deployment, which means compromised credentials can allow widespread damage quickly.

How to Mitigate

  • Rotate access tokens and SSH keys regularly.
  • Require signed commits and code reviews.
  • Store secrets outside of source control.
  • Limit CI/CD pipeline permissions to the minimum needed.

Detection and Recovery: What To Do If You Suspect Malware

If you suspect your site has been compromised, here’s what to look for and how to respond.

Signs of Infection

  • Unknown admin users or plugins appearing unexpectedly.
  • Unusual spikes in CPU, memory, or traffic.
  • Unexpected redirects or spam links appearing on the site.

What To Do

  1. Contact Pressable Support.
  2. Clone the site or enable maintenance mode for investigation.
  3. Run a Jetpack Security scan for file-level issues.
  4. Check the database for suspicious values or code snippets.
  5. Restore from a known clean backup if reinfection persists.

Why Pressable Provides an Advantage

Feature | Benefit
Locked-Down WordPress Core | Symlinked, read-only core files ensure integrity and prevent tampering.
Free Jetpack Security License | Includes malware scanning and brute-force protection.
Automated Daily Backups | Simplifies recovery after a compromise.
APM Insights and Server Logs | Identify performance anomalies that may indicate malicious activity.
Enforced 2FA for Pressable Accounts | Prevents unauthorized access to the Pressable dashboard.