Hey there, I’ve been a web designer and developer for a while now. When I first started out I thought my only job was to design decent-looking websites that function properly on the web. As time went on and my company built up a solid clientele, I realized server maintenance and optimization would be a big part of my job since I was the only web guy in house.
It was at this time that we also started working heavily in WordPress installations. WordPress, while powerful, is also pretty vulnerable to malware attacks.
We had around 40 WordPress websites hosted and around 50 basic HTML/CSS websites hosted when we got smacked with a malware attack. The malware leeched through every site we had on the server, injecting its filth into certain files and, in some cases, creating new files in obscure folders in our WordPress sites. I had no idea what was happening until I saw the dreaded red screen telling me my site was blacklisted by Google on account of malware. I spent weeks trying to find the malware myself in the almost 100 websites we had hosted. It seemed our entire business ground to a halt while we tried to fix the issue. Eventually we had to hire a third-party company to apply firewalls to all of our WordPress websites in order to ensure that our clients didn’t experience any more issues on account of malware. We spent, and still spend, hundreds of dollars a month trying to keep our sites secure and safe.
Looking back on the whole thing, I realize there are ways to keep your websites secure and safe without spending hundreds of dollars a month. I’m not going to cover everything you could possibly do, but I am going to talk about the things I learned from my experience.
If you host multiple websites make sure they’re separated into their own hosting accounts.
One of the things that left us vulnerable to the malware attack and the malware leeching that followed was that we had all of our hosted websites in one shared hosting account. Every website lived in a subfolder of our primary hosting account, all running under the same account and permissions, so once the malware found a backdoor into one website it could spread to every other folder in the account, which took down all of our websites. It’s more secure, cheaper in the long run, and more efficient to give each website its own hosting plan. You might be able to get away with running all your websites through a single shared hosting account for a while, but at scale it just doesn’t work as well. Your sites are more vulnerable and slower, and when the malware bug finally hits, your operating cost will go through the roof.
Get an SSL Certificate for your website
Some hosts include this in their hosting plan, which is nice. An SSL certificate encrypts the traffic between your visitors and your server, and it also gives you a nice SEO boost. Websites protected with an SSL certificate are viewed as more secure and more reliable, and Google and the other search engines will give you a nice little bump for that.
If you’re using WordPress, download the Sucuri Malware Monitoring Plugin
This is a free plugin you can download straight out of the plugin marketplace. This plugin will scan your WordPress installation and tell you if there are any files in the installation that were edited, added, or removed. This is an extremely helpful tool that allows you to ensure your website is clean. It’ll also inform you if your website has been blacklisted by any of the popular search engines and give you a link to the page that’ll help you fix that situation. On top of the WordPress Core File Scan function, there’s a malware scan tool you can use to scan the entire site, including your content files.
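The file-change check that plugin performs (which files were edited, added, or removed since the site was known clean) boils down to a hash baseline and a comparison. The snippet below is an added example, not the plugin’s code; the function names and the miniature site tree it builds in a temporary folder are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper: map every file under root (relative POSIX path) to its SHA-256.
def build_manifest(root):
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

# Compare a saved baseline with a fresh scan; returns (added, modified, removed).
def diff_manifests(baseline, current):
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, modified, removed

# Constructed scenario: baseline a tiny site, then change it the way the post describes
# (a core file edited, a new file dropped into an obscure folder) and report the diff.
def demo():
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        baseline = build_manifest(site)  # take this while the site is known clean
        # Constructed changes; the contents are placeholders, not real payloads.
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n/* edited */\n")
        (site / "wp-content" / "uploads" / ".cache").mkdir()
        (site / "wp-content" / "uploads" / ".cache" / "x.php").write_text("<?php /* new */\n")
        return diff_manifests(baseline, build_manifest(site))

if __name__ == "__main__":
    added, modified, removed = demo()
    print("added:", added)
    print("modified:", modified)
    print("removed:", removed)
```

Keep the baseline manifest outside the document root (or on another machine), since anyone who can write to the site could otherwise rewrite the baseline along with the files.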
Use strong, secure passwords for everything
There are malware bots that scan the depths of the web for forms on websites. That includes your WordPress login page and any other form you may have on your website. Once they find these forms they’ll use brute-force attacks or other attacks to try to guess your username and password. If you’re using a common username like “admin” or “root” and a password like “password”, these bots will guess your login info in seconds and have access to your entire WordPress dashboard, which is deadly. When creating passwords for your database, WordPress dashboard, FTP users, and so on, make sure you’re creating strong passwords that are unlikely to be guessed. Most of the time the user creation pages have a strength meter that tells you whether the password is secure or not.
These four tactics, used together, should be enough to keep your website or websites safe from potential malware attacks.