How To: Prevent A Malware Nightmare In WordPress

WordPress is fairly secure and they provide frequent security updates when they know there’s been trouble. But what can you as a site administrator do to harden WordPress even more?

Happy Halloween, Everyone! Today we’re gonna show you some of the steps we take to secure and prevent malware attacks on your website. At Thee Design Studio, we are aware of the threats that lurk out on the internet that want to turn websites into zombies.

Hackers and malware propagators are going back on the offensive. Actually, they never stop. These folks are relentless in their pursuit of disruption and according to a report released in 2007, malware has caused over $13 billion in damages during the years of 1996-2006. No current estimate for this trend can be found because of the exponential and untamed growth of malicious code. Scary.

Do you ever wonder about how these hackers start out? Most likely as script kiddies that start by infecting ordinary people’s blogs and websites to gain experience. All of your hard work of building your site and your readers and your voice and your traffic and your revenue and your reputation is compromised by one of these jerks. Lucky for us, WordPress is fairly secure and they provide frequent security updates when they know there’s been trouble. But what can you as a site administrator do to harden WordPress even more?

Hello Hacker!

Hello Hacker!

1. Move wp-config.php into The Root Folder!!!

The wp-config.php file contains all of your WordPress configuration information and settings. You can pretty much tap out if hackers gain access to this file. From here, they can inject malware into your website’s pages, or even worse, delete all your content and replace with their own.

A smart safety feature in WordPress allows you to move the wp-config.php file one level above the WordPress root. On most LAMP host servers, wp-config.php is located in:


Use your FTP client to connect into your server, and then move your wp-config.php above the public_html directory so that it is located here instead:


This way, wp-config.php is no longer in the public-facing root folder, thus disabling the scripts and bots that hackers use to infect your site.

There’s nothing more to this feature, WordPress automatically knows to look for your wp-config.php file one folder above. I wish someone would have told me this sooner, it may have saved my blood pressure from sheer terror as I watched a whole handful of my sites get whacked one after another.

Vigyázat! Caution! Achtung! Увага!

This will not work if you installed your blog in a subdirectory (e.g. public_html/blog) or as an add-on domain in cPanel (e.g.public_html/

2. Delete The Main Admin Account

The default Administrator account on WordPress has a username of ‘admin’. If you leave this as your default username, you have made the work twice as easy for hackers. You should never use this as the main account. Always choose a different username when installing WordPress.

If you have been using the ‘admin’ account, go into the Dashboard » Users » Add New User screen. Create a new user with the role of Administrator. Now log out, and log back in as the new user.

Go to the Users screen again and delete ‘admin’. WordPress allows you to transfer all of the content created by ‘admin’ to your new user account before confirming deletion.

Another benefit of getting rid of the admin account and switching to, say, your real name, is that it is better for SEO as well. This way when somebody searches your name you will rank higher with than you will with

3. Update WordPress, Plugins, and Themes

WordPress is so easy to update core files, plugins, and themes, to their latest versions. It’s so easy that it can be easy to forget. But WordPress makes it abundantly clear that you should take heed to the warnings located all over the dashboard. Spending a few minutes installing updates can save you from the destruction and embarrassment of getting hacked.

Plugins and themes should be updated religiously. All plugins and themes from the WordPress directory integrate with the automatic update feature. Many premium plugins and themes also have automatic updates, which is a great reason to invest in a high-quality theme for your WordPress.

If you are in the market for a new site and are curious to see how a properly developed WordPress website can promote your business online, Call 919-341-8901 for a free consultation or fill out our inquiry form and one of our web design specialists will be in contact with you soon.