Complete peace of mind

Secure your Website with our Comprehensive Guide to WordPress Security!

WordPress is the most widely used CMS on the Internet, with over 43% of sites using this content manager and a current market share of 63.6% compared to other content managers or SaaS web services.

Tutorial seguridad WordPress
Seguridad WordPress
Although WordPress’ popularity has its benefits, such as having a large community of developers and experts focused on its security, it also means there are a large number of installations vulnerable to attacks by malicious users.

The existence of such a large volume of installations in turn makes it very attractive to malicious people who create tools (robots) to snoop around the Internet looking for vulnerable WordPress sites.

Don’t let malicious users tamper with your WordPress website!

If your WordPress is hacked, the costs can be substantial. Not just because you have to pay technical staff to clean up your website, you also have to consider the loss of sales and potential customers, and the damage to the reputation of your site, business or brand.

Follow our security guide and act now to cut the risks of suffering hacking to your WordPress website. Don’t risk your reputation, sales, and potential customers because of a hack.

At Webempresa, after 19 years’ experience in the hosting sector, we strive to offer our clients secure, satisfying hosting for WordPress. Follow our security guide and act now to minimize the risk of suffering WordPress hacking.

Easier still?

Our obsession: Security · Support · Speed

Our priority is to ensure your security and to provide you with exceptional support and speed of performance on your WordPress website. Our team has worked hard on this guide to provide you with valuable information about the risks you face and how you can reinforce your site’s security measures.

We’re excited to share our knowledge and to support you in your WordPress experience! Amamos lo que hacemosWordPress

Seguridad, velocidad y soporte

WordPress and security

Most important of all

Risks are ever-present

Your WordPress security will never be 100%. Malicious actors are continually innovating and bugs are frequently found in the plugins.

There are a lot of things you can do to minimize the risk though.

Remember that maintaining security requires continuous effort which you must not neglect. We’re here to help you with this process.

Is WordPress insecure?

WordPress security is a recurring concern among users. Note, though, that WordPress is no less secure than other content managers.

You need to keep it up to date, use a theme obtained from a reliable source, use strong passwords, and have a security system installed on your computer to minimize the risk of being attacked.

According to a study conducted by, 33.74% of sites aren’t updated with the latest version of WordPress, which is worrying. It is essential to take measures to update and to improve site security.

Avoiding being negligent with your website security is crucial. It would be like leaving your auto with the keys in and the engine running in a shopping mall. Unthinkable!

Take care of your web projects

You are the weakest link

Cuidado con tu conexión a internet

Be careful with your Internet connection

The security of your Internet connection is crucial to protecting your WordPress website.

Connecting to the Internet using an Ethernet cable instead of Wi-Fi is advisable. If you decide to use Wi-Fi, make sure you use WPA-2 security and change your access password for router administration.

Use a strong password and avoid connecting to your WordPress website from untrusted external devices, such as a hotel computer.

It’s also important to disable WPS on your Wi-Fi connection, as this makes it easier for attackers to get your connection password.

Free Wi-Fi: high price for security

Avoid connecting to open or public Wi-Fi networks as these entail security risks.

If you have to use them, having updated security software, such as antivirus software and firewall, or connecting through a trusted VPN, is critical.

Lots of security programs include a private VPN, and you can also buy a specific service such as CiberProtector.

Use a VPN if you connect regularly from unsecured networks, because this will increase your security substantially. You are better off using your mobile phone’s 4G connection than connecting to unknown Wi-Fi networks.

Proxy? No, thanks

Using a proxy server to browse the Internet isn’t advisable, especially if it is a free one.

Although some people may recommend using a proxy to browse anonymously, it doesn’t guarantee the security of your connection or the privacy of the content you visit.

When you use a proxy, all your traffic passes through a server controlled by a stranger. This means private data from your browsing, such as access to banks, shopping platforms, etc. could be spied on and stolen.

Using extra security measures to protect your privacy and data, such as a VPN, is better than relying on a proxy.

SSL to encrypt data

One recommendation is to install an SSL certificate on a WordPress website and access it through HTTPS protocol to ensure that the data is transmitted in an encrypted form.

Using HTTPS means all the information sent to the server is encrypted. This prevents third parties with access to the same network from intercepting private information.

You can learn more about this in the article What is an SSL certificate and how does it protect my data.

A standard SSL certificate, such as Let’s Encrypt, can be a very suitable option to ensure encryption of your browsing data.

Contraseñas seguras

Always use strong passwords

Use strong passwords to protect your accounts and personal data. This is critical.

Avoid using obvious or easily guessed passwords such as “12345” or “password”. Although this might sound obvious, a lot of people still use them, unfortunately.

A good password should contain uppercase and lowercase letters, numbers and special characters, and it should be at least 12 characters long.

This is an example of a strong password: 7sP3@$zjT1b3_?=J

You can create an easy-to-remember password by combining words or phrases meaningful to you, with numbers and special characters, or by using our free strong password generator.

Never store passwords in your browser. Use an encrypted password manager to save them securely.

The use of two-factor authentication, or 2FA, is also recommended. This adds a second layer to your logins.

Double the security by using double authentication

Two-factor authentication is an essential tool to increase the security of your accounts and protect your personal data.

It’s easy to set up and use, and it gives you an extra layer of security by requiring a second factor to access your accounts.

Use 2FA on all the platforms that offer it, especially in password managers and in your email, because lots of passwords or reminders are sent by that route.

Don’t lapse into laziness, enable two-factor authentication to protect your data effectively!

Your computer or device

Make sure you keep your computers and devices clean and protected when you connect to your WordPress administration.

Malicious users often find a way to get in through compromised devices or computers using malware, Trojans, or keyloggers. These let them capture your login passwords and cause havoc on your computers.

Keep your computers and devices infection-free and up to date to protect your WordPress website.

Seguridad en tu equipo

Updated operating system and browser

Keep your operating system and browser up to date to protect your computer from potential vulnerabilities.

Configuring automatic updates to keep them in their stable versions at all times is recommended.

Avoid browsing suspicious websites. They may try to install unwanted programs on your computer. Don’t use pirated operating systems or programs from dubious sources, because they could contain Trojans.

Always download programs from the developer’s official website.

Antivirus and firewall

To keep your computer and devices secure, it’s important to have up-to-date antivirus software and a firewall.

Antivirus software helps detect and remove viruses and malware. The firewall helps protect your computer or secure mobile devices from external attacks.

Keep the security options enabled on your antivirus and run a full scan of your computers regularly.

If your antivirus software doesn’t include a firewall, you should consider installing one. If you use Windows, you can install “Windows Defender” as your antivirus software and use the built-in Windows firewall.

You can see how to use Windows Defender to scan for malware at this link: Using Windows Defender.

You can also see how to enable or disable the Windows Firewall at this link: Enable and disable the Windows firewall.

User control

Connect to your computer with login data with user privileges, instead of administrator.

This will reduce the chance of unwanted applications being installed on your machine. If someone else has to use your computer, create guests or users with restricted permissions to protect your information. The physical security of your computers and devices is just as important as the online security of your WordPress website.

Access control

Use unique, strong passwords for each of your services, such as WordPress management, your webmail, or your hosting control panel.

Avoiding the use of FTP is advisable, because this is a common way for attackers to obtain access information and get into hosting control panels.

If you have no choice other than to use FTP though, go for SFTP or FTPS to protect your data using encryption.

Isolate your work environment

Consider using a virtual machine if you only have access to one computer for work.

This lets you move your workspace from one device to another with ease, as well as make backups and carry out other useful tasks.

It will also help you separate your personal life from the professional, to prevent any problems with your personal device or equipment affecting your work.

What really matters

Taking care of your WordPress

Keep your WordPress up to date!

When a new version of WordPress is launched, it doesn’t just fix errors or add new features, they do it to correct security problems that have been detected too.

Having an old version of the tool is like opening a door to malicious users, because they will specifically take advantage of known security flaws to attack.

Update your WordPress every time you see an update notification in administration; it’s very simple and will just take a minute.

If you can’t update the WordPress version from web administration for any reason, you can also update it manually. Check out the article Updating WordPress manually to see how to do it.

As always, make a backup before updating, to avoid setbacks.

Take care of the theme you are using

You can install the Security Scanner plugin to warn you of any new vulnerabilities that appear in your WordPress installation’s plugins.
You can use both free and paid themes, but always make sure you use the latest version available.

If the theme you are using is in the directory, WordPress administration will display any updates automatically. For paid or free themes downloaded from other websites, you will usually have to check back from time to time to see if they have published new versions to fix security problems.

Again, NEVER use themes from download managers or suspicious pages: they can come hacked as standard.

Only install themes from or its developers’ websites.

Admin user, NO thanks

Don’t use the admin user to access your WordPress administration: If a hacker wants to get into your website’s administration, the first thing they will do is try to use the “admin” user.

What is best is to create a new user with administrator privileges (remember to use a strong password).

Once you have done that, log out and reconnect with the new user you created.

Then access the user manager, edit the “admin” user and change its administrator privileges to subscriber or delete the “admin” user all together.

If you delete it, make sure you reassign the posts and pages that were assigned to the “admin” user to another existing user.

This change means a malicious actor won’t only need to know an administrator user’s password, but their name too.

If you are an advanced user and prefer to make the account change directly, you can do that by following the steps in our article Changing the WordPress user from phpMyAdmin.

Make regular, automated backups

Some hosting providers already make automatic backups but, just in case, it’s a good idea for you to make regular copies of your website.

The copy-making frequency will depend on the quantity of information you add.

It’s important to make backups before actions such as updating plugins or WordPress, installing new plugins, making changes to the database, etc…

Unwanted results occur sometimes and if your last copy is a recent one, you won’t lose your previous work.

There are plugins for WordPress that enable you to automate this task, such as XCloner, which we talk about in our blog.

Make the backups to external storage, such as Dropbox, external FTP accounts or Amazon S3, or download the copies you make, because if someone deletes all the data from your website, you’ll lose the backup itself too.

To avoid space problems in your hosting account, delete the backups after you download them.

Additional protection with Captcha and two-factor authentication

Using additional authentication options will add an extra layer of security to your WordPress.

WordPress administration

We recommend protecting access to your WordPress administration with a Captcha authentication form or two-factor authentication such as Latch.

We talk about the two options in our blog articles Increase WordPress security using two-step authentication and Protect and lock your WordPress dashboard with Latch.


Web forms are commonly used to SPAM using bots. To prevent this, you need to protect comment creation with a Captcha.

You can use the Akismet plugin to protect against spam. This is installed by default in WordPress.

We also have an article on this. Don’t miss Keep spam at bay in WordPress with Akismet.

Make sure you maintain the essential users and keep them with minimal privileges
Users created on your website with administrator privileges will most likely have a weak password, so compromising your WordPress security. Granting users just the essential privileges reduces the chances of compromised security.

If in doubt, you can reset all your WordPress user passwords easily. You just need to follow the steps in the article WordPress security: How do you reset all passwords?.

Check regularly which users actually exist and eliminate any that are unused or that should not have access to your WordPress.

Hide the WordPress version number

Each WordPress version has a number of known vulnerabilities that malicious users try to exploit. Hiding the version of WordPress you are using will make identifying those vulnerabilities more difficult.

It’s the wp_head() function that displays the version number in your WordPress on your website, which includes a call to the wp_generator() function.

You need to include the following line in your WordPress functions.php file to hide this information:

remove_action('wp_head', 'wp_generator');

Plugins are wonderful, take care of them!

La mayor parte de los ataques que recibe WordPress se realizan a través de los plugins.

Al igual que sucede con el propio WordPress, las actualizaciones suelen corregir problemas de seguridad, por lo que debes mantener tus plugins actualizados.

Puedes hacer las actualizaciones desde la administración de WordPress de forma automática y, al igual que en el anterior punto, es muy recomendable realizar una copia de seguridad antes de actualizar.

Limita el uso de plugins

Utiliza solo los plugins que vayas a necesitar: no es una buena idea instalar plugins en grandes cantidades ya que cada uno podría ser una puerta de entrada para hackear tu WordPress.

Quédate solo con los plugins imprescindibles y si has instalado un plugin que ya no utilizas… ¡desinstálalo!.

También es importante que utilices plugins fiables. Lo ideal es que utilices el propio buscador de plugins que tienes en la administración de WordPress o que los descargues de la página oficial de plugins.

Si se trata de un plugin de pago asegúrate de que lo descargas desde la página de sus desarrolladores.

Nunca (repetimos, NUNCA) instales un plugin que hayas obtenido desde un torrent (red P2P), un gestor de descargas o una página sospechosa tipo “super-plugins-depago-gratis” ya que es muy posible que con el plugin venga un “regalo” en forma de código malicioso.

Es preferible pagar por la licencia de un plugin que quedarnos sin web.

The majority of attacks on WordPress come through its plugins.

Just like WordPress itself, updates usually fix security issues, so you need to keep your plugins up to date.

You can update them from WordPress management automatically. As in the previous point, making a backup before updating is highly recommended.

Limit the use of plugins

Use only the plugins you are going to need. It’s not a good idea to install large numbers of plugins, as each could be a gateway to hacking your WordPress.

Just keep your essential plugins, and if you have installed a plugin you don’t use any more… uninstall it!

Using reliable plugins is also important. Ideally, you should use the plugin search engine in WordPress administration or download them from the official plugin page.

If it is a paid plugin, make sure you download it from its developers’ page.

Never (repeat, NEVER) install a plugin you have obtained from a torrent (P2P network), a download manager or a suspicious page of the “super-paid-plugins-free” type, because it’s quite possible that the plugin will come with a “gift” in the form of malicious code.

Paying for the plugin license is preferable to losing your website.

Look at the number of plugin downloads (the more the better) and at the latest update date (if it’s from 2 years ago, that’s suspicious ).

If you want to try a plugin, make a clone of your website and try it on that, never on your real, published website.

Limit failed login attempts

One of the most common ways malicious users use to access WordPress administration are brute-force attacks.

This consists of trying to access the administrator with all the possible user and password combinations. These attacks are usually based on password dictionaries, so it is important to use complex or strong passwords.

Limiting the number of failed connection attempts from a single IP address can reduce the risk of illicit access.

The majority of security plugins already let you set this limit, but if you prefer not to use them, there are plugins for this specific purpose such as Automattic’s BruteProtect. You can find further information on our blog: Limiting failed connection attempts to the dashboard.

We block IP addresses automatically in our hosting when we detect several failed attempts to access administration or the WePanel dashboard.

Audit your WordPress

Use tools to check various important sections of your WordPress security.

Webempresa offers a free security analysis for WordPress from

With wpdoctor you can automatically check if you are up to date with many of the points covered in this guide:

It lets you know if you’re not using the latest version of WordPress and its most important plugins.
It checks whether access to the administrator is protected against brute-force attacks.
It shows you what information can be collected from your installation and tells you how to hide it.
You can check the health of your WordPress with Google Safe Browsing:

Or also directly in Google Console (formerly Webmaster Tools):

Make sure to keep essential and least privileged users

It is very likely that the users created on your website with administrator privileges have a weak password, thus compromising the security of your WordPress. Granting users only the essential privileges reduces the chances of security being compromised.

When in doubt, you can easily reset all your WordPress user passwords. You just have to follow the steps in the article Security in WordPress, how to reset all passwords?.

Periodically check which users exist and remove those that are not used or should not have access to your WordPress.

Protection for your websites

The first line of defense: Hosting

Now you are aware of the lurking dangers and the security measures you need to apply to minimize the risk, it’s time to talk about hosting. Having bulletproof WordPress won’t be much use if the server hosting it is like a sieve. A hosting service needs to provide server-level security elements; it should be your first line of defense.

Use a professional web hosting provider

Check the features of the hosting service you are planning to buy for your website and make sure security is one of its top priorities.

Operating system

We recommend you choose Linux over Windows. Both platforms have security issues and are often subject to attacks by malicious actors; however, Linux continues to have some advantages thanks to its developer community.

Linux isn’t risk-free but, so far, it is capable of solving security problems much faster and more efficiently than Windows.

Hosting, línea de defensa
¿Tu hosting está al día en seguridad?

Is your hosting up to date on security?

Here are some of the measures you should consider in a shared hosting service.

The correct permissions for your hosting should be:

  • 644 for files.
  • 755 for folders.

If you don’t have these by default, you can start thinking about changing your hosting.

Use of an isolation system by the hosting service, so bad behavior or hacking of one website hosted on the server doesn’t affect the rest.

Use of real-time monitoring applications that analyze all the files read or written to disk, to make sure they have no malware or suspicious code.

Use of systems to prevent Denial of Service (DDoS) attacks.

Preventive measures against brute-force attacks on WordPress.

Use of a WAF (Web Application Firewall). This lets you set security rules which will stop the majority of attacks on WordPress.

Then, even if any your website plugin has a vulnerability in its code, the WAF will probably prevent an attack.

¿Tu hosting está al día en seguridad?
Copias de seguridad automáticas
Server-level configuration that prevents listing of directories (which a user can use to see the files in a given web folder) or find out the PHP version running, as this seriously compromises security.

Protecting databases. The right thing to do, among other measures, would be to allow access to databases only from the server itself, not from remote computers.

MySQL port closed: Ideally the MySQL port is closed, and if you need to access it from home, get them to enable access only from your IP address.

You will need a fixed IP address or a DynDNS account for this.

Updated software: As with your WordPress and its plugins, it’s important for the software the server uses to be updated, because old versions can also be vulnerable.

An added value a hosting service can offer is making automatic backups of your data, so if you need to go back to a previous website state, there is always a backup.

But remember, the fact that your hosting service already makes automatic backups doesn’t exempt you from making your own copies.

Copias de seguridad automáticas
Copias de seguridad automáticas
There would be no reason to expect the copy available on your hosting service to match the exact date of the website state you want to recover.

These are just a few of the measures we apply in Webempresa that let us and our clients sleep more peacefully.

We monitor all our services 24 hours a day, and our technical team gets alerts when suspicious activities are detected, so we can act immediately and in coordination with the client.

Our system administrators regularly update the rules protecting the WordPress sites hosted on our servers against security vulnerabilities or flaws.

Tracking new ways of attacking WordPress needs to be a daily, ongoing task – you can’t let your guard down!

For expert minds

More fuel for intermediate and advanced users

There are lots of security measures you can apply to protect your WordPress, and we don’t want to overwhelm you with complicated changes. If you are an advanced user though, and you want to keep working on your WordPress security, here are some more improvements you can apply.

Enable auto-update in your WordPress

A big improvement was made in WordPress version 3.7 by adding the auto-update to WordPress.

If you keep this option enabled, you ensure installation of security updates as soon as they become available.

You can configure automatic WordPress core updates from the wp-config.php file. You just need to add the following lines for each of the configurations:

//All core updates disabled 
define( 'WP_AUTO_UPDATE_CORE', false );
//All core updates enabled 
define( 'WP_AUTO_UPDATE_CORE', true );
//Only minor updates enabled 
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

Plugin and template updates are best done manually, because they can be more sensitive and could lead to errors on the website if WordPress version compatibility isn’t properly verified.

Protect files that could compromise your website’s security

Various files can compromise WordPress security.

Some of the files added when you install WordPress are merely informative, but the information in them can be useful to attackers.

You can see how to protect them in our blog: Files that compromise WordPress security.

Protect the wp-login.php file

If you don’t allow front-end user registration and login to WordPress, it’s advisable to protect access to wp-login.php or only allow access from authorized IP addresses (if you connect using fixed IP addresses).

Would you like to learn how to protect it? We show you how in this article: How to protect the wp-login.php file.

Caution! You should only do this if visitors to your website don’t need to identify themselves as users.

For example, you shouldn’t protect the wp-login.php file in an online store.

Install a WordPress security plugin

These types of plugins will help you increase security in various ways, ranging from protecting access to administration to probing your WordPress files for malicious code.

There are lots of options, such as:

iThemes Security (previously known as Better WP Security)
If you are interested in the features Wordfence offers, we present them in this article: How to improve WordPress security with Wordfence Security.

Remember to disable the statistics (wfhits table) to avoid overloading your WordPress.

A valuable Wordfence option is checking of basic WordPress files to find out whether they have been modified.

Be careful when configuring these types of plugins, because you could block your own access with these tools.

Before installing any plugin of this type, make a backup. You can then go back to the previous state if you hit any problems.

Don’t go crazy installing plugins!

Bear in mind that installing all the security plugins you can find won’t make your WordPress more secure, and having several plugins modifying files that are key to your WordPress operation, such as the .htaccess file, could lead to unexpected behaviors.

Add an X-XSS-Protection header

You can increase security against XSS attacks by adding this header. We explain all about this header in X-XSS-Protection header to prevent XSS attacks on IE and Chrome.

After adding the header, whether in the .htaccess file or in the functions.php file, be sure to check that your website is working as expected.

If you see that it affects your website operation in any way, remove the code you added to undo the change.

Remember always to make a backup of the files you are going to edit.

Additional protection through wp-config.php

If you want to prevent the file code from being modified from WordPress administration, you can add the following line to the wp-config.php file

define('DISALLOW_FILE_EDIT', true);

If the website has already been created and you don’t need to add new plugins or templates, you can also disable installation of themes and templates by adding:


User-agent blocking

You may need to block some applications sometimes, such as certain robots, by setting user-agent blocking in the .htaccess file.

This will prevent a specific user-agent accessing your website.

Here are some example user-agent blocking codes:

RewriteEngine On RewriteCond %{HTTP_USER_AGENT} ^.*(Baiduspider|HTTrack|Yandex).*$ [NC] 
RewriteRule .* - [F,L] 
SetEnvIfNoCase user-Agent ^Baiduspider [NC,OR] 
SetEnvIfNoCase user-Agent ^Yandex [NC,OR] 
SetEnvIfNoCase user-Agent ^[Ww]eb[Bb]andit [NC,OR] 
SetEnvIfNoCase user-Agent ^HTTrack [NC]    Order Allow,Deny  
Allow from all  Deny from env=bad_bot

Modify your WordPress login URL

Access to administration in websites made with WordPress is via the URL or by default

Attackers are aware of this access and try to exploit it by launching brute-force attacks.

Changing this administration access URL will prevent those brute-force access attempts.

Learn how to do this by checking out the article Modify the WordPress login to avoid brute-force attacks.

At Webempresa we already incorporate security measures aimed at protecting access to /wp-admin and /wp-login.php against these types of attacks for our clients, so you don’t need to implement these types of security measures.

Protect your database by changing the default table prefix

The database is where you save all your WordPress installation information.

You can imagine how very attractive it is to crackers and spammers, who try to send automated codes to access your data.

Many users forget to change the database prefix when installing WordPress.

This makes it easier for malicious actors to plan a massive attack by targeting the default database table prefix, which is: wp_.

We recommend changing the default prefix when installing WordPress.

If you already have it installed, you can easily change the prefix with the Brozzme DB Prefix & Tools Addons plugin.

Remember to make a backup of the database before you make any changes.

Add an X-Content-Type header

This header will prevent users from trying to replace css or js files with executable files.

It can be prevented using the simple change we explain in the article: X-Content-Type-Options header to prevent security problems.

Add an X-Frame-Options header

Adding this header will prevent your website from loading in a frame or iframe.

You also prevent clickjacking-type attacks with this and they won’t be able to impersonate your website by loading it from an external location.

If you let this happen, someone could place your content in another domain and you could have problems with Google if it sees this as duplicate content.

We explain all the details in the article X-Frame-Options header to improve your website security

Disable XMLRPC to prevent DoS attacks

This functionality is widely used in denial of service attacks. They launch lots of spoofed pingback requests to numerous WordPress sites, saying they have been mentioned on your website.

These WordPress websites will go to check whether you have really linked to them by downloading your page, and when you receive so many download requests together from so many websites, your website will crash.

You can avoid this in two ways:

1. Completely disable XMLRPC functionality. The problem with disabling XMLRPC is that you lose some useful features, such as pingbacks and trackbacks.

2. Have a Web Firewall (WAF) that protects you through advanced rules to count all the XMLRPC requests you receive and, if this number gets too high, block all that traffic. We have this option successfully deployed at Webempresa.
If you decide to disable XMLRPC, you can do that manually or using the XMLRPC Disable plugin.

To do it manually, you need to add this line in the functions.php file:

add_filter('xmlrpc_enabled', '__return_false');

Referrer blocking

You may also consider you need to block connections coming from a certain referrer, for which you could use any of the following codes:

RewriteEngine On RewriteCond %{HTTP_REFERER} [NC,OR] 
RewriteCond %{HTTP_REFERER} RewriteRule .* - [F]
SetEnvIfNoCase Referer "" bad_referer 
SetEnvIfNoCase Referer "" bad_referer   
Order Allow,Deny Allow from ALL Deny from env=bad_referer

This blocking lets you block access to your website from a link located in a given domain.


This is one of the most significant and best-known WordPress vulnerabilities.

It directly affects templates and plugins not authenticated by the official repository and is usually integrated into pirated or illicitly obtained templates or plugins.

The malware aims to add links to other websites to your website, where these normally link to sites with malicious purposes.

It can also be used for other purposes, because this infection can communicate with control servers to perform other tasks (sending SPAM, hosting other content, carrying out attacks on other websites, etc.)

The infection is usually in a short line of code such as the following:


As you can see, what it does is to include a script calling code hidden in a .png file, which in theory should be a simple image.

How do you avoid it?

The primary measure to avoid this vulnerability is to avoid downloading plugins or templates from unproven sites. Our recommendation is always to download from the official repository.

If your site gets infected, we recommend installing the Wordfence security plugin. This includes an option to analyze images as if they were PHP code.

Be wary if you see PHP files in directories where there should only be images, such as the/wp-content/uploads directory, for example.

Further resources

Más recursos

Hosting Vitamins

Icono Velocidad Servidores Alta Velocidad
High speed servers
Icono Velocidad Servidores Alta Velocidad
Free Image Optimization
Icono Velocidad Servidores Alta Velocidad
Magic Caché
Icono Velocidad Servidores Alta Velocidad
Uptime 99.9% guaranteed
Icono Velocidad Servidores Alta Velocidad
Free SSL Certificate

Hosting Tutorials

Icono Velocidad Servidores Alta Velocidad
What is a hosting
Icono Velocidad Servidores Alta Velocidad
What is a domain
Icono Velocidad Servidores Alta Velocidad
What are DNS
Icono Velocidad Servidores Alta Velocidad
What is NGINX?
Icono Velocidad Servidores Alta Velocidad
What is a web server
Icono Velocidad Servidores Alta Velocidad
What is Apache
Icono Velocidad Servidores Alta Velocidad
What is GitHub
Icono Velocidad Servidores Alta Velocidad
Shared hosting
Icono Velocidad Servidores Alta Velocidad
Shared or Dedicated Hosting
Icono Velocidad Servidores Alta Velocidad
Difference between web server and hosting
Icono Velocidad Servidores Alta Velocidad
What is a VPS
Icono Velocidad Servidores Alta Velocidad
WordPress ddbb connection error
Icono Velocidad Servidores Alta Velocidad
What is web cache