WordPress is a powerful and flexible platform for building websites, but its widespread use makes it a common target for hackers.
As a WordPress site owner, one of your main priorities should be securing your site from unauthorised access and malware injections.
Failure to do so can lead to severe consequences such as data theft, loss of reputation, and even legal issues.
Based on recent conversations regarding securing WordPress, this article will explore how to remove malicious code embedded in plugins and widgets and implement a simple yet effective security measure, the DISALLOW_FILE_EDIT constant.
Understanding and Identifying Malicious Code in WordPress
A typical attack vector in WordPress is the injection of malicious JavaScript code into themes or plugins.
These scripts can redirect visitors to harmful websites, steal sensitive information, or perform other nefarious activities such as installing backdoors, defacing your site, or launching DDoS attacks without your knowledge.
One example from the discussion was malicious code found in a widget added via the Elementor plugin. Malicious scripts can hide in HTML content, in seemingly ordinary widgets, or in media files such as images.
In the example above, malicious code was inserted within a section created by Elementor, a popular page builder plugin. The malware inserted harmful scripts within content areas, leading to potentially damaging redirects or data theft.
How to Fix It?
Remove the Infected Content: If the malicious code is tied to a specific widget or section, you should immediately delete the entire infected section. In the Elementor case, deleting and recreating the affected widget and section can often remove the malware from the site’s visible content.
Scan Your WordPress Site for Malware: Use security plugins like Wordfence or Sucuri to scan your WordPress installation. These plugins can identify malware files and sometimes clean them automatically.
Check Your WordPress Database: Hackers can also hide malware within the database. You should manually inspect your posts, pages, and options tables for unusual scripts or strange entries.
This involves reviewing the content of these tables, looking for any unfamiliar or suspicious code, and comparing it to known good versions of your site’s content.
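An added example, not from the article: a Python heuristic scan over rows pulled from the posts and options tables, flagging external script sources, zero-sized iframes and eval-of-encoded-payload patterns for manual review. The allowed script hosts and the sample rows are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hosts allowed to serve scripts to this site: an assumption, adjust per site.
ALLOWED_SCRIPT_HOSTS = {"example.com", "www.example.com"}

# Heuristics for injected content: obfuscated inline JS in post_content and
# eval-of-encoded-payload chains in option values. Findings need manual review.
SUSPICIOUS_INLINE = (
    (re.compile(r"String\.fromCharCode\s*\(", re.I), "JS built with String.fromCharCode"),
    (re.compile(r"\beval\s*\(\s*atob\s*\(", re.I), "JS eval(atob(...))"),
    (re.compile(r"\beval\s*\(\s*(gzinflate|base64_decode|str_rot13)\s*\(", re.I),
     "PHP eval of an encoded payload"),
)
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)
HIDDEN_IFRAME = re.compile(r"<iframe[^>]*\b(width|height)\s*=\s*['\"]?0\b", re.I)


def scan_text(text: str) -> list[str]:
    """Return human-readable findings for one piece of stored content."""
    findings = []
    for m in SCRIPT_SRC.finditer(text):
        host = urlparse(m.group(1), scheme="https").hostname  # None for relative paths
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(f"external script from {host}")
    if HIDDEN_IFRAME.search(text):
        findings.append("zero-sized iframe")
    for pattern, label in SUSPICIOUS_INLINE:
        if pattern.search(text):
            findings.append(label)
    return findings


def scan_rows(rows):
    """rows: iterable of (table, row_id, text), e.g. the results of
    SELECT ID, post_content FROM wp_posts and SELECT option_id, option_value FROM wp_options.
    Returns [(table, row_id, finding), ...] for rows that deserve a closer look."""
    return [(table, row_id, f) for table, row_id, text in rows for f in scan_text(text)]


# Constructed sample rows standing in for database query results.
SAMPLE_ROWS = [
    ("wp_posts", 11, "<p>Welcome to our shop.</p><script src=\"/wp-includes/js/jquery/jquery.min.js\"></script>"),
    ("wp_posts", 12, "<div><script src='//cdn.malicious.invalid/t.js'></script>"
     "<script>eval(atob('ZG9jdW1lbnQ='))</script></div>"),
    ("wp_options", 345, "<?php eval(base64_decode('ZWNobyAx')); ?>"),
]

if __name__ == "__main__":
    for table, row_id, finding in scan_rows(SAMPLE_ROWS):
        print(f"{table} #{row_id}: {finding}")
```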
Once you have cleared your website of malware, it’s crucial to take proactive steps to prevent such attacks. This approach will give you control and reassurance over your site’s security.
Implementing DISALLOW_FILE_EDIT for Extra Security
One common technique attackers use once they have gained access to the WordPress dashboard is editing theme or plugin files directly from the backend. Adding a single line to your WordPress configuration file (wp-config.php) turns this feature off and reduces the risk of such attacks:
Copy and paste the following PHP code:
define('DISALLOW_FILE_EDIT', true);
This constant prevents users (including potential hackers who gain access to your admin account) from modifying files via the built-in WordPress theme and plugin editors.
The theme editor is located under Appearance > Theme Editor, and the plugin editor can be found under Plugins > Plugin Editor.
Here’s how you can implement DISALLOW_FILE_EDIT:
Access Your WordPress Files:
You’ll need to access your site files through an FTP client like FileZilla or use the file manager provided by your hosting provider’s control panel.
Edit the wp-config.php file:
In the root directory of your WordPress installation, you’ll find a file called wp-config.php. Download it or open it directly in a file editor.
Insert the code:
Add the following line to the wp-config.php file (preferably near the top, just above the comment line that says, /* That’s all, stop editing! Happy publishing. */):
Copy and paste the following PHP code:
define('DISALLOW_FILE_EDIT', true);
Save and Upload:
Save the changes and re-upload the file if necessary. Once you have done this, you will no longer be able to edit theme or plugin files from within the WordPress dashboard.
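An added Python helper, not part of the article, that applies this change to the downloaded wp-config.php text idempotently: it rewrites an existing define (including one set to false) rather than adding a second, inserts above the 'stop editing' comment, and falls back to the wp-settings.php require when that comment has been removed. The sample config is constructed.

```python
import re

# Any existing define of the constant, either quoting style, true or false.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)\s*;[ \t]*$""",
    re.IGNORECASE | re.MULTILINE,
)
DEFINE_LINE = "define('DISALLOW_FILE_EDIT', true);"
# Where to insert: above the 'stop editing' comment WordPress ships, or, if that
# comment was removed, above the require of wp-settings.php (the constant must be
# defined before WordPress bootstraps).
ANCHOR_RES = (
    re.compile(r"^[ \t]*/\*\s*That.s all, stop editing!", re.MULTILINE),
    re.compile(r"^[ \t]*require_once\b.*wp-settings\.php", re.MULTILINE),
)


def file_edit_disabled(config: str) -> bool:
    """True when wp-config.php already defines DISALLOW_FILE_EDIT as true."""
    m = DEFINE_RE.search(config)
    return m is not None and m.group(1).lower() == "true"


def ensure_disallow_file_edit(config: str) -> str:
    """Return wp-config.php text with DISALLOW_FILE_EDIT set to true.

    An existing define (true or false) is rewritten in place, so the constant is
    never defined twice (PHP keeps the first value and warns on the second).
    Note: this only removes the dashboard editors; an administrator can still
    upload plugins or themes unless DISALLOW_FILE_MODS is also set.
    """
    if DEFINE_RE.search(config):
        return DEFINE_RE.sub(DEFINE_LINE, config, count=1)
    for anchor in ANCHOR_RES:
        m = anchor.search(config)
        if m:  # m.start() is the start of the anchor line
            return config[: m.start()] + DEFINE_LINE + "\n" + config[m.start():]
    raise ValueError("no 'stop editing' comment or wp-settings.php require found")


# Constructed minimal wp-config.php used for the demonstration below.
SAMPLE_CONFIG = (
    "<?php\ndefine('DB_NAME', 'wp');\n\n"
    "/* That's all, stop editing! Happy publishing. */\n\n"
    "require_once ABSPATH . 'wp-settings.php';\n"
)

if __name__ == "__main__":
    print(ensure_disallow_file_edit(SAMPLE_CONFIG))
```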
Additional Security Measures
In addition to using DISALLOW_FILE_EDIT, there are other steps you can take to harden your WordPress site:
Keep WordPress, Themes, and Plugins Updated: Always ensure that your site is running the latest version of WordPress, and keep your themes and plugins up to date. Many vulnerabilities are patched in updates, so running older versions puts you at unnecessary risk.
Use Strong Passwords and Two-Factor Authentication: Ensure all user accounts have strong passwords. Enforce two-factor authentication (2FA) to add an extra layer of security for logging in.
Limit Login Attempts: Use a plugin like Limit Login Attempts Reloaded to limit the number of failed login attempts and prevent brute-force attacks.
Install a Security Plugin: Security plugins like Wordfence, iThemes Security, or Sucuri Security can monitor your site for suspicious activity and provide an extra layer of protection.
Perform Regular Backups: Use a backup plugin like UpdraftPlus to regularly back up your WordPress site. This way, in case of an attack, you’ll have a recent version of your site that you can quickly restore.
Remove Unnecessary Plugins: Unused plugins can still contain exploitable vulnerabilities. Remove any plugins you no longer need and make sure that only trusted, updated plugins are active on your site.
Conclusion
Securing your WordPress site is essential to protecting your data and visitors.
Implementing basic security practices, like removing malware-infected sections and using DISALLOW_FILE_EDIT to turn off file editing, reduces your site’s vulnerability to attacks.
Always stay vigilant with updates, security scans, and strong login credentials to keep your site safe.
By understanding where vulnerabilities may arise and actively taking steps to mitigate them, you can enjoy WordPress’s benefits without exposing yourself to unnecessary risk.