Malware (malicious software) is any software intentionally designed to cause damage to a computer, server, client, or network. This guide explains what website owners can do to avoid malware.
Malware (short for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or network. It comes in many forms, including computer viruses, worms, Trojan horses, ransomware, spyware, and adware.
Attackers commonly use malware to steal personal, financial, or business information: personal identification numbers and other identity details, bank or credit card numbers, and passwords.
Malware often comes from:
- Security defects/vulnerabilities in operating systems, applications, or plugins.
- Free copies of plugins and themes you would normally need to pay for.
- Over-privileged users: a user on your site who has been granted the full Administrator role when a lower privilege level, such as Editor or Author, would be enough for the tasks they need to perform. If that account is phished or its password is reused, the attacker gets everything the account can do.
- Over-privileged code: software that has been granted more privileges or access rights than it needs for its intended functionality, for example a plugin that lets any logged-in user perform an administrative action because it never checks who is calling.
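The following is an added example (not WordPress.com code, and not from any particular plugin) of what over-privileged code looks like in a WordPress plugin, beside its least-privilege replacement. The handler name `example_delete_post` and the nonce action string are hypothetical; the WordPress functions (`wp_ajax_` hooks, `check_ajax_referer`, `current_user_can`, `wp_delete_post`, `wp_send_json_error`) are the real core API.

```php
<?php
// Added example (not WordPress.com code): an over-privileged AJAX handler
// and its least-privilege replacement. The "example_delete_post" names and
// nonce action are hypothetical.

// BEFORE: wp_ajax_* hooks fire for every authenticated user, so any
// Subscriber-level account can delete any post on the site. The handler
// never checks a nonce or a capability.
function example_delete_post_unsafe() {
    $post_id = (int) $_POST['post_id'];
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_post_unsafe', 'example_delete_post_unsafe' );

// AFTER: verify the request came from a form/script we issued (nonce), then
// require the specific capability for this specific post. 'delete_post' is a
// meta capability, so an Author passes for their own posts and fails for
// everyone else's; no blanket "is administrator" check is needed.
function example_delete_post_safe() {
    check_ajax_referer( 'example_delete_post', 'nonce' ); // dies on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_post_safe', 'example_delete_post_safe' );

// The nonce the safe handler expects is issued server-side when the script
// that calls the endpoint is enqueued, for example:
//
// wp_localize_script( 'example-script', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_delete_post' ),
// ) );
```

The difference between the two handlers is the whole privilege model of the plugin: the first version effectively grants every account on the site the power to delete content, which is exactly the kind of over-privileged code a malware scanner cannot reliably flag because nothing in it is "malicious", only missing.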
WordPress.com sites on our Free, Personal, and Premium plans cannot run custom code, so they are protected from malware introduced through plugins and themes. Our firewall and other security measures keep your site secure.
The risk of malware appears on higher-level plans because these sites can run custom code (including plugins and third-party themes) that can introduce vulnerabilities. We protect against this with the security features of Jetpack (such as backups and daily security scanning), but no protection can make a site 100% immune to malware or other security issues.
To keep your site safe from malware, consider the following advice:
- Only install plugins, themes, and other code from safe and reputable sources like WordPress.com plugin and theme repositories, WordPress.org, or directly from a well-known developer’s website.
- See our tips for choosing plugins.
- If you are unsure of the origin of a plugin or theme, do not install it on your site.
- If a plugin or theme has bad reviews (or no reviews at all), be cautious before installing it on your site.
- If you find a site that offers "free" versions of premium or paid plugins and themes, do not download or install them. These sites are often bait: the "free" copy is a version of the plugin or theme modified to include malware.
- Update your plugins and theme regularly (and enable automatic updates where supported) so you are always running the version that contains the latest security fixes.
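As an added example (not WordPress.com code) of the last point, this is how automatic plugin and theme updates can be switched on from code on a WordPress site where you are allowed to add files, using the core `auto_update_plugin`, `auto_update_theme` and `allow_minor_auto_core_updates` filters. The plugin name and the `EXAMPLE_MANUAL_UPDATE_PLUGINS` list are hypothetical; the filter names and the `$item->plugin` property are WordPress's own.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not WordPress.com code)
 * Description: Drop this file into wp-content/mu-plugins/ so it is always
 * loaded and cannot be deactivated from the dashboard.
 */

// Plugins you prefer to update by hand, e.g. because you test releases on a
// staging site first. Everything else receives background updates.
// (Hypothetical list; adjust to your site.)
const EXAMPLE_MANUAL_UPDATE_PLUGINS = array(
    'woocommerce/woocommerce.php',
);

// $update is WordPress's current decision (true/false/null); $item describes
// the pending update, and $item->plugin is the main plugin file relative to
// wp-content/plugins (e.g. 'akismet/akismet.php').
function example_auto_update_plugin( $update, $item ) {
    if ( isset( $item->plugin )
        && in_array( $item->plugin, EXAMPLE_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false; // leave these to a human
    }
    return true; // auto-update everything else
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// Themes: always update in the background.
add_filter( 'auto_update_theme', '__return_true' );

// WordPress core minor releases (which carry the security fixes): always apply.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
```

Two caveats for anyone applying this: background updates run from WP-Cron, which only fires when the site receives requests unless you wire it to a system cron, so a low-traffic site can lag behind a release; and an update can only ever fix code it can reach, so a plugin installed from a "free premium" site, which has no legitimate update channel, stays exactly as vulnerable as the day it was installed. On WordPress.com the updating and scanning described in the next section are handled for you, so this file is not needed there.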
At other WordPress hosts, the site owner is typically responsible for setting up malware and security scanning with a third-party plugin. On WordPress.com, we handle this on your behalf (as described in the next section). For that reason, some security plugins cannot be installed on WordPress.com: they interfere with the built-in processes that are already protecting your website.
This section of the guide applies to sites with the WordPress.com Business and Commerce plan, and the legacy Pro plan. If you have a Business plan, make sure to activate it. For sites on the Free, Personal, and Premium plans, upgrade your plan to access this feature.
Your site is automatically backed up once per day. Alongside the backup, we automatically scan your site daily for malware and other security vulnerabilities via Jetpack Scan, the security tool enabled on all WordPress.com sites.
Dedicated teams actively monitor these scans and resolve the threats they find. Resolutions include removing malicious code, removing dangerous plugins or themes, and, where possible, replacing a compromised plugin with a clean version. We also attempt to mitigate major security issues in popular third-party plugins and themes so that known exploits cannot be used even when the software has not been updated.
To view the scanning history showing a record of all previously active threats on your site, take the following steps:
- Visit your site’s dashboard.
- Navigate to Jetpack → Scan.
- Scroll through the list of security threats; each entry can be expanded to show more details about the threat.
If we detect malware on your website, we act quickly to remove the affected files or directories. This may change the appearance or functionality of your site, so we will notify you by email if it happens. If a malware threat comes from a third-party plugin or theme on your site, we recommend reporting the issue to that plugin or theme's developer, who can provide an updated version that does not contain the malicious code.
Please bear in mind that deliberately hosting malware violates our terms of service.
⚠️ If you plan on moving your site from another host to WordPress.com, please ensure it is free from malware and other security issues before migrating.