Don’t Believe The Hype: Why WordPress Malware Isn’t Your Biggest Threat

Scanning your WordPress sites for Malware is the most important thing you can do to protect your site.

This approach is common and is actually the USP (Unique Selling Point) of several popular WordPress security plugins and services.

Conventional wisdom and marketing emphasises to us all that scanning for malware is pinnacle of WordPress security greatness.

In this article I’ll argue that incessent Malware scanning isn’t going to keep your WordPress site secured.

I want to challenge your approach to WordPress site security and hope that by the end of the article your focus will have shifted a little.

Instead of endless “scanning for malware” treadmill, along with the anxiety that this produces in us, I want to show you there’s an alternative. And it’s a hugely effective way to keep your WordPress sites secure, and your data (and your customers’ data) safe.

Malware Scanning Is Super Important If You’re Already Hacked!

So yes, malware scanning is hugely important when you’re already compromised. You gotta find and eliminate the infection!

But let’s be absolutely clear here, statistically speaking, your site probably isn’t hacked. Yet.

Give me any random WordPress site and I’ll bet that “no”, it hasn’t been hacked. Afterall there are more non-hacked websites than hacked sites, so we’ve got better than a 50:50 chance.

So why on earth do we need powerful security plugins like ShieldPRO? What’s all that malware scanning for then?

Firstly, it’s important to realise that “under attack” and “hacked” are 2 different things. While you may not be compromised, if you’re not already under attack, I’d be very, very suprised.

So while I’d bet that you’re probably not hacked yet, the odds are good that if your site isn’t hacked today, it’ll be hacked eventually without robust security practices and defenses in-place.

The strategies and tools we need to handle both these scenarios (hacked and under attack) are different. ShieldPRO comes with all the powerful tools that work for both, but we’ll get to that a little later.

So What Is The Most Important Aspect Of WordPress Security Protection?

The clue is in the question – “PROTECTION“.

You’ll have heard the phrase that “prevention is better than cure”. This is a real thing.

It’s not a marketing ploy or persuasion tactic. It’s one of the rare times you can say ‘true fact‘ without sounding a little silly.

It is why, for example, Smallpox has been eradicated from planet earth, and why vaccines are the fastest way out of a global pandemic. <insert conspiracy theory counterargument here>

So it is, too, for WordPress site security.

It’s much easier and far cheaper to prevent a WordPress site from getting hacked and keep it clean, than it is to clean up after a site has been compromised.

If you’ve ever had to clean up a hacked site, you’ll know this to be true.

So Is Malware Scanning Important?

Of course, malware scanning is important. And ShieldPRO has strong malware scanning capabilities.

But it is depends on what you’re using you malware scanner for.

Malware scanning has 2 primary purposes:

  1. To quickly detect hidden malware scripts, allowing you to eliminate infection more easily.
  2. To let you know your website is vulnerable.

You see, many of us get it backwards. We think our website is vulnerable because we have malware.

But it’s the other way around: we have a malware infection because our website is vulnerable!

So if your favourite WordPress security plugin touts their primary feature is that they’re the #1 malware detector for WordPress, then you should also double-check with them that they actually prevent infection in the first place.

Sure you can detect and remove malware, but if you haven’t eliminated the root cause, you’re playing whack-a-mole with malware scripts.

Life’s too short for that.

I would never say, and certainly don’t imply, that malware scanning isn’t necessary as part of a holistic WordPress security strategy. We’ve made huge investments into our malware detection and repair engine within ShieldPRO because we know it’s important.

Being able to detect malware reliably, and eliminate it quickly, is critical in our efforts to secure WordPress sites after they’ve been compromised, and Shield fulfills this role for us.

But once malware has been discovered and cleaned, your work is only beginning. You’ll need to plug the hole that allowed the malware to get in there in the first place.

So, rather than set your primary goal to be detecting and eliminating malware, you’ll want to shift your focus a little and ask yourself…

What’s the Best Way To Stop Hacking in WordPress?

We said this earlier – good prevention is the path to robust WordPress security.

To prevent WordPress malware infections, we must understand how it happens in the first place.

There are a couple of angles to answering this. The most common answer you’ll hear is that vulnerable plugins and themes are single biggest vector for WordPress compromise.

This is true. But it’s not the whole story.

Let’s Play: Hacker Role Play

So let’s pretend you’re a WordPress website hacker and your stated goal is:

hack as many WordPress sites as you can all day, every day, and infect them with your malware scripts.

Here are some of your likely thoughts:

  • Firstly, you’d have a think about your target market – i.e. there are millions and millions of WordPress websites. Win!
  • Next, in order to hack 30,000+ websites every day you will need either:
    • a whole lot people to do a lot of manual work, or
    • automated bots and scripts to do all the hard work for you quickly
  • Since you don’t have the resources to hire people, you decide to build automated bots and scripts.

At this point you’ve decided to create automated bots to do your hacking for you. But there are a few things you must take into consideration when you design these bots:

  • You must “discover” the WordPress sites. Not all sites are WordPress, so you have to first find potential targets. So you’ll have your bots probe the websites to determine if they’re actually WordPress sites.
  • You have a library of publicly known (and maybe even non-public) WordPress plugin and theme vulnerabilities you’re going to exploit to gain access. So you narrow down your list of WordPress sites based on which sites have these vulnerable plugins/themes installed. This involves a lot more probing on the site.
  • You’ve now got a good list of sites to attack.
  • Attack!

Of course this layout is for illustrative purposes. But the principle of what’s happens in the real world is no different.

Some bots may not probe for discovery first, and instead go straight for the vulnerability itself, only to find it’s not present. But this can be considered a probing/exploit attempt, too.

In the end you’ll have lots of bots probing lots of websites.

Back To Preventing Malware and Hacking…

The first stage in hacking at scale is probing, with the use of bots/scripts, by either checking what the site has, or by directly targeting known vulnerabilities and hoping to get a hit.

If you track 404 errors on your own WordPress sites, you’ll see for example, there are often many requests to URLs that simply don’t exist. You’re being probed.

If we can detect these probing bots, determine that they’re sending requests for nefarious purposes, then we can completely block them from accessing our sites altogether.

This is true prevention and it works far better, and much more efficiently than repeatedly cleaning-up our sites after they’ve been compromised.

And this holds true not only for malware infections, but any possible compromise to your WordPress sites.

So your #1 goal shouldn’t be “find the best malware cleaner” – it should be: “find the best prevention against WordPress site hacking and compromise”.

How Does ShieldPRO Prevent WordPress Site Hacking?

The main area of focus of Shield Security for WordPress is in prevention.

We believe strongly that if we can prevent problems in the first place, we free ourselves and our WordPress sites to focus on the work that’s most important.

ShieldPRO achieves this by doing its utmost to detect bad bots and block them.

  • We use our exclusive, custom built AntiBot Detection Engine to detect bad bots. Detecting bad bots isn’t simple, because they do everything they can to hide their malicious intent. Shield builds up a profile for each IP address based on their activities and depending on their reputation, blocks certain requests.
  • Use our exclusive “NotBot” javascript snippet to quickly and reliably identify bots vs humans.
  • Gathers 25+ distinct “bot signals” to monitor, track and score visitors to build a unique “bot” profile.

Once we’ve accessed a visitor and determined it to be a bot, and more specifically, a bad bot, we prevent that visitor from performing certain requests against the site. And, depending on the Shield configuration, we can block that bot from sending any requests to the site entirely.

ShieldPRO prevents 10,000s of WordPress sites from being hacking every single day by standing in the way of malicious bots.

Of course, Shield will also scan for malware and filesystem modifications, vulnerable plugins and all the other usual suspects, but this “after-the-fact” scanning is no match for preventing such things in the first place.

Is Your WordPress Protection Focused On Prevention, or Cure?

If you ask yourself nothing else after reading this article, it should be whether your existing WordPress Security strategy is focused on prevention, or focused on cure.

We’ve argued that the biggest positive impact on your security lies in preventing the problems in the first place, and that ShieldPRO is built with this strategy in-mind.

While you might have the best or most expensive malware scanning engine on the market, if it’s consistently picking up threats, then you may not have the best WordPress protection available.

Source :