
How to protect WordPress from malware and infected plugins

WordPress does not get infected because it is bad software. It gets infected when it is left unprotected, outdated, full of low-quality plugins or hosted without proper isolation. For a Greek business, an infected WordPress site is not only a technical issue. It can mean lost forms, Google warnings, spam from the server, SEO drops, blacklist problems and lost trust.

Protection is not a matter of installing one security plugin and being done. It requires a plan: updates, backups, permissions, plugin review, a WAF, monitoring and a recovery process. The official WordPress hardening guide starts from the right principle: security is risk reduction, not an absolute guarantee.

Where malware usually enters

The most common entry points are outdated plugins, nulled premium plugins, old themes, weak passwords, admin accounts without 2FA, writable files, poor hosting isolation, exposed backups and vulnerable forms or builders. The problem is not only WordPress core. The plugin and theme ecosystem is huge and uneven.

Patchstack’s 2025 mid-year WordPress vulnerability report stated that Patchstack published 4,462 vulnerabilities in the first half of 2025, representing 66.60% of named vulnerabilities recorded during that period. It also reported 3,044 plugin vulnerabilities and said plugins were responsible for 89% of all vulnerabilities. That does not mean every plugin is dangerous. It means plugins must be selected, updated and monitored.

The nulled plugin mistake

Nulled plugins are one of the most expensive ways to save money. A premium plugin from an unknown source can contain a backdoor, spam injector, fake admin user, redirect malware or code that activates later. Even if it appears to work, there is no update channel and no guarantee about what is inside.

For a serious site, plugins and themes should come from WordPress.org, known vendors or developers who can support the code. The WordPress hardening guide is clear: do not get plugins or themes from untrusted sources.

Basic defense

The first defense is updates. Core, plugins, themes and PHP should stay on supported versions. Take a backup before every update. For a business site, test updates on a staging copy so that checkout or forms do not break on the live site.

The second defense is access control. Strong passwords, 2FA, few admin accounts, correct user roles and disabling file editing from the dashboard reduce risk. The third is permissions and hosting. Plugin files should not be broadly writable. Hosting should provide account isolation, modern PHP, WAF/ModSecurity where possible and clean backups.
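Two of the checks in this section can be scripted rather than eyeballed: whether file editing is disabled in wp-config.php, and whether anything under the plugins directory is writable by every local user. The script below is an added example, not code from the original post. It assumes a plain wp-config.php whose settings are written as define('NAME', value); lines and a standard wp-content/plugins layout; the install it audits is a throwaway tree it builds itself in a temporary directory, with one weak setting and one loose file, so it runs offline.

```python
"""Hardening audit for the basic-defense steps: wp-config.php constants
and world-writable plugin files.

Added example, not from the original post. Assumes define('NAME', value);
style wp-config.php lines and the standard wp-content/plugins directory.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# DISALLOW_FILE_EDIT is a real WordPress constant: when true, the theme and
# plugin file editors are removed from the dashboard.
REQUIRED_DEFINES = {"DISALLOW_FILE_EDIT": "true"}

DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_0-9]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)

# Constructed wp-config.php fragment showing the weak state: the constant is absent.
CONFIG_BAD = """<?php
define( 'DB_NAME', 'wp_db' );
define( 'DB_USER', 'wp_user' );
define( 'WP_DEBUG', false );
"""


def parse_defines(config_text: str) -> dict:
    """Return {CONSTANT: raw PHP value} for every define() in wp-config.php."""
    return {m.group("name"): m.group("value").strip()
            for m in DEFINE_RE.finditer(config_text)}


def missing_hardening(config_text: str) -> list:
    """Constants that are absent or not set to the value we require."""
    defines = parse_defines(config_text)
    problems = []
    for name, wanted in REQUIRED_DEFINES.items():
        actual = defines.get(name)
        if actual is None:
            problems.append(f"{name} is not defined")
        elif actual.lower() != wanted:
            problems.append(f"{name} is {actual}, expected {wanted}")
    return problems


def world_writable(root: Path) -> list:
    """Paths under root that any local user can write to (mode bit o+w set)."""
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.stat().st_mode & stat.S_IWOTH
    )


def audit_demo() -> dict:
    """Build a throwaway install with one weak config and one loose file, then audit it."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    (root / "wp-config.php").write_text(CONFIG_BAD)
    plugin_dir = root / "wp-content" / "plugins" / "example-plugin"
    plugin_dir.mkdir(parents=True)
    for d in (root / "wp-content", root / "wp-content" / "plugins", plugin_dir):
        os.chmod(d, 0o755)            # directories: owner writes, everyone else reads only
    loose = plugin_dir / "example-plugin.php"
    loose.write_text("<?php // constructed placeholder plugin file\n")
    os.chmod(loose, 0o666)            # the weak state: writable by every local user
    return {
        "config": missing_hardening((root / "wp-config.php").read_text()),
        "writable": world_writable(root / "wp-content" / "plugins"),
    }


if __name__ == "__main__":
    for key, items in audit_demo().items():
        print(key, items or "ok")
```

On a real install, point missing_hardening at the site's wp-config.php and world_writable at wp-content/plugins (and wp-content/themes); an empty list for both is the state you want. REQUIRED_DEFINES is a dictionary so that further constants can be added as a site's policy grows.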

Monitoring and backups

A backup that has not been tested is not a backup. You need daily or more frequent backups depending on the site, off-server storage and restore testing. For e-commerce, backups need extra care because you do not want to lose orders created after the last snapshot.

Monitoring should check uptime, file changes, suspicious redirects, new admin users, blacklists, Google Safe Browsing, cron jobs, unknown PHP files in uploads and unusual email sending. The earlier the issue is found, the lower the cleanup cost.
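Three of the monitoring checks listed above (file changes, PHP files in uploads, new admin users) come down to recording a baseline and diffing against it. The script below is an added example, not code from the original post. It assumes the standard WordPress layout (wp-includes, wp-content/uploads) and that the administrator list is exported from something like WP-CLI's `wp user list --format=json`; the user_login and roles field names are an assumption, and both the file tree and the user lists are constructed inline so the script runs offline. The same manifest diff, run against a clean copy of the same WordPress version, is the "compare core with clean versions" step of the cleanup section further down.

```python
"""File-change and admin-account monitoring for a WordPress install.

Added example, not from the original post. Assumes the standard layout
and an administrator list with user_login and roles fields (assumed shape
of a WP-CLI JSON export); all sample data here is constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Uploads should only ever contain media; anything PHP can execute there is a red flag.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def build_manifest(root: Path) -> dict:
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or changed since the baseline was recorded."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def php_in_uploads(manifest: dict, prefix: str = "wp-content/uploads/") -> list:
    """PHP-like files sitting anywhere in the uploads tree."""
    return sorted(p for p in manifest
                  if p.startswith(prefix) and Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)


def new_admins(baseline_users: list, current_users: list) -> list:
    """Administrator logins present now that were absent from the baseline."""
    def admins(users):
        return {u["user_login"] for u in users if "administrator" in u["roles"]}
    return sorted(admins(current_users) - admins(baseline_users))


def monitor_demo() -> dict:
    """Record a baseline, apply the constructed changes, and report what the monitor sees."""
    root = Path(tempfile.mkdtemp(prefix="wp-monitor-"))
    uploads = root / "wp-content" / "uploads" / "2025" / "01"
    uploads.mkdir(parents=True)
    (root / "wp-includes").mkdir()
    core_file = root / "wp-includes" / "version.php"
    core_file.write_text("<?php // constructed stand-in for a core file\n")
    (uploads / "logo.png").write_bytes(b"\x89PNG constructed image bytes")
    baseline = build_manifest(root)

    # Constructed changes: a core file edited and a PHP file appearing in uploads.
    core_file.write_text("<?php // constructed stand-in, now modified\n")
    (uploads / "image.php").write_text("<?php // constructed unexpected file\n")
    current = build_manifest(root)

    users_before = [{"user_login": "owner", "roles": "administrator"}]
    users_after = users_before + [{"user_login": "support-tmp", "roles": "administrator"}]
    return {
        "changes": diff_manifests(baseline, current),
        "php_in_uploads": php_in_uploads(current),
        "new_admins": new_admins(users_before, users_after),
    }


if __name__ == "__main__":
    for key, value in monitor_demo().items():
        print(key, value)
```

In practice the baseline manifest and user list are stored off the server (an attacker who can edit files can also edit a manifest kept next to them) and the diff runs from cron or the monitoring host; every non-empty result is something to look at the same day.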

What to do if infected

If the site is infected, do not just click update and hope. First take a forensic backup of the current state so you can understand what happened. Then secure the site, change passwords, review admin users, clean files, compare core with clean versions, replace plugins and themes from official sources and check the database for injected scripts.

After cleanup, close the entry point. If you do not find how the attacker got in, the site may be reinfected. Finally, check Search Console, sitemap, robots.txt, canonical tags and indexation. Malware often leaves SEO spam pages or redirects behind.
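The "check the database for injected scripts" step above, and the redirect behaviour mentioned after it, can be covered by one scan of post content plus the two URL options (siteurl and home) that redirect malware commonly rewrites. The script below is an added example, not code from the original post. It assumes the default wp_ table prefix and the real wp_posts (ID, post_content) and wp_options (option_name, option_value) columns; the data it scans is a constructed in-memory SQLite copy of those two tables so it runs offline, and the suspicious-host names in it are made up.

```python
"""Database scan for injected scripts, hidden iframes and tampered site URLs.

Added example, not from the original post. Assumes the wp_ prefix and the
standard wp_posts / wp_options column names; the sample rows are constructed.
"""
import re
import sqlite3
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*['"]?([^'"\s>]+)""", re.I)
HIDDEN_IFRAME_RE = re.compile(r"<iframe\b[^>]*display\s*:\s*none", re.I)
# Inline constructs that legitimate page content almost never needs.
SUSPICIOUS_INLINE = ("eval(", "atob(", "unescape(", "fromCharCode", "document.write(")


def scan_html(ref, html: str, allowed_hosts: set) -> list:
    """Findings for one piece of stored HTML; ref identifies the row it came from."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname or ""   # relative src has no host
            if host and host not in allowed_hosts:
                findings.append((ref, f"external script from {host}"))
        else:
            hit = next((k for k in SUSPICIOUS_INLINE if k in body), None)
            if hit:
                findings.append((ref, f"inline script uses {hit}"))
    if HIDDEN_IFRAME_RE.search(html):
        findings.append((ref, "hidden iframe"))
    return findings


def scan_database(conn, allowed_hosts: set, expected_home: str) -> list:
    """Scan every post and the two URL options that redirect malware likes to change."""
    findings = []
    for post_id, content in conn.execute("SELECT ID, post_content FROM wp_posts ORDER BY ID"):
        findings.extend(scan_html(post_id, content or "", allowed_hosts))
    for name, value in conn.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('siteurl', 'home') ORDER BY option_name"
    ):
        if value.rstrip("/") != expected_home.rstrip("/"):
            findings.append((name, f"points to {value}"))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the two tables, same column names as WordPress."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT)")
    conn.execute("CREATE TABLE wp_options (option_name TEXT PRIMARY KEY, option_value TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?)", [
        (1, '<p>Clean page</p><script src="/wp-includes/js/jquery/jquery.min.js"></script>'),
        (2, '<p>Offer</p><script src="https://cdn.constructed-bad.example/t.js"></script>'),
        (3, "<p>About</p><script>eval(atob('Y29uc3RydWN0ZWQ='));</script>"),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?, ?)", [
        ("siteurl", "https://shop.example"),
        ("home", "https://redirect.constructed-bad.example"),   # constructed tampered value
    ])
    return conn


def scan_demo() -> list:
    """Run the scan over the constructed database for the site shop.example."""
    return scan_database(build_sample_db(), {"shop.example"}, "https://shop.example")


if __name__ == "__main__":
    for ref, what in scan_demo():
        print(ref, "->", what)
```

Run this against the forensic copy of the database rather than the live one, with allowed_hosts set to the site's own domain plus any CDN or analytics hosts it legitimately loads; for a full cleanup the same scan_html should also be applied to widget and theme-option rows in wp_options and to wp_postmeta, since page builders store HTML there too.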

A practical defense line

Protecting WordPress from malware is a process, not a button. Fewer, well-maintained plugins, frequent updates, proper hosting, 2FA, backups, monitoring and serious maintenance reduce risk dramatically. A cheap, unprotected WordPress site can cost far more than its monthly care.
