Chapter 6. Before You Install a New WordPress Theme

For (?)

So, now you’ve downloaded a new theme and are ready to install it. There are just a couple very important things we should do before we can make that happen: verify it is clean and free of malware, and back your site up (which we’ll go over in our next chapter.)

WordPress Surgery 101

Not to be melodramatic about it, but to help you remember this important step we should think of installing a new theme as WordPress surgery. In fact, you are opening up your WordPress installation and replacing a piece of it with a new piece. If you install and activate an infected theme, you could be setting yourself up with some serious problems.

Wash your hands

I cannot stress this enough, but you really should be very cautious about the computer you are using to access your website, be it via the Admin Panel, the cPanel, or using an FTP (file transfer protocol.) I have personally seen a user log into their client’s infected WordPress site, do some work, then log into their own WordPress site and end up infecting their own site with the same malware.

The risk of uploading, downloading and transferring infected files can be greatly reduced by using an active and robust anti-virus program on your Mac and PC. They can also protect your computer from key loggers, root kits and myriad other forms of malware that can steal your logins and other information.

If you bought a PC, you may be under a false sense of security in that “it comes with anti-virus protection.” But that is not 100% true, nor is it 100% reliable. Some anti-virus software that comes pre-bundled on your new PC expires and stops updating after 90 days (check the paperwork that came with the machine.)

Also, while Microsoft has some anti-virus programs in place. It is debatable how effective they are for today’s level of threats. I personally recommend MalwareBytes or Sophos anti-virus programs for PCs, though there are numerous options out there.

If you own a Mac, you are likely under the false sense of security in believing the out-right lie that “Macs can’t get viruses.” This is more worrisome than a PC user running outdated anti-virus software since you are the new big target and can be helping to spread malware. Thankfully you have awesome free solutions that works very well: Sophos Anti-virus for Mac, and MalwareBytes for Mac. I install both on every Mac I own.

The rise in popularity of the Mac is also making them a bigger viable target for people to write Mac-specific malware. Just do a web search for “Mac malware” or “Mac viruses” and see for yourself.

If you run your site from a mobile device—uploading images, files and other assets to your website from your mobile device—you also need protection from malware. At time of writing, Apple does not allow apps to do system-level scanning for malware on iPads and iPhones, but Android and Windows do.

In all cases:

• make sure you have an anti-virus program installed and up to date.
• make sure that you regularly scan your computer for malware. Some anti-virus programs only look for problems during the scan. Sophos is one that is actively scanning all downloads (even during web browsing) in real time, and even every USB drive you stick in your computer.

Now that your computer is clean and protected…

Scan Your Site for Malware and Black Hat SEO

This should be done prior to you switching themes. If your current theme is compromised, and you switch it out with a new theme and leave the old theme on your server, you can still have an exploit in the old theme. Even if you are going to delete the old theme, you need to know if it has been compromised so that you can properly clean up the database. The best way to scan it with Sucuri is when it’s activated—before you switch themes.

Ok, I promise this is easy. So easy you don’t even need to log into your Admin or cPanel. Just visit Sucuri SiteCheck and enter your website’s URL into the area labeled “Scan your website for free.” After about a minute, you should see a “SiteCheck Results” page that (hopefully) looks like this:

Screen capture of the SiteCheck Results page for Sucuri.net. If there are problems, you will see them listed out below this box.

Anything that is in error, found to be suspect, or a known threat will be listed in red text. Sucuri isn’t a company that hides the information and makes you pay to see it—it’s all very transparent with Sucuri, even going so far as to list the details and actual code of the threat.

If you find your site has been compromised, I highly recommend you sign up for one of their plans to get your website cleaned up. I have seen a handful of infected and hacked sites get cleaned up by Sucuri in less than four hours, many of them in two hours. Unless you are a professional in this area, cleaning it up yourself can lead to a very long day and possibly a broken website with lost data. Not only that, you might not clean up the back door hackers typically install, so it will just happen again.

Pro Tip: You can scan any website in the world using Sucuri, not just WordPress sites, and not just your own. Meaning, Sucuri is a great tool for scanning websites before you visit them. Not every website you visit, but the ones that you feel may be a little suspect. If you are a designer, developer or agency that builds and maintains websites for clients, I highly recommend you take a few moments and have Sucuri scan each of them.

Managed Hosting Protection

If you are using managed hosting, you may already benefit from periodic malware scans by your host. Some managed hosting plans only scan the backup files, others check the production files. Check with your plan to see whether scanning for malware is included, which files they scan, and more importantly, what they do if they find something.

Now that you are cleaned up and the operating room—your computer and website—is ready, let’s backup your website so we can start doing some real work!