3 Steps to Protect Your WordPress Blog from Hackers

by Sherryl Perry on June 16, 2011


Hackers like to target popular software programs. (Just ask anyone at Microsoft and they’ll agree.) There are WordPress plug-ins that you can install for additional security, but there are also some basic steps that don’t involve installing plug-ins and that help decrease the chances of your WordPress blog being hacked.

#1) Don’t Install WordPress into the Root Directory

When you install WordPress (on a self-hosted blog), the default is to install the software into the “root” directory of your blog. Instead, create a new directory with an obscure name and install WordPress into that. This will make it more difficult for malicious programs to find WordPress on your site.

Warning: There are certain extra steps that you will need to perform if you do this including modifying your general settings and your index.php file. Also, if you’re using permalinks or other rewrite rules, the .htaccess file needs to be in the same location as the index.php file (i.e. not the ‘admin’ folder). So, you may want to buy the book that I recommend below or possibly hire a friendly geek to help. (I’m a Geek and my rates are reasonable. 🙂)

#2) Don’t Keep the WordPress Username ADMIN

Don’t keep the “admin” account. Use it to create a new logon with admin rights. Then, log in with the new logon and delete the original “admin” account. This is for the same reason as tip #1: hackers know the default username for a standard WordPress installation is ADMIN and they look for it. This is an easy tip to follow. I don’t think warnings are needed for this one but if anyone can think of a creative way to get in trouble with this one, please let me know.
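The account swap from tip #2, done from the command line, as an added example that is not part of the original post. It assumes WP-CLI is installed as `wp` and is run from the WordPress directory; the function name and the sample login and e-mail address are hypothetical. It reassigns the old account's posts to the new one, because deleting a WordPress user without reassigning also deletes that user's content.

```shell
#!/usr/bin/env bash
# Added example: replace the default "admin" account using WP-CLI.
# Assumptions: WP-CLI is available as `wp` and the current directory is the
# WordPress install; replace_default_admin is a hypothetical helper name.

# replace_default_admin NEW_LOGIN NEW_EMAIL
# Prints a one-line result. Return codes: 0 replaced, 1 no "admin" user,
# 2 bad arguments, 3 create failed, 4 delete failed.
replace_default_admin() {
    local new_login="${1:-}" new_email="${2:-}" old_id new_id

    if [ -z "$new_login" ] || [ -z "$new_email" ]; then
        echo "usage: replace_default_admin NEW_LOGIN NEW_EMAIL" >&2
        return 2
    fi
    if [ "$new_login" = "admin" ]; then
        echo "refusing: the new login must not be 'admin'" >&2
        return 2
    fi

    # Look up the default account; if it is absent there is nothing to do.
    if ! old_id="$(wp user get admin --field=ID 2>/dev/null)"; then
        echo "no 'admin' user found"
        return 1
    fi

    # Step 1: create the replacement with administrator rights.
    # --porcelain prints only the new user's ID; --send-email mails the
    # new account details to NEW_EMAIL instead of showing a password here.
    new_id="$(wp user create "$new_login" "$new_email" \
        --role=administrator --send-email --porcelain)" || return 3

    # Step 2: delete the old account and hand its posts to the new user.
    # Without --reassign, the old account's posts are deleted with it.
    wp user delete admin --reassign="$new_id" --yes >/dev/null || return 4

    echo "admin (ID $old_id) replaced by $new_login (ID $new_id)"
}

# Run only when called with arguments, for example (constructed values):
#   ./replace-admin.sh editor-example owner@example.com
if [ "$#" -gt 0 ]; then
    replace_default_admin "$@"
fi
```

Take a backup first, and confirm you can log in with the new account before relying on it.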

#3) Keep Your WordPress Software Updated

Update your WordPress installations in a timely manner. (This is especially important if the update is addressing a security risk.) Again, malicious software can look for old versions and compromise them. It’s one thing to wait until there are no known problems with the upgrade process. I use the Thesis theme. So, I always search first to make sure no one else has had an issue. (I don’t have to remind anyone to always back up before upgrading, do I?)

Recommended Reading to Get the Most Out of WordPress

When I first built my WordPress blog, I already had experience building HTML websites and sites using Joomla (another CMS, i.e. Content Management System, program). Even so, as with any new program, I researched it before attempting to install it. (I’m definitely NOT a dive-in-before-you-find-out-how-deep-it-is kind of gal.)

Now, for those of you who read my blog, you know that my preference is always to search for low-cost and open-source solutions. (I do donate to the authors when I can.) However, while I was searching on WordPress tips, I came across the book “Digging Into WordPress” by Chris Coyier and Jeff Starr. I opted for the PDF version for $27. There’s a print version available for $75 and NO, I am not an affiliate. I just found it to be extremely valuable and it’s where I learned these three tips.

What security plug-ins do you use? Do you have more tips that you can share with us to keep our websites safe? What is your favorite resource for WordPress tips?

Sherryl Perry
December 31, 2012 at 5:38 pm

Thanks for letting me know that you found my article about WordPress security useful. As for security plugins, I use Better WP Security. It’s very powerful and you don’t have to implement everything they suggest to make your site safer. (The only thing that I find slightly annoying is all of the notifications that you’ll get. You can tweak the settings but then if there is a hack, you may not be notified of it.)

The other plugin that you may want to install is “Prevent XMLRPC” which addresses a recently identified security vulnerability involving trackback spam.

NEERAJ October 17, 2012 at 1:44 pm

I am doing the first mistake… installing WP in the root directory… Thanks for sharing, Sherryl.

Sherryl Perry
October 20, 2012 at 7:26 pm

You’re welcome Neeraj. Thanks for letting me know that you found my article helpful. It’s much easier to install WP in a sub-directory on a new site than trying to deal with it afterwards.

Mark
October 16, 2012 at 1:21 am

Hi Sherryl,

Nice article but can I ask a question? Don’t you suggest using other WordPress plugins like Limit Login Attempts? On my end, I am using that plugin in addition to an extremely difficult password.

Sherryl Perry
October 16, 2012 at 3:42 pm

Thanks for bringing up plugins Mark. They’re very helpful and I could have easily made that tip #4. I used to use the Limit Login plugin along with WordPress Firewall2. I now use Better WP Security.

Mark
October 17, 2012 at 2:57 am

Yeah you are right there Sherryl. Plugins can help albeit they will slow down our website’s loading time.

Actually I created a post about protecting a WordPress blog from hackers just today too. lol. There I included this plugin, Limit Login Attempts.

If you have spare time please try reading it too.

Emilia September 21, 2012 at 5:15 am

The mere thought of losing access to my blog makes me cringe 🙁 These good for nothing hackers must be annihilated!!! But because no one has the ability to do it for good, let us make it a habit to take precautionary measures like increasing the strength of our password and being wary of anything suspicious. Thanks for the very informative share!

Sherryl Perry
September 23, 2012 at 11:47 am

Hi Emilia,
Thanks for joining the conversation. 🙂 I cringe over the thought of hackers too. Strong passwords and changing them regularly is so important. Having backups offsite as well as local is important too just in case someone does manage to access your site and do damage.

Recently Richard Bracke was a guest blogger here and he wrote an interesting article for us on cloud computing. I linked to it below. You might find it interesting.
Sherryl Perry recently posted: Is Cloud Computing Safe for Your Business?

Adam August 24, 2012 at 2:00 am

What I would have given for this information 2 years ago, Sherryl.

I poured my heart and soul into my first ever blog – a Vegan website – and spent months making it as best I could. One day I logged in to find a warning telling me that it’d been hacked and after speaking with some more computer literate buddies I learned that my beloved pet project was unsaveable.

To all those reading this post – it CAN happen to you, really easily, because sadly there are some malicious people out there. Following these 3 steps will go a long way to preventing any loss though!

ADam 🙂

Sherryl Perry
August 24, 2012 at 12:58 pm

Hi Adam,
It’s unfortunate that happened to you. No matter how much we think we’re protected, there are some very real risks out there. Recently, a blogging friend of mine had his two most valuable domain names stolen from him. (The usual safeguards that are supposed to protect us seem to have failed.) His first notice that he had lost his domains came in the form of an email from the person who stole them. (He was trying to sell them to the real owner.) After contacting the FBI, he was able to reclaim them. Lesson learned – we have to take extra steps to protect ourselves. In this case, his password was hacked. So, he now has established an even more secure one. (After hearing his story, I changed mine too. We both use GoDaddy as our domain registrars.)

Kristine August 7, 2012 at 6:16 am

I’ve been looking around for tips to keep my wordpress site secure and the information you provided here is just what I need. Thanks a lot!

Sherryl Perry
August 24, 2012 at 12:52 pm

Kristine,
First, I want to apologize for taking over two weeks to reply to your comment. (It’s been an insane month of techie issues but that is not a good excuse.) Thanks for letting me know that you found my tips for protecting your WordPress site from hackers valuable. I appreciate your taking the time to let me know.

Sherryl Perry
August 6, 2012 at 11:56 am

Thanks for letting me know that you found my tips valuable. Just yesterday, I was on a blog where all the posts were created by “Admin”. That is such a common mistake and so easy to fix! I’m off to write my post for this week and I think this tip is worth mentioning again.

Christian Esperar
May 10, 2012 at 9:59 pm

Hacking is too mainstream these days since many people have started to try to build a blog. Using the default username/password is one of the common mistakes that all bloggers need to pay attention to. Step #1 is kind of geeky for others since you will move it to another directory, which is not common, but this is definitely worth a try.

Sherryl Perry
May 11, 2012 at 12:34 pm

Hi Christian,
I don’t recommend undertaking step #1 if you already have WordPress installed. (It is “kind of geeky”.) It is something to keep in mind for new installs. Thanks for taking the time to weigh in on this.

Amit Shaw
May 1, 2012 at 4:45 am

Thanks for these superb tips, Sherryl. I am following almost everything.
I would love to share this with my friends who want to start a new WordPress blog. It would be helpful for them.
Thanks.

Sherryl Perry
May 1, 2012 at 10:56 pm

I’m glad you found my post helpful Amit. When I decided to start my blog, I bought the “Digging Into WordPress” book (my affiliate link is in the sidebar under resources). I was very glad that I had invested in it because one of the first things I learned was to install WordPress into a directory rather than the root. That book is chock full of tips and I found it to be very well written.

design company April 20, 2012 at 8:36 am

An outdated version of WordPress installed in the default directory is a lot easier to find and take advantage of than one that’s installed to a different directory.

Sherryl Perry
April 3, 2012 at 1:23 pm

Excellent! It’s good to know that my post helped you make your site more secure.

Rahul kuntala
March 8, 2012 at 9:11 am

Thank you so much for providing this info. I’m glad to find this blog. Really helpful for every blogger.

Sherryl Perry
March 17, 2012 at 11:31 am

Rahul,
Thanks for dropping by and taking the time to let me know that you liked my post about protecting your blog from hackers. I apologize for such a late reply but your comment was trapped by my spam filter. (I have no idea why.)

Amit Shaw March 8, 2012 at 9:02 am

Really helpful for us. 🙂 I’m glad you shared the valuable info with us. I appreciate your writing skills

Sherryl Perry
March 17, 2012 at 11:26 am

Amit,
Somehow, your comment was caught in my spam filter and I just found it. I apologize for taking so long to answer you. Thanks so much for taking the time to let me know that you appreciated my post on protecting your WP site from hackers.

Rahul kuntala
March 8, 2012 at 8:59 am

I really didn’t know this before. I’m still maintaining admin as my user name. I’ll change it now. Thanks for sharing this 🙂

Sherryl Perry
March 8, 2012 at 12:00 pm

You’re welcome Rahul. I’m glad that you found my article interesting. Keeping the user “admin” really does open you to a risk of having your site hacked. It’s smart to create a new user and delete admin.

Grace Walker February 21, 2012 at 9:35 am

I was amazed reading this because I learned something new again. Something to add in my knowledge and I appreciate it so much. Keep on writing more informative articles.

Sherryl Perry
February 22, 2012 at 2:04 pm

Hi Grace, Thanks for letting me know that you found my article valuable. I’m glad I could help.

Bhavesh Sondagar
February 16, 2012 at 6:37 am

Hi Sherryl,
I agree with the point you mentioned, especially your recommendation about Don’t Install WordPress into the Root Directory.
Most hackers would first target the root directory, so if we are installing WordPress in a new directory with an obscure name, hackers would not guess the word and this way we can get protection from hackers.
Nice post.

Sherryl Perry
February 16, 2012 at 8:02 pm

Thanks Bhavesh. I read an excellent book on WordPress prior to installing it and that was one of the things that stood out to me. When we install it in the root, it’s easy for a bot to target our sites. I think everyone would do this if they were aware of the risks involved.

leather ipad case February 13, 2012 at 1:40 am

One of the most common ways WordPress websites get hacked is because their owners don’t keep their software up to date. What happens is that older versions of WordPress can have known security weaknesses. These weaknesses are fixed by newer releases of the software.

Sherryl Perry
February 13, 2012 at 12:56 pm

It’s very important to keep our software updated. Following all three of the suggestions here will help. Additionally, we can install WordPress plugins like Firewall2 and Login Lockdown.

Marixie San Jose January 11, 2012 at 7:09 am

Don’t keep the “admin” password. <—— OMG! I always do this. I don't change the username "admin". Thanks a lot for this post. But I have an autolock system too for passwords that have been repeatedly entered in the wrong manner. THANKS THANKS! THESE POST REALLY HELPED A LOT. I'll lose my mind if my websites got hacked.

Sherryl Perry
January 11, 2012 at 2:28 pm

Thanks for letting me know that my article helped you. You are not alone. I am amazed by how many people leave the admin user. I manage a LinkedIn group called Bloggers Helping Bloggers. I saw so many members who were doing this that I started a discussion just to warn people about it.

Stan December 30, 2011 at 9:47 am

What I’ve been trying on one of my blogs is a plugin called Stealth Login. What it does is encrypt your login connection and you can also change your login path. So you get rid of the wp-admin login, since most hackers go for that path to steal your pass. I haven’t installed it on all my blogs because I’m still not sure how well it works. But I like the idea.

Sherryl Perry
December 30, 2011 at 11:45 am

That’s an interesting plugin Stan. I’ll keep it in mind for the future. My problem is that I have quite a few plugins running now and I’m starting to get leery about adding more. I’ll have to check it out more. I had never heard of it before. Thanks for sharing.

Peter Venter December 10, 2011 at 8:11 am

My existing sites are hosted at Hostgator. (You talk about a self hosted blog). Is it possible to create a new directory and install WordPress in that directory if Hostgator is your host? Also I’m sure when I created a blog for one of my Amazon sites I was not able to change the default ‘admin’ log in. I could be wrong. Would be really interested in getting your input on the above issues.
Many Thanks
Peter

Sherryl Perry
December 10, 2011 at 12:00 pm

Peter, I don’t recommend re-installing your WordPress into a new subdirectory for active blogs. It’s a good tip to keep in mind for any future blogs you install.

As for your admin logon, what you need to do is create a new logon with administrator privileges. Then logout and login with your new admin account. Then delete the old “admin” account. This is simple yet very important.

Audrey November 20, 2011 at 9:18 pm

Don’t Keep the WordPress Username ADMIN – I know some who stick with admin as username. It’s much easier to remember but like what you’ve said, it’s the default username. At least if two items are unknown to the hacker, it would be difficult for them to penetrate your account.

Sherryl Perry
November 20, 2011 at 9:31 pm

I agree Audrey, that’s one of the first things that someone should do when they’re setting up their WordPress blog.

Steve
November 11, 2011 at 3:11 am

I look forward to your next post and your story of broken themes. There’s nothing worse than having to wade through pages of someone else’s code to find out what’s broken.
Of course you can always back up your theme. I work on my themes offline so fortunately I always have a backup.
There have been times when I have broken my theme while working offline and had to back up from my server. It’s very handy to work this way.

Sherryl Perry
November 11, 2011 at 10:56 am

Thanks Steve. I posted the article yesterday. The problem was that even though I had both a MYSQL database backup and a full site backup, restoring them did not solve the problem. Thankfully, (unfortunately for them), other bloggers had run into a similar problem and there was a documented solution online. My post is sort of a warning to others about having documentation. It also should cast some light on the troubleshooting process that I went through.

Steve
November 10, 2011 at 3:52 am

Like Rohan said, you are never 100% safe so you should take steps beyond prevention. I know it’s pretty obvious but for real peace of mind, make regular backups. Then if the worst does happen, you won’t lose everything.

Sherryl Perry
November 10, 2011 at 12:46 pm

That is so true Steve. I’m amazed by the number of people who don’t backup. Sometimes, backing up isn’t even enough. An interesting thing happened to me last weekend when my WordPress theme “broke”. Restoring from backups didn’t work. (My next post will fill you in on what happened.)

Mike Geary October 11, 2011 at 4:10 am

Geez! thanks for these 3 important steps on how I can protect my Wordpress from the mean hackers that do no good. I want to start my own blog and have used Wordpress and I admit, Sherryl, that I have no idea how can I protect it. I’ll follow all the steps you have shared right now.

Sherryl Perry
November 10, 2011 at 12:44 pm

Hi Mike,
First, I want to apologize for not replying to your comment earlier than this. I try to reply daily but I missed your comment. Good luck with your blog. If you’d like me to take a quick look at your blog let me know and I may be able to give you some feedback.

Thanks for taking the time to leave a comment.
