3 Steps to Protect Your WordPress Blog from Hackers

Share Button

Hackers like to target popular software programs. (Just ask anyone at Microsoft and they’ll agree.) There are WordPress plug-ins that you can install for additional security but there are also some basic steps that you can take to help decrease the chances of your WordPress blog from being hacked that don’t include installing plug-ins.

#1) Don’t Install WordPress into the Root Directory

When you install WordPress (on a self hosted blog), the default is to install the software into the “root” directory of your blog. Instead, create a new directory with an obscure name and install WordPress into that. This will make it more difficult for malicious programs to find WordPress on your site.

Warning: There are certain extra steps that you will need to perform if you do this including modifying your general settings and your index.php file. Also, if you’re using permalinks or other rewrite rules, the .htaccess file needs to be in the same location as the index.php file (i.e. not the ‘admin’ folder). So, you may want to buy the book that I recommend below or possibly hire a friendly geek to help. (I’m a Geek and my rates are reasonable. 🙂)

#2) Don’t Keep the WordPress Username ADMIN

Don’t keep the “admin” password. Use it to create a new logon with admin rights. Then, log in and delete the original admin password. This is for the same reason as tip #1. Hackers know the default username for a standard WordPress installation is ADMIN and they look for it. This is an easy tip to follow. I don’t think warnings are needed for this one but if anyone can think of a creative way to get in trouble with this one, please let me know.

#3) Keep Your WordPress Software Updated

Update your WordPress installations in a timely manner. (This is especially important if the update is addressing a security risk.) Again, malicious software can look for old versions and compromise them. It’s one thing to wait until there are no known problems with the upgrade process. I use the Thesis theme. So, I always search first to make sure no one else has had an issue. (I don’t have to remind anyone to always backup before upgrading do I?)

Recommended Reading to Get the Most Out of WordPress

When I first built my WordPress blog, I already had experience building HTML websites and sites using Joomla (another CMS –Content Management System program). Even so, as with any new program, I researched it before attempting to install it. (I’m definitely NOT a dive-in-before-you-find-out-how-deep-it-is kind of gal.)

Now, for those of you who read my blog, you know that my preference is always to search for low-cost and open-source solutions. (I do donate to the authors when I can.) However, while I was searching on WordPress tips, I came across the book “Digging Into WordPress” by Chris Coyier and Jeff Starr. I opted for the PDF version for $27. There’s a print version available for $75 and NO, I am not an affiliate. I just found it to be extremely valuable and it’s where I learned these three tips.

What security plug-ins do you use? Do you have more tips that you can share with us to keep our websites safe? What is your favorite resource for WordPress tips?

Share Button

Published by Sherryl Perry

Welcome! If you're looking for help building an Internet presence that fits your needs and works for you, you're in the right place. I blog common sense articles about WordPress, social media and SEO. My goal is to help small business owners and entrepreneurs understand their core business. Together, we can develop and implement business strategies that make sense to you.

Join the Conversation


Your email address will not be published. Required fields are marked *

  1. Thanks for letting me know that you found my article about WordPress security useful. As for security plugins, I use Better WP Security. It’s very powerful and you don’t have to implement everything they suggest to make your site safer. (The only thing that I find slightly annoying is all of the notifications that you’ll get. You can tweak the settings but then if there is a hack, you may not be notified of it.)

    The other plugin that you may want to install is “Prevent XMLRPC” which addresses a recently identified security vulnerability involving trackback spam.

    1. You’re welcome Neeraj. Thanks for letting me know that you found my article helpful. It’s much easier to install WP in a sub-directory on a new site than trying to deal with it afterwards.

  2. Hi Sheryl,

    Nice article but can I ask a question? Don’t you suggest using other wordpress plugin like limit login attempts? In my end, I am using that plugin in addition to extremely difficult password.

    1. Thanks for bringing up plugins Mark. They’re very helpful and I could have easily made that tip #4. I used to use the Limit Login plugin along with WordPress Firewall2. I now use Better WP Security.

      1. Yeah you are right there Sherryl. Plugins can help albeit they will slow down our website’s loading time.

        Actually I created a post about protecting a wordpress blog from hackers just today too. lol. There I included this plugin, Limit Login Attempts.

        If you have spare time please try reading it too.

  3. The mere thought of losing access to my blog makes me cringe 🙁 These good for nothing hackers must be annihilated!!! But because no one has the ability to do it for good, let us make it a habit to take precautionary measures like increasing the strength of our password and being wary of anything suspicious. Thanks for the very informative share!

    1. Hi Emilia,
      Thanks for joining the conversation. 🙂 I cringe over the thought of hackers too. Strong passwords and changing them regularly is so important. Having backups offsite as well as local is important too just in case someone does manage to access your site and do damage.

      Recently Richard Bracke was a guest blogger here and he wrote an interesting article for us on cloud computing. I linked to it below. You might find it interesting.

  4. What I would have given for this information 2 years ago, Sherryl.

    I poured my heart and soul into my first ever blog – a Vegan website – and spent months making it as best I could. One day I logged in to find a warning telling me that it’d been hacked and after speaking with some more computer literate buddies I learned that my beloved pet project was unsaveable.

    To all those reading this post – it CAN happen to you, really easily, because sadly there are some malicious people out there. Following these 3 steps will go a long way to preventing any loss though!

    ADam 🙂

    1. Hi Adam,
      It’s unfortunate that happened to you. No matter how much we think we’re protected, there are some very real risks out there. Recently, a blogging friend of mine had his two most valuable domain names stolen from him. (The usual safeguards that are supposed to protect us seem to have failed.) His first notice that he had lost his domains came in the form of an email from the person who stole them. (He was trying to sell them to the real owner.) After contacting the FBI, he was able to reclaim them. Lesson learned – we have to take extra steps to protect ourselves. In this case, his password was hacked. So, he now has established an even more secure one. (After hearing his story, I changed mine too. We both use GoDaddy as our domain registrars.)

    1. Kristine,
      First, I want to apologize for taking over two weeks to reply to your comment. (It’s been an insane month of techie issues but that is not a good excuse.) Thanks for letting me know that you found my tips for protecting your WordPress site from hackers valuable. I appreciate your taking the time to let me know.

  5. Thanks for letting me know that you found my tips valuable. Just yesterday, I was on a blog where all the posts were created by “Admin”. That is such a common mistake and so easy to fix! I’m off to write my post for this week and I think this tip is worth mentioning again.

  6. Hacking is too mainstream this day since there are many people started to try to build a blog. Using the default username/passwords is one of the common mistakes that all bloggers need to pay attention. Step#1 is kind of geeky for others since you will move it to other directories which is not common but this is definitely worth a try.

    1. Hi Christian,
      I don’t recommend undertaking step #1 if you already have WordPress installed. (It is “kind of geeky”.) It is something to keep in mind of new installs. Thanks for taking the time to weigh in on this.

  7. Thanks for this superb tips Sherryl. Almost everything i am following.
    I would love to share this with my frnds who want to start his new wordpress blog. It would be helpful for him.

    1. I’m glad you found my post helpful Amit. When I decided to start my blog, I bought the “Digging Into WordPress” book (my affiliate link is in the sidebar under resources). I was very glad that I had invested in it because one of the first things I learned was to install WordPress into a directory rather than the root. That book is chock full of tips and I found it to be very well written.

    1. Rahul,
      Thanks for dropping by and taking the time to let me know that you liked my post about protecting your blog from hackers. I apologize for such a late reply but your comment was trapped by my spam filter. (I have no idea why.)

    1. Amit,
      Somehow, your comment was caught in my spam filter and I just found it. I apologize for taking so long to answer you. Thanks so much for taking the time to let me know that you appreciated my post on protecting your WP site from hackers.

    1. You’re welcome Rahul. I’m glad that you found my article interesting. Keeping the user “admin” really does open you to a risk of having your site hacked. It’s smart to create a new user and delete admin.

  8. I was amazed reading this because I learned something new again. Something to add in my knowledge and I appreciate it so much. Keep on writing more informative articles.

  9. Hi Sherryl,
    I am agree with the point you mentioned,specially your recommendation about Don’t Install WordPress into the Root Directory.
    Most of hackers would first target the root directory,so if we are installing WordPress on new directory with obscure name,hackers would not guess the word and this way we can get protection from hackers.
    Nice post.

    1. Thanks Bhavesh. I read an excellent book on WordPress prior to installing it and that was one of the things that stood out to me. When we install it in the root, it’s easy for a bot to target our sites. I think everyone would do this if they were aware of the risks involved.

  10. One of the most common ways WordPress websites get hacked is because their owners don’t keep their software up to date. What happens is that older versions of WordPress can have known security weaknesses. These weaknesses are fixed by newer releases of the software.

  11. Don’t keep the “admin” password. <—— OMG! I always do this. I don't change the username "admin". Thanks a lot for this post. But I have an autolock system too for passwords that have been repeatedly entered in the wrong manner. THANKS THANKS! THESE POST REALLY HELPED A LOT. I'll lose my mind if my websites got hacked.

    1. Thanks for letting me know that my article helped you. You are not alone. I am amazed by how many people leave the admin user. I manage a LinkedIn group called Bloggers Helping Bloggers. I saw so many members who were doing this that I started a discussion just to warn people about it.

  12. What i’ve been trying on one of my blgos is a plugin called Stealth Login. What it does is encrypt your login connection and you can also change your login path. So you get rid of the wp-admin login, since most hackers go for that path to steal your pass. I haven’t installed it on all my blogs because i’m still not sure how well it works. But i like the idea.

    1. That’s an interesting plugin Stan. I’ll keep it in mind for the future. My problem is that I have quite a few plugins running now and I’m starting to get leery about adding more. I’ll have to check it out more. I had never heard of it before. Thanks for sharing.

  13. My existing sites are hosted at Hostgator. (You talk about a self hosted blog). Is it possible to create a new directory and install WordPress in that directory if Hostgator is your host? Also I’m sure when I created a blog for one of my Amazon sites I was not able to change the default ‘admin’ log in. I could be wrong. Would be really interested in getting your input on the above issues.
    Many Thanks

    1. Peter, I don’t recommend re-installing your WordPress into a new subdirectory for active blogs. It’s a good tip to keep in mind for any future blogs you install.

      As for your admin logon, what you need to do is create a new logon with administrator privileges. Then logout and login with your new admin account. Then delete the old “admin” account. This is simple yet very important.

  14. Don’t Keep the WordPress Username ADMIN – I know some who stick with admin as username. It’s much easier to remember but like what you’ve said, it’s the default username. At least if two items are unknown to the hacker, it would be difficult for them to penetrate your account.

  15. I look forward to your next post and your story of brroken themes. There’s nothing worse than having to wade through pages of someone elses code to find out what’s broken.
    Of course you can always backup your theme. I work on my themes offline so fortunately I always have a backup.
    There have been times when I have broken my theme while working offline and had to back up from my server. It’s very handy to work this way.

    1. Thanks Steve. I posted the article yesterday. The problem was that even though I had both a MYSQL database backup and a full site backup, restoring them did not solve the problem. Thankfully, (unfortunately for them), other bloggers had run into a similar problem and there was a documented solution online. My post is sort of a warning to others about having documentation. It also should cast some light on the troubleshooting process that I went through.

  16. Like Rohan said, you are never 100% safe so you should take steps beyond prevention. I know it’s pretty obvious but for real peace of mind, make regular backups. Then if the worst does happen, you wont loose everything.

    1. That is so true Steve. I’m amazed by the number of people who don’t backup. Sometimes, backing up isn’t even enough. An interesting thing happened to me last weekend when my WordPress theme “broke”. Restoring from backups didn’t work. (My next post will fill you in on what happened.)

  17. Geez! thanks for these 3 important steps on how I can protect my WordPress from the mean hackers that do no good. I want to start my own blog and have used WordPress and I admit, Sherryl, that I have no idea how can I protect it. I’ll follow all the steps you have shared right now.

    1. Hi Mike,
      First, I want to apologize for not replying to your comment earlier than this. I try to reply daily but I missed your comment. Good luck with your blog. If you’d like me to take a quick look at your blog let me know and I may be able to give you some feedback.

      Thanks for taking the time to leave a comment.