Hackers like to target popular software programs. (Just ask anyone at Microsoft and they’ll agree.) There are WordPress plug-ins that you can install for additional security, but there are also some basic steps you can take to decrease the chances of your WordPress blog being hacked that don’t involve installing plug-ins.
#1) Don’t Install WordPress into the Root Directory
When you install WordPress (on a self hosted blog), the default is to install the software into the “root” directory of your blog. Instead, create a new directory with an obscure name and install WordPress into that. This will make it more difficult for malicious programs to find WordPress on your site.
Warning: There are certain extra steps that you will need to perform if you do this, including modifying your general settings and your index.php file. Also, if you’re using permalinks or other rewrite rules, the .htaccess file needs to be in the same location as the index.php file (i.e. not the ‘admin’ folder). So, you may want to buy the book that I recommend below or possibly hire a friendly geek to help. (I’m a Geek and my rates are reasonable.)
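The extra steps the warning alludes to, as an added example that is not part of the original article: a POSIX shell script that performs the relocation described here (a root index.php that loads WordPress from the subdirectory, the .htaccess copied beside it, and the two General Settings URLs, which WordPress stores as the siteurl and home options). The directory name k7x2blog, the document root and the site URL are placeholders; the WP-CLI calls run only if wp is on the PATH, otherwise the values to enter in the admin panel are printed.

```shell
#!/bin/sh
# Added example (not from the article): put WordPress in its own subdirectory
# while the site stays reachable at the document root.
# Assumptions: DOCROOT is the web root, SUBDIR is the obscure directory that
# already contains a WordPress install, WP-CLI ('wp') may or may not exist.

set -eu

WP_BIN=${WP_BIN:-wp}

# Write DOCROOT/index.php so that it requires SUBDIR/wp-blog-header.php.
# Works for both the old `require( dirname( __FILE__ ) . '/wp-blog-header.php' );`
# and the newer `require __DIR__ . '/wp-blog-header.php';` forms.
install_root_loader() {
  docroot=$1
  subdir=$2
  [ -f "$docroot/$subdir/wp-blog-header.php" ] || {
    echo "no WordPress found in $docroot/$subdir" >&2
    return 1
  }
  sed "s|/wp-blog-header\.php|/$subdir/wp-blog-header.php|" \
    "$docroot/$subdir/index.php" > "$docroot/index.php"
}

# Rewrite rules must live beside the index.php that serves the site, so the
# .htaccess WordPress generated is copied to the document root.
install_root_htaccess() {
  docroot=$1
  subdir=$2
  if [ -f "$docroot/$subdir/.htaccess" ]; then
    cp "$docroot/$subdir/.htaccess" "$docroot/.htaccess"
  fi
}

# General Settings: "WordPress address (URL)" is the 'siteurl' option and
# "Site address (URL)" is the 'home' option. Use WP-CLI when present,
# otherwise print the values to set in the admin panel.
set_site_urls() {
  site_url=$1   # e.g. https://example.com (placeholder)
  subdir=$2
  if command -v "$WP_BIN" >/dev/null 2>&1; then
    "$WP_BIN" option update siteurl "$site_url/$subdir"
    "$WP_BIN" option update home "$site_url"
  else
    echo "Set WordPress address (URL) to: $site_url/$subdir"
    echo "Set Site address (URL) to:      $site_url"
  fi
}

# Prints the subdirectory the root index.php currently loads WordPress from
# (nothing if it still loads from its own directory): a quick post-move check.
root_loader_target() {
  sed -n "s|.*'/\([^/']*\)/wp-blog-header\.php'.*|\1|p" "$1/index.php"
}

main() {
  docroot=$1
  subdir=$2
  site_url=$3
  install_root_loader "$docroot" "$subdir"
  install_root_htaccess "$docroot" "$subdir"
  set_site_urls "$site_url" "$subdir"
  echo "root index.php now loads WordPress from: $(root_loader_target "$docroot")"
}

# Usage: sh give_wp_own_dir.sh /var/www/html k7x2blog https://example.com
if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

Run it on the server after WordPress has been installed into the subdirectory. Two caveats worth knowing: the HTML WordPress serves still links to /k7x2blog/wp-content/... for themes and scripts, so the directory name is hidden from bulk scanners that probe default paths, not from anyone reading the page source; and WordPress rewrites the .htaccess in its own directory whenever permalink settings change, so the copy in the document root has to be refreshed afterwards.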
#2) Don’t Keep the WordPress Username ADMIN
Don’t keep the default “admin” account. Use it to create a new logon with administrator rights, then log in as that new user and delete the original “admin” account. This is for the same reason as tip #1: hackers know the default username for a standard WordPress installation is ADMIN and they look for it. This is an easy tip to follow. I don’t think warnings are needed for this one, but if anyone can think of a creative way to get in trouble with this one, please let me know.
#3) Keep Your WordPress Software Updated
Update your WordPress installation in a timely manner. (This is especially important if the update addresses a security risk.) Again, malicious software can look for old versions and compromise them. It’s reasonable to wait until there are no known problems with the upgrade process: I use the Thesis theme, so I always search first to make sure no one else has had an issue. (I don’t have to remind anyone to always back up before upgrading, do I?)
Recommended Reading to Get the Most Out of WordPress
When I first built my WordPress blog, I already had experience building HTML websites and sites using Joomla (another CMS, or Content Management System). Even so, as with any new program, I researched it before attempting to install it. (I’m definitely NOT a dive-in-before-you-find-out-how-deep-it-is kind of gal.)
Now, those of you who read my blog know that my preference is always to search for low-cost and open-source solutions. (I do donate to the authors when I can.) However, while I was searching for WordPress tips, I came across the book “Digging Into WordPress” by Chris Coyier and Jeff Starr. I opted for the PDF version for $27. There’s a print version available for $75 and NO, I am not an affiliate. I just found it to be extremely valuable, and it’s where I learned these three tips.
What security plug-ins do you use? Do you have more tips that you can share with us to keep our websites safe? What is your favorite resource for WordPress tips?
Twitter: christesperar
May 10, 2012 at 9:59 pm
Hacking is too mainstream these days since many people have started trying to build a blog. Using the default username/password is one of the common mistakes that all bloggers need to pay attention to. Step #1 is kind of geeky for others since you will move it to another directory, which is not common, but this is definitely worth a try.
Christian Esperar recently posted..Access Blocked And Banned Websites
Twitter: keepupweb
May 11, 2012 at 12:34 pm
Hi Christian,
I don’t recommend undertaking step #1 if you already have WordPress installed. (It is “kind of geeky”.) It is something to keep in mind for new installs. Thanks for taking the time to weigh in on this.
Sherryl Perry recently posted..Does Twitter Drive Traffic to Your Website Blog?
Twitter: itechcode
May 1, 2012 at 4:45 am
Thanks for these superb tips Sherryl. I am already following almost everything.
I would love to share this with my friends who want to start a new WordPress blog. It would be helpful for them.
Thanks.
Amit Shaw recently posted..Best iPhone Apps For Keeping Your Documents and Business in Cloud
Twitter: keepupweb
May 1, 2012 at 10:56 pm
I’m glad you found my post helpful Amit. When I decided to start my blog, I bought the “Digging Into WordPress” book (my affiliate link is in the sidebar under resources). I was very glad that I had invested in it because one of the first things I learned was to install WordPress into a directory rather than the root. That book is chock full of tips and I found it to be very well written.
Sherryl Perry recently posted..How to Ping Your Website Blog and When Not To
An outdated version of WordPress installed in the default directory is a lot easier to find and take advantage of than one that’s installed to a different directory.
Twitter: learnblogtips
March 8, 2012 at 9:11 am
Thank you so much for providing this info. I’m glad to find this blog. Really helpful for every blogger.
Rahul kuntala recently posted..How to Get Your First 1000 Twitter Followers
Twitter: keepupweb
March 17, 2012 at 11:31 am
Rahul,
Thanks for dropping by and taking the time to let me know that you liked my post about protecting your blog from hackers. I apologize for such a late reply but your comment was trapped by my spam filter. (I have no idea why.)
Sherryl Perry recently posted..How to Ping Your Website Blog and When Not To
Really helpful for us.
I’m glad you shared the valuable info with us. I appreciate your writing skills
Amit Shaw recently posted..12 Excellent Cloud-Based Tools To Be Productive
Twitter: keepupweb
March 17, 2012 at 11:26 am
Amit,
Somehow, your comment was caught in my spam filter and I just found it. I apologize for taking so long to answer you. Thanks so much for taking the time to let me know that you appreciated my post on protecting your WP site from hackers.
Sherryl Perry recently posted..WordPress OpenHook 3 Plugin Broke my Thesis Theme
Twitter: learnblogtips
March 8, 2012 at 8:59 am
I really didn’t know this before. I’m still keeping admin as my user name. I’ll change it now. Thanks for sharing this.

Rahul kuntala recently posted..How to Get Your First 1000 Twitter Followers
Twitter: keepupweb
March 8, 2012 at 12:00 pm
You’re welcome Rahul. I’m glad that you found my article interesting. Keeping the user “admin” really does open you to a risk of having your site hacked. It’s smart to create a new user and delete admin.
Sherryl Perry recently posted..Treat Your Blog Posts Like Website Home Pages
I was amazed reading this because I learned something new again. Something to add in my knowledge and I appreciate it so much. Keep on writing more informative articles.
Twitter: keepupweb
February 22, 2012 at 2:04 pm
Hi Grace, Thanks for letting me know that your found my article valuable. I’m glad I could help.
Sherryl Perry recently posted..Treat Your Blog Posts Like Website Home Pages
Twitter: bkgroup
February 16, 2012 at 6:37 am
Hi Sherryl,
I agree with the points you mentioned, especially your recommendation about Don’t Install WordPress into the Root Directory.
Most hackers would first target the root directory, so if we install WordPress in a new directory with an obscure name, hackers would not guess the word and this way we can get protection from hackers.
Nice post.
Bhavesh Sondagar recently posted..Top 5 Social Bookmarking Sites to boost Traffic To Your Blog
Twitter: keepupweb
February 16, 2012 at 8:02 pm
Thanks Bhavesh. I read an excellent book on WordPress prior to installing it and that was one of the things that stood out to me. When we install it in the root, it’s easy for a bot to target our sites. I think everyone would do this if they were aware of the risks involved.
Sherryl Perry recently posted..4 Simple Steps to Building Your Brand Online
One of the most common ways WordPress websites get hacked is because their owners don’t keep their software up to date. What happens is that older versions of WordPress can have known security weaknesses. These weaknesses are fixed by newer releases of the software.
Twitter: keepupweb
February 13, 2012 at 12:56 pm
It’s very important to keep our software updated. Following all three of the suggestions here will help. Additionally, we can install WordPress plugins like Firewall2 and Login Lockdown.
Sherryl Perry recently posted..4 Simple Steps to Building Your Brand Online
Don’t keep the “admin” password. <—— OMG! I always do this. I don't change the username "admin". Thanks a lot for this post. But I have an autolock system too for passwords that have been repeatedly entered in the wrong manner. THANKS THANKS! THIS POST REALLY HELPED A LOT. I'll lose my mind if my websites get hacked.
Just recently blogged about San Jose Internet Marketing
Marixie San Jose recently posted..Merry Christmas and Happy New Year!
Twitter: keepupweb
January 11, 2012 at 2:28 pm
Thanks for letting me know that my article helped you. You are not alone. I am amazed by how many people leave the admin user. I manage a LinkedIn group called Bloggers Helping Bloggers. I saw so many members who were doing this that I started a discussion just to warn people about it.
Sherryl Perry recently posted..Utilizing Social Media to Build Brand Awareness and Authority
What I’ve been trying on one of my blogs is a plugin called Stealth Login. What it does is encrypt your login connection, and you can also change your login path. So you get rid of the wp-admin login, since most hackers go for that path to steal your pass. I haven’t installed it on all my blogs because I’m still not sure how well it works. But I like the idea.
Twitter: keepupweb
December 30, 2011 at 11:45 am
That’s an interesting plugin Stan. I’ll keep it in mind for the future. My problem is that I have quite a few plugins running now and I’m starting to get leery about adding more. I’ll have to check it out more. I had never heard of it before. Thanks for sharing.
Sherryl Perry recently posted..4 SEO Tips to Optimize your WordPress Blog
My existing sites are hosted at Hostgator. (You talk about a self hosted blog). Is it possible to create a new directory and install WordPress in that directory if Hostgator is your host? Also I’m sure when I created a blog for one of my Amazon sites I was not able to change the default ‘admin’ log in. I could be wrong. Would be really interested in getting your input on the above issues.
Many Thanks
Peter
Twitter: keepupweb
December 10, 2011 at 12:00 pm
Peter, I don’t recommend re-installing your WordPress into a new subdirectory for active blogs. It’s a good tip to keep in mind for any future blogs you install.
As for your admin logon, what you need to do is create a new logon with administrator privileges. Then logout and login with your new admin account. Then delete the old “admin” account. This is simple yet very important.
Sherryl Perry recently posted..What the Heck is an RSS Feed?
Don’t Keep the WordPress Username ADMIN – I know some who stick with admin as username. It’s much easier to remember but like what you’ve said, it’s the default username. At least if two items are unknown to the hacker, it would be difficult for them to penetrate your account.
Audrey recently posted..Fisher Price Newborn Rock And Play Sleeper Review
Twitter: keepupweb
November 20, 2011 at 9:31 pm
I agree Audrey, that’s one of the first things that someone should do when they’re setting up their WordPress blog.
Sherryl Perry recently posted..What Can You Do if Restoring Your WordPress Backup Doesn’t Work?
Twitter: hippoxx
November 11, 2011 at 3:11 am
I look forward to your next post and your story of broken themes. There’s nothing worse than having to wade through pages of someone else’s code to find out what’s broken.
Of course you can always backup your theme. I work on my themes offline so fortunately I always have a backup.
There have been times when I have broken my theme while working offline and had to back up from my server. It’s very handy to work this way.
Steve recently posted..Instant Free SEO Test
Twitter: keepupweb
November 11, 2011 at 10:56 am
Thanks Steve. I posted the article yesterday. The problem was that even though I had both a MYSQL database backup and a full site backup, restoring them did not solve the problem. Thankfully, (unfortunately for them), other bloggers had run into a similar problem and there was a documented solution online. My post is sort of a warning to others about having documentation. It also should cast some light on the troubleshooting process that I went through.
Sherryl Perry recently posted..What Can You Do if Restoring Your WordPress Backup Doesn’t Work?
Twitter: hippoxx
November 10, 2011 at 3:52 am
Like Rohan said, you are never 100% safe, so you should take steps beyond prevention. I know it’s pretty obvious, but for real peace of mind, make regular backups. Then if the worst does happen, you won’t lose everything.
Steve recently posted..Banks Or Gangsters Who Do You Prefer?
Twitter: keepupweb
November 10, 2011 at 12:46 pm
That is so true Steve. I’m amazed by the number of people who don’t backup. Sometimes, backing up isn’t even enough. An interesting thing happened to me last weekend when my WordPress theme “broke”. Restoring from backups didn’t work. (My next post will fill you in on what happened.)
Sherryl Perry recently posted..Could Your Business Survive if Something Happened to You?
Geez! Thanks for these 3 important steps on how I can protect my WordPress from the mean hackers that do no good. I want to start my own blog and have used WordPress, and I admit, Sherryl, that I have no idea how I can protect it. I’ll follow all the steps you have shared right now.
Twitter: keepupweb
November 10, 2011 at 12:44 pm
Hi Mike,
First, I want to apologize for not replying to your comment earlier than this. I try to reply daily but I missed your comment. Good luck with your blog. If you’d like me to take a quick look at your blog let me know and I may be able to give you some feedback.
Thanks for taking the time to leave a comment.
Sherryl Perry recently posted..3 Steps to Develop a Branding Strategy for Social Media
Twitter: PRLuv
October 4, 2011 at 5:30 am
I don’t know which of these steps I failed to utilize, but I had my first website hacked about six months ago. The joke was on me the whole way – the website was CoolHacker.com.
I never even bothered dealing with it. Just never went back to the page and let the domain run out on renewal, LOL.
Thomas recently posted..14,000+ Available Domains With Exact Match Search Volume Up To 300k
Twitter: keepupweb
October 4, 2011 at 1:08 pm
Wow! That’s a shame Thomas. I wonder if your choice of domain name did have any influence on why you were targeted. I hope you didn’t have a lot of time or money invested in it.
Sherryl Perry recently posted..3 Steps to Develop a Branding Strategy for Social Media
Twitter: PRLuv
October 6, 2011 at 11:05 pm
LOL, I’m almost certain it did. I had no time or money invested in it, it was more a ‘theme test playground.’ One of many at the time, haha. I just thought it was a cool name.
Light way to learn a lesson, but I’ll take it.

Thomas recently posted..Get Free Internet Traffic For Your Site (tool)
I believe there are also default table names you can change. There’s a plugin for that, WP Security something, that will tell you what the current possible weak points in your WP are.
Kenneth Tan recently posted..Graffiti Wars: Banksy VS Robbo
Twitter: keepupweb
September 7, 2011 at 6:27 pm
I haven’t read about renaming tables. I wonder if that would affect automatic upgrades.
Sherryl Perry recently posted..Can Anyone Really Follow 131,000 People on Twitter?
I love your first tip, to not install it in the root. That way hackers that use bots get shut down. Of course if a hacker tries to hack manually any exploits will still be there.
Alice D recently posted..Low Mortgage Rates Almost Impossible To Get
Twitter: keepupweb
August 10, 2011 at 7:27 pm
That’s true Alice. It’s certainly not foolproof but it could deter the hackers that are looking for sites that can be exploited more easily.
Sherryl Perry recently posted..Have You Been Innovative Today?
There are a few other things that need to be done to secure your wordpress installation.
For example, the wp-config.php file can be moved out of the main WordPress installation folder, irrespective of what directory you install your WordPress in. It is easy to guess that your WordPress is installed on domain.com or domain.com/blog if the hacker is doing it manually and not using a BOT. So it is imperative to pick up the wp-config.php file (this file has the passwords, database admin access and login details) and place it one directory above the WP installation directory, and it works fine from there.
Adding the text
# Protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
to your .htaccess helps to prevent .htaccess file hijacking, and there are a lot of other ways a WP installation can get hacked using SQL and JavaScript injections even if a person (guest blogger) has just ‘contributor’ rights to your blog, which I have covered in an article I have written for SearchEngineJournal, “Is your guest contributor killing your site?”. Being a WordPress developer and ethical hacker myself, I know that there are more exploits than there are solutions for. There is really no way to protect your installation 100%, but the best I have found is to restrict access to your wp-admin directory via TCP wrapping and allowing access only if it is requested from your IP address.
Rohan recently posted..How Google+ Can Help Your Business
Twitter: keepupweb
August 4, 2011 at 11:06 am
Rohan,
Thanks so much for sharing this information with us. I read the article you wrote for SearchEngineJournal too. It’s excellent and I tweeted it for you. Welcome and I look forward to reading more of your comments!
Sherryl Perry recently posted..If Your Website Was a Wheel – Is Your Blog the Hub or a Spoke?
Could you explain why you recommend “Don’t Install WordPress into the Root Directory”? WordPress is a public blog; we install it and need readers to visit and read it. I don’t think there’s any reason why we need to install it in another folder.
Jenni recently posted..Secrets on How to Create a Killer Content for Your Blog
Twitter: keepupweb
July 31, 2011 at 11:18 am
Hi Jenni,
Installing the WordPress software makes it a little more difficult for malicious programs to find it. It’s not foolproof by any means but there are programs that seek installations of software to take advantage of known vulnerabilities. An outdated version of WordPress installed in the default directory is a lot easier to find and take advantage of than one that’s installed to a different directory.
Your blog is still very public. There are 2 settings in your WP admin panel under “general”. One is for your “WordPress address (URL)”. This is where you point to the directory where you’ve installed WP. The second setting is for your “Site address (URL)”. This is the address for your blog.
Sherryl Perry recently posted..20 Tips to Help Protect Your Online Privacy