3 Steps to Protect Your WordPress Blog from Hackers

Share Button

Hackers like to target popular software programs. (Just ask anyone at Microsoft and they’ll agree.) There are WordPress plug-ins that you can install for additional security but there are also some basic steps that you can take to help decrease the chances of your WordPress blog from being hacked that don’t include installing plug-ins.

#1) Don’t Install WordPress into the Root Directory

When you install WordPress (on a self hosted blog), the default is to install the software into the “root” directory of your blog. Instead, create a new directory with an obscure name and install WordPress into that. This will make it more difficult for malicious programs to find WordPress on your site.

Warning: There are certain extra steps that you will need to perform if you do this including modifying your general settings and your index.php file. Also, if you’re using permalinks or other rewrite rules, the .htaccess file needs to be in the same location as the index.php file (i.e. not the ‘admin’ folder). So, you may want to buy the book that I recommend below or possibly hire a friendly geek to help. (I’m a Geek and my rates are reasonable. 🙂)

#2) Don’t Keep the WordPress Username ADMIN

Don’t keep the “admin” password. Use it to create a new logon with admin rights. Then, log in and delete the original admin password. This is for the same reason as tip #1. Hackers know the default username for a standard WordPress installation is ADMIN and they look for it. This is an easy tip to follow. I don’t think warnings are needed for this one but if anyone can think of a creative way to get in trouble with this one, please let me know.

#3) Keep Your WordPress Software Updated

Update your WordPress installations in a timely manner. (This is especially important if the update is addressing a security risk.) Again, malicious software can look for old versions and compromise them. It’s one thing to wait until there are no known problems with the upgrade process. I use the Thesis theme. So, I always search first to make sure no one else has had an issue. (I don’t have to remind anyone to always backup before upgrading do I?)

Recommended Reading to Get the Most Out of WordPress

When I first built my WordPress blog, I already had experience building HTML websites and sites using Joomla (another CMS –Content Management System program). Even so, as with any new program, I researched it before attempting to install it. (I’m definitely NOT a dive-in-before-you-find-out-how-deep-it-is kind of gal.)

Now, for those of you who read my blog, you know that my preference is always to search for low-cost and open-source solutions. (I do donate to the authors when I can.) However, while I was searching on WordPress tips, I came across the book “Digging Into WordPress” by Chris Coyier and Jeff Starr. I opted for the PDF version for $27. There’s a print version available for $75 and NO, I am not an affiliate. I just found it to be extremely valuable and it’s where I learned these three tips.

What security plug-ins do you use? Do you have more tips that you can share with us to keep our websites safe? What is your favorite resource for WordPress tips?

Share Button

Author: Sherryl Perry

Welcome! If you're looking for help building an Internet presence that fits your needs and works for you, you're in the right place. I blog common sense articles about WordPress, social media and SEO. My goal is to help small business owners and entrepreneurs understand their core business. Together, we can develop and implement business strategies that make sense to you.

150 thoughts on “3 Steps to Protect Your WordPress Blog from Hackers”

  1. Thanks for letting me know that you found my article about WordPress security useful. As for security plugins, I use Better WP Security. It’s very powerful and you don’t have to implement everything they suggest to make your site safer. (The only thing that I find slightly annoying is all of the notifications that you’ll get. You can tweak the settings but then if there is a hack, you may not be notified of it.)

    The other plugin that you may want to install is “Prevent XMLRPC” which addresses a recently identified security vulnerability involving trackback spam.

  2. Hi Sheryl,

    Nice article but can I ask a question? Don’t you suggest using other wordpress plugin like limit login attempts? In my end, I am using that plugin in addition to extremely difficult password.

      1. Yeah you are right there Sherryl. Plugins can help albeit they will slow down our website’s loading time.

        Actually I created a post about protecting a wordpress blog from hackers just today too. lol. There I included this plugin, Limit Login Attempts.

        If you have spare time please try reading it too.

  3. The mere thought of losing access to my blog makes me cringe 🙁 These good for nothing hackers must be annihilated!!! But because no one has the ability to do it for good, let us make it a habit to take precautionary measures like increasing the strength of our password and being wary of anything suspicious. Thanks for the very informative share!

    1. Hi Emilia,
      Thanks for joining the conversation. 🙂 I cringe over the thought of hackers too. Strong passwords and changing them regularly is so important. Having backups offsite as well as local is important too just in case someone does manage to access your site and do damage.

      Recently Richard Bracke was a guest blogger here and he wrote an interesting article for us on cloud computing. I linked to it below. You might find it interesting.
      Sherryl Perry recently posted..Is Cloud Computing Safe for Your Business?My Profile

  4. What I would have given for this information 2 years ago, Sherryl.

    I poured my heart and soul into my first ever blog – a Vegan website – and spent months making it as best I could. One day I logged in to find a warning telling me that it’d been hacked and after speaking with some more computer literate buddies I learned that my beloved pet project was unsaveable.

    To all those reading this post – it CAN happen to you, really easily, because sadly there are some malicious people out there. Following these 3 steps will go a long way to preventing any loss though!

    ADam 🙂

    1. Hi Adam,
      It’s unfortunate that happened to you. No matter how much we think we’re protected, there are some very real risks out there. Recently, a blogging friend of mine had his two most valuable domain names stolen from him. (The usual safeguards that are supposed to protect us seem to have failed.) His first notice that he had lost his domains came in the form of an email from the person who stole them. (He was trying to sell them to the real owner.) After contacting the FBI, he was able to reclaim them. Lesson learned – we have to take extra steps to protect ourselves. In this case, his password was hacked. So, he now has established an even more secure one. (After hearing his story, I changed mine too. We both use GoDaddy as our domain registrars.)
      Sherryl Perry recently posted..How to Grow Your Google+ FollowersMy Profile

  5. I’ve been looking around for tips to keep my wordpress site secure and the information you provided here is just what I need. Thanks a lot!

    1. Kristine,
      First, I want to apologize for taking over two weeks to reply to your comment. (It’s been an insane month of techie issues but that is not a good excuse.) Thanks for letting me know that you found my tips for protecting your WordPress site from hackers valuable. I appreciate your taking the time to let me know.
      Sherryl Perry recently posted..4 Tips You Should Know When You Start BloggingMy Profile

  6. Thanks for letting me know that you found my tips valuable. Just yesterday, I was on a blog where all the posts were created by “Admin”. That is such a common mistake and so easy to fix! I’m off to write my post for this week and I think this tip is worth mentioning again.
    Sherryl Perry recently posted..Is Your Email Address Part of Your Brand?My Profile

  7. Hacking is too mainstream this day since there are many people started to try to build a blog. Using the default username/passwords is one of the common mistakes that all bloggers need to pay attention. Step#1 is kind of geeky for others since you will move it to other directories which is not common but this is definitely worth a try.

    1. I’m glad you found my post helpful Amit. When I decided to start my blog, I bought the “Digging Into WordPress” book (my affiliate link is in the sidebar under resources). I was very glad that I had invested in it because one of the first things I learned was to install WordPress into a directory rather than the root. That book is chock full of tips and I found it to be very well written.
      Sherryl Perry recently posted..How to Ping Your Website Blog and When Not ToMy Profile

  8. An outdated version of WordPress installed in the default directory is a lot easier to find and take advantage of than one that’s installed to a different directory.

  9. I was amazed reading this because I learned something new again. Something to add in my knowledge and I appreciate it so much. Keep on writing more informative articles.

  10. Hi Sherryl,
    I am agree with the point you mentioned,specially your recommendation about Don’t Install WordPress into the Root Directory.
    Most of hackers would first target the root directory,so if we are installing WordPress on new directory with obscure name,hackers would not guess the word and this way we can get protection from hackers.
    Nice post.
    Bhavesh Sondagar recently posted..Top 5 Social Bookmarking Sites to boost Traffic To Your BlogMy Profile

  11. One of the most common ways WordPress websites get hacked is because their owners don’t keep their software up to date. What happens is that older versions of WordPress can have known security weaknesses. These weaknesses are fixed by newer releases of the software.

  12. Don’t keep the “admin” password. <—— OMG! I always do this. I don't change the username "admin". Thanks a lot for this post. But I have an autolock system too for passwords that have been repeatedly entered in the wrong manner. THANKS THANKS! THESE POST REALLY HELPED A LOT. I'll lose my mind if my websites got hacked.

  13. What i’ve been trying on one of my blgos is a plugin called Stealth Login. What it does is encrypt your login connection and you can also change your login path. So you get rid of the wp-admin login, since most hackers go for that path to steal your pass. I haven’t installed it on all my blogs because i’m still not sure how well it works. But i like the idea.

  14. My existing sites are hosted at Hostgator. (You talk about a self hosted blog). Is it possible to create a new directory and install WordPress in that directory if Hostgator is your host? Also I’m sure when I created a blog for one of my Amazon sites I was not able to change the default ‘admin’ log in. I could be wrong. Would be really interested in getting your input on the above issues.
    Many Thanks

    1. Peter, I don’t recommend re-installing your WordPress into a new subdirectory for active blogs. It’s a good tip to keep in mind for any future blogs you install.

      As for your admin logon, what you need to do is create a new logon with administrator privileges. Then logout and login with your new admin account. Then delete the old “admin” account. This is simple yet very important.
      Sherryl Perry recently posted..What the Heck is an RSS Feed?My Profile

  15. Don’t Keep the WordPress Username ADMIN – I know some who stick with admin as username. It’s much easier to remember but like what you’ve said, it’s the default username. At least if two items are unknown to the hacker, it would be difficult for them to penetrate your account.

  16. I look forward to your next post and your story of brroken themes. There’s nothing worse than having to wade through pages of someone elses code to find out what’s broken.
    Of course you can always backup your theme. I work on my themes offline so fortunately I always have a backup.
    There have been times when I have broken my theme while working offline and had to back up from my server. It’s very handy to work this way.
    Steve recently posted..Instant Free SEO TestMy Profile

    1. Thanks Steve. I posted the article yesterday. The problem was that even though I had both a MYSQL database backup and a full site backup, restoring them did not solve the problem. Thankfully, (unfortunately for them), other bloggers had run into a similar problem and there was a documented solution online. My post is sort of a warning to others about having documentation. It also should cast some light on the troubleshooting process that I went through.
      Sherryl Perry recently posted..What Can You Do if Restoring Your WordPress Backup Doesn’t Work?My Profile

  17. Geez! thanks for these 3 important steps on how I can protect my WordPress from the mean hackers that do no good. I want to start my own blog and have used WordPress and I admit, Sherryl, that I have no idea how can I protect it. I’ll follow all the steps you have shared right now.

Comments are closed.