3 Steps to Protect Your WordPress Blog from Hackers


Hackers like to target popular software programs. (Just ask anyone at Microsoft and they’ll agree.) There are WordPress plug-ins that you can install for additional security, but there are also some basic steps you can take, without installing any plug-ins, to decrease the chances of your WordPress blog being hacked.

#1) Don’t Install WordPress into the Root Directory

When you install WordPress (on a self-hosted blog), the default is to install the software into the “root” directory of your site. Instead, create a new directory with an obscure name and install WordPress into that. This will make it more difficult for malicious programs to find WordPress on your site.

Warning: There are certain extra steps that you will need to perform if you do this including modifying your general settings and your index.php file. Also, if you’re using permalinks or other rewrite rules, the .htaccess file needs to be in the same location as the index.php file (i.e. not the ‘admin’ folder). So, you may want to buy the book that I recommend below or possibly hire a friendly geek to help. (I’m a Geek and my rates are reasonable. 🙂)

#2) Don’t Keep the WordPress Username ADMIN

Don’t keep the default “admin” account. Use it to create a new login with administrator rights. Then, log in as the new user and delete the original “admin” account. This is for the same reason as tip #1: hackers know the default username for a standard WordPress installation is ADMIN and they look for it. This is an easy tip to follow. I don’t think warnings are needed for this one, but if anyone can think of a creative way to get in trouble with it, please let me know.

#3) Keep Your WordPress Software Updated

Update your WordPress installations in a timely manner. (This is especially important if the update addresses a security risk.) Again, malicious software can look for old versions and compromise them. It’s one thing to wait until there are no known problems with the upgrade process. I use the Thesis theme, so I always search first to make sure no one else has had an issue. (I don’t have to remind anyone to always back up before upgrading, do I?)
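The parts of tips #1 and #3 that live on disk can be checked with a script. The following is an added example, not code from the original post or from WordPress itself. It builds a constructed sample site in a temporary directory and inspects it the way you would during a review of a real web root: it reads the web root’s index.php to see whether WordPress has been given its own sub-directory, confirms that .htaccess sits beside that index.php (the caveat in the warning above), and compares the $wp_version string from wp-includes/version.php against a “latest release” you pass in. The directory name “flower”, the version numbers, and the function names audit() and demo() are my own placeholders; tip #2 is not covered because the admin user lives in the database, not on disk.

```python
"""Offline audit of a self-hosted WordPress layout against tips #1 and #3.

Added example, not code from the original post. It only reads files on
disk (no database, no network), so it cannot check tip #2. The sample
site it builds is constructed for the demo; "flower" is a placeholder.
"""
import os
import re
import tempfile

# $wp_version is defined in wp-includes/version.php in every WordPress release.
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# The web-root index.php requires wp-blog-header.php; a sub-directory install
# ("give WordPress its own directory") puts the directory name in that path.
REQUIRE_RE = re.compile(
    r"require\s*\(?\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*'([^']*)/wp-blog-header\.php'"
)


def build_sample_site(root, subdir="flower", wp_version="3.2", htaccess_in_subdir=False):
    """Create a constructed web root with WordPress installed in `subdir` ("" = root)."""
    wp_dir = os.path.join(root, subdir) if subdir else root
    os.makedirs(os.path.join(wp_dir, "wp-includes"))
    with open(os.path.join(wp_dir, "wp-includes", "version.php"), "w") as f:
        f.write(f"<?php\n$wp_version = '{wp_version}';\n")
    header_path = ("/" + subdir if subdir else "") + "/wp-blog-header.php"
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php\ndefine('WP_USE_THEMES', true);\n"
                f"require( dirname( __FILE__ ) . '{header_path}' );\n")
    # Rewrite rules only work if .htaccess sits beside the index.php that serves the site.
    ht_dir = wp_dir if htaccess_in_subdir else root
    with open(os.path.join(ht_dir, ".htaccess"), "w") as f:
        f.write("RewriteEngine On\n")
    return root


def parse_version(text):
    """'3.2.1' -> (3, 2, 1); tuple comparison makes '3.2' < '3.2.1'."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def audit(root, latest_version):
    """Return findings for tip #1 (directory layout) and tip #3 (version)."""
    findings = {}
    with open(os.path.join(root, "index.php")) as f:
        match = REQUIRE_RE.search(f.read())
    if not match:
        raise ValueError("index.php does not load wp-blog-header.php")
    subdir = match.group(1).strip("/")
    wp_dir = os.path.join(root, subdir) if subdir else root
    findings["wp_dir"] = subdir
    findings["installed_in_root"] = subdir == ""
    # Tip #1 caveat: with permalinks, .htaccess belongs next to index.php, not in the WP folder.
    findings["htaccess_beside_index"] = os.path.exists(os.path.join(root, ".htaccess"))
    findings["htaccess_only_in_wp_dir"] = (
        not findings["htaccess_beside_index"]
        and bool(subdir)
        and os.path.exists(os.path.join(wp_dir, ".htaccess"))
    )
    with open(os.path.join(wp_dir, "wp-includes", "version.php")) as f:
        version = VERSION_RE.search(f.read()).group(1)
    findings["installed_version"] = version
    # Tip #3: an installed version older than the latest release is a known target.
    findings["outdated"] = parse_version(version) < parse_version(latest_version)
    return findings


def demo(subdir="flower", wp_version="3.2", latest="3.2.1", htaccess_in_subdir=False):
    """Build a throwaway sample site and audit it; returns the findings dict."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    build_sample_site(root, subdir, wp_version, htaccess_in_subdir)
    return audit(root, latest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:<24} {value}")
```

Against a real site, call audit("/path/to/web/root", "<current release>") with the release number you looked up yourself; the script deliberately makes no network calls. The 'outdated' flag is only as good as the version you pass in, so check the release number each time you run it rather than hard-coding it.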

Recommended Reading to Get the Most Out of WordPress

When I first built my WordPress blog, I already had experience building HTML websites and sites using Joomla (another CMS, or Content Management System). Even so, as with any new program, I researched it before attempting to install it. (I’m definitely NOT a dive-in-before-you-find-out-how-deep-it-is kind of gal.)

Now, for those of you who read my blog, you know that my preference is always to search for low-cost and open-source solutions. (I do donate to the authors when I can.) However, while I was searching on WordPress tips, I came across the book “Digging Into WordPress” by Chris Coyier and Jeff Starr. I opted for the PDF version for $27. There’s a print version available for $75 and NO, I am not an affiliate. I just found it to be extremely valuable and it’s where I learned these three tips.

What security plug-ins do you use? Do you have more tips that you can share with us to keep our websites safe? What is your favorite resource for WordPress tips?


Author: Sherryl Perry

Welcome! If you're looking for help building an Internet presence that fits your needs and works for you, you're in the right place. I blog common sense articles about WordPress, social media and SEO. My goal is to help small business owners and entrepreneurs understand their core business. Together, we can develop and implement business strategies that make sense to you.

150 thoughts on “3 Steps to Protect Your WordPress Blog from Hackers”

  1. I don’t know which of these steps I failed to utilize, but I had my first website hacked about six months ago. The joke was on me the whole way – the website was CoolHacker.com. 😉

    I never even bothered dealing with it. Just never went back to the page and let the domain run out on renewal, LOL.

      1. LOL, I’m almost certain it did. I had no time or money invested in it, it was more a ‘theme test playground.’ One of many at the time, haha. I just thought it was a cool name.

        Light way to learn a lesson, but I’ll take it. 😉

  2. I believe there are also default table names you can change. There’s a plugin for that, WP Security something, that will tell you what the current possible weak points in your WP are.

  3. There are a few other things that need to be done to secure your wordpress installation.
    Like the wp-config.php file can be moved out of the main wordpress installation folder, irrespective of what directory you install your wordpress in. It is easy to guess that your wordpress is installed on domain.com or domain.com/blog if the hacker is doing it manually and not using a BOT. So it is imperative to pick up the wp-config.php file (this file has the passwords, database admin access and login details) and place it one directory above the WP installation directory, and it works fine from there.

    Adding the text

    # Protect the htaccess file
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

    to your htaccess helps to prevent htaccess file hijacking, and there are a lot of other ways a WP installation can get hacked using SQL and javascript injections even if a person (guest blogger) has just ‘contributor’ rights to your blog, which I have covered in an article I have written for SearchEngineJournal: Is your guest contributor killing your site? Being a wordpress developer and ethical hacker myself, I know that there are more exploits than there are solutions for. There is really no way to protect your installation 100%, but the best I have found is to restrict access to your wp-admin directory via TCP wrapping and allowing access only if it is requested from your IP address.

    1. Hi Jenni,
      Installing the WordPress software makes it a little more difficult for malicious programs to find it. It’s not foolproof by any means but there are programs that seek installations of software to take advantage of known vulnerabilities. An outdated version of WordPress installed in the default directory is a lot easier to find and take advantage of than one that’s installed to a different directory.

      Your blog is still very public. There are 2 settings in your WP admin panel under “general”. One is for your “WordPress address (URL)”. This is where you point to the directory where you’ve installed WP. The second setting is for your “Site address (URL)”. This is the address for your blog.
      Sherryl Perry recently posted: 20 Tips to Help Protect Your Online Privacy

  4. If I may make one other comment, if anyone reading this blog has the wp-phpmyadmin plugin installed on their site, it should be removed immediately.

    This plugin has not been updated since 2007 and is no longer on the WordPress plugin repository.

    Over the past two months, we’ve been seeing many infected websites with this plugin. Typically the hackers have been adding a file named: upgrade.php with malicious code in it.

    Uninstall that plugin immediately!

    Just an FYI…

  5. I would have to say you are definitely Queen of comments! The comments you get and respond to is amazing.

    I could learn a lot from you on getting people to comment on my blog.

  6. One key point to keep in mind when you install it in a sub-directory is to definitely use the SEF options. This way, to Google your blog will be: http://yourdomain.com

    If your blog shows in Google as: http://yourdomain.com/blog, then the hackers, who do use Google to find sites to attack, will find your site and the folder your blog is in, no matter what you name it.

    I’m not saying this isn’t a good step, it is! But don’t forget that hackers use Google too.

    1. Thomas when you refer to the SEF options, do you mean the settings in the WP admin panel? I have a client site set up with the URL address indicating a sub-directory of “blog” (as in your example) but the WP installation is in another hidden directory. I also made changes to my index.php and my .htaccess files. Am I missing something here?
      Sherryl Perry recently posted: The Buzz about Google+ Do You Love it or Hate it?

      1. You’re not missing anything. You have it setup correctly. The URL says /blog/ but as long as the WP installation is in a different folder, you’re not letting the hackers know where your files actually are.

        Keep in mind this is considered: security by obscurity, but when used as one segment of an overall security plan, it does play a significant role.

        What I was referring to earlier was like in our setup. We have our WP installation in a folder on our website named /wordpress/ that does show in our SE results, however, we have many other security systems setup to protect it. However, for most people, this is not the recommended way.

  7. I have my own free WP account, though it was not meant for business, I would feel upset if it would be hack. Thanks for your tips, my username is already different and not as an admin name, then I would follow the rest.

  8. Really good post, Sherryl – thanks. There are lots of plugins that can help to make WordPress more secure, but I think you’ve highlighted some of the key actions – such as changing your username from admin to something else. It’s amazing how many people aren’t aware of that.

  9. Those are both good tips. I was honestly surprised that a couple of people have been intimidated about even creating a new account with the administrator role. I think people who feel technologically challenged sometimes hesitate to make any changes to their blogs but there are so many bloggers online who are willing to offer guidance. The downside of not backing up and taking steps to protect their blog puts them in a much more precarious situation.
    Sherryl Perry recently posted: Ambassador of Buzz - Social Networking Done Right

  10. I find so many people who use WordPress are using a version that is more than a couple of versions old. I think however if Sony can get hacked, a simple WordPress blog has no hope in the face of some serious hackers.

    1. There’s definitely no guarantees that you won’t get hacked but there are steps to take to at least make it a little harder for hackers. Sites like Sony are deliberately targeted but for smaller less popular sites like most bloggers have, I believe that hackers send out malicious programs targeting known vulnerabilities. So, it makes sense to install updates.
      Sherryl Perry recently posted: Can Bloggers Learn a Lesson From Watching American Idol?

  11. Hi, Sherryl! I’m in the Circulation Desk with you and appreciate having a tech savvy person to read. 🙂 I am apparently behind the times and still use Blogger (considering changing but don’t have a “guy” like Atticus does. LOL). I hope to learn from you along the way and will check out some of your past posts as well.

    Twitter: robertssister1
    caregiving. family. advocacy.

  12. Hi Sherryl,

    Glad to be able to return the compliment and visit your site. I don’t do most of these things as my husband sees to them for me. I love the idea of the plug-in though so am going to have a look at that.

    What ways do you do your blog back-up Sherryl? I am always keen to hear how others do their stuff. Nice to read other people’s comments too. Thanks.

    Fiona Stolze
    Inspired Art and Living

    1. That’s terrific that your husband takes care of your site! I use WP-DBManager and I’m very happy with it if I need to do a quick restore of my SQL database. What I depend upon most for backups is Rochen Vault. Rochen is the hosting company that I use and “Vault” is their daily backup system. I’ve been hosting with Rochen for over 6 years now. I’ve had 2 instances where sites I’ve owned have had issues. One time, my Joomla site was hacked into (my fault for neglecting it and not updating) and the 2nd time was a site where I noticed that my live help had stopped working. In both instances, Rochen rescued me. In the case of the site where the Joomla module had suddenly stopped working, they had to go back over 3 months to get me back. Since then, they’ve improved Rochen Vault to the point where I can do restores like this unassisted. I highly recommend them. To me, they’re worth the extra money (about $10/month).
      Sherryl Perry recently posted: Ambassador of Buzz - Social Networking Done Right

  13. First of all, welcome to our blogging group, The Circulation Desk, Sherryl! Nice to have a top-notch techie among us.
    Like Julie, I am not tech savvy (and have no interest in becoming so!!) that’s why I have “a guy” 🙂
    Really appreciate your tips and will alert my “guy” about the root stuff (to me, roots are the gray growings on my head or the legs of my plants!– lol)
    my best tip for evading viruses — buy a mac!!!

    Heidi & Atticus
    “commentary to give you paws…”
    Heidi Alberti & Atticus Uncensored recently posted: The State Fair Needs Some Canine Compassion

  14. Some great tips.. I am not too tech savvy, so some of this seemed like another language to me. I didn’t set up my WP blog, I paid someone to do it, but I know he is an expert at what he does and came highly recommended, so I am presuming (and hoping) that he took these steps. (My log on was not admin) so that is a good sign. (I use the same guy as Louise) so I think I am probably OK. My blog backs up once a week and I get an email with the backup in it and I just save that… Hopefully I am doing enough.

    Julie Labes: The Fun-Loving, Feisty, Fearless, Frisky, Fierce Over 50 Traveler

    1. Sorry parts of my post seems like a foreign language to you Julie. I always try to translate Geek to English. 🙂 If ever you have questions, please feel free to ask. If I don’t know the answer, maybe someone else will or I’ll Google it and send the link. I’m sure if you question something, other readers have the same question too. As for hiring someone to take care of your WP installation, that can be a smart thing to do. Whenever something is outside of our skill set, it’s smart to outsource! 🙂
      Sherryl Perry recently posted: Can Bloggers Learn a Lesson From Watching American Idol?

  15. Wow, thanks for the info…..didn’t realize about the updates – exactly……hmmm better do those!!!! These were all great tips for people….thanks for sharing and I look forward to learning more…as I grow to be more technophobic! Hearing about all this hacking is making me nervous (hence your blog…got it:) Appreciate all your info…I will be back!

    Rita Brennan Freay

    1. Thanks Rita. I hope you do come back and be sure to let me know if there’s a topic that you want to learn more about. Lots of my articles are inspired by questions and emails.

      I know I’ve mentioned this several times before but I really caution everyone to backup WordPress before they perform any updates. Just last week, I updated a plugin that I’ve been using for over a year. When I checked my blog, I had PHP errors throughout all of my posts. Thankfully, I had a backup to restore.
      Sherryl Perry recently posted: If Your Website Was a Wheel – Is Your Blog the Hub or a Spoke?

  16. I, too, have had a computer crash where I lost a tremendous amount. Learned the hard way…I’m very naive about computer protection, so your advice is much appreciated. I didn’t keep the ADMIN name, and I accept the updates, so I’m at least doing something right. As for the “root” directory, don’t even know what that means!

    I look forward to more instruction and guidance from you. I find it quite reassuring to get information from people who clearly know what they are talking about. You might have to dumb it down for me, but I’ll do my best to keep up!

    Judy Stone-Goldman
    The Reflective Writer
    “My cat owns me, my clutter stymies me, my writing frees me.
    Word maven loves–and learns from–ordinary life.”

    1. Hi Judy, Don’t worry about my recommendation to install WordPress in a sub-directory rather than the “root”. That advice is more for new installations. As for what the “root” is, it’s basically the highest level of a computer drive that you can access. For example, if you’re looking at the files on your computer and you have a drive named “C”, then “C:\” would be the root. Files not in the root are in directories and sub-directories.

      When someone installs WordPress on the host server, the default is to install in the folder that is available to the public. By creating a sub-folder (called an obscure name like “flower”), it makes it a little more difficult for malicious programs to find your WordPress installation. It’s definitely not a guarantee but it’s one more level of protection.
      Sherryl Perry recently posted: Can Bloggers Learn a Lesson From Watching American Idol?

  17. Hi Sherryl, I learned the hard way about backing up my computer. It completely crashed a few weeks ago. Thank goodness for the geek squad at Best Buy. They were able to save all my files but what a pain to set everything back up.

    With WordPress, or anything I sign up for, I always change the “admin” name and the password right away. Lots of great advice, I look forward to continuing to learn from you 🙂

    1. Thanks for sharing your experience with us June. That’s great that Best Buy was able to salvage your files. It’s always good to get feedback based on an actual experience. It helps all of us. Welcome to my blog. It’s a great group of readers and I encourage everyone to share. There’s a lot to be learned in the comment sections here. 🙂
      Sherryl Perry recently posted: Google Panda and Website Load Times

  18. Thanks for the great tips. I KNOW I need to change my username but have never got around to it. Will run off and do it right now! The guy that looks after and is building my new look blog takes care of 1 and 3 for me thankfully!
    Louise Edington
    Fabulous and Fearless

  19. Hi Sherryl,

    I am definitely the “dive-in-before-you-find-out-how-deep-it-is kind of gal”…. Not so sure if that’s a good thing or not, lol 🙂 But I have learned so much by doing so -I definitely know the basics now. You have quite some good advice here. Wish I had read this before I started out, but it’s never too late for good information. My mistake was #1, so I had to start all over again when I did.
    Love your sense of humor!! This was fun to read AND informative.
    Thanks for sharing great info,

    Franziska San Pedro
    The Abstract Impressionist Artress

  20. Nice post, most of them use the default admin login as ADMIN, that should be changed, that’s one of the important points you made there 🙂

  21. There are a number of security plugins out there I’ve heard about, but haven’t had a chance to try them all. Keeping your wordpress up to date is good, but lately it seems like there have been a number of updates. Not to mention if you have a lot of plugins some of them update fairly often. So it can be a bit of a hassle to keep up with it all, but likely worth your time in the long run.
    Ray recently posted: Google in talks to buy Hulu

    1. Hi Ray,
      What a day to talk to me about updating plug-ins. I’ve been putting off updating to the very latest version of WordPress because I’ve read that a few people have run into issues with it. (I’m waiting for the dust to settle on this one.) Yesterday, I did update four plugins. It was very late and I didn’t check my site. (Dumb, dumb, dumb) This morning, I noticed that my home page (and all posts) were riddled with PHP errors. Thankfully, I was not so lax that I didn’t backup before the upgrades. So, it was an easy restore but geesh. With the constant threat of hackers, we need to stay on top of security. That’s for sure.
      Sherryl Perry recently posted: 6 Reasons to NOT Build a Website

  22. Thanks for leaving such an informative and detailed post about keeping those hackers at bay. Will definitely follow your advice, it seems that a lot of people have been targeted.

  23. The last two points I certainly agree with, but I’m a little skeptical about the first point. Aside from my doubts about how effective that method is, “hiding” your site from hackers isn’t really worthwhile. If you’re hiding it from hackers, you’re also hiding it from search engines and potential readers. You need to be confident in your site security and publicly advertise your site.
    Dave Clements recently posted: How to Create a WordPress Widget from Scratch

  24. Hi Sherryl,
    About those tips, I would not only say that they are helpful but that those are genuine facts to get your blog protected from hackers. Most bloggers, and even I, often use admin as the username, which I have changed after reading this post. This is the worst mistake we make and it gives an open door to hackers to hack our blog.
    Sherryl, that’s a great post. I am waiting to read more posts regarding such topics from you. Keep up the good work.

    1. Hi John,
      Good for you getting rid of that admin username. Unfortunately, it can be easily exploited and it’s such an easy fix. Thanks for letting me know that you found this helpful and for your encouragement. It’s good to know that I’m on the right track blogging about ideas and tips that might help some people. I’m very grateful that people take the time to comment and share their own experiences here too. We can all learn from each other.
      Sherryl Perry recently posted: Can Bloggers Learn a Lesson From Watching American Idol?

  25. Sherryl, aloha. Thx so much for the great advice and solutions to fix the “errors of our ways.”

    You will be pleased to know that I saw this posted on facebook saying “read this; great advice.”

    Sherryl, not only do I appreciate your clear action steps, I also like many of the suggestions made by others in your comments section. This is a definite keeper that will live on my computer. Thx so much. Aloha. Janet

    P.S. Off to share this with many.

    1. Janet,
      Thanks so much for all your support! I did not know that you shared this on Facebook. (My husband has been on vacation. So, I’ve been playing “hooky” a lot lately.) I’ll hop over there now and comment.

      Aren’t the suggestions in the comments great? I feel like we’re building a real community here. 🙂
      Sherryl Perry recently posted: Ambassador of Buzz - Social Networking Done Right

  26. Hackers are doing their best to do their job… But we should be aware of them so that we have the most security for the software we have… Thanks for the tips you have provided us…

  27. Great post Sherryl,
    Very informative. It’s always advisable to have your own username.
    As for me, I would recommend a monthly password change in case you notice there are frequent attempts by hackers trying to get in.

      1. That plugin is very nice Sherryl.
        Those plugins have some very cool features as well like Limit the number of attempts to log in using cookies, Informs user about remaining retries, Will log the failed attempts and Option to have email notification sent to you. 😉

  28. Hey Sheryl,
    How are you. A very useful blog indeed. Hacking is the worst problem that has come along with an advance in technology. I had a very bad experience myself when my email account was hacked. Had a hell of a time in restoring it back.

    1. Hi Shivam,
      Sorry to hear you had a bad experience with your email account. As I mentioned in my replies to other comments, I had a Joomla website hacked into years ago. Since then, I’ve always tried to research precautions that I can take to avoid that ever happening again. Thanks for letting me know that you find my blog useful. I try to blog tips and ideas that can be applied by anyone.
      Sherryl Perry recently posted: Social Networking and Casting a Bigger Net

  29. Hi, Sherryl.

    I am hopelessly ignorant and lame-brained when it comes to anything technical. So, I’ll just thank you for sharing this useful article and tell you that I will be forwarding this to my boss, who is handling all the technical details of our blog. I hope he will find a reprieve from all his work soon, so we can finally work out some kinks in our blog like the updates and the Facebook fan page Like button that a lot of people have been advising me to have. 🙂

    Thank you very much for this though. Really appreciate it. 🙂

      1. I think we have already done that admin thing. It is the third tip in your post that really got me because I see a number of WordPress updates in our blog that should be paid attention to. I’ll tell my boss about changing passwords, too. Thanks, Sherryl. 🙂

  30. I don’t know if this tip has been mentioned yet, but I think that you should change your password every now and then…

  31. Hey Sherryl,
    Great advice and a valuable reminder as well! I was hacked twice on a shared hosting account. All sites written in php were hit. They injected a redirect code. Like Greg said you can see it in the index file. It was very time consuming to restore all of the files. Thankfully I knew how to restore myself otherwise it would have cost me a ton of money. Sometimes I think the hackers test their skills in order to move on to bigger fish!
    Good idea to check folder permissions after a new install.
    Happy Sunday!
    kathleen recently posted: Make a Difference | Support Safe Drinking Water for Children

    1. Hi Kathleen,
      Sorry to hear about your experience. Have you considered going with another hosting company? I host with Rochen and the one time that I was hacked into (years ago), they restored my site for me. I went back and forth with them via email and my site was back in hours. Rochen has a proprietary backup system called Rochen Vault. Now, I could have easily done the restore myself using their system but at the time, they had to do it for me. It’s simply a one button restore. (I’m sure there are other hosting vendors with similar systems. I recommend Rochen because I use them personally and have never been disappointed with them.) Good to hear from you!
      Sherryl Perry recently posted: Low Cost Resources Small Business Owners and Entrepreneurs Can Access

    1. I completely agree that everyone needs a good host and good backups. One of the reasons that I recommend Rochen hosting is that they have their own backup “vault” system. The few times I have restored sites, I’ve simply logged in to my control panel, selected the restore point and waited for the job to complete. I continue to backup my WordPress database but I’ve never used it. Rochen’s system is so easy and reliable, I depend on it. I’m sure there are other hosts who offer their own proprietary backup systems also. That’s why it’s so important to do your due diligence when you’re selecting your hosting vendor.
      Sherryl Perry recently posted: If Your Website Was a Wheel – Is Your Blog the Hub or a Spoke?

  32. Thanks for sharing useful tips. One question as you say do not install wordpress in root directory. If we migrate from blogspot to wordpress then you have to install wordpress in root directory and if you do not install it in root directory then all your permalinks will be broken. Is there any other way to overcome this problem?

  33. Sheryl,

    One other tip:

    I use Bluehost for hosting (very good btw). One of the guys there recommended this service: http://www.wewatchyourwebsite.com/

    They monitor your code and notify you and help clean off any malware. I haven’t used it, so can’t recommend it personally, but it seems like a good idea and worth checking out.

    Anybody else have any experience with it?

    – Greg
    Greg Satell recently posted: The Web’s Big Future

    1. Hi Randy,
      I agree completely that saving a few dollars with a discount hosting service can be a real mistake. That is not the place where you want to save money. I look at my hosting vendor as a partner. I trust them and when I have needed them, they’ve delivered. Just the peace of mind knowing that they’re experts and will take care of protecting my sites is worth a few extra dollars.
      Sherryl Perry recently posted: Can Bloggers Learn a Lesson From Watching American Idol?

  34. By the way, I really hope the FBI, Israelis and other nations start rounding up hackers and offer them the choice of going to jail or working for their government. It’s going too far with these people wreaking havoc just for fun.

    Let’s face it what do they gain from hacking a wordpress blog? Nothing apart from the pleasure of causing problems and feeling powerful.

    1. Catarina, Thanks for sharing the link to your post on cyber warfare. It’s a great article. I encourage anyone reading this thread to hop over and read it. I agree that it makes sense to tap into the skills of these hackers and put them to good use.

      I will never understand why anyone can take pleasure in causing problems for others but it happens and it’s not a threat that’s going to go away.
      Sherryl Perry recently posted: 3 Ways to Build Awareness and Get Ideas for Your Website Blog

      1. The hackers don’t take pleasure in causing problems for others – they make money at their craft.

        On average, a hacker can make up to $1,000 for every PC/Mac they infect. This is through installing pay-per-install programs to selling stolen bank login credentials and FTP login credentials. Often times they only infect websites to gain control of more PCs and Macs (yes Macs too!)

        They use infected websites for a variety of reasons:
        # Send spam
        # Infect the computers of visitors to the infected website
        # Phishing
        # Store their illegally downloadable files (movies, music, games, etc.)

        Just thought I’d add my 2 cents worth…

          1. Sometimes they’re just trying to cause havoc, but those are usually the defacers. Defacers don’t really infect a website, but replace the home page with one of their “political” statements. Sometimes these have background music as well. These people want the world to know their “cause”.

            And I should correct myself (I sit corrected), they do derive pleasure, but it’s mainly for monetary pleasure. We’ve experienced instances where some of these hackers are making $10,000 – $20,000 in a day!

            However, the prices for stolen credit cards are dropping – so they’ll be making less. But, it’s supply and demand. There are literally so many stolen credit cards available on the hacker websites – it’s almost like an open auction for blocks of stolen credit cards – that the prices they can get for them are nosediving.

            I know, let’s have a fund raiser to support the plight of people who used to make a good living from stealing credit cards. Or better yet, let’s get a lobbyist to get the government to fund them. Of course, I’m being cynical.

  35. Excellent article Sherryl! Update on a regular basis. But have to change the admin password as you suggest. For the rest I’m afraid I would need a geek:-) or I would blow up my computer…

    1. Hi Catarina,
      You made me laugh saying “blow up my computer”. 🙂 I would not advise you to attempt reinstalling WordPress in a directory. It’s just a good tip to keep in mind should you ever set up another blog.

      You definitely should create a new logon with administrator rights and then get rid of ADMIN. You have a very active site with a lot of exposure. That’s a vulnerability that is relatively simple to fix. It could save you a lot of grief down the road.
      Sherryl Perry recently posted: If Your Website Was a Wheel – Is Your Blog the Hub or a Spoke?

  36. It is a good thing that I haven’t encountered such a problem. And I dread the day that it will happen. I always use my standard wordpress log-in but I am very careful with my password, which is a good thing.

  37. It’s also a good idea to check your index.php file in your theme options regularly. If there is a web site address there or a bunch of incomprehensible numbers and symbols mixed in with the commands (it’s usually at the top), you’ve been hacked!

    – Greg
    Greg Satell recently posted: The Web’s Big Future
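Greg’s check above is a manual look at one file. As an added example (my own script, not code from the post, the commenters or any plugin), here is a small POSIX shell scan that looks for the same indicators he describes across a whole theme directory: decode-and-run calls, long unreadable blobs, and injected script or iframe tags. The two theme files it builds are constructed samples; the base64 string in the "bad" one decodes to the harmless `echo 1;`. The pattern list produces hits to review against a clean copy of the theme, not verdicts.

```shell
#!/bin/sh
# Added example (not from the post or its comments): flag common indicators
# of injected code in a theme's PHP files. Hits are leads, not verdicts;
# compare each one with a clean copy of the theme before deleting anything.

# scan_php_file FILE
# Prints matching lines with line numbers. Returns 0 if nothing matched,
# 1 if at least one indicator was found.
scan_php_file() {
  file="$1"
  hits=$(grep -nE \
    -e 'eval[[:space:]]*\(' \
    -e 'base64_decode[[:space:]]*\(' \
    -e '(gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' \
    -e '[A-Za-z0-9+/=]{120,}' \
    -e '<iframe|<script[^>]*src=.https?://' \
    "$file" || true)
  if [ -n "$hits" ]; then
    printf '%s: SUSPICIOUS\n%s\n' "$file" "$hits"
    return 1
  fi
  printf '%s: clean\n' "$file"
  return 0
}

# scan_theme_dir DIR
# Scans every .php file one and two levels below DIR. Returns 1 if any file
# is suspicious, so the script can be used from cron or a deploy check.
scan_theme_dir() {
  dir="$1"; bad=0
  for f in "$dir"/*.php "$dir"/*/*.php; do
    [ -f "$f" ] || continue
    scan_php_file "$f" || bad=1
  done
  return "$bad"
}

# Demo on a constructed theme directory (sample content, not real malware):
# a normal index.php and a header.php with an eval(base64_decode(...)) line
# at the top, the shape Greg describes. The base64 decodes to "echo 1;".
DEMO_THEME=$(mktemp -d)
printf '<?php get_header(); ?>\n<h1>Hello</h1>\n<?php get_footer(); ?>\n' \
  > "$DEMO_THEME/index.php"
printf '<?php eval(base64_decode("ZWNobyAxOw==")); ?>\n<?php get_header(); ?>\n' \
  > "$DEMO_THEME/header.php"
if scan_theme_dir "$DEMO_THEME"; then
  echo "theme looks clean"
else
  echo "review the lines above"
fi
```

A legitimate header.php may load a script from a CDN and match the last pattern, which is why the output is meant to be read rather than acted on automatically; the exit status is still useful for noticing a change between two runs.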

  38. Hi Sherryl

    Excellent advice. Although I am a complete technophobe I made sure my security plugins were installed correctly. All updates are done promptly and if I need help a techie friend comes to the rescue.

    Guess it’s the things we most dread… being hacked, and from reading the other comments, it has happened to some of your readers!

    Patricia Perth Australia

    1. Hi Patricia,
      In my reply to Heather, I mention having a Joomla site hacked into. It was definitely my fault for not having installed the most recent release. (I was actually a few updates behind.) The site was just sitting there because I was no longer in that business but I still had a responsibility to either maintain it, redirect it or take it down but I should not have neglected it. Lesson learned. Fortunately, a friend alerted me to the fact that the site had been hacked into. I don’t know how long it would have taken me to discover it!
      Sherryl Perry recently posted: Google Panda and Website Load Times

      1. It is called Limit Login Attempts. You can adjust the settings. What happens is they get blocked out longer for every attempt and then for 24 hours. As I get an email notice I then copy the URL and log in to my host and in my cPanel I go into IP Deny Manager and paste the URL which prevents them from accessing my site. You don’t have to do this step and can just use the Limit Login plugin if you want. Hope that helps.
        Susan Oakes recently posted: Deepen Your Expertise To Enjoy Marketing Success
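Susan’s procedure relies on the plugin’s email to tell her which address to block. As an added example (my own script, not from the comments or from the Limit Login Attempts plugin), the POSIX shell below pulls the same information out of the web server’s access log, which every host keeps even when no plugin is installed, and prints the `Deny from` lines that cPanel’s IP Deny Manager writes into `.htaccess`. It assumes the common log format and a heuristic: WordPress redraws the login form with a 200 on a failed login and answers a successful one with a 302 redirect, so a `POST /wp-login.php` with status 200 is counted as a failed attempt. The log lines are constructed, using documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the comments or the plugin): find the addresses
# behind repeated failed logins in the access log and turn them into the
# Apache 2.2 "Deny from" lines an .htaccess file uses (Apache 2.4 spells
# the same thing "Require not ip").
#
# Heuristic: a failed WordPress login returns 200 (form redrawn with an
# error); a successful one returns a 302 redirect to wp-admin.

# failed_login_ips ACCESS_LOG THRESHOLD
# Prints "ip count" for every address with at least THRESHOLD failed logins.
failed_login_ips() {
  awk -v thr="$2" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
    END { for (ip in n) if (n[ip] >= thr) print ip, n[ip] }
  ' "$1" | sort
}

# deny_lines ACCESS_LOG THRESHOLD
# Same addresses, formatted as .htaccess directives.
deny_lines() {
  failed_login_ips "$1" "$2" | awk '{ print "Deny from " $1 }'
}

# Constructed access log in common log format (documentation-range IPs).
# 203.0.113.7 fails six times; 198.51.100.4 fails once, then logs in.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Jun/2011:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1803
203.0.113.7 - - [10/Jun/2011:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1921
203.0.113.7 - - [10/Jun/2011:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1921
203.0.113.7 - - [10/Jun/2011:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1921
203.0.113.7 - - [10/Jun/2011:10:01:16 +0000] "POST /wp-login.php HTTP/1.1" 200 1921
203.0.113.7 - - [10/Jun/2011:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 200 1921
203.0.113.7 - - [10/Jun/2011:10:01:24 +0000] "POST /wp-login.php HTTP/1.1" 200 1921
198.51.100.4 - - [10/Jun/2011:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1921
198.51.100.4 - - [10/Jun/2011:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Jun/2011:10:02:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120
EOF

echo "Addresses with 5 or more failed logins:"
failed_login_ips "$SAMPLE_LOG" 5
echo ".htaccess lines:"
deny_lines "$SAMPLE_LOG" 5
```

Run it against the real log with a threshold that fits your traffic (a single mistyped password should not earn a block), and keep in mind that a deny list in `.htaccess` grows without limit, which is the reason Susan notes the plugin alone is enough for most sites.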

        1. I had several WordPress websites/blogs hacked a couple of years ago – some of them were client websites. Fortunately I had taken backups the old-fashioned way (using FTP), so I was able to reinstate them all OK. Before I did that, though, I moved my sites to a different host, so that I could do as Sherryl suggests, and install my sites in a folder 2 levels below the root directory. For added security, I also put wp-config.php in the parent folder, which is still below the root directory!
          I then installed plugins to backup the database, uploads, themes and plugins.
          I was using wp-db-backup for the database backup, but I’ve just read on Heather Fonseca’s site that she uses wp-dbmanager which enables you to restore backups too, so I’ve just installed that.
          To backup uploads, themes and plugins directories, I use wordpress-backup.

  39. Had my site hacked several months ago. My hosting is shared and it turned out that, by default, my folders and files were not locked down to only allow my user accounts to access them. If you’re in a shared hosting situation make sure you’re doing this. Hackers who have compromised other WordPress installs can attack anyone else on that server. By locking down your files and folders to only allow Apache and your user account to access them it can be prevented. Worked for me.
    Bill Szczytko recently posted: Google OS, the Cloud and testing the new Chromebook

    1. I’m on shared hosting Bill but I’m not sure whether my files and folders are “locked down”. How do we verify this? I host with Rochen and they seem to be on top of every situation. I have complete confidence in them. Yet, I would like to look into this. It seems like the default should automatically be locked.
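To answer the "how do we verify this?" question, here is an added example (my own script, not from Bill, Sherryl or the post) that audits a WordPress tree for the two things that matter most on a shared host and then applies the usual values: directories 755, files 644, and wp-config.php readable only by the owner and the web server’s group. WordPress also loads wp-config.php from the directory above the install, the layout the earlier comment about moving it to the parent folder describes, so that location is checked as well. The install tree it builds is constructed; the assumption flagged in the comments (which account or group the web server runs as) is the part to confirm with your host before running `lockdown_perms` for real.

```shell
#!/bin/sh
# Added example (not from the post or the comments): audit and tighten the
# permissions of a WordPress install on a shared host.

# audit_perms WPDIR
# Prints one line per problem; prints nothing when the tree is clean.
audit_perms() {
  dir="$1"
  # Anything the "other" class can write to is open to every account on
  # the server, which is exactly the cross-site problem Bill describes.
  find "$dir" -perm -002 -print | sed 's/^/world-writable: /'
  # wp-config.php holds the database password and salts; it must not be
  # readable by other accounts. WordPress also accepts it one level up.
  for cfg in "$dir/wp-config.php" "$dir/../wp-config.php"; do
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -004 -print)" ]; then
      echo "world-readable: $cfg"
    fi
  done
}

# lockdown_perms WPDIR
# Standard WordPress values. 640 on wp-config.php assumes the files' group
# is the one the web server runs as, or that PHP runs as your own account
# (suEXEC / a per-user PHP-FPM pool); otherwise the site cannot read its
# own configuration, so confirm that with your host first.
lockdown_perms() {
  dir="$1"
  find "$dir" -type d -exec chmod 755 {} +
  find "$dir" -type f -exec chmod 644 {} +
  for cfg in "$dir/wp-config.php" "$dir/../wp-config.php"; do
    if [ -f "$cfg" ]; then
      chmod 640 "$cfg"
    fi
  done
  return 0
}

# Demo on a constructed install tree left wide open (everything 777), with
# wp-config.php kept one level above the install directory.
DEMO_WP=$(mktemp -d)
mkdir -p "$DEMO_WP/blog/wp-content/uploads"
touch "$DEMO_WP/blog/index.php" "$DEMO_WP/wp-config.php"
chmod -R 777 "$DEMO_WP"
echo "Before:"; audit_perms "$DEMO_WP/blog"
lockdown_perms "$DEMO_WP/blog"
echo "After:";  audit_perms "$DEMO_WP/blog"
```

`audit_perms` is safe to run at any time and is the verification step; run it again after a plugin update or a host migration, since both are common ways for permissions to drift back to wide open. The uploads directory may need to stay writable by the web server user, which the 755/644 values allow as long as it owns or shares a group with that directory.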

  40. Excellent tips, Sherryl, especially about not using Admin which so many people have not changed (I have). Also, be stingy with the people you share your password with. If you use guest authors on your WP site it will ask for their email address and password. Then it will give you the option of sending the password to them. My advice is don’t do it. Like you, I urge people to have a backup system. I use BackupBuddy and store it on Amazon S3. Every day, like clockwork, I get emails telling me the successful backup was completed. While we’re on the subject, also backup your computer. I use an external hard drive and Carbonite. I had used Mozy but had problems with their service.
    Jeannette Paladino recently posted: Generate Live Leads through LinkedIn

    1. Hi Jeannette, I don’t email passwords to guest authors either. I’m sure if I was working with a blogger who was guest posting on a regular basis and I wanted them to edit and publish their articles without my having to be involved that I would. Sounds like you have a good backup system. Thanks for sharing it with us.
      Sherryl Perry recently posted: Treat Your Blog Like a Newspaper

  41. I was hacked a couple of months ago. Thankfully my web hosting company was able to clear it up, but I lost about a week of posts and comments and was REALLY unhappy about the whole thing. You can see the post I wrote about the experience and the steps I took to combat the problem in the future here:

    1. That’s awful Heather. A couple of years ago a Joomla site that I had built was hacked into. (I had not implemented steps #1 and #3.) My host bailed me out too but they did chastise me a little for not having installed the latest Joomla updates. I was quite a bit behind and I honestly deserved the reprimand. I stay on top of all my updates now.

      Thanks for sharing your experience. That’s a good post. I hope others here read it.
      Sherryl Perry recently posted: Social Networking and Casting a Bigger Net
