How to Protect Your WordPress Blog From Getting Hacked

As many users are probably aware, WordPress is one of the premier open source blogging platforms available on the internet. It has gone far beyond the standard weblog and is now an excellent foundation for just about any type of website. However, the internet itself is fraught with inherent dangers which leave users open to attack by unscrupulous hackers.

It must be understood that it is impossible to prevent every attack, but there are many steps that can be taken to protect WordPress users and their websites. WordPress users have found the program to be highly configurable, with an excellent support community available. Because of these features, users can expect considerable levels of security by adhering to the recommendations outlined below.

How Your WordPress Blog is Affected

In the past, the goal of web hackers was simply to disable websites. These criminals, however, discovered that taking a website down did not produce any benefits. Today, their new mode of attack is to hijack websites for their own gain. WordPress hackers accomplish this primarily through link injection. They hack into the user’s web files and insert lines of code that attach unwanted links to practically every web page. The two primary negative effects of link injection are:


  • Time and resources involved in cleaning up the attack
  • Decrease of search engine page rank

WordPress users invest a significant amount of time, energy, and financial resources to set up and maintain their blog. A blog may be used to generate substantial income for the WordPress user. Page rank is affected when search engines notice excessive links and flag a website. When search engine page rank is adversely impacted by an unwanted link injection, a user may face lost web traffic and, in turn, income.

How to Protect Your WordPress Blog

The goal of protecting a WordPress blog is to prevent outsiders from accessing a user’s web files. By taking the following measures, users can be proactive in the fight against hackers.

Standard Blog Maintenance

An essential component of proper blog maintenance is to make certain that plugins and themes come from a trusted source. The best way to ensure this is to choose only those found in the official WordPress plugin and theme directories.

Additionally, regular updates of plugins, themes, and the WordPress installation are also necessary for effective blog maintenance. These updates repair bugs and security vulnerabilities that have been discovered in the programs. It is best to update plugins and themes before updating the installation as compatibility issues may arise otherwise.

WordPress users should be aware that it is extremely important to back up the entire installation on a regular basis. Users should make themselves familiar with the process of restoring backup data in order to minimize downtime if a problem occurs. The ideal backup system will be stored off the primary server and include redundancy.

Password Security

A strong password is one of the first lines of defense against hacker attacks. A strong password may be defined as a password that is not easily guessed and contains both numbers and letters. The most secure passwords are random strings of letters and numbers, which may require the WordPress user to store this password in a secure location. There are internet sites that generate these random strong passwords at no charge.


To further maximize password security, WordPress has included the option of using secret keys. A secret key is a hashing salt that adds random elements to the user’s password. To initiate the use of secret keys, go to the WordPress API page, copy the information found there, and replace the corresponding portion of the user’s wp-config.php file. For existing installations, this will invalidate cookies already stored on the computer and force users that are already logged in to log in again.

Creating a Secure User Name

The default administrator account for WordPress installations is given the user name “admin.” Most hackers are aware of this, and as a result, have half of the information necessary to access a user’s data. The only other piece of information hackers need is the user’s password. To protect a user’s account, this username should be changed to something unique. This can be accomplished in one of two ways depending on the user’s familiarity with MySQL.

Those familiar with MySQL can use a frontend program like phpMyAdmin or run the following statement against the WordPress database (the table name assumes the default wp_ prefix; use the installation’s own prefix otherwise):

UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';

For those that are unfamiliar with MySQL, the following steps should be taken:

  1. Create a new user with a unique username
  2. Assign the administrator role to the new account
  3. Log out and then log back in using the new user account
  4. Delete the admin account

Recommended Security Plugins

There are several plugins available to WordPress users that can assist with blog security. The following are recommended security plugins for WordPress users:

WP Security Scan
This plugin searches the user’s installation for weaknesses that enable hackers to gain access to the user’s files. It also suggests the actions that will correct these weaknesses. The WP Security Scan may be initiated occasionally and need not be active at all times.

WordPress Exploit Scanner
By scanning a user’s files for evidence of a hacker intrusion, WordPress Exploit Scanner can alert the user to problem areas. Similar to the WP Security Scan, this plugin may be initiated occasionally and does not need to be active at all times.

WordPress File Monitor
This plugin constantly monitors a user’s files and alerts the user to any changes that are made. The user should be able to easily identify changes that are the result of attacks by hackers. To work effectively, WordPress File Monitor should remain activated at all times.
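A minimal version of what such a file monitor does, written here as an added example (not the plugin’s own code): take a SHA-256 baseline of every file in the installation, take a second snapshot later, and report what was added, modified or deleted. The directory tree and the tampering the demo detects are constructed inside the script, not taken from any real site.

```python
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of one file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative path, '/' separators) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            result[rel] = hash_file(full)
    return result


def diff_snapshots(baseline, current):
    """Return (added, modified, deleted) relative paths, each as a sorted list."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, deleted


def demo():
    """Constructed mini WordPress tree: a line appended to a theme file (the link
    injection pattern the article describes) and an unexpected PHP file in uploads."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, 'wp-content', 'themes', 'demo')
        os.makedirs(theme)
        with open(os.path.join(theme, 'footer.php'), 'w') as fh:
            fh.write('<?php wp_footer(); ?>\n')
        with open(os.path.join(root, 'index.php'), 'w') as fh:
            fh.write("<?php require 'wp-blog-header.php';\n")
        baseline = snapshot(root)          # what the monitor stored earlier
        with open(os.path.join(theme, 'footer.php'), 'a') as fh:
            fh.write('<!-- constructed injected line -->\n')
        uploads = os.path.join(root, 'wp-content', 'uploads')
        os.makedirs(uploads)
        with open(os.path.join(uploads, 'x.php'), 'w') as fh:
            fh.write('<?php // constructed unexpected file\n')
        return diff_snapshots(baseline, snapshot(root))


if __name__ == '__main__':
    added, modified, deleted = demo()
    print('added:', added, 'modified:', modified, 'deleted:', deleted)
```

In practice the baseline would be saved to disk (outside the web root) after each legitimate update and the comparison run from cron.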

Login Lockdown
Limiting the number of times a login may be attempted, this plugin prevents hackers from guessing a user’s password through multiple efforts. The lockdown time can be set to the user’s personal preference. The Login Lockdown feature should be activated at all times.

Folder Permissions

Another method by which hacker attacks can be thwarted is to make sure the user’s folder permissions are set properly. Many blog hosts allow folder permissions to be set through the control panel. If not, stand-alone FTP programs offer users the ability to change these permissions. A good rule of thumb for permissions is to set files to 644 and folders to 755. This should provide most plugins and themes the access they require. If the user finds that there are folder access problems, permissions may be increased as needed.

Change WordPress Table Prefix

The default installation of WordPress sets the database tables with the prefix wp_. This is another bit of information that hackers know well. Database files may be hidden by making the table prefix unique. This is accomplished by changing the wp-config.php file. Prior to installing WordPress on the user’s server, the wp-config.php should be changed. Changing existing tables can be quite complicated if these adjustments do not occur before WordPress installation.

Move wp-config.php File

With the release of WordPress 2.6, users now have the option of moving the wp-config.php file. The ability to move the wp-config.php file prevents hackers from finding the file and making unwanted changes. The file can only be moved to the parent directory of the WordPress installation. For example, if the file is installed in:


it may be moved to:


It must be noted, however, that WordPress is programmed to only search the parent directory. If the configuration file is moved anywhere else, an error message will result.

.htaccess Lockout

While this method of security can become somewhat tricky, it is very effective at preventing a hacker attack. The goal is to specify the IP address or range of IP addresses that can access the administration section of WordPress. To do this, create a .htaccess file in the wp-admin directory on the user’s WordPress web hosting account. The file should contain the following information:

AuthName "Access Control"
AuthType Basic
Order Deny,Allow
Deny from all
# IP address(es) to whitelist, one Allow line each; 192.0.2.10 is a placeholder
Allow from 192.0.2.10

Users may specify as many IP addresses as they like, and change the IP addresses easily. There is a drawback to this type of security measure, however. If there are many computers accessing the administration portion of WordPress, there will be many IP addresses to coordinate. For some users, this could present a substantial difficulty.

Force SSL Encryption

WordPress users can force their installation to use SSL encryption at the login or administration pages. This can be accomplished by modifying the wp-config.php file. In the file, add the following lines:

  • For the login page – define('FORCE_SSL_LOGIN', true);
  • For the administration page – define('FORCE_SSL_ADMIN', true);

In order to use this security function, users must ensure that their server is set up and configured for SSL encryption.
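The secret keys, the table prefix and the FORCE_SSL_* constants above all live in wp-config.php, so they can be checked together. The following added script (not part of the article, nor WordPress code) parses a wp-config.php and lists which of those hardening steps are still missing; the sample configuration is constructed, and the four *_KEY constant names are assumed to be the ones the installation uses.

```python
import re

# Constructed sample wp-config.php fragment (not from any real site). It still has the
# placeholder secret keys, the default wp_ table prefix and only FORCE_SSL_LOGIN set.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
define('FORCE_SSL_LOGIN', true);
"""

# The four secret-key constants; newer WordPress versions also use matching *_SALT
# constants, which can simply be appended to this tuple.
SECRET_KEYS = ('AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY')
PLACEHOLDER = 'put your unique phrase here'

# Matches define('NAME', value); -- fine for a stock wp-config.php, but a key that
# happens to contain the sequence ");" would end the match early.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_wp_config(text):
    """Return (defines, table_prefix) parsed from the text of a wp-config.php file."""
    defines = {name: raw.strip("'\"") for name, raw in DEFINE_RE.findall(text)}
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def audit_wp_config(text):
    """Return one finding per hardening step from the article that is still missing."""
    defines, prefix = parse_wp_config(text)
    findings = []
    for key in SECRET_KEYS:
        value = defines.get(key, '')
        if not value or PLACEHOLDER in value or len(value) < 32:
            findings.append(f'{key} is unset or still the placeholder; paste a generated key')
    if prefix is None or prefix == 'wp_':
        findings.append('table prefix is the default wp_; choose a unique prefix')
    for const in ('FORCE_SSL_LOGIN', 'FORCE_SSL_ADMIN'):
        if defines.get(const, '').lower() != 'true':
            findings.append(f"{const} is not enabled; add define('{const}', true);")
    return findings


if __name__ == '__main__':
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print('-', finding)
```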

You Can Protect Yourself From Attack

The threats of hacker attacks on a WordPress blog are real, but there are ways to prevent nuisances such as these. With diligent maintenance and judicious preventative steps, a user can head off all but the most virulent hacks. Following the aforementioned recommendations will provide a high level of security for any WordPress user.

Vanessa Davis is a content writer with the web hosting services guide WHS, where you can go through reviews of the best blog hosting providers as well as WordPress hosting reviews of top hosts.


    Ahmad, November 8, 2010

    Thanks for the tips. A strong password is very effective; also, daily backup is important.

    L1, November 8, 2010

    One more thing I find that helps is not to use the Admin account to publish content/comments etc. That way you can give it a totally random name and nobody will know what it is at all even if they scope out your site and read through it.

  1. Great article and very useful tips to follow.

  2. A bit concerned about your plugin list – is it wise to recommend WordPress plugins that have not been updated for over a year? There are also a few caveats on the WP Security Scan plugin that could trip people up.

     Really should consider using “WP Login Security” rather than “Login Lockdown.” I would also recommend checking out the Ultimate Security Check and Better WP Security beta.

  3. Nice article mate, even an antivirus plugin is very effective for checking WordPress files for any changes :)

  4. Terrific rundown, thanks, Vanessa! I can definitely use this as a reference.

  5. Thanks, but some of the options are outdated. The WordPress 3 installation already gives you the options of a custom admin username and of changing the database prefix. Most of the rest is new for me, so I thank you for that. Thank you!!

  6. Excellent. I’ve had at least one WP site that I created hacked. This is most helpful!

  7. Hi, thanks, this post is very useful…

    H4L, November 9, 2010

    Thanks, it’s really helpful! Great info I got here.

    Micah, November 9, 2010

    One of my favorite plugins for every install is called Semisecure Login Reimagined. You can find it on the WordPress plugin directory and I think it’s one of the most secure ways to login and keep your passwords safe without using SSL.

    Buzz, November 9, 2010

    Thanks for the article…. it makes a good checklist of things to make sure you’ve done.

  8. All good tips that should be taken on board.
     Would be great if cPanel one-click installs allowed users to choose a WordPress table prefix.

    Yuriy, November 10, 2010

    I like it, thanks for the post.
    Maybe someone knows about DDoS protection for a WP blog?

  9. Good tips, thanks for sharing.

  10. I agree with your article. I’d also add the excellent plugin “Automatic WordPress Backup”, which saves both files and database daily or weekly to Amazon S3, for a few cents per year. This is good for peace of mind :-)

     You can also strengthen the admin access by adding a second password through a .htaccess file and an encrypted password file.

     Last, I also use some free monitoring services to check that my site is still clean and not banned:
     – FeedMedic from Google Feedburner will send regular alerts on the health of the site
     – ( will check your site regularly against several referrals to ensure it is not blacklisted (Norton Safe Web Report, Google Safe Browsing Report, Site Advisor Report …)

     Read more (in French):

  11. Good tips, but I believe that some plugins search for the wp_ prefix in order to run. So changing this may cause issues.

  12. Excellent technique tips to protect a WordPress blog from hackers.

  13. This is really a timely hint for me as I am developing my blog and would need to take these recommended steps to protect my resources. These hackers should be reminded of, or know, the hard work people put in using WordPress.

     Again, a reminder to watch our steps in this business of SEO and PPC.

  14. Effective and useful instructions to follow. Thank you so much for letting us know about this through this post, which is very helpful to us in protecting our WordPress blog. Will follow these tips in the coming days. Thanks again for sharing this post.

    dev, December 6, 2010

    Very detailed

  15. Another aspect that you didn’t mention was not sending FTP files that contain account information in plain text (port 21). If your server supports it, use port 22 instead. Port 22 allows encryption between your computer and the server, and will not transfer your files in plain text.

  16. Wow, this is what I’m looking for. Thanks for sharing and nice info.

  17. Very nice post. It gives information I need. Thanks for sharing.

  18. I like this post and I enjoyed reading it. This information is what I’m looking for. Thanks for sharing.

  19. Wow, I like this post. It gives me information that I never knew before. Thanks for sharing.

  20. We’re doing more WP sites now and this was a good read. Thanks!

  21. It’s so helpful for me, thank you so much.

    Anonymous, March 24, 2011

    Thanks for the information, very useful.

  22. I am very lucky to find your web site. Your article is very useful. Thank you for sharing.

  23. Great job. Thank you for sharing; your article is very useful. Thank you for sharing.

  24. I think your article is very useful for me. Thanks

    Vjeko, December 13, 2011

    It would be great to have one cool plugin with all these tweaks and options so users can easily secure their blogs.
    Nice tips, thanks.


  25. Hi. I found your web site by way of Google while searching for a similar subject, and your website came up. It seems to be good. I’ve bookmarked it in my Google bookmarks to visit later. Thank you for your article; I’m very interested. Keep the articles up to date.

  26. Hello, I have read the full post and now I have good points and plugins for blogs; many thanks for this post.
     You helped a lot of bloggers.

  27. I was searching for the same thing; my blog was hacked many times. I will surely implement your rules. Thanks

  28. This is one of the excellent articles I have found on the subject. I’ve had two WordPress sites hacked and I was searching for ways to prevent it happening again on other sites I am planning to create in the near future, and this article has given me all the tips and info necessary.

     Well done! Many thanks.

     Keep up the good work

    Jame, May 16, 2012

    My website was recently hacked and it is in a bad situation that can ruin income; every site owner should read this post and protect their sites before getting into trouble. Thanks for sharing this valuable stuff!

  29. It would be good if these 9 plugins could be consolidated into one powerful plugin.

  30. Great article on how to protect a blog!
