    10 Steps to Secure Your WordPress Blog From Hackers


    Today’s guest post is from Triona Guidry, a computer consultant and freelance writer in the
    northwest suburbs of Chicago. Her blog offers tech support for Windows and Mac, security alerts, and advice on blogs and social media.

    Writers depend on blogs to promote their work, interact with readers,
    and attract the attention of agents and publishers. But what if you
    discover that all your links have been changed to porn sites, or that
    your readers are being spammed?

    You need to know how to protect your
    blog, and what to do if it’s hacked.

    The following advice is geared
    toward those running their own installations of WordPress, but also
    applies to those hosting their blogs with WordPress, Blogger, or other

    The main idea behind computer security is to avoid being the “low-hanging fruit.” Most attacks on blogs are automated and opportunistic, so a site that is a little harder to break into than average is one the hackers skip in favor of easier targets.

    1. Use strong, unique passwords for your blog and for your other accounts.
    You may groan at the idea of a different password for every site, but ask
    yourself whether you would rather remember passwords or deal with the
    aftermath of being hacked. A password reused on two sites is only as safe
    as the weaker site. Passwords should be at least eight characters (longer
    is better) and contain a mix of letters, numbers, and symbols. A password
    generator, ideally one built into a password manager that remembers the
    result for you, is the easiest way to get there. Mnemonics such as
    swapping symbols for letters (“p@ssw0rd”) are weaker than they look,
    because cracking tools try exactly those substitutions first. And please
    don’t rotate between the same two or three passwords, and don’t use
    common words with an exclamation point tacked on the end.
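    As an added example (my code, not part of the original post), here is a Python check that turns the rules above into something you can run: it flags short passwords, missing character classes, and a common word dressed up with trailing digits or symbol-for-letter substitutions, and it generates a replacement with the secrets module. The word list is a constructed stand-in for the dictionaries cracking tools actually load.

```python
import re
import secrets
import string
from typing import List

# Constructed stand-in for the dictionaries cracking tools load; a real
# check would use a full wordlist (tens of thousands of entries) instead.
COMMON_WORDS = {
    "password", "welcome", "letmein", "dragon", "monkey", "qwerty",
    "sunshine", "princess", "football", "baseball", "iloveyou",
}

# Undo the usual symbol/digit-for-letter substitutions so that "P@ssw0rd"
# is judged as the word "password" it really is.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def password_problems(pw: str) -> List[str]:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")

    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if sum(classes) < 3:
        problems.append("needs a mix of letters, numbers, and symbols")

    # Strip digits/symbols tacked on the end ("Monkey2011!"), undo the
    # substitutions, and see whether a dictionary word is what remains.
    core = re.sub(r"[\W\d_]+$", "", pw)
    normalized = core.lower().translate(LEET_MAP)
    if normalized in COMMON_WORDS:
        if core != pw:
            problems.append("a common word with digits or symbols tacked on the end")
        elif core.lower() != normalized:
            problems.append("a common word with symbols swapped in for letters")
        else:
            problems.append("a common word")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG; retried until it passes the checks."""
    if length < 12:
        raise ValueError("use at least 12 characters for a generated password")
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Monkey2011!", "Ab1!", "Tr0ub4dor&3"):
        print(candidate, "->", password_problems(candidate) or "ok")
    print("generated:", generate_password(20))
```

    The normalization step is the point: a checker that only counts character classes would wave “P@ssw0rd” through.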

    2. Post as “editor” instead of “administrator.”
    Editor accounts can create, edit, and publish posts (including other
    people’s), but can’t install plug-ins or themes, add users, or change
    WordPress settings, so if your everyday account is stolen the damage stops
    there. Keep a separate administrator account that you use only for
    maintenance, and don’t let it be named “admin”: automated attacks guess
    that username first. Create a new administrator under a name of your own
    choosing, then demote the default “admin” account (or delete it,
    reassigning its posts to the new account) so that the username attackers
    expect no longer carries any power.

    3. Keep WordPress up to date.
    There will be a reminder on your Dashboard if there is a new version
    available. Many security fixes ship as small point releases, so don’t sit
    on them. Don’t forget to update your plug-ins and themes too, and remove
    any you no longer use: an inactive plug-in’s files are still on the server
    and still reachable from the web, so a hole in it is a hole in your site.

    4. If applicable to you: Keep your server’s system software updated with the latest bug fixes
    and patches, and don’t run beta software.

    If you want to test something,
    create a server you can use for experimentation. Old computers are great
    for this purpose.

    5. Use the WordPress Exploit Scanner Plug-In.
    It searches your WordPress files and database for code and content that
    attackers typically leave behind, and it’s a good idea to run it on a
    regular basis. Two caveats: it reports, it does not remove, so each hit is
    something for you to read and judge; and a scanner running on an already
    compromised server can itself be tampered with, so treat a clean report as
    reassuring rather than as proof.

    6. Never access WordPress from public wireless networks.
    Hackers and their automated password-harvesting software often lurk there.
    If you can’t avoid it, at least make sure the login page is served over
    HTTPS (the address begins with https://), because otherwise your password
    crosses the air in the clear. The same advice goes for e-mail, Facebook,
    and especially your financial accounts.

    7. Keep the computers on your network free of viruses.
    The easiest way to do this is to follow my four steps to computer
    security: a security software suite, a firewall, strong unique passwords,
    and a routine for updating your software, both your applications
    (Microsoft Office, Adobe Reader, Flash, etc.) and your operating system
    (Windows or Mac). A keylogger on your own PC defeats every other step on
    this list, because it simply reads your password as you type it.

    If you
    are using free antivirus, consider a paid version. I used to recommend
    the freebies, but I’ve seen so many infections in my consulting business
    that I decided they don’t offer adequate protection anymore.

    8. Make backups of your blog.
    There are a number of WordPress plug-ins that compress your blog files
    into an archive which can be stored on your local computer. Make sure the
    backup covers both halves of the site: the database (posts, comments,
    users, settings) and the files (wp-content/uploads, your theme, your
    plug-ins, and wp-config.php). A database-only backup restores your words
    but not your images or your customizations. Keep copies somewhere other
    than the server itself, and keep several generations, since a backup taken
    after a break-in contains the break-in.

    9. Monitor your server’s logs.
    If someone is trying to get in, you may find the first evidence here. The
    web server’s access log records every request, so the telltale signs are
    bursts of POST requests to wp-login.php from one address (password
    guessing), heavy traffic to xmlrpc.php, requests for files that shouldn’t
    exist such as wp-config.php.bak, and any request for a .php file under
    wp-content/uploads, where only images and documents belong.
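    As an added example (mine, not the author’s), here is Python that reads combined-format access-log lines and reports those signs: failed wp-login.php POSTs per address, a login success that follows a run of failures, xmlrpc.php traffic, and probes for config files or PHP under uploads. It relies on the fact that WordPress answers a failed login with a 200 (the form is redrawn) and a successful one with a 302 redirect into wp-admin. The log lines are constructed, with addresses from the RFC 5737 documentation ranges, and the threshold of five failures is an assumption to tune for your own traffic.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Apache/nginx "combined" log format; only the fields the checks need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict, or None if it isn't in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def analyze(lines: List[str], login_threshold: int = 5) -> Dict[str, object]:
    """Summarize the signs step 9 describes from a batch of access-log lines."""
    failed_logins = Counter()        # ip -> POSTs to wp-login.php answered with 200
    success_after_failures = []      # ips that got a 302 after many failures
    xmlrpc_posts = Counter()
    suspicious = []                  # (reason, ip, path, status)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]

        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            # Failed login re-renders the form (200); success redirects (302).
            if status == 200:
                failed_logins[ip] += 1
            elif status == 302 and failed_logins[ip] >= login_threshold:
                success_after_failures.append(ip)
        elif rec["method"] == "POST" and path.endswith("/xmlrpc.php"):
            xmlrpc_posts[ip] += 1

        if re.search(r"/wp-content/uploads/.*\.php$", path, re.I):
            suspicious.append(("php file requested under uploads", ip, path, status))
        if re.search(r"(wp-config\.php|\.env$|/\.git/|\.sql$)", path, re.I):
            suspicious.append(("probe for config or backup file", ip, path, status))

    return {
        "login_bruteforce": {ip: n for ip, n in failed_logins.items() if n >= login_threshold},
        "success_after_bruteforce": success_after_failures,
        "xmlrpc_posts": dict(xmlrpc_posts),
        "suspicious": suspicious,
    }


def _line(ip, method, path, status, when="10/Mar/2011:02:14:01 +0000"):
    # Builds a constructed combined-format line; the addresses are from the
    # RFC 5737 documentation ranges, not real hosts.
    return f'{ip} - - [{when}] "{method} {path} HTTP/1.1" {status} 1234 "-" "Mozilla/5.0"'


SAMPLE_LOG = (
    [_line("192.0.2.5", "GET", "/", 200)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 200) for _ in range(6)]
    + [_line("203.0.113.7", "POST", "/wp-login.php", 302)]
    + [_line("203.0.113.7", "POST", "/xmlrpc.php", 200)]
    + [_line("198.51.100.22", "GET", "/wp-config.php.bak", 404)]
    + [_line("198.51.100.22", "GET", "/wp-content/uploads/2011/03/cache.php?cmd=id", 200)]
)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

    On a real server you would feed it the access log of the site (`analyze(open(path).readlines())`) from a cron job; the "success after brute force" line is the one that should page you, because it means the guessing worked.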

    10. Moderate comments, and never approve spam comments.
    To tell if a
    comment is spam, look for poor grammar and punctuation, web sites that
    don’t match e-mail addresses, foreign languages, lengthy lists of links,
    and comments on ancient posts. When in doubt, don’t approve.
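    To show how those rules become something a site can apply automatically, here is an added example (my code, not the author’s) that scores a comment against them: link count, a website that doesn’t match the e-mail domain, a comment on a post more than a year old, and stock praise that fits any post. It leaves out the language check, the phrase list is constructed, and the weights and hold threshold are assumptions to tune against your own moderation queue.

```python
import re
from datetime import date, timedelta
from typing import List, Tuple

# Constructed list of boilerplate flattery that comment spam leans on; a
# real filter would carry a much longer list.
GENERIC_PHRASES = ("great post", "nice post", "thanks for sharing", "check out my", "very informative")

URL_RE = re.compile(r"https?://\S+", re.I)


def domain_of_email(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def domain_of_site(url: str) -> str:
    m = re.match(r"https?://(?:www\.)?([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def spam_score(comment: dict, today: date) -> Tuple[int, List[str]]:
    """Weighted version of the step-10 checks. `comment` needs text, email,
    website (may be empty) and post_date (a date). Returns (score, reasons)."""
    score, reasons = 0, []
    text = str(comment["text"])

    links = URL_RE.findall(text)
    if len(links) >= 3:
        score += 3
        reasons.append(f"{len(links)} links in the comment")
    elif links:
        score += 1
        reasons.append("contains a link")

    site = domain_of_site(str(comment.get("website", "")))
    mail = domain_of_email(str(comment["email"]))
    if site and mail and site != mail and not site.endswith("." + mail):
        score += 1   # weak on its own: plenty of real people use webmail
        reasons.append("website domain does not match e-mail domain")

    if (today - comment["post_date"]) > timedelta(days=365):
        score += 2
        reasons.append("posted on an article more than a year old")

    lowered = text.lower()
    if any(p in lowered for p in GENERIC_PHRASES):
        score += 1
        reasons.append("generic praise that fits any post")

    return score, reasons


def should_hold(comment: dict, today: date, threshold: int = 3) -> bool:
    """True if the comment should wait for a human rather than auto-approve."""
    return spam_score(comment, today)[0] >= threshold


if __name__ == "__main__":
    today = date(2011, 3, 10)
    sample = {  # constructed comment
        "text": "Great post! See http://a.example/ http://b.example/ http://c.example/",
        "email": "bot@mailer.example",
        "website": "http://pills.example/",
        "post_date": today - timedelta(days=900),
    }
    print(spam_score(sample, today), "hold:", should_hold(sample, today))
```

    Note that nothing here auto-deletes: a high score only keeps the comment in the moderation queue, which matches the author’s “when in doubt, don’t approve.”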

    What if your blog has been hacked?
    First, how do you know if your blog has been hacked? If your links have
    been changed or posts appear that you didn’t create, that’s a good
    indication. But
    there may not be any visible signs, which is why monitoring is so

    If you discover you’ve been hacked, here’s how to rescue your

    • Change all passwords immediately, for WordPress and for the server
      itself (FTP/SSH, the control panel, and the database). This won’t get
      rid of any bad links or back doors, but it will give you time. You
      should also change your password for your e-mail account if someone has
      attempted to use the “reset password” page to commandeer your account,
      since whoever controls that mailbox can reset the blog password again.

    • Next, change your secret keys. Otherwise the hackers will be able to
      stay logged in even if you change your passwords, because their cookies
      will still be valid. The keys are the eight define() lines in
      wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and
      their four matching SALT values); WordPress signs every login cookie
      with them, so replacing them invalidates every existing session,
      including yours. You can find out how to do this in the WordPress Codex
      FAQ on what to do if you’ve been hacked.

    • Scan your computer for viruses and malware. There’s no point in using
      a contaminated computer to fix a contaminated server.

    • If your WordPress server is hosted elsewhere, contact your provider.
      Other blogs on the same server may have been affected, and your provider
      can offer information and assistance.
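    The following added example (my code, not from the post or the Codex) performs that key rotation on the text of wp-config.php with Python, generating fresh 64-character values with the secrets module from a character set that is a subset of what WordPress’s own salt generator uses (no quotes or backslashes, so the value is safe inside a single-quoted PHP string). The sample config is a constructed excerpt; the rotate_file helper and its backup_dir parameter are assumptions about how you would apply it to a real file.

```python
import re
import secrets
import string
from pathlib import Path
from typing import Dict, List, Tuple

# The eight constants WordPress uses to sign login cookies and nonces.
WP_SECRETS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# No quotes and no backslashes: safe inside a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"

# Matches define('NAME', 'value'); with either quote style and any spacing.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>[^'"\\]*)\3\s*\)\s*;"""
)


def new_secret(length: int = 64) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def secret_values(config_text: str) -> Dict[str, str]:
    """Current value of each of the eight secrets present in the config text."""
    return {m.group("name"): m.group("value")
            for m in DEFINE_RE.finditer(config_text) if m.group("name") in WP_SECRETS}


def rotate_secrets(config_text: str) -> Tuple[str, List[str]]:
    """Return the config text with all eight secrets replaced, plus the names replaced."""
    replaced: List[str] = []

    def replace(m):
        name = m.group("name")
        if name not in WP_SECRETS:
            return m.group(0)        # DB_PASSWORD and friends are left alone here
        replaced.append(name)
        return f"define('{name}', '{new_secret()}');"

    new_text = DEFINE_RE.sub(replace, config_text)
    missing = [k for k in WP_SECRETS if k not in replaced]
    if missing:
        # Refuse rather than silently leave one key, and its cookies, unrotated.
        raise ValueError("no define() found for: " + ", ".join(missing))
    return new_text, replaced


def rotate_file(path: str, backup_dir: str) -> List[str]:
    """Rotate a real wp-config.php in place (hypothetical helper). The old copy
    goes to backup_dir, which must be outside the web root: a readable
    wp-config.php.bak is exactly what attackers probe for."""
    p, bdir = Path(path), Path(backup_dir)
    original = p.read_text()
    new_text, replaced = rotate_secrets(original)
    (bdir / (p.name + ".bak")).write_text(original)
    p.write_text(new_text)
    return replaced


# Constructed excerpt of a wp-config.php with the placeholders a fresh install ships with.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_PASSWORD', 'old-db-password');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    rotated, names = rotate_secrets(SAMPLE_WP_CONFIG)
    print("rotated:", ", ".join(names))
    print(rotated)
```

    Rotating the keys logs everyone out, including you, which is the intended effect; it does nothing against a back door that doesn’t need a cookie, which is why the clean-up below still has to happen.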

    While it’s possible to clean up WordPress after it’s been hijacked, it’s
    safer and easier to wipe WordPress, reinstall it, then restore your blog
    from a backup taken before the break-in. If you choose not to do this, you
    need to check anywhere hackers could have installed back doors: in your
    .htaccess file, in your PHP scripts (including PHP files dropped into
    wp-content/uploads, where none belong), in your theme and plug-in files,
    and in the user list, where an extra administrator account is a back door
    that needs no code at all. Again, the WordPress Codex has advice on what
    to do. Be sure to download clean versions of your theme and plug-ins
    rather than reusing the copies on the server. When WordPress is clean,
    change your passwords again, since a back door may have captured the ones
    you set on the first pass. Finally, make another backup of the cleaned
    blog and monitor your logs to look for further hijack attempts.
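    As an added example covering both step 5’s scanning and the back-door check here (it is my code, not the Exploit Scanner plug-in and not the Codex procedure), the script below walks a WordPress tree and flags the tells described above: PHP files under uploads, eval of decoded blobs or of request data, request data passed to a shell, the preg_replace /e modifier, long base64 literals, and .htaccess rules that redirect elsewhere or hand image extensions to PHP. The miniature site it scans is constructed in a temp directory, and the pattern list is deliberately small, so a clean run is a lead, not a clean bill of health.

```python
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# Constructs seen in injected PHP and web shells. A hit is a lead to open
# the file and read it, not proof: minified code and some plug-ins trip these too.
PHP_PATTERNS = [
    ("eval of a decoded blob",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13)\s*\(", re.I)),
    ("eval of request data",
     re.compile(r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("request data passed to a shell",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with the /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"]/.*?/[a-z]*e[a-z]*['\"]", re.I)),
    ("long base64 literal",
     re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]")),
]

HTACCESS_PATTERNS = [
    ("rewrite or redirect to another site",
     re.compile(r"^\s*(RewriteRule|RedirectMatch|Redirect)\s+.*https?://", re.I | re.M)),
    ("non-PHP extension handed to the PHP handler",
     re.compile(r"^\s*(AddType|AddHandler|SetHandler)\s+\S*php\S*\s+.*\.(jpg|jpeg|png|gif|txt|ico)", re.I | re.M)),
    ("auto_prepend_file/auto_append_file set",
     re.compile(r"php_value\s+auto_(prepend|append)_file", re.I)),
]

PHP_SUFFIXES = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}


def scan_tree(root) -> List[Tuple[str, str]]:
    """Walk a WordPress install and return (relative path, reason) pairs."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if path.name == ".htaccess":
            for reason, rx in HTACCESS_PATTERNS:
                if rx.search(text):
                    findings.append((rel, reason))
        if path.suffix.lower() in PHP_SUFFIXES:
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file inside wp-content/uploads"))
            for reason, rx in PHP_PATTERNS:
                if rx.search(text):
                    findings.append((rel, reason))
    return findings


def build_sample_site() -> str:
    """Constructed miniature install in a temp dir: two clean files, a
    referrer-based redirect in .htaccess, a shell in uploads, and a theme
    footer with injected code."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    files = {
        "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire './wp-blog-header.php';\n",
        "wp-content/themes/twentyten/header.php": "<?php wp_head(); ?>\n",
        ".htaccess": (
            "RewriteEngine On\n"
            "RewriteCond %{HTTP_REFERER} (google|bing) [NC]\n"
            "RewriteRule ^(.*)$ http://redirect.example/go.php [R=301,L]\n"
        ),
        "wp-content/uploads/2011/03/cache.php":
            "<?php @eval(base64_decode($_POST['c'])); ?>\n",
        "wp-content/themes/twentyten/footer.php":
            "<?php wp_footer(); eval(gzinflate(base64_decode('" + "QUJD" * 70 + "'))); ?>\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return str(root)


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{rel}: {reason}")
```

    Run it against the real document root (`scan_tree("/var/www/html")`) and read every file it names; if you also keep a pristine copy of the same WordPress, theme and plug-in versions, a file-by-file diff against that copy catches what no pattern list will.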

    If you make blog security part of your routine, like checking your
    email, you can dismiss your worries and get back to your writing.

    Additional Resources

    Many thanks to Triona for this excellent advice on site security. Be sure to visit her blog.

    If you’re thinking of starting your own website, or would like information on how to improve your site/blog—from a content perspective, not a technical/security perspective—you’ll want to check out the class that I am offering on April 7. Registration will soon appear here.


    6 Responses to 10 Steps to Secure Your WordPress Blog From Hackers

    1. Elen says:

      Thank you, Jane. I found this most helpful. Some things were already being done, but now we have implemented others. I read you daily; and you are, from time to time, highlighted in my Friday Finds on the Feed. Cheers!

    2. @Triona and Clive, thanks for all these good tips. I’m guessing that it will take me at least a year to understand them, since they seem like gobbledygook to me. I’ve used computers since keypunch days, but this recent stuff is quite confusing. I realize that your explanations make sense to you, but I’ll have to really struggle to understand them.
      My website people have taught me how to do backups and upgrades. I’ve never heard of not becoming an administrator, though. Moreover, a recent upgrade of both WP version and the "sharing plug-in" left me in a fix because I use the latter to share my blog posts to my Facebook page. FB now thinks the post is coming from the blog archive. I only state this as an example that a WP blogger is not working with just WP–it’s like starting a new drug, since you have to watch out for the interactions.
      I’m coming out with a new book soon, so that’s probably time to get a website upgrade. In this case, I’ll ask my website people about some of your tips if I still don’t understand them.
      Thanks again.

    3. Great tips, Clive! Thanks so much for jumping in.

    4. Clive says:

      OK, always good to see anti-hacking stuff here, or on any site about WordPress:

      Some tips possibly missed:

      1) Turn your original ‘admin’ sign in to ‘Subscriber’ once you have moved your new admin over to something sensible such as: %Daisy21_admin%

      You could always delete your original ‘admin’ profile but some say that’s unwise – as I am too, unwise that is, I can’t comment.

      2) Use a Login Limit plugin (there are a couple of good free ones out there) so spambots can’t just keep trying and trying ’til they get lucky (BTW most of those bots assume your User ID is ‘admin’).

      3) I was also surprised that the post didn’t mention how to back up your site properly. It’s all very well backing up your Database with your preferred plugin but that doesn’t save your image/audio uploads/themes/plugins or tweaks or any other fancy stuff you’ve added.

      So do not think, as many do, that simply by re-instating your database that everything is going to be tickety-boo … it ain’t!

      So, over and above your database you need to back up your ‘uploads’ folder and your wp-config.php file to be sure that you can reinstate your whole site on another hosting site for example – and that’s the acid test as far as I’m concerned. Your plugins and your theme – as somebody who constantly tweaks a theme’s code that’s mega for me.

      Anyway, I post more about it here on my free WordPress tutorial site:


      Yep, I know it’s not clickable so I’ve added it to my post signature up above.

      And I hope this has added something to the discussion.



    5. Ako says:

      Thanks for point no. 5. Was not aware of the existence of such a plugin.

    6. Thanks for sharing this very important information. I’m heading over to my blog to make some changes right away.
