How To Avoid Your Wordpress Website Being Hacked
Whether or not you currently use security measures on your website or blog, online security is a very real issue. Many people forget to update their security, or never add it to their blog or website at all, which can mean disaster if you are not careful. Nowadays there are many hackers and spammers out there trying to make a few bucks from your misery; some even destroy other people's websites because they think it's fun. Well, let me tell you, it is not fun if you are on the receiving end of it!
Losing your blog or website's content can destroy a business, a reputation or just the online presence you have been trying to scale up; imagine having a blog with hundreds of posts, comments and even affiliate links, only to find that it has been destroyed the very next day! Not a nice feeling. However, there are ways of making your website's security much stronger than before. You can add plugins, update your blog's framework; basically there are many ways of going about securing your blog or website. So to help you out I have written this short but informative article. I hope it helps some of you.
This post was put together by myself, of course, but also by my genius blogging friend Julius, who runs And Break! Check out his blog for many great tips.
Back Up Your Blog
Before making any changes to your blog, be sure to back it up. The problem with most of the free plugins is that they don't back up all of your data. For example, if your Wordpress blog gets deleted and you restore the backup from a free plugin, you will still have lost a lot of your data, such as the images, as they are not backed up by these plugins. That is why I would recommend using Backup Buddy, which backs up your complete Wordpress blog and lets you easily restore it at a later point in time.
If you have concerns as to whether your blog could get hacked then be sure to take a look at Backup Buddy.
Use Strong Passwords
Strong passwords are essential for high-privileged users such as administrators. Without them your blog will be vulnerable to brute force attacks. Essentially these are attacks in which the attacker tries to guess the password by going through lots of username and password combinations. If you use secure passwords then the chances of a successful brute force attack become extremely low.
Here are some tips as to what secure passwords should include:
- use at least 1-2 numbers
- use upper and lower case characters
- use special characters such as !@#…
You should also not use passwords such as your birth date or your hobbies. These kinds of passwords are very insecure since hackers can find personal information easily.
Another important step you have to take is to use lots of different passwords. It is nice to have just one single password and access everything through it, but imagine what happens if someone learns this password. They can basically access all your accounts.
For that reason use lots of different passwords.
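As an added example (not from the original post), the checker below turns the rules above into code: it reports which rules a password breaks, flags passwords that contain personal details such as a birth year, and finds a password that is reused across several accounts. The function names and the 12-character minimum are my own assumptions; the post itself gives no minimum length.

```python
import re

MIN_LENGTH = 12  # assumption: the post sets no minimum, 12 is a conservative floor


def check_password(password, personal_info=()):
    """Return a list of rule violations; an empty list means the password passes.

    personal_info: strings the owner would rather not see in a password
    (birth dates, hobbies, pet names ...). Matching ignores case and punctuation.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no digits")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("missing upper- or lower-case letters")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")

    # Compare on a normalised form so "1987-05-23" still matches "Summer19870523!"
    normalised = re.sub(r"[^a-z0-9]", "", password.lower())
    for item in personal_info:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if token and token in normalised:
            problems.append(f"contains personal information: {item!r}")
    return problems


def find_reused_passwords(accounts):
    """accounts: mapping of site name -> password.

    Returns {password: [sites]} for every password used on more than one site,
    which is exactly the "one password for everything" situation the post warns about.
    """
    by_password = {}
    for site, password in accounts.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample input
    print(check_password("Summer1987!", personal_info=["1987"]))
    print(find_reused_passwords({"blog": "Tr0ub4dor&3xyz!Q", "mail": "Tr0ub4dor&3xyz!Q", "bank": "k9$Lm2#pQr7!vWz"}))
```

The personal-information check is deliberately simple substring matching; it catches the obvious cases the post mentions (birth dates, hobbies) but is no substitute for a long, randomly generated password stored in a password manager.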
Keep Up with Patches and Updates

This is another vital step in securing your blog. Patches and updates are created in order to fix security holes and to add to the software’s functionality. There is no reason not to install them.
Essentially you should also keep yourself informed about changes in Wordpress and vulnerabilities in general. I therefore advise you to follow these two feeds:
The first one is the Wordpress development feed where new releases and latest updates for Wordpress are posted. The other is the feed from BlogSecurity.net. These guys often post vulnerabilities existing in plugins or in Wordpress.
Use SSH instead of FTP
FTP in general is not as secure as people think it is. Your credentials and files are usually sent unencrypted and are easy to capture.
A very secure alternative to FTP is SSH. SSH encrypts all the data sent through it, including file transfers (SFTP or SCP), and you might change your mind about using FTP to upload!
Use Supported Wordpress Themes
Most people think that Wordpress themes themselves don't pose a security risk, but some do. Themes can pose a security risk because not every web developer knows how to write secure code.
For this reason it is good to stick with a theme that is supported and updated from time to time. Supported Wordpress themes are generally available for a fee, but it's better to be safe than sorry. These paid themes are called premium themes. Such themes are offered by web sites such as Woo Themes or Thesis.
Another advantage about professional templates is that when you run into trouble, you have a place that you can turn to.
Scan Plugins for Viruses After Download
Today you can so easily download plugins and install them within seconds on your blog. But you have to be careful with what kind of extensions you download. Plugins can contain malicious code. Because of this it makes sense to scan for malware right after downloading them.
You especially need to do that with plugins that you downloaded from places other than the Wordpress plugin directory.
For this task it’s best to use anti-virus software. Newer operating systems automatically check for viruses after downloading files. If you use an old operating system I would recommend scanning your download directory maybe once a week or right after downloading new files.
Change the Database Table Prefix

In order to make your database more secure you should change your database table prefix. The default prefix is wp_ and it should be changed to something different, something more complicated and harder to guess like 5rt30k_.
That’s where is useful since it will do this for you. You should install the WP Security plugin anyway as it will show you potential security risks on your blog.
Limit Access to the Wp-Content Directory
Wp-content is an important Wordpress directory. Users should only be able to access certain file types within this directory. These file types include pictures (.jpeg, .gif, .png), Javascript (.js), CSS (.css) and XML (.xml).
It therefore makes sense to prohibit access to all other types of files. The code below will allow access to pictures, Javascript, CSS and XML files but will not allow access to any other files. It should be placed in the .htaccess file within the wp-content folder (note the escaped dot in the pattern, so that only the file extension is matched):
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
That’s all you need to do.
Secure wp-config.php
Wp-config.php is a very important file since it contains all the access information and keys that are vital to securing your blog. We can secure the file by adding these lines to the .htaccess file in the Wordpress root directory (where the wp-config file is):
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
This code denies everyone access to the wp-config.php file.
No Directory Browsing
Another vital change concerning Wordpress security is to prohibit people from browsing your website’s directory structure. If you want to see what this looks like just enter “index of” into Google and Google will list all the web sites that allow the browsing of directories.
In order to stop this behavior all you have to do is add the line below to your .htaccess file in the root directory of Wordpress.
Options All -Indexes
This will stop the behavior once and for all.
Keep Search Engines from Indexing the Admin Section
Search engine crawlers index almost all content unless they are told not to. Your admin section being indexed in search engines can be a major security threat.
Therefore it is good to just keep crawlers away from all Wordpress directories. The easiest way to do it is to create a robots.txt file in your root directory and place the following code in it (the User-agent line is required for the rule to apply):
User-agent: *
Disallow: /wp-*
Secure Your Plugin Directory

The plugins you use can tell a malicious user a lot about your web site, therefore it is wise to hide them.
You can easily hide the plugin list. First of all open up a text editor and just create an empty file named index.html. Then upload this file to your wp-content/plugins/ directory.
Delete the Default Admin Account
Every Wordpress installation comes with an account named admin, so hackers have an easier time breaking into your account since they already know the username. By deleting the admin account, malicious users do not learn your username so easily.
You cannot delete your administrator account right away if you do not have a new admin account, so follow these steps:
- Create a new administrator account (with a user name that’s harder to guess)
- Log out
- Log in using the new administrator account and password
- Delete the old account
Change Default Access Rights for Users
The default access rights are pretty secure but if you want to be on the safe side and have more control over the rights every user on your blog has, then this is essential.
It is pretty simple to set it up. All you have to do is:
- Download the
- Upload it to your Wordpress blog
- Activate it
Then go to the Users section of your blog. There you can set up the Role Manager plugin to suit your needs.
Delete Inactive User Accounts
Inactive user accounts are annoying and also a security risk. Some people choose weak passwords when they sign up for your blog. If the account is inactive but still on your blog, malicious users could use this account to get access to your blog.
Therefore the best thing to do is to just delete inactive user accounts in Wordpress (though you need to ensure that it doesn’t break anything). In order to do that go to your Wordpress dashboard and click on Users. This takes you to the page where every user will be listed.
Then go ahead and delete the ones you know are inactive.
Add Wordpress Authentication Keys to wp-config.php
Adding Wordpress keys is another . These keys should be random and work as salts for Wordpress cookies, thereby ensuring better encryption of user data.
Use the to generate these keys and just replace, in the wp-config.php file, the lines below with the generated ones:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
That’s actually all you have to do.
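If you would rather generate the keys locally than fetch them from a web service, the script below (an added example, not from the original post) produces four random 64-character keys from the operating system's secure random source, prints them as ready-to-paste define() lines, and can also audit an existing wp-config.php for keys that are still the placeholder text or suspiciously short. The 64-character length and the 32-character "too short" threshold are my assumptions; the key names and placeholder phrase are the ones shown above.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
KEY_LENGTH = 64          # assumption: matches the length of keys commonly used for these constants
MIN_ACCEPTABLE = 32      # assumption: anything shorter is treated as weak by the audit

# Printable ASCII without whitespace, quotes or backslash, so the value can be dropped
# into a single-quoted PHP string without any escaping.
KEY_ALPHABET = "".join(c for c in string.printable if c not in "'\"\\ \t\n\r\x0b\x0c")


def generate_key(length=KEY_LENGTH):
    """One random key built with the secrets module (CSPRNG), never random.random()."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def render_defines(keys):
    """Turn {name: value} into the define() lines that go into wp-config.php."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in keys.items())


def generate_defines():
    return render_defines({name: generate_key() for name in KEY_NAMES})


def find_weak_keys(config_text):
    """Return the names of keys that are missing, still the placeholder, or too short."""
    weak = []
    for name in KEY_NAMES:
        pattern = r"define\(\s*['\"]%s['\"]\s*,\s*['\"](.*?)['\"]\s*\)" % name
        match = re.search(pattern, config_text)
        if match is None or match.group(1) == PLACEHOLDER or len(match.group(1)) < MIN_ACCEPTABLE:
            weak.append(name)
    return weak


if __name__ == "__main__":
    print(generate_defines())
    # Constructed sample of a wp-config.php that was never updated
    sample = "define('AUTH_KEY', 'put your unique phrase here');\n"
    print("weak keys:", find_weak_keys(sample))
```

Changing these keys invalidates every existing login cookie, so all users (including you) will have to sign in again afterwards.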
Install a Wordpress Firewall

There is a plugin out there called which actually protects your blog from malicious hackers. What it does is to alert you whenever someone is trying to hack your blog. It will also of course block the attempt of the hacker.
The problem with this plugin is that it does its job too well. That means that it usually also blocks you from making any changes to your blog. If you edit your Wordpress theme file and then click save the Firewall plugin will block it. This also happened to me when using the Smush.it plugin manually.
This is extremely annoying but at least it shows you that the plugin indeed works. The only thing you can do if you want to edit files like these is to disable the plugin and re-enable it later.
Drop the Wordpress Version String
<meta name="generator" content="WordPress 2.5" />
The version string that Wordpress automatically adds to your theme is important because it gives a malicious user the information about whether a blog is patched or not. If it is an outdated version the attacker will immediately start to look for security holes that were made public about that specific Wordpress version.
Wordpress automatically adds this version string to your theme. The line of code below tells Wordpress not to add the version string to your header. All you have to do is add it to your theme's functions.php file.
<?php remove_action('wp_head', 'wp_generator'); ?>
Now take a look at the source code of your web site. If the generator meta tag is still in there then you should check whether your header.php contains such a line:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
If that’s the case then go ahead and delete it.
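To check that the change worked without reading the whole source by hand, the scanner below (an added example, not from the original post) parses an HTML page, collects every generator meta tag and extracts the Wordpress version if one is leaked. It only covers the generator tag discussed here; the sample pages are constructed and the function names are my own.

```python
import re
from html.parser import HTMLParser


class GeneratorTagFinder(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        # html.parser lower-cases attribute names already; normalise values defensively
        attributes = {key.lower(): (value or "") for key, value in attrs}
        if attributes.get("name", "").lower() == "generator":
            self.generators.append(attributes.get("content", ""))


def find_wordpress_version(html):
    """Return the Wordpress version string leaked by a generator tag, or None if none is found."""
    parser = GeneratorTagFinder()
    parser.feed(html)
    for content in parser.generators:
        match = re.match(r"\s*wordpress\s+([\d.]+)", content, re.IGNORECASE)
        if match:
            return match.group(1)
    return None


# Constructed sample pages: one before the fix, one after
LEAKY_PAGE = (
    '<html><head><meta name="generator" content="WordPress 2.5" />'
    "<title>Blog</title></head><body></body></html>"
)
CLEAN_PAGE = "<html><head><title>Blog</title></head><body></body></html>"

if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("clean", CLEAN_PAGE)):
        print(label, "->", find_wordpress_version(page))
```

Run it against a saved copy of your front page (for example fetched with curl) after editing functions.php and header.php; a result of None means the generator tag is gone.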
Use HTTPS When Logging in to Your Dashboard
HTTPS is the secure version of HTTP. When using HTTPS your data, i.e. passwords and usernames, are not sent in clear text; instead they are encrypted. This makes it much harder for people to intercept and decode your password and username.
If you want to use HTTPS when logging into your Wordpress dashboard, add the line below to wp-config.php.
define('FORCE_SSL_LOGIN', true);
The line above forces Wordpress to use SSL when logging into your administration panel, but only when logging in. It does not enforce the use of SSL while using your dashboard.
Instead of doing this manually you can also just add a plugin like
Block Access Attempts to wp-admin Directory
The wp-admin folder is one of the most important directories on your blog. You can access your dashboard through it. Blocking other people from accessing this directory is an essential step in securing your blog.
You can do this by creating an .htaccess file in the wp-admin directory. Add the code below to it, but change the IP addresses to your own. If you don't know what your IP address is then just visit .
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
It does not make sense to use this code if you have lots of people writing on your blog, especially if they change frequently. The problem is that you always need to add or delete IP addresses based on who needs access to your blog at the moment.
Another drawback is when your Internet provider assigns you a dynamic IP-address, meaning that your IP-address is changing constantly. If that’s the case then don’t add the code to the .htaccess file.
Restrict the Number of Failed Wordpress Login Attempts
Restricting the number of failed attempts prevents users from using brute force techniques on your Wordpress account. A brute force attack is an attempt to find out the user password through trying out every single possible password.
As a counter measure there are plugins that automatically ban a user for an hour if he got the password wrong three times in a row. is one of these Wordpress plugins.
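To make the lockout rule concrete, here is an added example (not from the original post and not the code of any plugin) of the bookkeeping such a plugin has to do: three wrong passwords in a row lock the account for an hour, a correct password resets the counter, and a locked account is refused without even checking the password. The class name and the injectable clock are my own design choices so the behaviour can be tested without waiting an hour.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3        # from the post: three wrong passwords in a row ...
LOCKOUT_SECONDS = 3600  # ... lock the user out for an hour


class LoginThrottle:
    """Tracks consecutive failed logins per username and enforces a temporary lockout."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                 # injectable for testing
        self.failures = defaultdict(int)   # user -> consecutive failures
        self.locked_until = {}             # user -> unix time the lock expires

    def is_locked(self, user):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: forget it so the user gets a fresh run of attempts
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user):
        """Count one wrong password; returns True if this failure triggered a lockout."""
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, user):
        self.failures[user] = 0
        self.locked_until.pop(user, None)

    def attempt(self, user, password, verify):
        """Full login check. verify(user, password) is the real credential check.

        Returns 'locked' (refused without checking), 'ok' or 'bad'.
        """
        if self.is_locked(user):
            return "locked"
        if verify(user, password):
            self.record_success(user)
            return "ok"
        return "locked" if self.record_failure(user) else "bad"


if __name__ == "__main__":
    throttle = LoginThrottle()
    check = lambda user, password: password == "correct horse"  # constructed stand-in for the real check
    for guess in ("a", "b", "c", "correct horse"):
        print(guess, "->", throttle.attempt("admin", guess, check))
```

Keying the lock on the username alone means an attacker can lock a legitimate user out on purpose; real plugins usually count per source IP address as well, and an in-memory dictionary like this one would need to move to the database to survive across PHP requests.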
Hide Dashboard Log-In Errors
Have you ever noticed that when you try to log in with an existing username and a wrong password you get a message saying Error: Incorrect Password, whereas if you log in with a non-existent username and some password a different message shows up reporting Error: Invalid Username?
This helps malicious users figure out which usernames exist.
Therefore I advise you to add the following line to your functions.php file (written as a closure, since create_function is no longer available in current PHP versions):
add_filter('login_errors', function ($error) { return null; });
Every time an error now occurs a blank line will appear. Try it out.