22 Tips To Prevent Your WordPress Blog Being Hacked
How To Avoid Your WordPress Website Being Hacked
Whether or not you currently use security measures on your website or blog, the fact of the matter is that online security is a very real issue, and many people forget to update or even add it to their blog or website, which can mean disaster if you are not careful. Nowadays there are many hackers and spammers out there trying to make a few bucks from your misery; some even destroy other people's websites because they think it's fun to do. Well let me tell you, it is not fun if you are on the receiving end of it!
Losing your blog or website's content can destroy a business, a reputation or just the online presence you have been trying to scale up; imagine having a blog with hundreds of posts, comments and even affiliate links only to find that it has been destroyed the very next day! Not a nice feeling. However, there are ways of making your website's security a good deal stronger than before. You can add plugins, update your blog's framework; basically there are many ways of going about securing your blog or website. So to help you out I have written this short but informative article. I hope it helps some of you.
This post was put together by myself, of course, but also by my genius blogging friend Julius, who runs And Break! Check out his blog for many great tips.
Back Up Your Blog
Before making any changes to your blog, be sure to back it up. The problem with most free plugins is that they don't back up all of your data. For example, if your WordPress blog gets deleted and you restore the backup from a free plugin, you will still have lost a lot of your data, such as the images, as they are not backed up by these plugins. That's why I would recommend using Backup Buddy, which backs up your complete WordPress blog and lets you easily restore it at a later point in time.
If you have concerns as to whether your blog could get hacked then be sure to take a look at Backup Buddy.
Use Strong Passwords
Strong passwords are essential for high-privileged users such as administrators. Without them your blog will be vulnerable to brute force attacks. Essentially these are attacks in which the attacker tries to guess the password by going through lots of user name and password combinations. If you use secure passwords then the chances of a successful brute force attack become extremely low.
Here are some tips as to what secure passwords should include:
- use at least 1-2 numbers
- use upper and lower case characters
- use special characters such as !@#…
You should also not use passwords based on your birth date or your hobbies. These kinds of passwords are very insecure since hackers can find personal information easily.
Another important step you have to take is to have lots of different passwords. It is nice to have just one single password and access everything through it, but imagine what happens if someone knows this password. He can basically access all your accounts.
For that reason use lots of different passwords.
Keep Up with Patches and Updates
This is another vital step in securing your blog. Patches and updates are created in order to fix security holes and to add to the software’s functionality. There is no reason not to install them.
Essentially you should also keep yourself informed about changes in WordPress and vulnerabilities in general. I therefore advise you to follow these two feeds:
The first one is the WordPress development feed where new releases and latest updates for WordPress are posted. The other is the feed from BlogSecurity.net. These guys often post vulnerabilities existing in plugins or in WordPress.
Use SSH instead of FTP
FTP in general is not as secure as people think it is. Your FTP credentials are usually not encrypted and are easy to capture.
A far more secure alternative to FTP is SSH. SSH encrypts all the data sent through it, including files (file transfers over SSH use SFTP or SCP). Read this story and you might change your mind about using FTP to upload!
Use Supported WordPress Themes
Most people think that WordPress themes themselves don't pose a security risk, but some do. Themes can pose a security risk because not every web developer knows how to write secure code.
For this reason it is good to stick with a theme that is supported and updated from time to time. Supported WordPress themes are generally available for some money, but it’s better to be safe than sorry. These paid themes are called premium themes. Such themes are offered by web sites such as Woo Themes or Thesis.
Another advantage about professional templates is that when you run into trouble, you have a place that you can turn to.
Scan Plugins for Viruses After Download
Today you can so easily download plugins and install them within seconds on your blog. But you have to be careful with what kind of extensions you download. Plugins can contain malicious code. Because of this it makes sense to scan for malware right after downloading them.
You especially need to do that with plugins that you downloaded some places other than the WordPress plugin directory.
For this task it’s best to use anti-virus software. Newer operating systems automatically check for viruses after downloading files. If you use an old operating system I would recommend scanning your download directory maybe once a week or right after downloading new files.
Change the Database Table Prefix
In order to make your database more secure you should change your database table prefix. The default prefix is wp_ and it should be changed to something different, something more complicated and harder to guess like 5rt30k_.
That’s where WP Security Scan is useful since it will do this for you. You should install the WP Security plugin anyway as it will show you potential security risks on your blog.
Limit Access to the Wp-Content Directory
Wp-content is an important WordPress directory. Users should only be able to access certain file types within this directory. These file types include pictures (.jpeg, .gif, .png), Javascript (.js), CSS (.css) and XML (.xml).
It therefore makes sense to prohibit access to all other types of data. The code below will allow access to pictures, Javascript, CSS and XML files but will not allow access to any other data. The code below should be placed in the .htaccess file within the wp-content folder.
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
That’s all you need to do.
Secure wp-config.php
Wp-config.php is a very important file since it contains all the access information and keys that are vital to securing your blog. We can secure the file by adding these lines to the .htaccess file in the WordPress root directory (where the wp-config file is):
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
This code denies everyone access to the wp-config.php file.
No Directory Browsing
Another vital change concerning WordPress security is to prohibit people from browsing your website’s directory structure. If you want to see what this looks like just enter “index of” into Google and Google will list all the web sites that allow the browsing of directories.
In order to stop this behavior all you have to do is add the line of code from below to your .htaccess file in the root directory of WordPress.
Options All -Indexes
This will stop the behavior once and for all.
Keep Search Engines from Indexing the Admin Section
Search engine crawlers index almost all content unless they are told not to. Having your admin section indexed by search engines can be a major security threat.
Therefore it is good to just keep crawlers away from all WordPress directories. The easiest way to do it is to create a robots.txt file in your root directory and place the following in it (the User-agent line is required; a Disallow line on its own is not valid robots.txt). Keep in mind that robots.txt only asks well-behaved crawlers to stay away; it does not block access, so it complements rather than replaces the .htaccess rules above.
User-agent: *
Disallow: /wp-*
Secure Your Plugin Directory
The plugins you use can tell a malicious user a lot about your web site therefore it is wise to hide them.
You can easily hide the plugins. First of all, open up a text editor and create an empty file named index.html. Then upload this file to your wp-content/plugins/ directory.
Delete the Default Admin Account
Every WordPress installation comes with an account named admin, so hackers have an easier time breaking into your account since they already know the user name. By deleting the admin account, malicious users do not get to know your user name so easily.
You cannot delete your administrator account right away if you do not have a new admin account, so follow these steps:
- Create a new administrator account (with a user name that’s harder to guess)
- Log out
- Log in using the new administrator account and password
- Delete the old account
Change Default Access Rights for Users
The default access rights are pretty secure but if you want to be on the safe side and have more control over the rights every user on your blog has, then this is essential.
It is pretty simple to set it up. All you have to do is:
- Download the Role Manager plug-in
- Upload it to your WordPress blog
- Activate it
Then go to the Users section of your blog. There you can set up the Role Manager plugin to suit your needs.
Delete Inactive User Accounts
Inactive user accounts are annoying and also a security risk. Some people choose weak passwords when they sign up for your blog. If the account is inactive but still on your blog, malicious users could use this account to get access to your blog.
Therefore the best thing to do is to just delete inactive user accounts in WordPress (though you need to ensure that it doesn’t break anything). In order to do that go to your WordPress dashboard and click on Users. This takes you to the page where every user will be listed.
Then go ahead and delete the ones you know are inactive.
Add WordPress Authentication Keys to wp-config.php
Adding WordPress keys is another important security measure. These keys should be random; they work as salts for WordPress cookies, thereby ensuring better protection of the user data held in them.
Use the WordPress Key Generator to generate these keys and just replace, in the wp-config.php file, the lines below with the generated ones:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
That’s actually all you have to do.
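As an added example (not from the post and not the WordPress Key Generator's code), the following Python script generates the keys locally with the `secrets` module instead of fetching them from an online service, and rewrites only the placeholder lines in a copy of wp-config.php. The character set and the 64-character length are my choices, and the sample wp-config fragment is constructed; besides the four keys named above, the script also covers the four matching *_SALT constants (AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT) that newer WordPress versions define alongside them.

```python
import re
import secrets
import string

# Printable ASCII minus the two characters that would break a single-quoted
# PHP string literal. The alphabet and the 64-character length are choices
# made for this example, not requirements imposed by WordPress.
KEY_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\\"
)
KEY_LENGTH = 64

# The four keys named in the post plus the four *_SALT constants that newer
# WordPress versions define next to them.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY"]
SALT_NAMES = ["AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Matches a define() line that still carries WordPress's placeholder phrase.
PLACEHOLDER_RE = re.compile(
    r"""^(\s*)define\(\s*['"]([A-Z_]+)['"]\s*,\s*['"]put your unique phrase here['"]\s*\)\s*;"""
)


def generate_key(length=KEY_LENGTH):
    """One key drawn from the OS CSPRNG via secrets, never from random.random."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def render_defines(names=tuple(KEY_NAMES + SALT_NAMES)):
    """Fresh define() lines, one per name, ready to paste into wp-config.php."""
    return "\n".join(f"define('{name}', '{generate_key()}');" for name in names)


def count_placeholders(wp_config_text):
    """How many define() lines still use the placeholder phrase."""
    return sum(1 for line in wp_config_text.splitlines() if PLACEHOLDER_RE.match(line))


def replace_placeholders(wp_config_text):
    """Rewrite only the define() lines still carrying the placeholder phrase;
    every other line of the file is returned untouched."""
    out = []
    for line in wp_config_text.splitlines():
        m = PLACEHOLDER_RE.match(line)
        if m:
            indent, name = m.groups()
            line = f"{indent}define('{name}', '{generate_key()}');"
        out.append(line)
    return "\n".join(out)


# Constructed wp-config.php fragment containing the placeholder lines from the post.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
$table_prefix = '5rt30k_';
"""

if __name__ == "__main__":
    print(replace_placeholders(SAMPLE_WP_CONFIG))
```

Run it against a copy of your real wp-config.php (read the file into `replace_placeholders`, write the result back) and check that `count_placeholders` returns 0 afterwards. Changing the keys invalidates every existing login cookie, so all users will have to log in again.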
Install a WordPress Firewall
There is a plugin out there called WordPress Firewall 2 which actually protects your blog from malicious hackers. What it does is to alert you whenever someone is trying to hack your blog. It will also of course block the attempt of the hacker.
The problem with this plugin is that it does its job too well. That means that it usually also blocks you from making any changes to your blog. If you edit your WordPress theme file and then click save the Firewall plugin will block it. This also happened to me when using the Smush.it plugin manually.
This is extremely annoying but at least it shows you that the plugin indeed works. The only thing you can do if you want to edit files like these is to disable the plugin and re-enable it later.
Drop the WordPress Version String
<meta name="generator" content="WordPress 2.5" />
The version string that WordPress automatically adds to your theme is important because it gives a malicious user the information about whether a blog is patched or not. If it is an outdated version the attacker will immediately start to look for security holes that were made public about that specific WordPress version.
WordPress usually adds this version string to your theme automatically. The line of code below tells WordPress not to add the version string to your header. All you have to do is add the code to your theme's functions.php file.
<?php remove_action('wp_head', 'wp_generator'); ?>
Now take a look at the source code of your web site. If the generator meta tag is still in there then you should check whether your header.php contains such a line:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
If that’s the case then go ahead and delete it.
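To do the "take a look at the source code" check without eyeballing it, here is an added Python script (not from the post) that scans a saved copy of your page source or feed and reports every place the version still shows. It goes a little beyond the generator tag discussed above: WordPress also appends `?ver=<version>` to core scripts and stylesheets it enqueues without an explicit version, and the RSS feed carries a `<generator>` element that removing the wp_head action does not touch. The sample HTML and feed snippets are constructed.

```python
import re

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")
# src/href values whose query string carries a ver= parameter
ASSET_VER_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']*\?[^"']*?\bver=([^"'&]+))""", re.I)
# The generator element WordPress writes into its RSS feed
FEED_GENERATOR_RE = re.compile(
    r"<generator>\s*https?://wordpress\.org/\?v=([^<\s]+)\s*</generator>", re.I
)


def find_version_leaks(document):
    """Return every place a WordPress version string is visible in the given
    HTML page or RSS feed text."""
    leaks = {"generator_meta": None, "asset_versions": [], "feed_generator": None}
    for tag in META_TAG_RE.findall(document):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if (attrs.get("name", "").lower() == "generator"
                and attrs.get("content", "").lower().startswith("wordpress")):
            leaks["generator_meta"] = attrs["content"]
    for url, version in ASSET_VER_RE.findall(document):
        # Core assets under wp-includes/ get the WordPress version by default;
        # theme and plugin assets usually carry their own version numbers.
        if "/wp-includes/" in url:
            leaks["asset_versions"].append((url, version))
    m = FEED_GENERATOR_RE.search(document)
    if m:
        leaks["feed_generator"] = m.group(1)
    return leaks


def is_clean(document):
    leaks = find_version_leaks(document)
    return (leaks["generator_meta"] is None
            and not leaks["asset_versions"]
            and leaks["feed_generator"] is None)


# Constructed sample: a default theme header before hardening.
LEAKY_HTML = """<html><head>
<meta name="generator" content="WordPress 2.5" />
<script src="http://example.com/wp-includes/js/jquery/jquery.js?ver=2.5"></script>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css?ver=1.0" />
</head><body></body></html>"""

# Constructed sample: the same header with the generator tag removed and the
# core script enqueued without a version parameter.
HARDENED_HTML = """<html><head>
<script src="http://example.com/wp-includes/js/jquery/jquery.js"></script>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css?v=abc123" />
</head><body></body></html>"""

# Constructed sample: the generator element as it appears in a WordPress RSS feed.
LEAKY_FEED = "<rss><channel><generator>https://wordpress.org/?v=2.5</generator></channel></rss>"

if __name__ == "__main__":
    for name, doc in (("leaky", LEAKY_HTML), ("hardened", HARDENED_HTML), ("feed", LEAKY_FEED)):
        print(name, find_version_leaks(doc))
```

Save your home page and your /feed/ output to files and pass their contents to `find_version_leaks`; anything other than an all-empty result means the version is still visible somewhere, even after the functions.php change above.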
Use HTTPS When Logging in to Your Dashboard
HTTPS is the secure version of HTTP. When using HTTPS your data, i.e. passwords and user names, are not sent in clear text; instead they are encrypted. This makes it much harder for people to intercept and decode your password and user name.
If you want to use HTTPS when logging into your WordPress dashboard, add the line below to wp-config.php.
define('FORCE_SSL_LOGIN', true);
The code above forces WordPress to use SSL when logging into your administration panel but only when logging in. It does not enforce the use of SSL while using your dashboard.
Instead of doing this manually you can also just add a plugin like WordPress HTTPS (SSL)
Block Access Attempts to wp-admin Directory
The wp-admin folder is one of the most important directories on your blog. You can access your dashboard through it. Blocking other people from accessing this directory is an essential step in securing your blog.
You can do this by creating an .htaccess file in the wp-admin directory. Add the code below to it but change the IP-addresses to your own ones. If you don’t know what your IP-address is then just visit WhatIsMyIP.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 64.233.169.99
# whitelist work IP address
allow from 69.147.114.210
allow from 199.239.136.200
It does not make sense to use this code if you have lots of people writing on your blog, especially if they constantly change. The problem is that you always need to add or delete IP addresses based on who needs access to your blog at the moment.
Another drawback is when your Internet provider assigns you a dynamic IP-address, meaning that your IP-address is changing constantly. If that’s the case then don’t add the code to the .htaccess file.
Restrict the Number of Failed WordPress Login Attempts
Restricting the number of failed attempts prevents users from using brute force techniques on your WordPress account. A brute force attack is an attempt to find out the user password through trying out every single possible password.
As a counter measure there are plugins that automatically ban a user for an hour if he got the password wrong three times in a row. Login Lockdown is one of these WordPress plugins.
Hide Dashboard Log-In Errors
Have you ever noticed that when you try to log in with an existing username and a wrong password you get a message saying Error: Incorrect Password? If you log in with a non-existent username and some password, a different message shows up reporting Error: Invalid Username.
This helps malicious users to figure out what kind of usernames exist.
Therefore I advise you to add the following line to your functions.php file:
// create_function() is gone from PHP 8; an anonymous function does the same job
add_filter('login_errors', function ($error) { return null; });
Every time an error now occurs a blank line will appear. Try it out.
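The last two sections together, as an added example in Python that is neither WordPress code nor the code of the plugins mentioned: a small login handler that keeps a per-source failure counter with a one-hour lockout after three consecutive failures (the numbers the post gives for Login Lockdown) and answers every failure with the same message, so neither the text nor the timing of the response tells an unknown user name apart from a wrong password (the post's filter achieves the uniform answer by printing nothing; one fixed message works the same way). The user store, the PBKDF2 hashing and the injectable `clock` are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 3          # consecutive failures before a lockout
LOCKOUT_SECONDS = 3600    # one hour, as in the post's description of Login Lockdown
# One message for every failure, so the response never says whether the user exists.
GENERIC_ERROR = "Error: invalid username or password."

# Dummy credentials used when the user name is unknown, so the handler still
# performs a full hash computation and takes as long as a real comparison.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def hash_password(password, salt=None):
    """PBKDF2-SHA256 for this example's constructed user store (WordPress uses
    its own password hashing; this is not it). Returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)
    return salt, digest


class LoginGuard:
    def __init__(self, users, clock=time.time):
        self._users = users                  # {username: (salt, digest)}
        self._clock = clock                  # injectable so tests can fast-forward
        self._failures = defaultdict(int)    # consecutive failures per source
        self._locked_until = {}              # source -> time the lock ends

    def is_locked(self, source):
        until = self._locked_until.get(source)
        if until is None:
            return False
        if self._clock() >= until:           # lock expired: start counting afresh
            del self._locked_until[source]
            self._failures[source] = 0
            return False
        return True

    def attempt(self, source, username, password):
        """Returns (success, message). source is the client address the
        attempt came from; the lockout is keyed on it, not on the user name."""
        if self.is_locked(source):
            return False, GENERIC_ERROR
        record = self._users.get(username)
        salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
        _, actual = hash_password(password, salt)
        # compare_digest keeps the comparison itself constant-time
        ok = record is not None and hmac.compare_digest(actual, expected)
        if ok:
            self._failures[source] = 0
            return True, ""
        self._failures[source] += 1
        if self._failures[source] >= MAX_FAILURES:
            self._locked_until[source] = self._clock() + LOCKOUT_SECONDS
        return False, GENERIC_ERROR


if __name__ == "__main__":
    # Constructed user store with a single editor account.
    guard = LoginGuard({"editor": hash_password("Correct-Horse-9!")})
    for user, pw in (("nobody", "x"), ("editor", "wrong"), ("editor", "wrong2"),
                     ("editor", "Correct-Horse-9!")):
        print(user, guard.attempt("203.0.113.5", user, pw))
```

Keying the lockout on the client address, as Login Lockdown does, means an attacker cannot lock a legitimate user out just by entering that user's name three times; the trade-off is that many users behind one shared address can be locked out together, which is worth remembering on office networks.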
"Do Not Write Another Blog Post Until You Watch This Free Video..."
Watch this free video to learn...
- How I got over 10,000,000 people to visit my websites.
- The types of blog post that got me all that traffic.
- How to get someone else to do it for you!
Great list Michael, I recently tried to backup my database but I wasn’t too pleased with the result I got. Backup Buddy looks good. And I hope to see your posts more frequently. Peace!
Yo Mike, this is a wonderful list. Thanks for sharing!
Super post Michael. Thanks for reminding us that whether you're running a small blog/website, security is very crucial. Not only big sites are hacked, also small ones. I hope all who read this post will agree and take this matter seriously. Before I forget Michael, please check “Top 10 World Richest Blog / Website Ever – The Top dogs of the $1 trillion a year industry – Information publishing industry -2011 ”; this list was inspired by retire21.com lists.
Links –
I love how comprehensive this list is. Definitely worth going through again to make sure I’m covered.
By the way, are you heading to AwesomenessFest again this year?
Very useful! I think I know where I went wrong before, because my WordPress was hacked, and how I wish I had been able to read your post before that happened so I could prevent it, but the good thing is I now know. Thanks for the information. I so love this.
This has to be one of the best articles I’ve ever read on protecting your blog. I’ve used some backup programs with success and knew about those but there’s obviously a lot more you can do to avoid the problem in the first place. This one will be bookmarked for ongoing reference!
Thanks for the great list Michael!
Awesome tips Mike! Hackers don’t rest, always looking for a way to satisfy their ego. In order to do that, they must hack! I will apply some of these tips on my blog. Thanks so much for sharing. Rock on!
WOH that was one solid post! The only issue I have been having, and think I might have again in the future, is updating WordPress itself. Since I have a custom theme I am always afraid it's going to break something. Have you had any issues with that?
Thanks a million Michael. This info is just what I need at the moment. I'm going to use several of these pieces of advice. I'm currently using a free Back-Up Plugin. I guess I'm going to have to change that.
Btw, your earlier post on how to make WordPress site load faster was also beneficial. You seem to be posting everything I need these days regarding WordPress. Subscribing to your Newsletter has done me so much!
Thank you,
Joe.
Thanks for these tips! It’s awesome that you don’t need to be an expert to easily apply these methods to secure your WordPress blog.
Excellent tips! Thanks very much for summarizing this important information!
Awesome Michael! I knew a lot of the 1st tips but when you started getting into the more advanced stuff I had some idea of what you were talking about but it is a huge eye opener and I will be implementing your tips right away! Don’t want to get hacked arggghh lol
Amazing amount of content, Michael. It'll probably take me till Christmas to apply all the tips on my blog. Here and there I could have done with a more detailed explanation. What's an htaccess file, for instance, and where would I find it? Great stuff. Nic
PS. Is your own blog based on a template, such as Socrates, or custom? It’s possibly the best IM design I’ve seen.
Hi Michael,
Love your blog! Reading it for a month now.
Missing two important things in your post.
Login over SSL
1) Use:
define('FORCE_SSL_ADMIN', true);
instead of
define('FORCE_SSL_LOGIN', true);
in wp-config.php. It does all the work. All admin traffic is forced through SSL and is fully encrypted. Login session cookies are only sent over SSL.
No need for plugins. As a matter of fact, “Admin SSL” didn't work for me. It failed when I tried it a few weeks ago. Its last update is 10 July 2009 and that makes it abandon-ware.
After days of searching I encountered the above solution:
http://codex.wordpress.org/Administration_Over_SSL It really works great and is embedded in the core of WP, which makes the solution very robust. Be aware: add the define('FORCE_SSL_ADMIN', true); at the beginning of the file, not at the end. Cost me two whole days to figure that out…..
Login over SSL is very important on unsecured WiFi and untrusted networks. I encourage everyone to use it, if their host allows the use of SSL.
Brute force attacks.
One of the best counter measures against a brute force attack is to throttle the attack. There is a nice plugin, “Limit Login Attempts”, that does just this. It has a short and a long lockout period. Lockout behavior can be fully tweaked, but the defaults are just fine to use. It's a great just-install-and-forget plugin, which gives a lot of added security to your blog.
Cheers, Bart
Hi Michael/ rugged scar face:)
Thanks for the great post, so many things for a non-techie.
Keep up the great posts, I always look forward to receiving them;)
Hi Micheal
Fantastic post! I have learnt things from this post that I didn't even think about before.
There is always tons of useful information on this site.
I look forward to your next post.
I tried WordPress Firewall but don't know how it works and whether it is worth installing. These extra plugins can slow down my website.
Very useful post. Could have been a ebook itself. Thanks for sharing.
Wow this is all really good stuff and I didn’t know Plugins can carry viruses thats nuts! Thanks again Sir
-Louweezy
Hey Michael, as always a first class post, and just what I needed to get my very first WordPress site up to scratch. I got a ton of take-aways from this article, so thank you very much for this. Looking forward to your next post!
Great list of things to be aware of. I use EZ Backup that emails me daily with a backup of my WP site.
Very good list! I would add a few more:
1-Change your password often!
2-Do not login to the admin panel while on a public (unencrypted) wifi
3-Scan your site for malware and other badness. Free scanner here: http://sitecheck.sucuri.net
thanks,
My website has been hacked once by the Kurdish hackers and they replaced the index file…. Since then I have been using a strong password. However, Michael has given some tips that are important, thanks Michael. Cheers.
BTW, if anyone falls victim to index file replacement, just login to your server and replace the index file of your wordpress theme or reinstall the theme altogether.
Man, I like this post. You've uncovered so many hidden techniques. I need to make some updates on my blog now.
Wow, after reading this I suddenly feel naked. I had already done the robots.txt thing. But I never thought to do anything else!
I lost my wordpress blog and my hosting all in one go from hackers.
Please take note of this blog and do what it says to the letter. It will make a difference.
Great stuff! I get lost and emotional if I get minor issues with my Blog! I can't imagine what I'd do if something major happened! This information is very useful, I thank you for your time & effort, it's clearly not one of these 5 minute posts! Quality! Love it, regards Peter
I’d always been concerned about the default “admin” issue. I’ve only been using wordpress for a short while. Thanks for these good tips. I’ll be working through them.