Affiliate Disclosure: By buying the products we recommend, you help keep the lights on at MakeUseOf. Read more.
Running a WordPress-based website is often a pleasure, enabling you to focus on content and building relationships with readers and other websites.
However, not everyone on the web is as friendly as you. Somewhere out there is a list with your blog’s name on it, where it sits, waiting to be targeted by hackers. When they get around to your blog, they’ll try various tactics to gain access to it, perhaps with the aim of selling legal drugs or infecting your visitor’s computers with malware.
Fortunately, there are various ways in which you can protect your WordPress blog from hackers.
Regularly Update WordPress
One of the most powerful but oft-overlooked solutions for keeping WordPress safe from hackers is to make sure it is regularly updated.
Obviously there is a down-side to this – some of your best WordPress plugins might stop working if WordPress is updated – but at the same time it should be looked upon as an opportunity to refresh your plugins, find replacements that themselves are secure and reliable and basically tighten up your website or blog. Sticking to plugins that are found in the WordPress directory is also a good way to keep things under control.
Updating WordPress is possible from within the Dashboard, but always take a backup of your database before doing so.
Keep Regular Backups
An important procedure for all WordPress blog owners is to ensure that backups are made regularly and that they can easily be restored should the worse happen.
Solutions are plentiful, but Cloudsafe365 is one of the most powerful, combining cloud backup (Dropbox can be used) with various secure protection tools against techniques such as cross site scripting, SQL injection, and even monitors content theft.
Cloudsafe365, available from the, comes in three flavors. A free option covers the things listed above, while the paid options offer further features such as protection against code injection and brute force attacks.
Install an Encrypted Login Plugin
Protecting the actual act of logging on to your WordPress-based website is best effected by using an encrypted login plugin, as the website software doesn’t have this facility by default. Probably the best solution for this – perfect for protecting your blog login details from packet sniffers on wireless networks – is Chap Secure Login, which uses the SHA-256 algorithm to protect your username and password.
Meanwhile the Login Lockdown plugin is a useful way of blocking IPs that record repeated failed attempts to access your site.
Other login protection steps you can take includes installing a strong CAPTCHA plugin. RetinaPost is a particularly impressive plugin, requiring users to enter highlighted characters from a phrase rather than try and decipher screwed up text images or do maths challenges. Any attempts to disrupt your blog using the comments system can be markedly reduced using this plugin.
Hide “Powered by WordPress”
Hackers have a different tactic for each of the various types of website software that is in use, but you can make things tougher for them by not advertising the fact that your website is “Powered by WordPress”.
By default this information can be found in the footer.php file, reached by entering your blog’s Dashboard, selecting Appearance > Editor to edit within the browser window. Different themes will require different methods for removing this text, so you should check online to find the best approach (if plain text is used to display the legend, then delete this; if PHP code is used, tread carefully unless you know what you’re doing).
Change Admin Username
One way in which hackers can find a way into your site is by using brute force software that will attempt multiple logins using common words and phrases as passwords, coupled with a selection of obvious usernames.
The administrator username in WordPress can be selected when the software is setup, but in the rush to get things done many users leave it at the default choice of “admin”. As obvious usernames go, this comes at the top of the list, which is why changing it is important.
Two ways exist for changing the admin username. First, you can create a second administrator account with a username which isn’t obvious, and then delete the original user. Note, however, that this might have an effect on any articles written under the administrator account (they’ll perhaps be unpublished until a new name is set, or display an error on the post page).
Probably the most effective way to do this is to access your site’s phpMyAdmin, select the WordPress database, find the wp_users table (“wp_”is a default prefix which may have been changed at installation) and use the Browse icon to find the “admin” username.
Once discovered, find the user_login column, click the edit button on the appropriate row and then change “admin” to your preferred administrator account login name, clicking Go when you’re done.
Move the wp-config File
A glaring issue with WordPress is that the key security details are stored in a single, unencrypted file that can be hacked and used to take control of your blog. The wp-config.php file contains the admin login details as well as the username and password for the MySQL database.
Therefore, securing this file is paramount if you wish to protect the site from hackers.
One thing you shouldn’t do, however, is delete wp-config – this would leave your site unusable (and rather blank). So how do you protect your site from this bizarre vulnerability?
Since the release of WordPress 2.8, blog owners have had the ability to move the file to the root web directory on the server. What this means, for instance, is that if you have your site installed in www.mysite.com/wordpress, the wp-config.php file can be moved up a level, to the mysite directory.
Regardless of how technical or non-technical you are, if you run a WordPress blog there is no excuse not to implement any or all of these tools to protect your website from hackers.
After all, what is the point in putting in all of that hard work only to find that someone has taken over the site and is now costing you your regular visitors by advertising Viagra?
These steps can be implemented in just a couple of hours – perhaps a single weekend morning if you’re pressed for time – so don’t ignore, act now.