This is How to Prevent WordPress Hacking [7 Easy Tips]

By: | March 1, 2016 | Tags: , , |

Avoid WordPress Hacking of your blogYour security is constantly being discussed in the news.

Whether you are a resident of Paris, France or San Bernardino, California, your welfare is being discussed by legislators.

Even as I write this, your future security is being discussed in the press if you are an Apple iPhone user.

Apparently, Apple and the FBI are clashing over whether technology should be produced that would make the information in your phone vulnerable to hackers.

Do you care about your phone’s security?

Do you care about your blog’s security?

Fortunately, my guest author David Attard is here to tell us why we should care and exactly what we should do about protecting our blog’s security.

David, take it away.

Prevent WordPress Hacking with These 7 Easy Tips

You probably often heard about the hacking of websites. Many times you just read a news story and forget all about it.

WordPress hacking, though, is something which could visit any one of us running a WordPress site.

Why would a hacker want to hack a small WordPress website, you may ask?

  • Use it to get their advertisements ranked better in search engines
  • Use it to distribute malicious software
  • Use it to attack other websites …

The list goes on.

You need to do a few strong and hard actions to prevent your WordPress website from getting hacked.

Here are 7 Easy Tips You Should Implement on Your WordPress Website

This article first appeared on DART Creations as The Essential Checklist to Prevent WordPress Hacking.

1. WordPress Security starts with your workstation.
Funny, how when we think about the security of our computer we tend to forget our own computer. If your own desktop is infected, it is more than likely going to pass on the infection to your website.

Make sure you keep all of your Mac or Windows software updated. Software and browsers should be on the latest SUPPORTED versions!

Old versions will have vulnerabilities which WILL infect your machine no matter how many precautions you take.

2. Keep WordPress on the latest version.
Every release of WordPress addresses a number of security fixes. Each time you don’t update to the latest version, you are literally leaving a door unlocked.

There are known vulnerabilities which hackers will exploit if you don’t have the latest version of WordPress installed on your site.

Side note: Consider a host which keeps your WordPress site updated automatically and takes your website’s security seriously.

(Admin Blogger: I am affiliate of A Small Orange, and I highly recommend the company for your hosting needs. Their link is in the right sidebar.)

3. Use a complex admin password.
Prevent WordPress hacking: create a secure password and don’t use easy passwords.
Complex passwords are NOT overrated. Users tend to prefer something shorter and easier to remember; a fact hackers know and take advantage of.

A good strong password comprised of letters, numbers, and any other valid characters will actually go a long way to protect your WordPress blog. Don’t use single words (regardless of length), letters-only, or numbers-only passwords either. What you’re trying to do is break the known patterns to make hacking difficult, if not impossible.

4. Use trusted sources only for downloads.
If you are running on a tight budget, you might be tempted by the option of downloading all the features and functionalities of premium plugins/themes for free – through pirate sites.

Would you trust a pirate with your gold? I think not.

Pirated sites are ill-reputed because they will fill those legit ‘premium’ plugins/themes with malware and let the downloaders do the rest. They will put hidden backdoors in that software. They will convert your brand’s online appearance into a giant poster for enlargement pills – or even worse, malware.

This is a known and very popular tactic of hackers. Pirated themes and plugins are riddled with backdoors and malware.

You can, on the other hand, trust sources like Envato Market (Theme Forest, Code Canyon), Elegant Themes, etc.

5. Use plugins to prevent WordPress hacking.
Your wp-admin should be protected. The login page and admin directory are available to all: including those with malicious intent.

You should strengthen the guard around admin with WordPress security plugins like:

Limit Login Attempts

It will limit the number of login attempts for each IP address, including your own (with auth [authentication] cookies).

Acunetix Secure WordPress

This plugin is a superb security solution in general. It runs a WordPress security scan. It also pays close attention to preventive measures so you don’t get hacked in the first place.

6. Backup your WordPress site (just in case).
What if, in spite of all the prevention, you still get your WordPress hacked? A backup is one of the first things you’ll need to restore your site if you do get hacked.

Backup your WordPress site at least as frequently as you run maintenance or update it. There’s no excuse to be lax in this department, not when there are some quite thorough services and plugins that will run automated backups for you. There is VaultPress, UpdraftPlus, WP-DB-Backup, BackupBuddy, etc.

Create a schedule and let the plugin do the rest. Some of these plugins come with easy restore options. Check to ensure that the plugin is backing up the entire site, including all databases and directories.

7. Secure WordPress though correct file permissions.
The rule of thumb is 755 for directories and 644 for files. Although this varies depending on the server and the type of file in question – in most cases, you should work very well with these permissions. It would be best to ask your host to check, or if you’ve got direct access, you can do this yourself.

Never ever set file permissions to 777 (not even temporarily).

If you are serious about wanting to prevent WordPress hacking – Never set file/directory permission to 777 unless you want to give complete control over it to everyone, including hackers.

There is a very dangerous tendency amongst beginners to set file permissions to 777, “because it’s easy”, or “because we’ll fix it later”, or “because I’ll change it later”. This is extremely dangerous – 777 means anybody who wants can change the contents of that file. With those permissions set, your website is an open house.

Once they have access to one file, rest assured it is very easy to jump to other files or install backdoors and other nasty stuff to your site.

Admin blogger’s commentary:

David did a great job explaining why we should care about blog security and how we can prevent our blogs from getting hacked.

I realize the plug-ins he recommended can only be installed by self-hosted bloggers. However, his other tips can be implemented by anyone.

Having up-to-date computer software and a complex password are valuable suggestions for everyone.

Do you care about your blog’s security?

Who are you siding with in the FBI versus Apple Computer case?

I look forward to your views in the comments section.

Please share, so bloggers know why they should take precautions, how to protect their blogs, and can take part in the conversation about security concerns.

Then, go show David some blog love and visit him at his site DART Creations.

Related Post

Don’t Make These Mistakes With Your Blog Security


  1. John Doe

    In light of what’s going on in today’s society what a great post at this time or anytime for that matter

    • David Attard

      There’s never a bad time for securing your WordPress blog. Or any other site for that matter 😉

    • Janice Wald

      Hi John,
      I’m glad you appreciated the relevance. I hoped people would. Thanks for telling me.

  2. Margaretha (Equine Guided MD)

    Great useful, simple, practical advice, especially no 6.

    • David Attard

      Hey Margaretha, I can’t stress enough the importance of that. Someday, somehow something is going to happen. When it does you want to be sure you have a point to return to.

    • Janice Wald

      Hi Margaretha,
      Thanks for writing. Great to hear from you. It never would have occurred to me to back up my site either until reading David’s article.

    • David Attard

      Excellent point Michel. It’s just as dangerous not to update your WordPress template as not updating the WordPress core. There’s literally the same amount of risk if you don’t update your theme.

    • Janice Wald

      Hi Michel,
      Thanks for your comments. I will always make sure mine is updated.

    • Janice Wald

      HI Lois,
      I agree. I feel like I am complacent since I feel like I am in good hands with WordPress. Thanks for writing.

  3. GiGi Eats

    I remember when I was hacked once! That was – UGH! But I got through it by… Um… HIRING SOMEONE to help me out! My entire blog was LOCKED – it was so odd!

    • David Attard

      Hey Gigi,

      most people will find it hard to recover from a hacked WordPress – it’s not a trivial exercise. That’s why prevention is so much better than cure!


    • Janice Wald

      Hi Gigi,
      Thanks for writing to share your experience. How stressful! Do you know what caused the problem?

  4. Suzanne Fluhr

    I bit the bullet and pay someone to do most of the above. I don’t want to attract the Evil Eye, but my site has never been hacked. Another piece of advice I’ve seen and employ is never to have an admin for your site whose user name is, wait for it, “admin”.

    • David Attard

      Or … even more scary. Admin with the password…wait for it…admin

    • Janice Wald

      HI Suzanne,
      Thank you for your comments. I have a wonderful tech person who handles tech problems for me. Her information is in the right sidebar if anyone needs.

  5. Avnish Gautam.

    Personally i have faced hacking problem with my WordPress based blogs also and i was searching for the good information by following which i can make my blog safer and really thanks for your guide.

    • Janice Wald

      HI Avnish,
      I enjoyed my visit to your site last night. I learned a lot from your post. I am so glad you found David’s post valuable. It seems many people did.

  6. Kandace Chadwell

    Thank you for sharing. I didn’t think of backing up my blog until reading this.

    • David Attard

      Hey Kandace,

      You really wouldn’t want to be in the position of not knowing how to get your awesome content if something goes wrong … not necessarily a hack. Even a mistake.

      Backups are a must.

    • Janice Wald

      HI Kandace,
      Thank you for commenting. Are you still getting an error message when you write me? If yes, what is the error message?
      I didn’t realize I could be locked out from my posts since they are on the Internet. I learned a lot from David’s article.

    • Janice Wald

      Hi LonelyAuthor,
      Great to see your cute (lonely?) monkey avatar and hearing from you. Many people seem to have found value in David’s article. Thank you for writing to share that you did too.
      PS, I tried to return the blog love and visit your site, but your link took me to

    • Janice Wald

      Hi Jeanette,
      Thank you for writing me. Great to hear from you.
      Joe, who came in after you, commented that our government is already doing what Apple is trying to prevent per the NSA!
      Knowing the national interest in this issue, I couldn’t resist the opportunity to connect it to blog hacking.

  7. Camesha

    This is such great information. I have implemented most of these. I’ll be doing a bit more to secure my sites. Taking notes from this post!

    • Janice Wald

      Hi Camesha,
      Thank you for writing. I am glad you found David’s post valuable. That seems to be the consensus! I, myself, learned a lot by reading it.

  8. Patricia

    I need to ask my host about those file and directory permissions! Thanks for the tips, David!

  9. Robin Khokhar

    Hi Janice,
    It has become essential to prevent WordPress site from hacking. Because WordPress has become one of the most popular and most used CMS, so precautions must be taken.
    Use of the Plugins really helps to protect our website from hacking.
    And also thanks for the great share.

    • David Attard

      Hey Robin,

      definitely some plugins will take your WordPress security to the next level. There are a few we recommend in our post too.

    • Janice Wald

      HI Robin,
      Thanks for writing. Great to hear from you. I am glad you found David’s post valuable. I need to install some of the plugins he recommended to protect my site. I wouldn’t have thought of it without his article.

  10. melinda

    Hi BBFFJ, as usual, I’m somewhat lost. I don’t even know what #7, file permissions are??
    Thanks for the info DAvid! Now I know more of what I need to know!

    • David Attard

      Hey Melinda,

      if you don’t know what they are, it means you haven’t messed around with them and that’s a good thing – so you should be ok.

    • Janice Wald

      Hi My BBFFM,
      I didn’t know what File Permissions were either. I had never heard of them before reading David’s post. I guess I don’t have to worry then. Thanks for writing.

    • Janice Wald

      HI Patricia,
      i know you came over fro Chris’s site. I appreciate you writing. Nice to see you again. I am glad you appreciated David’s valuable post.

  11. Kathy

    Thank you for the reminder that we stay safe and protect our sites. I’m with Melinda and didn’t even know about file permissions. I hope you’re right that they are probably okay if I haven’t messed with them. I have been using WordFence for running scans but I might also try the one you recommend, Acunetix Secure WordPress. Is it good to use both or is just one or the other the best way to go?

    • Janice Wald

      HI Kathy,
      Great to hear from you. It’s been a long time. I hope you have been well.
      I am with you and Melinda. I had never heard of file permissions either, so, according to what David wrote her, I guess I am in good shape. As far as your question– one or both– it’s a good one. I will ask David to come answer. I don’t know the answer, but I am wondering that myself. Thanks for writing. Take care,

    • David Attard

      Hey Kathy,

      one of the other is typically enough don’t worry – it’s much more than most people do in reality, so you’re safer than most people in reality.

      WordFence probably runs the scans for correct file permissions too, so I think you need to rest easy about that.


  12. Joe Cosme

    This case is monumental because of the legal precedent it could set. Apple CEO Tim Cook wrote a letter to Apple’s customers. Here is one thing he said. “The implications of the government’s demand are chilling” and could set a legal precedent that would “make it easier to unlock your iPhone … to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.” Scary stuff, but not too far off from what the NSA and other government agencies are already doing. Big Brother is our reality.

  13. Janice Wald

    Hi Joe,
    Thanks for writing. A student told me (for what it’s worth), Samsung already has the technology Apple is being asked to produce.
    I agree with what you wrote. The NSA years ago was criticized for violating privacy. So, what’s new?
    And that’s what I gotta say about it! =) Thanks for writing.

    • David Attard

      The fact that it’s already being done does not make the pill any easier to swallow. We shouldn’t just “give up” on privacy – there are ways and means of making us safer without taking away all our liberties.

  14. Ted Hinton

    Great tips Janice. I’m new in the WordPress world and it is good to know that my website can be easily backed up using a plugin. My web host – offers free weekly backup which is great, but it is really good to have my own backup.

    Thanks again.

    • Janice Wald

      Hi Ted, my apologies that you didn’t get a reply sooner. It should not reoccur. I found your comments in the Spam folder.
      My pleasure. I am glad you found the article valuable.

  15. Julia Bonner

    Wordfence is another great security program for your WordPress site. It offers the ability to incorporate 2 step authentication for your admin(s) login. It also automatically blocks ip’s that try to login with a non valid username either immediately or after a x amount of tries that you set. Just a couple of the many features of this plugin offers.

    I have nothing to do or gain by promoting this plugin, just fyi.

    Julia Bonner

    • Janice Wald

      Hi Julia,
      Thanks for contributing to the discussion by telling us this valuable information.

  16. Shellie Bowdoin

    Great heads up! I just added the limit login attempts plugin. I just hopped over from the #bloggerspitstop


    • Janice Wald

      Hi Shellie,
      Great to hear from you. Thanks for clicking my link over at Pit Stop. I am glad you found David’s tip valuable. Thanks for writing to tell me.

  17. DazzleWhileFrazzled

    Thanks for the tips! I can barely manage running a blog under “normal” conditions let alone if I were to get hacked and had to start over. I *think* I have good security on my site but will look into the Acunetix plugin. How often do you recommend backing up? I’m doing it at the start of each month. Visiting from Saturday Sharefest.

    • David Attard

      Hey Dazzle,

      It mostly depends on how much content you post and what you can afford to “lose” – I tend to go for at least one backup a month as a bare minimum, though weekly or even daily is ideal. Of course, before any upgrade is absolutely essential in case anything breaks in the interim.

  18. Sarah Fuller

    Really appreciate these great reminders, especially about the file directories

  19. Bilqees Kenchi

    Hello, friend my question is that, please tell how to secure wordpress blog /site from hackers? Is this responsibility of hosting providers or my-self. Kindly tell some plugins for wordpress.

    • Janice Wald

      Hi Bilqees,
      I have written the author of the article with your question. I will let you know his response. He knows more about blog security than I do. Thanks for reading what we wrote and asking us.

    • David Attard

      Hey Bilqees, all of the above suggestions apply to any WordPress blog, even if it is on /site URL, so I’m not sure whether there are any specifics you want to ask.

  20. machine vision lens CALIFORNIA

    Thanks for sharing this nice article. and I wish to visit again on your blog. keep sharing with your work.

    • Janice Wald

      Thank you so much for your kind words. I would love for you to visit again. I encourage you to subscribe to my blog so you never miss an article.

  21. satyakini

    Hey Janice, this is really a helpful post, need to appreciate this for those plugins listed.

    • Janice Wald

      Dear Satyakini,
      Thank you for coming by to tell me. After publishing my guest author’s post, I installed some of those plugins too to make sure my site was backed up. I have WordPress Security posts on my site regularly. If you are interested, consider subscribing.

Would you like to share your thoughts?

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.