This is How to Prevent WordPress Hacking [7 Easy Tips]

By: | March 1, 2016 | Tags: , ,

Avoid WordPress Hacking of your blogYour security is constantly being discussed in the news.

Whether you are a resident of Paris, France or San Bernardino, California, your welfare is being discussed by legislators.

Even as I write this, your future security is being discussed in the press if you are an Apple iPhone user.

Apparently, Apple and the FBI are clashing over whether technology should be produced that would make the information in your phone vulnerable to hackers.

Do you care about your phone’s security?

Do you care about your blog’s security?

Fortunately, my guest author David Attard is here to tell us why we should care and exactly what we should do about protecting our blog’s security.

David, take it away.

Prevent WordPress Hacking with These 7 Easy Tips

You probably often heard about the hacking of websites. Many times you just read a news story and forget all about it.

WordPress hacking, though, is something which could visit any one of us running a WordPress site.

Why would a hacker want to hack a small WordPress website, you may ask?

  • Use it to get their advertisements ranked better in search engines
  • Use it to distribute malicious software
  • Use it to attack other websites …

The list goes on.

You need to do a few strong and hard actions to prevent your WordPress website from getting hacked.

Here are 7 Easy Tips You Should Implement on Your WordPress Website

This article first appeared on DART Creations as The Essential Checklist to Prevent WordPress Hacking.

1. WordPress Security starts with your workstation.
Funny, how when we think about the security of our computer we tend to forget our own computer. If your own desktop is infected, it is more than likely going to pass on the infection to your website.

Make sure you keep all of your Mac or Windows software updated. Software and browsers should be on the latest SUPPORTED versions!

Old versions will have vulnerabilities which WILL infect your machine no matter how many precautions you take.

2. Keep WordPress on the latest version.
Every release of WordPress addresses a number of security fixes. Each time you don’t update to the latest version, you are literally leaving a door unlocked.

There are known vulnerabilities which hackers will exploit if you don’t have the latest version of WordPress installed on your site.

Side note: Consider a host which keeps your WordPress site updated automatically and takes your website’s security seriously.

(Admin Blogger: I am affiliate of A Small Orange, and I highly recommend the company for your hosting needs. Their link is in the right sidebar.)

3. Use a complex admin password.
Prevent WordPress hacking: create a secure password and don’t use easy passwords.
Complex passwords are NOT overrated. Users tend to prefer something shorter and easier to remember; a fact hackers know and take advantage of.

A good strong password comprised of letters, numbers, and any other valid characters will actually go a long way to protect your WordPress blog. Don’t use single words (regardless of length), letters-only, or numbers-only passwords either. What you’re trying to do is break the known patterns to make hacking difficult, if not impossible.

4. Use trusted sources only for downloads.
If you are running on a tight budget, you might be tempted by the option of downloading all the features and functionalities of premium plugins/themes for free – through pirate sites.

Would you trust a pirate with your gold? I think not.

Pirated sites are ill-reputed because they will fill those legit ‘premium’ plugins/themes with malware and let the downloaders do the rest. They will put hidden backdoors in that software. They will convert your brand’s online appearance into a giant poster for enlargement pills – or even worse, malware.

This is a known and very popular tactic of hackers. Pirated themes and plugins are riddled with backdoors and malware.

You can, on the other hand, trust sources like Envato Market (Theme Forest, Code Canyon), Elegant Themes, etc.

5. Use plugins to prevent WordPress hacking.
Your wp-admin should be protected. The login page and admin directory are available to all: including those with malicious intent.

You should strengthen the guard around admin with WordPress security plugins like:

Limit Login Attempts

It will limit the number of login attempts for each IP address, including your own (with auth [authentication] cookies).

Acunetix Secure WordPress

This plugin is a superb security solution in general. It runs a WordPress security scan. It also pays close attention to preventive measures so you don’t get hacked in the first place.

6. Backup your WordPress site (just in case).
What if, in spite of all the prevention, you still get your WordPress hacked? A backup is one of the first things you’ll need to restore your site if you do get hacked.

Backup your WordPress site at least as frequently as you run maintenance or update it. There’s no excuse to be lax in this department, not when there are some quite thorough services and plugins that will run automated backups for you. There is VaultPress, UpdraftPlus, WP-DB-Backup, BackupBuddy, etc.

Create a schedule and let the plugin do the rest. Some of these plugins come with easy restore options. Check to ensure that the plugin is backing up the entire site, including all databases and directories.

7. Secure WordPress though correct file permissions.
The rule of thumb is 755 for directories and 644 for files. Although this varies depending on the server and the type of file in question – in most cases, you should work very well with these permissions. It would be best to ask your host to check, or if you’ve got direct access, you can do this yourself.

Never ever set file permissions to 777 (not even temporarily).

If you are serious about wanting to prevent WordPress hacking – Never set file/directory permission to 777 unless you want to give complete control over it to everyone, including hackers.

There is a very dangerous tendency amongst beginners to set file permissions to 777, “because it’s easy”, or “because we’ll fix it later”, or “because I’ll change it later”. This is extremely dangerous – 777 means anybody who wants can change the contents of that file. With those permissions set, your website is an open house.

Once they have access to one file, rest assured it is very easy to jump to other files or install backdoors and other nasty stuff to your site.

Admin blogger’s commentary:

David did a great job explaining why we should care about blog security and how we can prevent our blogs from getting hacked.

I realize the plug-ins he recommended can only be installed by self-hosted bloggers. However, his other tips can be implemented by anyone.

Having up-to-date computer software and a complex password are valuable suggestions for everyone.

Do you care about your blog’s security?

Who are you siding with in the FBI versus Apple Computer case?

I look forward to your views in the comments section.

Please share, so bloggers know why they should take precautions, how to protect their blogs, and can take part in the conversation about security concerns.

Then, go show David some blog love and visit him at his site DART Creations.

Related Post

Don’t Make These Mistakes With Your Blog Security


  1. Suzanne Fluhr | at 8:12 am

    I bit the bullet and pay someone to do most of the above. I don’t want to attract the Evil Eye, but my site has never been hacked. Another piece of advice I’ve seen and employ is never to have an admin for your site whose user name is, wait for it, “admin”.

    • David Attard | at 11:53 pm

      Hey Kandace,

      You really wouldn’t want to be in the position of not knowing how to get your awesome content if something goes wrong … not necessarily a hack. Even a mistake.

      Backups are a must.

    • Janice Wald | at 8:20 pm

      HI Kandace,
      Thank you for commenting. Are you still getting an error message when you write me? If yes, what is the error message?
      I didn’t realize I could be locked out from my posts since they are on the Internet. I learned a lot from David’s article.
      Janice Wald recently posted…Inspire Me Monday Linky Party #71My Profile

    • Janice Wald | at 8:26 pm

      Hi LonelyAuthor,
      Great to see your cute (lonely?) monkey avatar and hearing from you. Many people seem to have found value in David’s article. Thank you for writing to share that you did too.
      PS, I tried to return the blog love and visit your site, but your link took me to
      Janice Wald recently posted…Inspire Me Monday Linky Party #71My Profile

    • Janice Wald | at 8:38 pm

      Hi Jeanette,
      Thank you for writing me. Great to hear from you.
      Joe, who came in after you, commented that our government is already doing what Apple is trying to prevent per the NSA!
      Knowing the national interest in this issue, I couldn’t resist the opportunity to connect it to blog hacking.
      Janice Wald recently posted…Inspire Me Monday Linky Party #71My Profile

  2. Kathy | at 9:33 am

    Thank you for the reminder that we stay safe and protect our sites. I’m with Melinda and didn’t even know about file permissions. I hope you’re right that they are probably okay if I haven’t messed with them. I have been using WordFence for running scans but I might also try the one you recommend, Acunetix Secure WordPress. Is it good to use both or is just one or the other the best way to go?

    • Janice Wald | at 8:55 pm

      HI Kathy,
      Great to hear from you. It’s been a long time. I hope you have been well.
      I am with you and Melinda. I had never heard of file permissions either, so, according to what David wrote her, I guess I am in good shape. As far as your question– one or both– it’s a good one. I will ask David to come answer. I don’t know the answer, but I am wondering that myself. Thanks for writing. Take care,
      Janice Wald recently posted…Inspire Me Monday Linky Party #71My Profile

    • David Attard | at 1:05 am

      Hey Kathy,

      one of the other is typically enough don’t worry – it’s much more than most people do in reality, so you’re safer than most people in reality.

      WordFence probably runs the scans for correct file permissions too, so I think you need to rest easy about that.


  3. Joe Cosme | at 12:14 pm

    This case is monumental because of the legal precedent it could set. Apple CEO Tim Cook wrote a letter to Apple’s customers. Here is one thing he said. “The implications of the government’s demand are chilling” and could set a legal precedent that would “make it easier to unlock your iPhone … to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge.” Scary stuff, but not too far off from what the NSA and other government agencies are already doing. Big Brother is our reality.

  4. Janice Wald | at 9:06 pm

    Hi Joe,
    Thanks for writing. A student told me (for what it’s worth), Samsung already has the technology Apple is being asked to produce.
    I agree with what you wrote. The NSA years ago was criticized for violating privacy. So, what’s new?
    And that’s what I gotta say about it! =) Thanks for writing.
    Janice Wald recently posted…Inspire Me Monday Linky Party #71My Profile

    • David Attard | at 1:09 am

      The fact that it’s already being done does not make the pill any easier to swallow. We shouldn’t just “give up” on privacy – there are ways and means of making us safer without taking away all our liberties.

  5. Ted Hinton | at 10:24 am

    Great tips Janice. I’m new in the WordPress world and it is good to know that my website can be easily backed up using a plugin. My web host – offers free weekly backup which is great, but it is really good to have my own backup.

    Thanks again.

  6. Julia Bonner | at 10:56 am

    Wordfence is another great security program for your WordPress site. It offers the ability to incorporate 2 step authentication for your admin(s) login. It also automatically blocks ip’s that try to login with a non valid username either immediately or after a x amount of tries that you set. Just a couple of the many features of this plugin offers.

    I have nothing to do or gain by promoting this plugin, just fyi.

    Julia Bonner

  7. DazzleWhileFrazzled | at 5:08 am

    Thanks for the tips! I can barely manage running a blog under “normal” conditions let alone if I were to get hacked and had to start over. I *think* I have good security on my site but will look into the Acunetix plugin. How often do you recommend backing up? I’m doing it at the start of each month. Visiting from Saturday Sharefest.

    • David Attard | at 2:21 am

      Hey Dazzle,

      It mostly depends on how much content you post and what you can afford to “lose” – I tend to go for at least one backup a month as a bare minimum, though weekly or even daily is ideal. Of course, before any upgrade is absolutely essential in case anything breaks in the interim.

  8. Bilqees Kenchi | at 4:57 am

    Hello, friend my question is that, please tell how to secure wordpress blog /site from hackers? Is this responsibility of hosting providers or my-self. Kindly tell some plugins for wordpress.

    • Janice Wald | at 12:51 pm

      Dear Satyakini,
      Thank you for coming by to tell me. After publishing my guest author’s post, I installed some of those plugins too to make sure my site was backed up. I have WordPress Security posts on my site regularly. If you are interested, consider subscribing.
      Janice Wald recently posted…Blogger’s Pit Stop #27My Profile

Would you like to share your thoughts?

Your email address will not be published. Required fields are marked *

CommentLuv badge

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: