10 Simple Steps to Secure & Protect your WordPress Blog


0 Flares Filament.io 0 Flares ×

As of the beginning of 2009 there were approximately Secure & Protect WordPress
133 Million blogs online. This is a pretty large market and also the perfect playground for unscrupulous persons who live for spamming, scamming and just creating malicious programs that can seriously compromise and disable unsuspecting sites. As wordpress blog owners, we need to do everything possible to ensure that our sites are never exploited.

Here are 10 very simple steps, tools and tips to ensure that your blog can withstand malicious attacks and not be overrun with spam.

1. Use the Login Lockdown Plugin

Hackers can easily crack your password and other login credentials by using Brute Force Attacks (Click here for a definition). This plugin adds an extra security feature to WordPress by restricting the rate at which failed logins can be re-attempted from a given IP range. This plugin can be downloaded from Bad Neighborhood

2. Delete Unused Plugins

Always ensure to delete unused plugins as these can provide loop holes that can be easily exploited.

3. Secure the /wp-admin/ Directory using .htaccess

I found this one on google’s Matt Cutts’ blog. Secure your /wp-admin/ directory by using a .htaccess file to allow access from specific IP addresses only. Create a new .htaccess file, which you can place directly in /wp-admin/.htaccess.

This is what the .htaccess file contains:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from
# whitelist work IP address
allow from
allow from

Replace the with the IPs you would like to whitelist. This file says that the IP address (and the other IP addresses whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. The ‘#’ lines are just notes and can be changed to suit your need.

4. WordPress Security Scanner Plugin

Install this plugin to help detect any loop holes that may exist in your database and blog files. It provides a report on what needs to be done to prevent attacks. This one is very useful and can be downloaded here: WP-Security-Scan

5. Limited Blog Registration Access

If your blog accepts registration, ensure that a user cannot immediately register and receive an administrative access. To change this, go to your Settings option in the wordpress dashboard, select General. Then change the New User Default Role to Contributor. This can easily be changed as the need arise. User privileges can also be assigned using the Role-Manager plugin.

6. Change Your Login Name

The default wordpress username is admin and hackers will always try to infiltrate using this default. So make it harder for them by changing it.

In your WordPress dashboard, go to Users and set up a new user account. Give this new user administrator role. Log out and log in again with the new user account.

Go to Users again. This time, check the box beside admin and press Delete. When it asks for deletion confirmation, select the “Attribute all posts and links to:” and select your new username from the dropdown bar. This will transfer all the posts to your new user account. Press Confirm Deletion

7. Use a Very Strong Password

Ensure that you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case letters to form your password.

8. Always Upgrade to the Latest WordPress Version

The latest version of WordPress always contains bug fixes for any security vulnerabilities, therefore it is very important to keep your blog updated at all times. The latest version at the time of this post is 2.9.2 and can be downloaded here.

9. Install the Akismet Plugin

Once installed, Akismet checks your comments against the Akismet web service to see if they look like spam or not and prevents them from being published. Spam is stored in a separate folder where you can review all that is caught. This can be downloaded from Akismet.com

10. Backup Your WordPress Database

There is a free plugin that can schedule backups of your database to reduce the risk of loss of data. This can be downloaded here: WP-Database-Backup

Yeah, I know its a pretty tedious ToDo list but invest the time to secure a robust wordpress blog. It will cost 100 times more to recover from a malicious attack. Think about down-time, lost revenue, loss of trust from your readers, hiring a professional to get rid of malicious code, loss of information, loss of integrity and the list goes on forever.

Are you doing what it takes to secure and protect your presence online? If not, now is the time to do so. If you have any additional ideas on how to protect a wordpress blog please leave a comment to let us know.

Leave a Reply, Join the Community

(*) Required, Your email will not be published


33 Responses

    • Sam

      03/23/2010, 05:13 pm

      Hey Brian,

      I’m glad the listing helped. Making the switch to wordpress is an excellent choice and you won’t regret the time spent to learn it.

      Subscribe to my rss, I’ll be posting more tutorials and useful information on wordpress in the coming weeks.

      Thanks for commenting :)

    • Sam

      03/25/2010, 12:35 pm

      I’m glad you found it useful. All online ventures must have the best security possible. You will never know when something decides to attack.

  1. Sachin @ Web Design Mauritius

    04/01/2010, 09:57 am

    Nice tips Robyn. Here’s a killer one that few know about. Since some 2 or 3 versions ago, The WordPress config system has changed. You can therefore move your config.php file somewhere else on your host, e.g: a level higher than your current www folder. The WordPress core runs on all the host to search for this file and then connects the whole thing in one go. This prevents the blog/site from being hacked through the config.php file.
    .-= Sachin @ Web Design Mauritius´s last blog ..Nobody needs web designers. =-.

    • Sam

      04/01/2010, 11:21 pm

      Thanks for reading Jimi.

      There’s always something new that can be done to improve our online presence. I have a couple of resources to add to the list or I think I will make a part 2 to this post.

      Thanks again for commenting, please subscribe and come again. :)

    • Sam

      04/06/2010, 05:49 pm

      That’s a very valid point Keller.

      A google blacklisting can severely damage a site’s ability to get any search engine traffic for as long as 6 to 12 months. Its a serious issue and if this happens the site owner can either register a new domain or choose to ride the wave and promote the site through community building activities until google lifts the ban. Its not just google alone but Bing may also blacklist.

      I hope your client’s site is recovering well.

      Thanks a lot for commenting Keller. Have a great day :)
      .-= Sam´s last blog ..My Blogging Journey So Far – March Blog Statistics =-.

  2. Selurus

    04/07/2010, 12:01 am

    I’ve already implemented most of the tips. I’ll need to try out the login lockdown and security scan plugins though. Thanks for sharing these tips.

  3. Jane @ Limoges Boxes

    04/08/2010, 09:15 am

    Thank you for sharing these 10 tips. I’m pretty familiar with some of it but 2,3,4 are new ideas to try. Two of my blogs had been hacked and it has been a hassle in my part to set it up and pull things out together again. I’ve learned my lesson and prevention is definitely better than setting up my blog again.

  4. ron

    07/30/2010, 05:48 pm

    These are very helpful ways to get the security you needs these days because as the net grows so does the viruses and spam that may be harmful to a site or even you computer . Yikes

  5. Keith

    08/04/2010, 06:38 pm

    I totally posted this in the wrong article last night, so now i’m reposting it in the right one. This in regards to securing the wp-admin directory…

    I’ve been using your site to configure my WordPress CMS (yeah I know, I’m asking for it) but can’t figure out why this code doesn’t work. I use .htaccess files in other directories just fine, but for some reason when I put this code in with my home IP address I always get a 500 error when attempting to access the admin side of things. Any ideas?