Guarding Your WordPress Blog

This is the second in a series of articles on how WordPress blogs may be hacked.

Unfortunately it’s becoming a more and more frequent occurrence, even though some seem unaware it has happened. If you have not yet read the first article, WordPress Blog Hacked, you may find it useful to do so before reading this follow-on article. However it is not required reading.


House on fire

You may naturally feel that calamities such as your house burning or your blog being hacked only happen to other people. It’s not true and it’s always wise to take precautions. Just imagine returning to your home one evening and finding it in flames. You close your eyes and cannot imagine it’s happening to you. You open them again and it’s all still flames.

How can you recover from such a tragic event? That is why most of us take out insurance and have security alarm systems to prevent such happenings. The more valuable your house, the more you are willing to invest in the right level of protection.


Getting your website hacked can be an equally unwelcome experience. Just see how Anita Campbell describes it in a recent article, Hacked: It Could Never Happen to My Site (Famous Last Words).


On Christmas morning, I tried to open this site as I normally do first thing in the morning, just to do a quick check. The home page of the site was completely blank! Nothing. Nada. I could not post anything new, either. I realized that a cracker had hacked the site. As I investigated later that day I discovered quite a bit of damage to the site.

Imagine seeing that blank screen. It’s as devastating in its own way as all those flames consuming your house. However if you think that is what happens when a site is hacked, you haven’t come up against the latest generation of skillful hackers. You won’t be aware that they have come in and taken over the attic of your house. They may create thousands of parasite webpages on your server without changing the physical appearance of your blog. That is what happened to the two SMM blogs that were hacked two weeks ago.

Eternal Vigilance

The first part of the security plan for your blog must emphasize vigilance. If you’re Al Gore or Matt Cutts, your blog is valuable real estate. Its traffic represents real economic potential to a hacker. Just as for a palatial home, you should invest in significant security systems. However for reasons we will discuss in the third article in the series, even more modest blogs are attractive to hackers. What you must do is to determine what you believe the risk of hacking to be and then invest an appropriate amount of effort in protecting against that.

If your blog is worth hacking, then likely it will be hacked so as to give the maximum time before you detect the intrusion. As will be explained in the next article in this series, hackers may only need access to your website for a few days to gain full value for their efforts. You will notice that Anita Campbell’s blog was hacked on Christmas Day. The two SMM blogs were hacked one Saturday morning. One important lesson is to never leave the blog unattended for too long.

There are two simple ways of checking whether intruders may be ‘in the house’. The first and easiest step is to check the source code of your blog. Just visit the blog and then use the View choice on your browser menu to examine the Source. In Firefox you can instead press Ctrl+U to see the source code in a separate window. This may reveal lines of code or hyperlinks that should not be there. If you have followed the steps described later, then hopefully the code is as you expect it to be. A very rapid way of checking changes in source code is given in the article, Fast Alarm For Hidden WordPress Hackers.
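The manual source check described above can also be scripted. The following is an added example, not code from the original article: it lists every link in a saved copy of the page source that points to a host you do not expect, or that sits inside markup hidden from visitors. The names `LinkAuditor` and `audit`, the host names and the sample page are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles often used to keep injected links invisible to human visitors.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden"
                    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}

class LinkAuditor(HTMLParser):
    """Records links to hosts outside the allowlist and links inside hidden markup."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.stack = []     # one flag per open element (assumes well-nested markup)
        self.findings = []  # (reason, href)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(HIDDEN.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host and host not in self.allowed:   # relative links have no host
                self.findings.append(("unexpected-host", attrs["href"]))
            if hidden or any(self.stack):           # hidden itself or by an ancestor
                self.findings.append(("hidden-link", attrs["href"]))
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if tag not in VOID and self.stack:
            self.stack.pop()

def audit(html, allowed_hosts):
    parser = LinkAuditor(allowed_hosts)
    parser.feed(html)
    return parser.findings

# Constructed page source: two expected links plus three that should not be there.
SAMPLE = """<html><body><h1>My Blog</h1>
<p><a href="/2008/01/first-post/">First post</a>
<a href="https://wordpress.org/">WordPress</a></p>
<div style="display:none">
<a href="http://offers.example.net/deal">deal</a>
<a href="/wp-content/cache/page-1042.html">more</a></div>
<p><a href="http://unknown.example.org/">great site</a></p></body></html>"""

print(audit(SAMPLE, {"myblog.example.com", "wordpress.org"}))
```

Run it against the source saved from the browser, with the allowlist set to your own domain and the sites you deliberately link to.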

Another way is to examine the traffic to your website. If there is an unexplained and massive increase in the volume, then this may be a sign of trouble. Similar increases in traffic may be seen in other analytic programs such as Google Analytics or SiteMeter. However depending on what hacking has been done, the increased traffic might be hidden from these tools.
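The web server's own access log records every request, whether or not the page served carries an analytics script, so it is a useful second source for the traffic check. The following is an added example, not code from the original article: it flags days whose request volume jumps well above the earlier baseline and counts how many of that day's URLs had never been requested before. It assumes the host provides access logs in the combined log format; the function names, the threshold of three times the median and the sample log are assumptions made for illustration.

```python
import re
from collections import Counter
from statistics import median

# Combined log format: host ident user [dd/Mon/yyyy:time zone] "METHOD path ..."
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(?:GET|POST|HEAD) (\S+)')

def per_day(lines):
    """Return {day: Counter(path -> hits)}; assumes the log is in time order."""
    days = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            days.setdefault(m.group(1), Counter())[m.group(2)] += 1
    return days

def spike_days(days, factor=3, min_history=3):
    """Flag days with more than `factor` x the median hits of all earlier days."""
    flagged, seen, history = [], set(), []
    for day, paths in days.items():
        total = sum(paths.values())
        if len(history) >= min_history and total > factor * median(history):
            flagged.append({"day": day, "hits": total,
                            "baseline": median(history),
                            # URLs never requested before: pages you may not have written
                            "new_paths": len(set(paths) - seen)})
        history.append(total)
        seen.update(paths)
    return flagged

# Constructed sample: four ordinary days, then a day with many unfamiliar URLs.
LINE = '203.0.113.{ip} - - [{day}:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "-"'
NORMAL = ["/", "/about/", "/2008/01/first-post/", "/feed/"]

def constructed_log():
    for day, n in {"18/Jan/2008": 40, "19/Jan/2008": 44,
                   "20/Jan/2008": 38, "21/Jan/2008": 41}.items():
        for i in range(n):
            yield LINE.format(ip=i, day=day, path=NORMAL[i % 4])
    for i in range(310):
        path = NORMAL[i % 4] if i < 40 else f"/archive/page-{i}.html"
        yield LINE.format(ip=i % 250, day="22/Jan/2008", path=path)

if __name__ == "__main__":
    for hit in spike_days(per_day(constructed_log())):
        print(hit)
```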

To avoid these intrusions, there are certain recommended steps which are described below. As was mentioned in the previous article in this series, the best you can do is to ensure that your blog is as secure as you can make it. There are a host of other blogs that are insecure, and that may be your biggest protection.

Upgrade to the latest version

The most important recommendation, which cannot be emphasized enough, is to always upgrade to the most recent stable version of WordPress. The WordPress community is very active, and security holes are plugged as quickly as possible once they are spotted. This does not guarantee that hackers will be kept out. However they may choose to attack blogs running earlier versions, which have holes that are easier to get through.

You should also upgrade to the latest version of any plugins that you are using. A plugin may well be written by a single volunteer author so less attention may have been paid to security considerations. You should do a little research on each plugin you intend to use to make sure that others have not had security concerns about it. It is also recommended that you put an empty index.html in the plugins subfolder. This prevents anyone checking that folder and receiving a full display of all the plugins being used.

Harden Your Administration

In addition to working with the latest version of WordPress, there are a number of steps you can take to make hacker intrusions more difficult. The references below explain in greater detail what is involved. Here we summarize only the more important points.

Having user names and passwords that are not easily cracked for access to the blog administration panel is critical. In addition if you have a highly visible blog then you might wish to use the Login LockDown Plugin. This blocks access to the administration panel for a certain period after a small number of incorrect attempts.

You can also restrict access to the admin folder by having an appropriate .htaccess file there. This would specify the IP addresses for those who have rightful access to the folder. This would take the following form:

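order deny,allow
deny from all
# whitelist home IP address (replace the xx.xx.xx.xx placeholder with your own address)
allow from xx.xx.xx.xx
# whitelist office IP address (replace the xx.xx.xx.xx placeholder with your own address)
allow from xx.xx.xx.xx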

The extent to which you go beyond these steps should be based on your assessment of the risk of being hacked. The references spell out the possibilities.

Hardening WordPress – WordPress Codex
Three tips to protect your WordPress installation – Matt Cutts
5 WordPress Security Essentials – Lee Robertson
How to Protect Your WordPress Site – Anita Campbell
Protecting Your WordPress Blog – Lorelle

The final article in this series is How WordPress Blogs Are Hacked.

18 thoughts on “Guarding Your WordPress Blog”

  1. Thanks Barry. Good post. Something everyone probably needs to do if they are spending the many many hours to create a great site in the first place.

  2. Thank you for the mention. Really appreciate it. Sorry to hear about your blog getting hacked. It can happen to anyone, even if you do try your hardest to keep them out. If you can, try to keep a recent backup. That can get you back to normal pretty quick.

    Thanks again for the link.

  3. Thanks for your comments, Brian and Amanda.

    Your advice on backups is excellent, Lee. That should be for both the data and for the website structure.

    I believe, Zak, that any blog could be hacked, whatever the software used. So with the .com shared version you may run into exactly the same problems. What increases the risk is whether your blog has significant traffic and is visible in the search engines. If so you need to be extremely vigilant.

  4. Barry, this and the other posts in this series are really awesome. I wish I’d seen this earlier, as I might have been able to help it go hot on Sphinn :(. Let me know next time you post a gem like this, will you?

    Incidentally, did you see that Lyndon Antcliff’s got cracked?

  5. Thank you, Gab. In fact I kept the best till the last one: this is only the middle one of the series. I’ll look into what happened to Lyndon Antcliff. This is all a very unfortunate learning experience. I’m intrigued what Google is doing about this, if anything. I did inform them very early on about what was happening but I’ve not even had an acknowledgement of my message to them. 🙁

  6. I find the subject of Hacking fascinating in the sense that my team and I learn about security and programming by reviewing how hacks are done.

    There is a certain irony in the fact that these hackers are using SEO techniques for their own ends. As stated in another post, setting up a blog is relatively easy and inexpensive but these “qualities” are also part of the problem. While the development team working on WP is doing a fantastic job, many of the features asked for by users can be security risks. Hosting is relatively cheap; knowing how some ISPs operate, I’m amazed that there are not more hacks. While modifying .htaccess can reduce potential hacks, not everyone is hosted on Linux, so it’s only partially applicable.

    While it’s great to have Open Source software and cheap hosting, the ubiquitousness and ease of setup are part of the problem.

  7. You’re right, Denis. I think so many people just do not realize the risks they may be running. It’s certainly wise to do periodic backups of websites and databases just in case.

  8. That’s really tough, Thomas. Backing up is so easy with the right plugin. You can back up after every post or once a week and it takes very little time. I hope you can somehow get back what you lost, although you then have some work to do however convenient your backup is. It’s tragic that such things happen.

  9. One of the easiest ways for hackers to get in is if you use a username and password that are related to your theme, my advice is to make all security related keys to be very different to the theme of your blog and to include random numbers.

  10. There’s always been a fine line between white hat and black hat seo techniques. It’s getting harder and harder to get listed on SE’s, so some are taking to hacking. It’s too profitable of a business to let it go.
