How to secure your WordPress Blog from being hacked

Wifi

My colleague has a great tech related wordpress blog, the other day we did a few minor fixes in the template.

All was well till evening, when he logged in at night he realized that the blog pointed to a different domain. The blog was hacked and the hacker pointed it to a different domain which obviously belonged to the hacker.

Being a tech guy he could restore it in the next 30 minutes, but what do you do if your blog is hacked and you are not a tech guy.

WordPress probably is one of the safest blog systems out there. But the code is open source, which means that everybody can see the code and they can find security holes. So if they spot a security hole, they might be able to hack your WordPress account and erase every single blog post. In my colleague’s case the blog was not erased but it pointed to a different domain.

There have been numerous cases where blogs have been completely erased with no back up and bloggers have had failed attempts to talk to their web-host to provide daily back ups for their blogs. The backups webhosts provide, will only be restored if the web host’s system fails. Which has nothing to do with hacking.

You cannot avoid a hack attack completely but you can certainly take preventive measure to secure your wordpress blog

Below are seven tips you can take to secure your blog from being hacked

1) Upgrade to the latest WordPress version :

– A majority of the blogs that are hacked run on an outdated wordpress version, whenever there is a new WordPress version, you’ll be notified in the admin panel, upgrading to the latest WordPress version takes only one click and a few seconds.

2 ) Avoid using relatively new plugins
– There have been cases where wordpress plugins have had security issues, some plugins are not as secure as they should be resulting in vulnerability and security issues with wordpress. Use only plugins that have been tried and tested on other blogs.

3 ) Update plugins regularly :

– Just like the wordpress version upgrade you’ll also find that upgrades for plugins are available via the wordpress admin. Ensure that you use the latest plugin updates for your wordpress blog.

4 ) WordPress database back up plugin :

I don’t want to use the export function in WordPress twice a day, so I get a plugin to do it. This plugin will send you an email twice a day. It backups comments, posts and whatever is needed to get the blog to run again and everything is done automatically.

I want to make clear the importance of making automatic backups. You never know when you are hit by an attack. Lots of these attacks, are not related to you personally, but some hacker may just want to show their friends that they can hack a blog. And if that happens there should be preventive measures taken to get your blog up and running.

The same hacker will not hack your blog again, this is just an assumption but you never know, so just keep backing up your files.

Normally when people attack your blog, they will only delete the posts, comments etc. (what is placed in the database) and that is only what this plugin is backing up.

But to be sure, you can copy all the files from your FTP server down to your computer. This should only be done when you make some themes changes/plugin changes (adding a new theme or plugin) not that often, because all posts are located in the database.

Just connect to your FTP server and then copy every file that is on your webserver. It is recommend that you do this as often as possible depends on how frequently you update your blog. If you update your blog 3 – 4 times a week then you should take a full backup every week.

The WordPress blog plugin I have been talking about is called WordPress Database Backup the download instructions are on the page.

5 ) Protect your WordPress admin folder :
– Hackers can use automated bots to try and crack your password, the automated bots will keep guessing your password by using a script till it succeeds to login.

What you need to do :

– Restrict access to wp admin folder by IP address : You can restrict access to your wp admin folder via the IPs you or your team of writers use with the help of .htaccess file. There is one drawback in doing this, you will have to keep changing your .htaccess files if your internet provider assigns you dynamic IPs.

– Login Lockdown plugin : The Login Lockdown plugin records IP address and timestamp for every failed wordpress login attempt. If it records failed login attempts from the same IP range in a short span of time, it will restrict login from the entire range. You can also restrict login entries after certain attempted login attempts from certain IPs.

– Ask Apache password protection : Ask Apache password protection plugin adds a second layer to your admin login folder, you can define a user id and password for the second layer. If you need to access the wp admin folder, you ll need to know the second layer protection login and password.


6 ) Have a complex user id and a strong password:

– WordPress by default assigns you ‘admin’ as the login id and not a lot of bloggers change that as it needs to be changed from the .htaccess file.

Admin as a login user name is very easy to hack as most blogs have login as the user name. I recommend you to change the admin login name to make it difficult for the hacker. You should also have a strong password that is alpha numeric.

7 ) Use SSH / Shell access instead of FTP access :

– FTP access does not have the required encrypted mode to avoid restricting to your wp admin folders, if someone happens to get hold of your FTP login password it could spell disaster for your blog. Try to use SSH to transfer, upload, edit your files everything is encrypted.

Do you have any more plugins or tips to secure wordpress blogs ?

Article by ZK

ZK has written 944 articles.

You can follow webtrafficroi on Google Plus, Facebook and Twitter here. Subscribe to WebTrafficROI feed via RSS or EMAIL to receive instant updates.


Comments on this entry are closed.

  • andrew @ Blogging Guide March 19, 2010, 11:00 am

    I would also recommend the plugins:

    Secure WordPress: http://wordpress.org/extend/plugins/secure-wordpress/

    WP Security Scan: http://wordpress.org/extend/plugins/wp-security-scan/

    Andrew
    .-= andrew @ Blogging Guide´s last blog ..Blogging Guide: Blogger tips 5, 6 and 30 (video 2) =-.

  • Jack@Blog Marketing March 19, 2010, 11:13 am

    I’ve been using WP-DBManager for my back up, only problem is that you cant perform automatic backups with this plugin. Should I use both back plugins on my blog?

    Reasons why I like WP-DBManager is because it allows you to restore you database on the dashboard.
    .-= Jack@Blog Marketing´s last blog ..Effective Niche Market Research Strategy With Ezinearticles =-.

  • Paul@entertaiment tonight March 19, 2010, 7:19 pm

    Thanks or sharing this. I need this.
    .-= Paul@entertaiment tonight´s last blog ..The death of Toni Rose Gayda son =-.

  • Web Developer March 19, 2010, 10:01 pm

    There are very good points here apart from plugins that are critical to secure your blog..thanks ZK

  • Ganesh Iyer March 20, 2010, 4:29 am

    I am working for a full time Internet Marketing company and we use Wordpress extensively.Your article was helpful and I would be cautious.
    .-= Ganesh Iyer´s last blog ..Viperchill – A Blog You Should Definitely Check Out =-.

  • Tom@Websites for Accountants March 20, 2010, 10:25 am

    re the IP access to admin folder, very good idea, you could also add a .htpasswd protection do it – the more layers of protection you add the better.
    .-= Tom@Websites for Accountants´s last blog ..Get more people talking with the Wordpress plugin “subscribe to comments” =-.

  • Mathew Day March 20, 2010, 3:12 pm

    Good post, since this is one thing that is always on the back of my mind. I will be adding some of those plugins to my blogs and be taking more precautions. Like you said, you never know when you might get hacked.
    .-= Mathew Day´s last blog ..FREE Private-Label Rights Package – 90 Graphics and Templates =-.

  • Davits March 23, 2010, 3:13 am

    Good tips of secure wordpress blog. I rarely update plugins of my blog.

  • Web Design March 23, 2010, 6:48 am

    Keeping your stuff updated is really important. That, and backing up everything……

  • kitchen taps March 24, 2010, 5:37 am

    This is what one can take in mind and consider for the prevention of being hacked. It seems very good seccurity for your wordpress.

  • limos gold coast March 25, 2010, 5:31 am

    If someone is new to blogging, the blogging site should be easy and doesn’t make one disappointed in future, when he/she will be technically far more ahead at implementing things than they’re at present.

  • Kathleen@Legitimate Work From Home Jobs March 25, 2010, 6:19 pm

    I find it amazing that people even do this hacking garbage. They’re obviously smart, so why not use the knowledge for better use? I’m glad your friend was able to restore his blog. Thanks for these tips – bookmarked.

  • Aluminum Laptop Cases March 26, 2010, 3:11 pm

    Good wordpress security tips. While wordpress is a fairly secure platform, you do have to be careful to ensure you do not open up loopholes. Having your blog hacked can be a huge problem in many ways….financial, emotional and time-wise. While for some people it is a quick 30 minute fix, for others it can be a massive headache. So do what you can to avoid that situation.

  • Mayweather vs Mosley March 30, 2010, 1:05 am

    really helpful article, Im using wordpress on all of my blogs, I admit its secure to some extent but when a site gets popular, hackers will really try to bring the site down/
    .-= Mayweather vs Mosley´s last blog ..Sitdown: Mayweather vs Mosley HBO 24/7 =-.

  • Free Picks April 13, 2010, 9:02 am

    Thanks for the tips
    .-= Free Picks´s last blog ..Orlando Magic (-3) at Indiana Pacers =-.

  • Dagul@Wealth Creation April 16, 2010, 2:06 am

    I am not a fan of Wordpress but beginning to like it. I started tinkering it and its a lot cooler than blogger. Thanks for the tips, this could really help me kick start my online escapades with Wordpress 🙂
    .-= Dagul@Wealth Creation´s last blog ..Hello world! =-.

  • Carol July 16, 2010, 3:29 am

    Thanks for another fantastic article. I am always looking for original WordPress tutorials to suggest to my own readers. Thanks for creating this post. It’s just what I was trying to find. Truly phenomenal post.