My WordPress Security Guide will help you to protect your WP blog from hackers. I have lots of clients who pay me to work on their WordPress-powered sites, and the work is usually SEO, setting up an affiliate store, or working on plugins or hacks. I’ve yet to come across a client site that had WordPress security plugins installed. I’ve yet to see a client with a “strong” password. Nobody I’ve worked for actually had a backup of their web site or database.

Do you Know What You’re Risking?


Maybe you feel safe because none of your sites has ever been hacked, but honestly – is it worth the risk of losing all or even part of your work? Spammers want to load up your blog with comments linked to online casino and male enhancement web sites. Malware hackers want to inject your blog with redirects that hijack your traffic to their domain. You are risking anything from thousands of spam comments to having every PHP file on your web site “injected” with a JavaScript redirect to a foreign address. A really nasty attack might even chew through your entire MySQL database and destroy all your content. If you lost your entire web site tomorrow, how old would your latest backup be? How much work would you lose? Do you even take regular backups of your web site? If your web site generates income you could actually lose money during your downtime, and your search engine rankings could be compromised – costing you traffic and even more money.

Do You Know What Could Happen?


The world is filled with skeptics who believe this can’t happen to them. Let me explain why it’s more important than ever to secure your WordPress-powered site, because there are literally armies of online villains ready to attack you!

There are specific things you need to protect yourself against:

  • Malware, Trojans, and Viruses – oh my! Believe it or not, your web site or blog can be hacked by a virus. Usually you think of a virus as something that attacks your personal computer. There are viruses and trojans that are designed to steal your FTP or login info and gain entry to web sites. Once inside they can chew through your PHP files like a mouse eating cheese. These types of attacks normally originate from a Windows based computer.
  • Hackers, Spam-bots, and automated software – When you’re sleeping your web site is being bombarded night and day by online attackers. Some of these are from real live people, but most of them are completely automated by hackers using bots and automated software. Software doesn’t sleep, and it’s designed to find web sites that have potential exploits. The most common targets are sites with older versions of WordPress or plugins that have known security holes. These types of attacks happen as often on your web site as real visitors, and you don’t even know they’re happening because more than likely you have no way of tracking them.
  • Bad Web Hosts – Would you purposely buy a home in a bad neighborhood you didn’t feel safe in? When you build a web site online it’s like building a real brick and mortar home: the safety of your new “web home” depends on your web neighborhood. What if the great $9.95 per month deal you got on web hosting means that your shiny new blog is now parked in an online ghetto? Your site is only as safe as the server you’re hosted on. You are more susceptible to attacks if the host’s server security isn’t very good, and depending on their setup (shared hosting where accounts are not properly isolated from each other) you could even be at risk from the other customers’ sites hosted next door to you. Maybe you never thought about your web site being attacked by neighboring accounts or lax web host security until now.
  • Your own computer – Believe it or not, you are your own worst enemy. You are far more likely to infect your own web site, or give your FTP login info away unwittingly through a trojan, than you are to be attacked by other means. This is mainly because the majority of people have Windows-based computers, and a great percentage of them are infected with some type of malware, virus, or trojan. Even if you are the most careful person on earth, other people using your computer (or children) may not be. Your antivirus program could be out of date, or you could have an older version of Windows without current updates.
  • Internet Security – Even if you’ve thought of everything to secure your own computer, what good does it do if you’re still connecting to your web site with plain FTP, which sends your username and password unencrypted? Are you using a wireless router at home that’s not encrypted? Do you use public wifi connections to check your email and use the admin functions of your blog? Are you still logging into your WordPress blog over plain HTTP instead of HTTPS? Any of these could compromise your site.

Where Do You Begin?

If you want to secure and harden your WordPress-powered site there are some very simple steps you can take to protect yourself:

  1. Upgrade WordPress and all plugins to the latest versions available
  2. Examine your site for potential exploits and security holes
  3. Limit access to your site through permissions, robots.txt, and .htaccess file
  4. Examine the security of your web host
  5. Make all usernames, passwords, and logins more secure
  6. Don’t encourage bad behaviour by allowing spammy accounts or comments
  7. Consider tracking attack attempts against your site to keep aware of potential problems
  8. Use secure connections at all times
  9. Keep your personal computer up to date and protected

This guide will explain in easy to understand steps how to do all those things and more. By the end of this tutorial you will be able to educate other bloggers about WordPress security and potential online attacks.

Backup Now!

Before you make any changes at all, the first thing you need to do is back up your web site and database. If you’re not doing that already, now is the time to start! There are all kinds of plugins that will do this for you, but to be honest I’m not a very big fan of that technique, mainly because at some point the database will probably be too large to export from inside a WordPress plugin (which runs under PHP’s memory and execution time limits) – especially if you have an active blog. The WordPress Backup plugin can help you with that if that’s the route you choose.

Manually downloading all your WordPress files to a directory on your computer is as easy as it was to upload a theme or plugin. Download everything, so you have a current working copy of all WordPress files, themes, plugins, and uploads. Nearly all web hosts provide you with a web control panel to manage your web site. Log in and find the section for managing your databases. You should have access to a web tool called “phpMyAdmin” which allows you to administer your database via a web page. Find this tool, select your database from the drop-down menu, and then export! Keep the exported file somewhere off the server, since a backup that sits next to the site it protects is lost in the same attack.

The WordPress Codex has a page about phpMyAdmin, as well as a page about Restoring Your Database from Backup if you ever need to.
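If you have shell access to your host, the same two-part backup (files plus database) can be done from the command line without touching phpMyAdmin. The script below is an added example and is not part of the original guide or any WordPress tool. It assumes a site directory with wp-config.php at its root and that mysqldump is installed on the server (the database step is skipped with a warning if it is not); the site directory and wp-config.php it creates at the bottom are constructed for the demonstration, not a real install.

```shell
#!/bin/sh
# Added example (not the guide's own script): manual WordPress backup from the shell.
# Assumptions: $1 is a WordPress install with wp-config.php at its root, and mysqldump
# is on PATH for the database step (skipped with a warning when it is missing).

# Read one define('NAME', 'value') constant out of wp-config.php, so the database
# password never has to be typed on the command line or stored a second time.
wp_config_value() {
    # $1 = path to wp-config.php, $2 = constant name such as DB_NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Back up files and database into $2; print the path of the file archive.
wp_backup() {
    site_dir=$1
    out_dir=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$out_dir"

    # 1. Files: core, themes, plugins and uploads all live under the site root.
    tar -czf "$out_dir/files-$stamp.tar.gz" -C "$site_dir" .

    # 2. Database: credentials come from wp-config.php, not from this script.
    cfg="$site_dir/wp-config.php"
    db_name=$(wp_config_value "$cfg" DB_NAME)
    db_user=$(wp_config_value "$cfg" DB_USER)
    db_pass=$(wp_config_value "$cfg" DB_PASSWORD)
    db_host=$(wp_config_value "$cfg" DB_HOST)
    if command -v mysqldump >/dev/null 2>&1; then
        # MYSQL_PWD keeps the password out of the process list (ps); --single-transaction
        # gives a consistent dump of InnoDB tables without locking a live blog.
        MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" \
            | gzip > "$out_dir/db-$stamp.sql.gz"
    else
        echo "warning: mysqldump not found, database was not dumped" >&2
    fi
    echo "$out_dir/files-$stamp.tar.gz"
}

# Demo on a constructed site directory (not a real install).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/site/wp-content/plugins"
cat > "$demo_dir/site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'myblog' );
define('DB_USER', 'bloguser');
define('DB_PASSWORD', 'correct horse battery staple');
define('DB_HOST', 'localhost');
EOF
wp_backup "$demo_dir/site" "$demo_dir/backups"
```

Run it from cron (for example nightly) and copy the two archives off the server afterwards; the whole point of a backup is that it survives whatever happens to the host.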

Upgrade WordPress and Plugins

Now that you have backups of everything in your current version of WordPress, it’s safe to upgrade everything! Since version 2.7 of WordPress, it’s been possible to upgrade your WordPress installation from your admin dashboard, as well as install updated versions of your plugins (as they become available). If you’re not up to version 2.7 of WordPress, you’ll need to update by downloading the latest release manually first, and then uploading the files via FTP. After that you’ll be able to update your plugins via the admin dashboard plugin page. This may be the first step, but it’s one of the most important, because exploits in outdated versions of WordPress and plugins are exactly what hackers are looking for. Staying up to date is your best defense against issues like this.

The following images show how easy it is to update both WordPress and plugins in version 2.7 and above by simply clicking a link to do it live in your WordPress dashboard admin.

Releases of WordPress are pretty solid, but when new versions become available, sometimes themes and plugins get broken until they are updated. It always pays to view the latest plugin compatibility list BEFORE UPGRADING, in case something you rely on might be immediately broken. This doesn’t mean you should never upgrade for fear of breaking things, but rather that you should be aware of conflicts that might need fixing once you do. Just google wordpress x.x compatibility for the latest official list (replace x.x with the version number you’re searching for in google).

Stay tuned to the next part in this series to learn how to examine your WordPress powered site for exploits!


JTPratt Media offers Malware Removal and WordPress Security Services