Sep
Establishing A Sense Of Security On Your Blog
Although blogging can be fun, you also run many security risks that can leave you dead in the water. No one likes to think it can happen to them, but the truth is, it can. It’s not a matter of if, but when, especially if your blog is vulnerable.
I’ve done a lot of research into security vulnerabilities in WordPress and have come across some shocking information, including things you have probably never heard of. So I’ve compiled a checklist of things to do in order to minimize your chances of being hacked.
1. Upgrade WordPress - I can’t tell you how many people do not upgrade to the newest version of WordPress. You should always upgrade, especially if it’s a security upgrade. Not upgrading to the newest version leaves your blog wide open to attack from hackers and spammers who know the security vulnerability. The dashboard page in your WordPress admin panel will tell you when the newest version of WordPress is released. It may seem scary to upgrade, but it’s not that difficult once you get in there and walk through the steps.
If you have trouble understanding the WordPress instructions on upgrading or you’re not very tech savvy, you can download a plugin called WordPress Automatic Upgrade, which walks you step by step through the process and does everything for you. If you have this plugin, there is no reason you shouldn’t upgrade to the newest version.
2. Change Default Admin Account - Every hacker and spammer on the internet knows there is a default “admin” user for WordPress that has full god-like power over your entire blog. By leaving this user account in place you are asking for an attack. When you log in to your WordPress control panel for the first time, you should go to the Users page, create a new user with admin privileges (named something other than admin), and delete the default admin user. This forces hackers to guess the username as well as the password of your admin account. If you want even further security, you should set up another user with posting privileges only and use that user account every time you log in to WordPress to post a new blog entry.
3. Remove Version String From Header - The header file of your WordPress blog includes a line that tells everyone which version of WordPress you’re running. The best way to decrease the vulnerability this creates is to always upgrade, like I talked about earlier; however, if you still have reservations about upgrading, you should at least remove the version string from the header file.
To do this, log into WordPress with your admin account, click Design and then Theme Editor. Choose the header.php file to edit, find the piece of code that looks like this, and remove it:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
4. Know Your Plugins - There are thousands of plugins written for WordPress and new ones are being created every day. Even though we all want to believe it, not all of them are safe. They can contain malicious code that allows the creator to access your blog through the back door. The absolute best way to ensure the plugin you’re using is safe is to only download and install plugins from the wordpress.org website. The plugins listed on wordpress.org have been tested by the WordPress team, which ensures they are not maliciously written.
5. Rename Your WordPress Database Tables - Don’t get scared at this one. If you are tech savvy, you probably already know how to do this, and if you don’t, there are plenty of step-by-step instructions available on the web. If you aren’t as tech savvy and aren’t sure what you’re doing, your best bet would be to download some plugins that step you through the process. One of these plugins is called WP Prefix Changer. It’s a great plugin and very easy to use, but beware that some incorrectly written plugins may be affected because they hard-code the specific database table name. Having to deactivate a plugin or two to increase your blog security is well worth it.
6. Hide Your Folder Directory - By default your WordPress plugins directory is viewable by anyone interested in looking at it, simply by typing http://www.yourdomainname.com/wp-content/plugins. Try it right now and see what I’m talking about. If you can’t see it, you are ahead of the game and can skip this item in your checklist, but if you can see your plugins, you are vulnerable to an attack on your blog. Like a lot of WordPress users, you may have also created some extra folders on your hosting account that may be viewable as well, and these can be fixed in the same way as your plugins folder.
There are two methods to use:
- Add a blank “index.html” file into every folder that doesn’t have one.
- Add this line of code to your “.htaccess” file in the root directory of your blog: Options All -Indexes
The second choice is the best method, because it blocks directory listing for all folders at once, as opposed to finding each folder manually and creating a new file for it. You may end up missing important folders using the first method. If you’re not sure how to write to your .htaccess file, you can find a lot of step-by-step instructions by googling “.htaccess”.
7. Block WP Folders From Search Engines - By default search engines index everything from the root directory of your website down to the smallest file. There are a lot of files and directories in your WordPress install that you don’t want the search engines indexing. If anyone found those particular folders and files in Google, you could have the same problems as the aforementioned vulnerability. The only method to keep search engines from indexing particular files you don’t want them to see (besides not allowing your entire blog to be indexed, which is not recommended) is to create a “robots.txt” file.
When a search engine bot comes to your website, the first thing it looks for is your robots.txt file. This tells it what it can’t do, like a rule book. If you want to know all the features of the “robots.txt” file, you can google it and find millions of links to helpful websites. In order to keep Google from indexing your wp-admin, wp-content, wp-includes, and other wp folders, simply add the following line to your robots.txt file:
Disallow: /wp-*
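As an added example (not code from the original post), this POSIX shell script audits a WordPress document root for items 6 and 7: it lists folders that still lack the blank index file of method 1, checks the root .htaccess for the Options All -Indexes line of method 2, and checks robots.txt for the Disallow: /wp-* line. It assumes the document root is passed to audit as its first argument and builds a throwaway sample tree to demonstrate itself.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a WordPress
# document root for the folder-hiding steps in items 6 and 7.

# Print every directory under $1 that has neither index.html nor
# index.php, i.e. one that method 1 (a blank index file per folder)
# has not covered yet.
unprotected_dirs() {
  find "$1" -type d | while read -r d; do
    [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || echo "$d"
  done
}

# Succeed if the root .htaccess carries an Options line that turns
# off directory indexes (method 2, "Options All -Indexes").
indexes_disabled() {
  [ -f "$1/.htaccess" ] &&
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Succeed if robots.txt disallows the wp-* folders (item 7).
robots_blocks_wp() {
  [ -f "$1/robots.txt" ] &&
    grep -Eiq '^[[:space:]]*Disallow:[[:space:]]*/wp-' "$1/robots.txt"
}

# Print a short report for the install rooted at $1.
audit() {
  echo "Directories without an index file:"
  unprotected_dirs "$1"
  if indexes_disabled "$1"; then
    echo ".htaccess: directory indexes are off"
  else
    echo ".htaccess: add the line 'Options All -Indexes'"
  fi
  if robots_blocks_wp "$1"; then
    echo "robots.txt: wp-* folders are disallowed"
  else
    echo "robots.txt: add the line 'Disallow: /wp-*'"
  fi
}

# Constructed throwaway install used only to demonstrate the report;
# on a real blog pass the path of your document root instead.
root=$(mktemp -d)
mkdir -p "$root/wp-content/plugins/example-plugin" "$root/wp-content/uploads"
touch "$root/index.php" "$root/wp-content/index.php"
printf 'User-agent: *\nDisallow: /wp-*\n' > "$root/robots.txt"
audit "$root"
rm -rf "$root"
```

Keep in mind that robots.txt only asks well-behaved crawlers to stay out and does not stop anyone from requesting those paths directly, so the .htaccess rule is the control that actually hides the listings.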
These are simply the basic and most important things you can do to increase security and minimize your chances of being successfully hacked. There are a lot more suggestions all over the internet; all you have to do is look. If you’re interested, there is a plugin called WP Security Scan, which scans your blog for vulnerabilities and lets you know what you need to fix. There is also a plugin called Login Lock, which locks a particular username for a specified amount of time (default 1 hour) if too many unsuccessful attempts were made at entering the correct password.
Do you know of any more tips for increasing wordpress security?