10 Steps to Secure Your WordPress Blog From Hackers

Today's guest post is from Triona Guidry, a computer consultant and freelance writer in the
northwest suburbs of Chicago. Her blog offers tech support for Windows and Mac, security alerts, and advice on blogs and social media.


Writers depend on blogs to promote their work, interact with readers,
and attract the attention of agents and publishers. But what if you
discover that all your links have been changed to porn sites, or that
your readers are being spammed?

You need to know how to protect your
blog, and what to do if it's hacked.

The following advice is geared
toward those running their own installations of WordPress, but also
applies to those hosting their blogs with WordPress, Blogger, or other

The main idea behind computer security is to avoid being the "low-hanging fruit," meaning that hackers are deterred and move on to easier targets.

1. Use strong, unique passwords, for your blog plus your other accounts.

You may groan at the idea of different passwords for every site, but ask
yourself whether you would rather remember passwords or deal with the
aftermath of being hacked. Passwords should be eight characters or more
and contain a mix of letters, numbers, and symbols. Try mnemonics like
substituting symbols for letters in words, or use a password generator.
But please don't rotate between the same two or three passwords, and
don't use common words with exclamation points at the end.

2. Post as "editor" instead of "administrator."
Editor accounts can
create, modify, and edit posts, but can't make changes to WordPress
itself. Create a new administrator account and disable access to the
default one to make it harder for hackers to infiltrate.

3. Keep WordPress up to date.
There will be a reminder on your Dashboard
if there is a new version available. Don't forget to update your plug-ins

4. If applicable to you: Keep your server's system software updated with the latest bug fixes
and patches, and don't run beta software.

If you want to test something,
create a server you can use for experimentation. Old computers are great
for this purpose.

5. Use the WordPress Exploit Scanner Plug-In.
It's a good idea to run this utility on a regular basis.

6. Never access WordPress from public wireless networks.
and their automated password-harvesting software often lurk there.
same advice goes for e-mail, Facebook, and especially your financial

7. Keep the computers on your network free of viruses.
The easiest way to
do this is to follow my four steps to computer security: a security
software suite, a firewall, strong unique passwords, and a method for
updating your software, including your applications (Microsoft Office,
Adobe Reader, Flash, etc.) and your operating system (Windows or Mac).

If you
are using free antivirus, consider a paid version. I used to recommend
the freebies, but I've seen so many infections in my consulting business
that I decided they don't offer adequate protection anymore.

8. Make backups of your blog.
There are a number of WordPress plug-ins
that compress your blog files into an archive which can be stored on
your local computer.

9. Monitor your server's logs.
If someone is trying to get in, you may
find the first evidence here.

10. Moderate comments, and never approve spam comments.
To tell if a
comment is spam, look for poor grammar and punctuation, web sites that
don't match e-mail addresses, foreign languages, lengthy lists of links,
and comments on ancient posts. When in doubt, don't approve.
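
For step 9, here is one way to check the logs for password guessing (an added example, not part of the original post). The Python script below reads access-log lines and reports addresses that repeatedly POST to wp-login.php, and whether a login was accepted afterwards. It assumes the Apache/Nginx combined log format and that WordPress answers a rejected login with status 200 and an accepted one with a 302 redirect; the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Assumed format: Apache/Nginx "combined" access log.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def scan_login_activity(lines, threshold=5):
    """Report IPs with >= threshold rejected wp-login.php POSTs.

    Assumption: WordPress re-renders the form (200) on a bad password
    and redirects (302) when the login is accepted.
    """
    failed = defaultdict(int)
    accepted_after_guessing = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/wp-login.php"):
            continue
        ip = m["ip"]
        if m["status"] == "302":
            # An accepted login that follows a run of rejections is the
            # pattern worth an immediate password and key change.
            if failed[ip] >= threshold:
                accepted_after_guessing.add(ip)
        elif m["status"] == "200":
            failed[ip] += 1
    return {ip: {"failed_logins": n,
                 "login_after_guessing": ip in accepted_after_guessing}
            for ip, n in failed.items() if n >= threshold}

# Constructed sample lines (documentation-range addresses, made-up times).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2012:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "-"' % s
    for s in range(6)
] + [
    '203.0.113.7 - - [01/Jan/2012:03:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.23 - - [01/Jan/2012:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.23 - - [01/Jan/2012:09:30:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in scan_login_activity(SAMPLE_LOG).items():
        print(ip, info)
```
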

What if your blog has been hacked?
First, how do you know if your blog has been hacked? Usually, if your links have been
changed or posts appear that you didn't create, that's a good indication. But
there may not be any visible signs, which is why monitoring is so

If you discover you've been hacked, here's how to rescue your

  • Change all passwords immediately, for WordPress and for the server
    itself. This won't get rid of any bad links or back doors, but it will
    give you time. You should also change your password for your e-mail
    account if someone has attempted to use the "reset password" page to
    commandeer your account.
  • Next, change your secret keys. Otherwise the hackers will be able to
    stay logged in even if you change your passwords, because their cookies
    will still be valid. You can find out how to do this in the WordPress
    Codex FAQ on what to do if you've been hacked.
  • Scan your computer for viruses and malware. There's no point in using
    a contaminated computer to fix a contaminated server.
  • If your WordPress server is hosted elsewhere, contact your provider.
    Other blogs on the same server may have been affected, and your provider
    can offer information and assistance.
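
To illustrate the secret-key step above (an added example, not part of the original post or the WordPress Codex): this Python function replaces the eight key and salt `define()` lines in the text of a `wp-config.php` file with fresh random values. The sample configuration is constructed, and the function works on a string so you can review the result before saving it over the real file.

```python
import re
import secrets
import string

# The eight authentication constants WordPress reads from wp-config.php.
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Printable characters minus quote and backslash, so each value is safe
# inside a single-quoted PHP string.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   + string.punctuation if c not in "'\\")
DEFINE_RE = re.compile(
    r"""^([ \t]*define\(\s*['"](%s)['"]\s*,\s*)(['"]).*?\3(\s*\)\s*;.*)$"""
    % "|".join(KEY_NAMES), re.M)

def rotate_secret_keys(config_text):
    """Return (new_text, missing): every key/salt line gets a new 64-char
    random value; 'missing' lists constants not found in the file."""
    replaced = []

    def fresh(m):
        replaced.append(m.group(2))
        value = "".join(secrets.choice(ALPHABET) for _ in range(64))
        return "%s'%s'%s" % (m.group(1), value, m.group(4))

    new_text = DEFINE_RE.sub(fresh, config_text)
    missing = [k for k in KEY_NAMES if k not in replaced]
    return new_text, missing

# Constructed sample file contents, not a real site's configuration.
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'blog');\n" + "".join(
    "define('%s', 'put your unique phrase here');\n" % k for k in KEY_NAMES)

if __name__ == "__main__":
    text, missing = rotate_secret_keys(SAMPLE_CONFIG)
    print(text)
    print("constants not found:", missing)
```

Once the new values are saved, every existing login cookie stops validating, so all users, including you, have to log in again.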

While it's possible to clean up WordPress after it's been hijacked, it's
safer and easier to wipe WordPress, reinstall it, then restore your blog
from backup. If you choose not to do this, you need to check anywhere
hackers could have installed back doors: in your .htaccess file, in your
PHP scripts, and so forth. Again, the WordPress Codex has advice on what
to do. Be sure to download clean versions of your theme and plug-ins.
When WordPress is clean, change your passwords again. Finally, make
another backup of the cleaned blog and monitor your logs to look for
further hijack attempts.

If you make blog security part of your routine, like checking your
email, you can dismiss your worries and get back to your writing.


Many thanks to Triona for this excellent advice on site security. Be sure to visit her blog.

If you're thinking of starting your own website, or would like information on how to improve your site/blog—from a content perspective, not a technical/security perspective—you'll want to check out the class that I am offering on April 7. Registration will soon appear here.
