10 Quick Ways To Protect Your WordPress Site

According to Google, there are almost 10,000 newly hacked websites every day. The trouble is, most site owners don’t take security of their website seriously until they get swamped by complaints about viruses, automatic dialers and other harmful software.

The problem can be caused by a malicious program (malware) that’s been installed on your web server, harmful code in blog comments or techniques like SQL Injection that involve tricking login forms into allowing access to password protected areas.

Whatever the method, if it happens on your site it’s your reputation that takes a nosedive and it’s your problem to fix.

What else happens if your site is hacked?

Aside from the danger of losing all your content – and the time and expense of fixing the problem – Google will blacklist your site.

That means no one using Google Chrome (the most popular web browser) can visit your site. Instead they’ll see a nasty warning about how dangerous your site is.

Because Firefox uses the same site blacklist as Chrome, Firefox users will also be shown the unsafe site warning (pictured below) instead of your content.

Depending on the severity of the risk, your site will either have a "This site may harm your computer" warning added to its Google search results or be completely removed from the index.

Basically, it’s bye-bye website and revenue until you get rid of the malware.

The thing is, as a web developer I’ve seen this scenario enough to know two things:

1. It causes a lot of stress to the website owner.

2. Most of the time it could have been prevented by following some basic steps.

How to protect your website

Most of the time malware, viruses and other nasties gain access to your site through security holes, so plugging those significantly reduces your risk.

Here are the most common security issues and how to fix them.

1. Don’t use Admin as a username
Because hackers prefer the easy way of doing things where possible, they’ll often try to log in with the username Admin. That means if there’s an active account called Admin, they already have half the information they need to force their way into your site.

In the past, WordPress automatically created an Admin account when first installed. So if your site has been online for more than a couple of years, check to make sure it doesn’t have an Admin account. Even if it’s not being used by anyone, it’s still a security risk.

To delete the account, go to Users > All Users. If you’re currently logged in as Admin, you’ll need to create a new login and sign in with it before you can delete the Admin profile.

2. Don’t use an obvious password
What’s an obvious password? Here are a few: 1234, god, work, ilove and master.

Where did I get these from?

They’re a selection from the top 30 passwords stolen in the recent LinkedIn security breach, where a Russian hacker stole 6.5 million passwords and posted them on a web forum.

These same words turn up continually in lists of stolen passwords. Hackers know there are literally millions of people using these passwords, so these are the ones they try first.

If you’re using any of these as your password you should change it ASAP.

3. Use a strong password
Hackers often use a technique called brute force to gain access to password protected areas.

In a nutshell, this means using automatic software to guess your password. Since it’s automated, a huge number of passwords can be tried quickly – which is why it’s often successful.

Because the software uses a dictionary to generate passwords, don’t use a real word as your password. Instead, use random letters mixed with numbers and punctuation characters until the password strength indicator in WordPress admin shows you’ve created a strong password.
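As an added example (not code from the original post), here is a small Python checker that applies points 2 and 3: it rejects the stolen passwords quoted above, rejects passwords built from a dictionary word with simple mangling, and estimates the brute-force search space from the character classes actually used. The password and dictionary lists are constructed for illustration; a real check would load much larger lists.

```python
import math
import string
from typing import List

# Constructed sample lists. The first five entries are the passwords quoted in
# the post; the rest are filler so the dictionary check has something to hit.
COMMON_PASSWORDS = {"1234", "god", "work", "ilove", "master", "password", "123456"}
DICTIONARY_WORDS = {"master", "work", "love", "dragon", "monkey", "welcome"}

# (name, characters, alphabet size) for each class a brute-force tool must cover
CHARSETS = [
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("punct", set(string.punctuation), len(string.punctuation)),
]


def search_space_bits(password: str) -> float:
    """Bits of search space if the attacker must try every string over the
    character classes the password uses: length * log2(alphabet size)."""
    alphabet = 0
    for _name, chars, size in CHARSETS:
        if any(c in chars for c in password):
            alphabet += size
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def is_dictionary_based(password: str) -> bool:
    """Dictionary attacks try each word plus cheap mangling (case changes,
    digits or symbols tacked on), so undo that before comparing."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core in DICTIONARY_WORDS


def check_password(password: str, min_bits: float = 60.0) -> List[str]:
    """Return the reasons a password should be rejected; empty means acceptable."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a list of commonly stolen passwords")
    if is_dictionary_based(password):
        problems.append("built from a dictionary word")
    bits = search_space_bits(password)
    if bits < min_bits:
        problems.append(f"search space only {bits:.0f} bits (want >= {min_bits:.0f})")
    return problems


if __name__ == "__main__":
    for candidate in ("master", "Dragon123", "k7$Qz!m2Rw#p9Lx"):
        print(candidate, "->", check_password(candidate) or ["ok"])
```

"master" fails on all three counts, "Dragon123" still falls to a dictionary attack despite the capital and digits, and only the random mixed-class string clears the 60-bit bar.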

4. Don’t leave your login details on a Post-It note stuck to your monitor
Just sayin’ because you’d be amazed the amount of people who do that.

5. If your site has multiple authors, make sure they’re following these guidelines
Also, don’t leave accounts open for people who no longer need them. If you want to keep an author name active to maintain bylines on posts, change the password for the account by going to the Users > All Users page.

6. Don’t use a free WordPress theme unless it’s from an official WordPress site
There have been plenty of cases of unscrupulous directories giving away free themes containing hidden links to harmful sites.

The idea is that website owners using the free themes are unwittingly creating thousands of links back to a site that otherwise wouldn’t get any. If you need a free WordPress theme, get it from WordPress.org which vets themes before they go online.

Or better still, go the more professional route and get a premium theme.

7. Keep WordPress updated
When new versions of WordPress are released, it’s sometimes for new features but usually for security improvements.

WordPress is the single most popular online publishing system. That means when a security flaw is found, every hacker and his cat is on the net using software to find sites using the old, unsafe, version of WordPress.

Not keeping your copy updated is like leaving your front door unlocked. When new versions are released, update as soon as possible.

In the past, it was a pain to update, but now it’s easy. Just click the link that appears across the top of the admin area whenever a new version is available.

You don’t need to do anything technical.

If you’re worried about something going wrong in the upgrade process, make sure you’re making regular backups so you can safely “rewind” if needed. See “How to make automatic backups” below.

8. Keep your plugins updated
A similar thing applies to plugins – they’re often updated for security reasons.

Go to the main Plugins page in WordPress and you’ll see an upgrade notice next to any that need updating.

To update, just click the link. Again, there’s no technical knowledge required.

9. Keep all your sites updated
Don’t forget about the sites you may have that you rarely work on – they need to be kept updated too.

10. Don’t use cheap or free hosting
If you’re using hosting that costs a dollar a month – or, God forbid, free hosting – you’re asking for trouble, because the pile-it-high, charge-very-little approach means the web hosting company can’t afford to put effective security measures in place.

Stick with web hosts who have a good record in security like Host Gator or my favorite Media Temple.

Advanced resources

If you’re the technical type, or need to pass information on to your web developer, take a look at these advanced tips from Smashing Magazine.

Alternatively, try this free plugin which performs many of those tasks for you.

How to make automatic backups

Sooner or later, something’s going to go wrong. That’s life.

Losing all your blog content because of a hacker, server failure or database crash is not something you want to risk happening.

See my previous post for more information on making WordPress backups. The shortcut for non-technical types is to use a service like Backup Buddy for a set-and-forget system that can also be integrated with Dropbox, Amazon S3 and other services.

Site hacked? Here’s what to do

If your site has been hacked, or you or your visitors are seeing warnings about malware or viruses you can resolve the problem with these three steps.

1. Get your website scanned to see if there really is a problem. Sometimes there are false alarms. You can get an instant scan from the service I use, Website Defender; there are free and paid accounts and you can get a scan with either.

2. If there is a problem with your site, take the steps recommended by Website Defender to clean your site.

3. Report the problem as fixed to Google, so they can restore your site to their search engine rankings. To do this, you need to either submit a Site Reconsideration Request or submit an update via Google Webmaster Tools.

Using Webmaster Tools is a much quicker way of getting your site reconsidered, usually taking around six hours. Just go to the Malware section and follow the instructions.
