4 Steps To Protecting Your WordPress Blog
I don’t know about you, but I want to protect my blog from hackers as much as I can. Right now, there are thousands of dodgy characters who could hack into your WordPress blog at any moment. Think about it… What would you do if your blog was the target of some 12-year-old kid hacker?

Your pages, posts, traffic, lead flow and income are at risk, and they could even be lost for good. Seriously, if you’re running a blog that gets at least some traffic, you are in fact at risk. I know guys who have 10-50 hackers try to access their blog EVERY DAY. Of course, they have authority blogs, but that doesn’t mean yours is safe.
Fortunately for you, you’ve come at the right time and you can lock down your blog so it’s hacker-free in minutes. WordPress is actually somewhat secure without the extra protection; I mean they have A TON of updates. Unfortunately, you must update stuff manually. Anyway, if you follow along and do everything below you’ll make your blog 10x safer.
1. Delete Admin Account
Keeping your admin account is like leaving a very large back door open. Then broadcasting the news to a really bad neighborhood. (Yah, it’s really that bad)
Pretty much all WordPress bloggers leave their username as Admin. When they do that, hackers instantly have 50% of what they need to know. Then all they have to do is find out your password. Lucky for them, there are tools out there that can automatically figure out your password.
They just have to input your username and the software uses brute force to break into your blog. Dangerous, dangerous, dangerous. If you’re about to install WordPress, you can choose a different username upon install.
If you’ve already been posting under the admin account, here’s what to do. Go into your dashboard, click users and then select add new user. You need to create a brand new user with admin rights. Once done, log out of your admin account and log back in with your new account.

Now go straight back to the Users page and go ahead and delete the admin account. Upon deletion, you’ll see that you can transfer all posts to another account. Just transfer them to your new user account and you won’t have any problems.
2. Move WP-Config.php Up One Level
Yep, moving your wp-config.php file up just one level makes a huge difference. The wp-config.php basically has all of your WordPress configuration settings and information. Meaning if a dirty hacker got hold of it… say goodbye to your site. All of your posts, pages, and comments could vanish overnight.
Also, there are a ton of bots that can “get hold of” this file because they know exactly where to look. So, you can move the file above the WordPress root. Normally, wp-config.php is located here:
~/home/user/public_html/wp-config.php
So generally hackers know exactly where to look. All you have to do is FTP into your server and literally drag the wp-config.php file above the public_html directory. So, once done the file should be located here:
~/home/user/wp-config.php
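Super easy to do, very important. Now the file sits outside the web-accessible directory, so hackers (bots) won’t find it at the usual location. WordPress automatically checks one directory up for wp-config.php, so there’s nothing else to do; it takes under 2 minutes and can possibly save years’ worth of work.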
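As an added example (not part of the original post), here is the same move done as a script with safety checks instead of an FTP drag. WordPress only falls back to a wp-config.php one directory up when that directory has no wp-settings.php of its own; the function names and the throwaway directory tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: relocate wp-config.php one level above the WordPress root.
# Paths are constructed; nothing here touches a real site.

# Print where WordPress would load its config from: docroot, parent or missing.
wp_config_location() {
    root=${1%/}
    parent=$(dirname "$root")
    if [ -f "$root/wp-config.php" ]; then
        echo docroot
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        # Core only falls back to the parent when the parent is not itself
        # a WordPress install (no wp-settings.php there).
        echo parent
    else
        echo missing
    fi
}

# Move the config up one level; refuse when the move would break the site.
relocate_wp_config() {
    root=${1%/}
    parent=$(dirname "$root")
    [ -f "$root/wp-config.php" ] || { echo "no wp-config.php in $root" >&2; return 1; }
    [ ! -e "$parent/wp-config.php" ] || { echo "$parent already has a config" >&2; return 2; }
    [ ! -f "$parent/wp-settings.php" ] || { echo "$parent is a WordPress install" >&2; return 3; }
    mv "$root/wp-config.php" "$parent/wp-config.php" || return 4
    # Owner-only access; assumes PHP runs as the file owner (typical on shared hosting).
    chmod 600 "$parent/wp-config.php"
}

# Demo on a throwaway tree that mimics /home/user/public_html.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/user/public_html"
    echo '<?php // constructed sample config' > "$tmp/user/public_html/wp-config.php"
    before=$(wp_config_location "$tmp/user/public_html")
    relocate_wp_config "$tmp/user/public_html"
    after=$(wp_config_location "$tmp/user/public_html")
    rm -rf "$tmp"
    echo "$before -> $after"
}
demo
```

If the site stops loading after the move, check whether the parent directory is itself a WordPress install or whether PHP runs as a different user than the file owner.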
3. Always Update Plugins, WordPress & Theme
This is a really obvious one that most people already do. BUT, did you know that leaving WordPress, themes, or plugins not updated is like leaving a massive window open in the middle of the night? Well, it opens up doors so just update your stuff ok? There are actually plugins that can automatically update everything for you; a simple search will do the trick.
4. Install WordPress Security Plugins
There are hundreds of plugins available that supposedly make your site more secure… but not all of them truly work. I spent a good afternoon making sure my blog was properly secure and everyone kept recommending the same two plugins.
WP Security Scan (checked as of July, 2024) & Secure WordPress (checked as of July, 2024)
Honestly, don’t ask me why you should install these plugins. I’m just going to tell you that they do some really advanced techy stuff that makes no sense to me. And… I checked MANY authority blogs in our niche and others, they all recommend them.
Be Aware
Just be careful! Seriously, I don’t think there’s any way of fully protecting your WordPress blog. Think about the massive authority sites that are constantly getting hacked. Think about when the FBI’s site got hacked, tons of multimillion/billion dollar companies have had their sites hacked in the past. Who knows how, I just keep hearing about loopholes and backdoors. All sounds a little strange to me. Anyway, just be careful and take 10 minutes to do all of the above. Perhaps it will help you sleep at night?
In prosperity,
David Wood
P.S. Please leave your comments, thoughts, and questions in the box below.

Comments (carried over from the previous site)
Ken A, August 14 2011, 12:31
Good Advice. I’m installing those plug-ins now!
Tyronne Ratcliff, August 14 2011, 12:35
That’s a good list you got there Des, thanks!
Des, August 14 2011, 12:40
Hey David,
Good information about WordPress security. If you want to take it to another level then carry out these steps:
1. Remove the readme.html file which advertises your WordPress version
2. Remove install.php and installhelper.php from the Wp-admin directory
3. Install Limit Login plugin to further protect Wp login.
4. Install Wp File Monitor plugin.
There are other steps you can take but these involve technical tasks and can become a little complicated.
All the best,
Des
Ajnabii, August 14 2011, 12:45
Nice post David, great tips to protect WordPress blogs. Would you please tell me how to move the config file to another directory and how to password protect the wp-admin directory?
Your help is much appreciated!