How to Protect Your WordPress Site

Lock down your WordPress siteHere, from the voice of experience, is some advice for protecting your WordPress blog from hacking, or recovering quickly in case it happens to you:

  • Take upgrades seriously — Check this list, and if your WordPress version is one of these with known vulnerabilities, or if you are using anything lower than the latest version, upgrade immediately. Not sure which version of WordPress you are using? Log in to your WordPress admin panel dashboard. Scroll down to the bottom of the page. You will see the version listed there. Remember, you can always find the latest version of WordPress software here. If you do your own tech work, download it yourself. Or contact your webmaster.
  • Carefully research any plugins before you download them — See if there are any reported insecurities. Plugins sometimes are backdoors for hackers to exploit. Go here to see known plugin vulnerabilities.


  • Do not allow self-registration for new users — Self-registration gives hackers a way in. Once in, they can exploit certain versions of WordPress and gain control of parts of your site. Go into your WordPress admin dashboard; click the “Options” tab and then on the “General” sub-tab.  Make sure the box stating “anyone can register” is unchecked.
  • Change all your passwords — This is just a good thing to do periodically. And it’s a must if you’ve been hacked (you never know — your hacker may now have your passwords).
  • Check your site to see if it’s already compromised — I discovered that a friend’s blog had been compromised without her being aware of it! You want to check for hidden links. In your browser, click on the “View” menu, and then choose “Source.” This will open up a little window where you can easily see your code. Look for links to sites you do not recognize. They may appear near HTML code “display:none” or “hidden.” Both codes mean what they suggest: that links are being hidden from casual view. Maybe there’s a legitimate use for such HTML in your site — but then again, it may be the work of hackers. Even better, use this tool to view your site as the Googlebot sees it, including hidden links.
  • Check your site’s outbound links — Another tool to check your site is the Outbound Links Report from Vertical Leap. This free report will show you links emanating from your site that may have been hidden by hackers in directories you normally do not see. This report will help you identify if part of your site has been hijacked without your knowledge.
  • Get qualified help immediately — I’d like to think that intelligent business people could recover on their own from a hacking. However, I could not have cleaned up all the hackers’ gunk and recovered without the help of my webmaster and hosting company. These hackers are crafty. It took more technical expertise than I have to fix the sneaky damage. In fact, my webmaster Tim has set up a service called Fix WordPress just to help those whose WordPress installations have been hacked. (In every dark cloud, there’s an entrepreneurial opportunity.)
  • Forewarned is forearmed. Educate yourself — Read up about hacking activity. Better yet, think like a hacker. Even if you have a technical staff to handle the details, you can save time, money and worry by being a proactive site owner or user. The more knowledge you have, the better able you will be to (1) spot suspicious activity or (2) avoid behaviors that leave you wide open.

For more educational sources that are especially helpful, see:

Three tips to protect your WordPress installation

Lorelle also has good advice for protecting your WordPress blog

White paper: Trends in Badware 2007

White paper: How to Create a Secure WordPress Install (PDF)

If you’d like to read my experience with a WordPress exploit, read:
Hacked: It Could Never Happen to My Site (Famous Last Words).

More in: 19 Comments ▼

Anita Campbell Anita Campbell is the Founder, CEO and Publisher of Small Business Trends and has been following trends in small businesses since 2003. She is the owner of BizSugar, a social media site for small businesses.

19 Reactions
  1. I am a new WordPress user, but only the online version at Do you think these issues go back to that version as well?

  2. This is a really helpful list of tips. I’m sure this will prevent a ton of needless headaches.

  3. Excellent information on WordPress vulnerabilities. Everyone using WordPress should read the hacker post as well so as to prevent security breaches.

  4. Great tips to protect our WordPress blogs. One of my clients blogs was hacked last week by some Russian hackers. They replaced the index.php file with an image of the Kremlin and a Russian Czar staring at you with big red eyes. They also changed the title to Hacked by (some Russian names that I can’t remember).

    I found out that the file permissions were changed which allowed them access to change the files. Here are the recommended file permissions from


  5. What an Awesome blog entry. I so appreciate your being so open and honest about your terrible hacking experience. One of my clients word press blogs was hacked after only being up for 4 weeks. I was mortified. How could this happen to a site that was not even up and running that long. I was even more upset at my host when they charged me a fee to restore the last backup after the hacking. I now backup all my blogs on a regular. I also use a website to backup all the blog content
    So thanks again for your wonderfully candid blog entry, I have already applied many of the steps you mention.

  6. Jeffrey,

    Thank you for pointing out the backup link. It’s not really clear on their site, but is their service always free? If so, that’s an awesome deal.

  7. This is excellent. I use WP for several sites, and am always looking for info to make them better in terms of security and SEO.

  8. Thank you for this information. 🙂