
5 Tips to Prevent Your WordPress Blog From Being Hacked

I hate that I have to write this post. I hate that there are mean bad people who spend their time trying to find vulnerabilities in WordPress.

Yesterday I spent the evening helping my friend Rachel of Running Rachel recover her blog because we suspected that it may have been hacked. Whenever she visited her site with Internet Explorer (IE), it redirected her to spammy looking sites. Fast forward two hours and lots of fiddling and googling later, I found that the cause of the problem was the Badgeplz.com Instagram widget she had on her site, so I deleted the code from her sidebar and VOILA! No more hanging, and no more redirects.

The unfortunate part was that we suspected her site had been hacked. If we had taken the time to PREVENT HACKING then we wouldn’t have had an issue. As well, if we had had a current backup of her site we would have found out rather quickly that it wasn’t hacked and that the problem was elsewhere. Ahhh, the lessons I learned that I’m now going to share with you:

  1. Use a Sucuri safe theme like Headway (affiliate link).
    ALL of my own sites have been designed with Headway because it’s really easy to use – you just drag and drop boxes to create the layout you want. The Headway theme uses the proper APIs provided by the WordPress.org project, thus avoiding direct database manipulation and other actions that could make your theme vulnerable to SQL injection, XSS and CSRF attacks. (Trust me, vulnerable = bad).
  2. Keep your WordPress Core and Plugins Updated.
    WordPress is one of the programs most targeted by hackers because it holds the keys to so many millions of websites. This puts a target on your back, and therefore your website has a great likelihood of being hacked. A WordPress update is your software’s way of helping you fix the problem before it starts. If you ignore the update, you’re ignoring the solution to a problem that is already out there, ready to attack.
  3. Use strong passwords for all entry points.
    I’m surprised to find out how many of my friends use the WordPress admin password generated by WordPress during the initial install. The WordPress admin password generated during install time is normally pretty strong (it consists of lowercase and uppercase letters with numbers and symbols) so there is nothing wrong with that. However, I’m totally shocked to find out how many of their FTP/cPanel passwords are not that strong. It gets even better … one friend was using her partner’s name as the password (Did I mention that her partner’s name is mentioned on her blog’s ‘About’ page?)! The FTP/cPanel password for your domain is just as important as your WordPress password. If someone can access your cPanel then that person can delete your WordPress database from cPanel → Databases → MySQL Databases. Anyway, the bottom line is to use strong passwords for all entry points, not just one.
  4. Backup Your Data
    I can’t stress this enough … always keep backups of all your important files. I always back up my WordPress database and WordPress files in case of emergency. What would you do if you lost all your blog’s content? Eeeek! Use a backup plugin like BackUpWordPress that backs up both your database AND your files. Knowing your site has been backed up will help you sleep better at night.
  5. Secure your blog with Better WP Security.
    Almost an “all-in-one” security plugin for WordPress. This plugin takes the best WordPress security features and techniques and combines them in a single plugin, thereby ensuring that as many security holes as possible are patched without having to worry about conflicting features or the possibility of missing anything on your site.
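As an added example for tip 4 (this is not code from the post and not the BackUpWordPress plugin’s own code), here is a small POSIX shell script that does what a backup plugin does under the hood: it reads the database settings out of wp-config.php, shows how the database would be dumped with mysqldump (assumed to be installed on the server; that step is not run in the demo), then packs the site files and the dump into a dated tar.gz with a SHA-256 checksum that can be re-checked after the archive has been copied off the server. The wp-config.php, site tree and SQL dump used in the demo are constructed placeholders, and the `public_html` path and the function names are my assumptions.

```shell
#!/bin/sh
# Added example: back up a WordPress site (files + database dump) from the shell.
# Not the blog's or BackUpWordPress's code; paths and names are assumptions.

wp_config_get() {
  # wp_config_get <wp-config.php> <CONSTANT>: print the value from a line such as
  #   define( 'DB_NAME', 'wp_site' );   (spaces around the quotes are optional)
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

wp_dump_db() {
  # wp_dump_db <wp-config.php> <out.sql>: dump the blog's database with mysqldump
  # (assumed present on the host; NOT called in the demo below). The password is
  # passed through MYSQL_PWD so it never shows up in the process list.
  MYSQL_PWD=$(wp_config_get "$1" DB_PASSWORD) \
    mysqldump --host="$(wp_config_get "$1" DB_HOST)" \
              --user="$(wp_config_get "$1" DB_USER)" \
              --single-transaction "$(wp_config_get "$1" DB_NAME)" > "$2"
}

sha256_file() {
  # Portable SHA-256: GNU coreutils sha256sum, else shasum (BSD/macOS)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

sha256_check() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum -c --quiet "$1"; else shasum -a 256 -c "$1" >/dev/null; fi
}

wp_backup() {
  # wp_backup <site_dir> <db_dump.sql> <backup_dir>: pack the site files and the dump
  # into a dated archive, write a checksum beside it, and print the archive path.
  site=$1; dump=$2; dest=$3
  mkdir -p "$dest"
  archive="$dest/wp-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" \
                      -C "$(dirname "$dump")" "$(basename "$dump")"
  ( cd "$dest" && sha256_file "$(basename "$archive")" > "$(basename "$archive").sha256" )
  echo "$archive"
}

wp_backup_verify() {
  # wp_backup_verify <archive>: the checksum must match and the archive must list cleanly.
  # Run this again on the copy you download, so a corrupt transfer is caught now
  # rather than on the day you actually need to restore.
  ( cd "$(dirname "$1")" && sha256_check "$(basename "$1").sha256" ) && tar -tzf "$1" >/dev/null
}

# --- Constructed demo data (a stand-in for a real site, not a real install) ---
demo=$(mktemp -d)
mkdir -p "$demo/public_html/wp-content/uploads"
cat > "$demo/public_html/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'placeholder-not-a-real-password' );
define( 'DB_HOST', 'localhost' );
EOF
echo "sample upload" > "$demo/public_html/wp-content/uploads/photo.txt"
# Stand-in for what wp_dump_db would produce (there is no database server in this demo)
cat > "$demo/wp_demo.sql" <<'EOF'
-- constructed dump
CREATE TABLE wp_posts (ID int);
EOF

echo "database named in wp-config.php: $(wp_config_get "$demo/public_html/wp-config.php" DB_NAME)"
archive=$(wp_backup "$demo/public_html" "$demo/wp_demo.sql" "$demo/backups")
wp_backup_verify "$archive" && echo "backup ok: $archive (now copy it off the server)"
```

On a real host you would call `wp_dump_db public_html/wp-config.php wp_demo.sql` first and then `wp_backup`, and keep the archive somewhere other than the server it came from, which is the point the comments below make: a backup that only lives on the same account is lost together with the site when the account is locked or wiped.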

Question/Sharing:
Has your blog ever been hacked?

  • Rachel
    September 28, 2012 at 10:30 am

    Great post!! Thank you for your HELP and words of wisdom!!

  • Erin
    September 28, 2012 at 10:59 am

    Omg this is really stupid of me but I never realized my blog could get hacked! Thanks for the reminder!

    • Janice - The Fitness Cheerleader
      September 28, 2012 at 11:15 am

      Oh yes – nothing is sacred unfortunately 🙁 If anything, start making either daily or weekly back ups of your blog so that you can restore a clean version if you ever get injected with malicious code. Fingers crossed that it never happens to you!

  • Kasey Bandy Shuler
    September 28, 2012 at 12:26 pm

    I just downloaded the backup plug-in after I read “What would you do if you lost all your blog’s content?” because I think I would just cry for a few days haha. Thank you so much for the tips!!

    • Janice - The Fitness Cheerleader
      September 28, 2012 at 4:24 pm

      Yes – themes & plugin settings can be easily replaced, but content would take years to recreate.

  • PavementRunner
    September 28, 2012 at 1:06 pm

    agggghhh. I’m scared now. I don’t want it to happen to me. I post pictures of me dressed like a crab…

  • misszippy1
    September 28, 2012 at 4:07 pm

    Great advice, much of which I didn’t know. Thanks so much for sharing. I’ve also been told not to have the user name “admin” b/c it is very common and easy for hackers to try.

    • Janice - The Fitness Cheerleader
      September 28, 2012 at 4:34 pm

      Yes – the plugin in step 5 directs you to change the admin username, and change its user ID.

  • Kymberly
    September 28, 2012 at 7:23 pm

    Thank you for sharing your insights. Like you, I totally don’t get the hacker mindset. Why spend time just to be mean?

  • Robin | Farewell, Stranger
    September 30, 2012 at 2:24 pm

    Good stuff. And phew, I do most of that. 😉

    Question about backups – I use that plugin and it’s scheduled to run automatically. (Although I just looked – it’s supposed to run daily and it isn’t. Hmm…) Anyway, what do you suggest doing with the backups? Mine just runs and is stored on the server. Is that enough to recover? Or would I need to download it periodically?

    • Janice - The Fitness Cheerleader
      September 30, 2012 at 2:42 pm

      Truthfully, I would make a point of downloading it, or having it automatically zipped and emailed to you. Several years ago I had a host claim I had violated their terms and conditions and lock me out of my account and all of my data. Fortunately I had local backups so I was able to restore my blog within a few hours on another host.

  • BadgePLZ
    October 8, 2012 at 10:33 am

    Problem solved.
    BadgePLZ.com usable.
    BadgePLZ.com set 11 February 2011 as the first instagram widget for blogs.
    Competitors tried to lure customers.

  • BadgePLZ
    October 18, 2012 at 7:29 am

    Sucuri Verified Website http://BadgePLZ.com https://monitor8.sucuri.net/verify.php?r=3ffa7faf4d60b8794d27802c135e7469ec5dfc40f4
    Sorry for any inconvenience. http://BadgePLZ.com is completely safe and is checked several times a day. You can use the widget again.
