Skip navigation

Firewalling and Hack Proofing Your WordPress Blog

is one of the top security blogs out there keeping an eye on all things blog security and WordPress. They’ve just released two great articles WordPress fans need to check out.

First is news of a video and blog post by Guvnr called “10 Tips to Make WordPress Hack Proof. The effort involved tips from BlogSecurity’s popular WordPress Security Whitepaper, inspiring them to update and improve it soon.

The second is “How to Firewall Your WordPress Blog” by Jaimie Sirovich of SEO Egghead guest blogging on BlogSecurity. He covers options to help you make your WordPress blog more secure with a variety of WordPress Plugins.

Don’t forget that the best line of defense protection for your WordPress blog begins with a strong password, followed by regularly upgrading your WordPress blog, especially after mandatory security alerts.

There is a lot of misinformation on the web about blog and WordPress Security. Many will tell you that CAPTCHAs and their paid services will protect you and your WordPress blog. They will give you a lot of out-dated steps to take. Don’t be fooled. Get your information from the official and reputable WordPress resources. WordPress is inherently secure. It should be. It is used by some of the top government agencies in the United States and around the world.

The current version of WordPress is very secure with no critical security vulnerabilities reported since its release. There are, however, some security issues with WordPress Plugins so make sure you check in with your favorite WordPress Plugin authors and your Plugins Panel for updates on a regular basis.

Here are some reliable articles on blog and WordPress security:

Site Search Tags: , , , , , , , , ,

Feed on Lorelle on WordPress Subscribe Feedburner iconVia Feedburner Subscribe by Email Visit
Copyright Lorelle VanFossen, the author of Blogging Tips, What Bloggers Won't Tell You About Blogging.


  1. Dan Schulz
    Posted March 7, 2009 at 10:46 pm | Permalink

    It’s not just a strong password, but also creating a special administrative account with a strong password, then deleting the “admin” account.

    • edteach3r
      Posted March 9, 2011 at 9:30 pm | Permalink

      How do you delete the admin account? I created a new account as you had suggested, providing the new user with adminstrative privileges, yet I am unable to delete “admin”.

      • Posted March 10, 2011 at 10:05 am | Permalink

        You cannot delete the primary administration account. If you cannot change the admin name, you either do not have the proper permission levels or you are using an old version of WordPress. You can change it in the database. Check the WordPress Codex for details on how to carefully edit the WordPress database.

  2. Posted March 7, 2009 at 10:50 pm | Permalink

    It’s all the strong password with the good firewall and also the intelligent admin. who have eye on his blog regular.

  3. pop
    Posted March 7, 2009 at 11:15 pm | Permalink

    Thank you! I needed this. One of my blogs was recently hacked. Not sure how and neither was the service provider. I hope this helps.

  4. Posted March 8, 2009 at 12:08 am | Permalink

    This is exactly the article I needed right now! After my blog was hacked into not once but twice last month and causing me to lose more than 1,000 visitors, one of my readers asked how it could be prevented. My answer was “I don’t know.” Now I’m off to find out. Thanks.

  5. Posted March 8, 2009 at 3:14 am | Permalink

    @Dan Schulz: Renaming/removing the “admin” account doesn’t really improve security any. Using a strong password is more important. It’s not really a matter of 1 vs. 2 things to guess.

    Also, about 90% of the hacked sites I’ve seen (which have been plenty) have been a) on shared hosting setups b) with bad security choices in their software (using suPHP is a good start for secure shared systems) and c) the actual hack was performed through some other site’s software and then a script was run to search for and compromise all sites on that server. This is the usual method, once somebody gets into a server, if the security isn’t done right, every site on that server can get hacked automatically.

    Dedicated servers are less likely to be hacked *if* the admin knows what he’s doing. Shared server security is a different bag of tricks, and not many admins are particularly good at it.

  6. Posted March 8, 2009 at 7:29 am | Permalink

    Actually, the biggest WordPress vulnerability is the free reign plugins have. The framework is WIDE OPEN for abuse.

  7. Posted March 8, 2009 at 11:42 am | Permalink

    Staying up-to-date and watching those file permissions is the main one I come across a lot when people come to me with “hey what happened to my WordPress site?” (this is usually followed with “can you help me fix it?”.

    Once those security holes get out, any WordPress site that isn’t being watched will get hammered very quickly. The higher your PageRank, the faster this will happen.

    Back up often to prevent a catastophe!

  8. Posted March 8, 2009 at 1:51 pm | Permalink

    We all need more security, thanks!

  9. Posted March 8, 2009 at 3:52 pm | Permalink

    Big cheers Lorelle. Wow, flattery indeed. Splendid to meet you, and I appreciate your commendation for that ten tips post. (The server’s bearing up at the moment, just about. Next time you link me though, do me a favour and warn me to enable supercache;) the_guv at guvnr.

  10. Rhoda Ozen
    Posted March 8, 2009 at 8:44 pm | Permalink

    You truly do not comprehend the redaction of our Fourth under the House that bush Built, do you? WordPress has disemvoweled me, removed posts, wrote posts without me knowing then acting as if the Vets that read that and many from the Hill do not KNOW that it isn’t me? I used Effector, It took their covert guy 2 days of mucking about with me and now I have a quite tidy paper trail thank you, I do appreciate your naivete’ or towing the Party Line but Gheeez louise have you even read a Constitution?

    • Posted March 9, 2009 at 10:39 pm | Permalink

      @Rhoda: Are you talking about blogging with or a full version WordPress blog? If you were using a full version WordPress blog, then there is nothing anyone from WordPress or Automattic could do to your blog. It’s your blog to do with it what you will. If you were blogging with the free hosted version of and you violated their terms of service, then like anyone else who violates those terms, you would be informed of the violation and given a chance to respond. Sorry you had a bad experience, whatever that was with.

  11. Posted March 8, 2009 at 10:23 pm | Permalink

    Thanks for this info. With a popular cms like wordpress, it is a much bigger target for attacks. WordPress has been pretty secure in my experience, but it’s always good to have as many layers of security as possible.

  12. Posted March 8, 2009 at 10:44 pm | Permalink

    I am also managing my blogs.

    But i have lost two of my favorite blogs one time that I have managed with heart. And I was really unable to have that again as the complete data was lost.

  13. Posted March 8, 2009 at 10:58 pm | Permalink

    Yups.. I agree, using a strong password is more important. Never use your name, family, phone number,or personal information as a password or username. Make a unique username and password.

  14. izle
    Posted March 9, 2009 at 3:41 am | Permalink


  15. aspen
    Posted March 9, 2009 at 4:29 am | Permalink

    I was once told that the safest computer is one that is buried 6 feet below the ground and is unattached. 🙂

  16. Posted March 9, 2009 at 8:39 am | Permalink

    Thanks, a good reminder.
    Will check out some of your links.

  17. Posted March 9, 2009 at 7:11 pm | Permalink

    I would like to know what happens when hacked; they just make me look stupid? There is no financial info connected here. But also what if I use the same password as on my other email accounts. When they hack to they retain knowledge of the password?

    • Posted March 9, 2009 at 11:06 pm | Permalink

      @maaark: If you use the same password for other accounts, and they have a way of tracking you to those accounts, they could use it, but the damage is usually done by machines not humans. When a blog is hacked, they can do a wide variety of damage. They can track everyone who visits your blog. If someone leaves a comment, they can track their email and contact information, then travel to their sites and do damage. They can track passwords, not just on your site, but actually worm their way into your computer by putting ads or links on your blog that you click and unknowingly install a file on your computer. They can pound away at your website, increasing traffic, database hits, and server load, thus driving up your server costs with no benefit to you. At the last, that kind of action can crash your server and your account closed, not to mention the damage they might do across a shared hosting service.

      At the least, they can deface your site, thus ruining your reputation and credibility when people visit your site. And leave a big mess for you to clean up. It’s a lot of work, a lost of wasted time, and painful.

  18. Posted March 10, 2009 at 3:25 pm | Permalink

    Good article to drive home the security need. I had a blog hacked recently (not my primary one thankfully) and it really spurred me to be more careful about my passwords and security in general (so easy to be lazy and use the same passwords).

    I keep a link to this password generator in my bookmarks toolbar so I can quickly come up with something complicated and random anytime I need a new one.

  19. Posted March 14, 2009 at 12:32 pm | Permalink

    Shouldn’t all these safety features come with the WordPress installation itself? Except for the password of course.

    • Posted March 14, 2009 at 5:59 pm | Permalink

      @Joy: WordPress is fairly secure and getting better all the time. These are things that others are doing to further enhance WordPress security. Many of these involve customization of Apache, PHP, and server elements that cannot be controlled nor accessed by Woopra, especially across the wide variety of server types and programs. For those to whom top level security is critical, these are the steps they can take that go beyond what WordPress can, and should, do.

  20. watzabatza
    Posted March 17, 2009 at 5:48 pm | Permalink

    these hackers are stupid.. we’re safe only if we use computer only at our home or our PC. but renting computer in the internet cafe is very dangerous. in most cases, many victims of keylogger.. this really sucks. many accounts (email, personal site, game accounts,etc) had been lost and ruined.. we have to be wise when we gonna protect our personal thing we love.

  21. Portland
    Posted March 29, 2009 at 5:40 pm | Permalink

    always a challenge to stay one step ahead of the hackers… for sure stay away from any password entering on public computers…

  22. Jimmy
    Posted July 27, 2010 at 10:53 pm | Permalink

    I was hacked into one of my sites last year, luckily I only had content on my site
    It really through me for a loop I could not figure out why someone would want to hack
    a site that was of no importance. I guess it was the thrill for them to ruin all the
    time I had in setting it up. I wish I would have found this site earlier. It would
    have saved me from getting wiped out.

    I’ve been using the secure wordpress plugin and I have not had any problems since.
    Good strong word of advise, Back up regularly

  23. Posted August 12, 2010 at 1:58 am | Permalink

    Will this still apply for the version 3?

  24. Marcelo Bessi
    Posted April 14, 2011 at 11:01 am | Permalink

    I wish I would have found this site earlier. It would
    have saved me from getting wiped out

  25. Adam
    Posted March 15, 2014 at 6:40 am | Permalink

    Nice tips and links. But, the number one tip you left off is change the admin name to something different and make sure to use a strong password.

    • Posted March 21, 2014 at 10:47 pm | Permalink

      This article was written in 2009. Changing the admin name and having a strong password is something that is like a default, and should go without saying, though it does always bear repeating. Thanks for the reminder.

15 Trackbacks/Pingbacks

  1. […] Link   […]

  2. […] article with links to some WordPress security resources. Firewalling and Hack Proofing Your WordPress Blog posted under […]

  3. […] Firewalling and Hack Proofing Your WordPress Blog Blog Security is one of the top security blogs out there keeping an eye on all things blog security and WordPress. […] […]

  4. […] Firewalling and Hack Proofing Your WordPress Blog (tags: wordpress blogging security Hack) […]

  5. […] up this excellent article via twitter – Firewalling and Hack Proofing Your WordPress Blog by Lorelle. I think the most chilling part is perhaps the comment below the post on the […]

  6. […] Firewalling and Hack Proofing Your WordPress Blog « Lorelle on WordPress. […]

  7. […] of Lorelle On WordPress fame has written an excellent post about what you should do to firewall and hack proof your WordPress blog. var […]

  8. […] Need help securing your blog? I follow Lorelle On WordPress.  She wrote an article in March that is a must read. Go here. […]

  9. […] Lorelle on WordPress: Comprehensive post and links on  Firewalling and Hack Proofing Your WordPress Blog […]

  10. […] such an offensive mistake it makes me cry a little. As I(and Mark Jaquith and Vladimir Prelovac and many others) have written, using nonces is a must for any plugin which takes options from a user. Strangely […]

  11. […] Firewalling and Hack Proofing Your WordPress Blog […]

  12. […] Firewalling and Hack Proofing Your WordPress Blog […]

  13. […] Firewalling and Hack Proofing Your WordPress Blog […]

  14. […] Firewalling and Hack Proofing Your WordPress Blog […]

  15. […] Protect WordPress Against Malicious URL Requests 13 Vital Tips and Hacks to Protect Your WordPress Admin Area Firewalling and Hack Proofing Your WordPress Blog […]

Post a Comment

Required fields are marked *

%d bloggers like this: