Genius Startup
Ideas, tools and strategies for building websites that get visitors and make money
Disclosure: Some posts on this site contain affiliate links for companies like HostGator, which means I receive a commission if you decide to buy using the link. That said, I only recommend products and services I use and like.

WordPress Security – 10 Quick Ways To Protect Your Website

According to Google, almost 10,000 websites are newly hacked every day. The trouble is, most site owners don’t take the security of their website seriously until they get swamped by complaints about viruses, automatic dialers and other harmful software.

The problem can be caused by a malicious program (malware) planted on your web server, by harmful code slipped into blog comments, or by techniques like SQL injection, where an attacker types database commands into a form field (a login form, say) that the site passes straight through to its database, letting them into password-protected areas or at the data behind them.
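To make the SQL injection point concrete, here is an added example in Python (not code from this post or from WordPress) using an in-memory SQLite table standing in for a site's users table. The vulnerable function builds the query by gluing the form fields into the SQL text, so the constructed input `' OR 1=1 --` turns the WHERE clause into one that is always true and comments out the password check; the safe version passes the same values as parameters, and the database treats them as plain text.

```python
"""Login-form SQL injection: vulnerable vs. parameterized query (added example)."""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with one account; stands in for wp_users.

    Unsalted SHA-256 is used only to keep the demo short; WordPress itself
    stores salted password hashes. The point here is the query, not the hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("editor", hashlib.sha256(b"correct horse battery").hexdigest()),
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """String concatenation: whatever is typed into the form becomes part of the SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (
        "SELECT login FROM users WHERE login = '" + login
        + "' AND pw_hash = '" + pw_hash + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Parameterized query: the values travel separately from the SQL text."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND pw_hash = ?",
        (login, pw_hash),
    ).fetchone()
    return row is not None


# Constructed attacker input for the username field. In the concatenated query it
# closes the quoted string, adds an always-true condition and comments out the
# rest of the line:  ... WHERE login = '' OR 1=1 --' AND pw_hash = '...'
INJECTION = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected:", login_vulnerable(db, INJECTION, "anything"))
    print("safe, injected:     ", login_safe(db, INJECTION, "anything"))
    print("safe, real login:   ", login_safe(db, "editor", "correct horse battery"))
```

The same fix in WordPress plugin code is `$wpdb->prepare()`, which fills placeholders safely instead of concatenating strings. Anything that builds SQL from form input by string joining, in a theme, a plugin or a custom page, is the hole this demonstrates.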

Whatever the method, if it happens on your site it’s your reputation that takes a nosedive and it’s your problem to fix.

What else happens if your site is hacked?

Aside from the danger of losing all your content – and the time and expense of fixing the problem – Google will blacklist your site.

That means anyone using Google Chrome (the most popular web browser) who tries to visit your site will be stopped by a full-page warning about how dangerous your site is.

Firefox checks the same Google Safe Browsing blacklist as Chrome, so Firefox users will also be shown an unsafe site warning like the one you see below instead of your content.

Depending on the severity of the risk, your site will either have a This site may harm your computer warning added to its Google search results or be completely removed from the index.

Basically, it’s bye-bye website and revenue until you get rid of the malware.

The thing is, as a web developer I’ve seen this scenario enough to know two things:

1. It causes a lot of stress to the website owner.

2. Most of the time it could have been prevented by following some basic steps.

How to protect your website

Most of the time malware, viruses and other nasties gain access to your site through security holes, so plugging those significantly reduces your risk.

Here are the most common security issues and how to fix them.

1. Don’t use admin as a username
Because hackers prefer the easy way of doing things, they’ll try the username admin first. If there’s an active account called admin, they already have half the information they need and can put all their effort into guessing the password.

Before version 3.0 (2010), WordPress created an account called admin automatically on installation. So if your site has been online for more than a couple of years, check to make sure it doesn’t still have one. Even if nobody uses it, it’s a standing target.

To delete the account, go to Users > All Users. If you’re currently logged in as admin, first create a new user with the Administrator role and a strong password, sign in as that user, then delete admin. WordPress will ask what to do with its posts; attribute them to the new user so nothing is lost.

2. Don’t use an obvious password
What’s an obvious password? Here are a few: 1234, god, work, ilove and master.

Where did I get these from?

They’re a selection from the top 30 passwords recovered from the 2012 LinkedIn security breach, in which 6.5 million password hashes were posted on a Russian hacker forum. The hashes were unsalted SHA-1, so most of them were cracked within days.

These same words turn up continually in lists of stolen passwords. Hackers know there are literally millions of people using these passwords, so these are the ones they try first.

If you’re using any of these as your password you should change it ASAP.

3. Use a strong password
Hackers often use a technique called brute force to gain access to password protected areas.

In a nutshell, this means using automatic software to guess your password. Since it’s automated, a huge number of passwords can be tried quickly – which is why it’s often successful.

Because cracking tools work from dictionaries of real words and previously leaked passwords, plus the usual variations (a capital first letter, a few digits on the end), don’t use a real word as your password, even a dressed-up one like Dragon123. Instead, use random letters mixed with numbers and punctuation, aim for 12 characters or more, and keep going until the password strength indicator in WordPress admin shows you’ve created a strong password. A password manager will generate and remember one for you, so you never have to.
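As an added illustration of items 2 and 3 (example code, not from the post), the following Python checks a candidate password against a small constructed list of common passwords and dictionary words, estimates how long an attacker guessing 100 times a second against the login form would need to exhaust the possibilities, and shows how to generate a random password with the standard library. The lists and the guess rate are assumptions for the example; a real check would load a large published breach list.

```python
"""Password check with a brute-force cost estimate (added example, not from the post)."""
from __future__ import annotations

import math
import secrets
import string

# Constructed sample of passwords that recur in breach lists (the five from the
# post included); a real check would load a large published list.
COMMON_PASSWORDS = {"1234", "123456", "password", "god", "work", "ilove", "master",
                    "qwerty", "letmein", "abc123", "link", "linkedin"}

# Constructed mini dictionary standing in for a cracker's word list.
DICTIONARY = {"summer", "dragon", "monkey", "football", "princess", "welcome"}

# Assumed rate for online guessing against a login form; offline cracking of
# stolen hashes runs millions of times faster.
GUESSES_PER_SECOND = 100

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(pw: str) -> int:
    """Size of the character set a randomly generated password draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(cls) for cls in classes if any(c in cls for c in pw))


def check_password(pw: str) -> dict:
    """Return a verdict, the reasons for it, and what exhausting the space would cost."""
    low = pw.lower()
    problems = []
    if low in COMMON_PASSWORDS:
        problems.append("appears in common-password lists")
    if low.rstrip(string.digits) in DICTIONARY:
        problems.append("dictionary word, with or without digits tacked on")
    guessable = bool(problems)  # a word list finds these regardless of length
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if guessable:
        # word list x a few thousand common suffixes/variations, not the full keyspace
        keyspace = (len(COMMON_PASSWORDS) + len(DICTIONARY)) * 1000
    else:
        keyspace = max(alphabet_size(pw), 1) ** len(pw)
    seconds = keyspace / GUESSES_PER_SECOND
    return {
        "ok": not problems,
        "problems": problems,
        "bits": round(math.log2(keyspace), 1),
        "years_to_exhaust": seconds / SECONDS_PER_YEAR,
    }


def random_password(length: int = 16) -> str:
    """Generate the kind of password the post recommends, from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["ilove", "dragon123", "Tr0ub4dor&3", random_password()]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: ok={verdict['ok']} bits={verdict['bits']} "
              f"years={verdict['years_to_exhaust']:.3g} {verdict['problems']}")
```

The estimate is deliberately pessimistic for the weak passwords: once a password is on a word list, its length no longer matters, because the attacker tries the list, not the whole alphabet. Only a random password actually forces the attacker through the full keyspace the bits figure describes.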

4. Don’t leave your login details on a Post-It note stuck to your monitor
Just sayin’ because you’d be amazed the amount of people who do that.

5. If your site has multiple authors, make sure they’re following these guidelines
Also, don’t leave accounts open for people who no longer need them. If you want to keep an author name active to maintain bylines on posts, go to the Users > All Users page, change the account’s password to a long random one and, better still, drop its role to Subscriber, so that even if the login is guessed it can’t publish anything.

6. Don’t use a free WordPress theme unless it’s from an official WordPress site
There have been plenty of cases of unscrupulous directories giving away free themes containing hidden links to harmful sites.

The idea is that website owners using the free themes are unwittingly creating thousands of links back to a site that otherwise wouldn’t get any, and the same hidden code can just as easily carry a backdoor. If you need a free WordPress theme, get it from the theme directory at WordPress.org, where themes are reviewed before they’re listed.

Or better still, go the more professional route and get a premium theme.
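The hidden links and obfuscated code that turn up in tampered free themes can be found with a simple scan. The Python below is an added example, not part of the post or of any theme: it runs a handful of regular expressions over theme files and reports each hit with the reason it matters. The three sample files are constructed, including the hidden spam link and the eval(base64_decode(...)) line; scan_directory() does the same over a real theme folder.

```python
"""Scan theme files for the tell-tale signs of a tampered 'free' theme (added example)."""
from __future__ import annotations

import os
import re

# Each pattern is paired with the reason it is worth a look. Hits are leads for a
# human review, not proof: legitimate code uses some of these functions too.
SUSPICIOUS = {
    r"\beval\s*\(": "eval(): executes code assembled at run time",
    r"\bbase64_decode\s*\(": "base64_decode(): payload hidden from a casual read",
    r"\b(gzinflate|gzuncompress|str_rot13)\s*\(": "extra decoding layer typical of obfuscated code",
    r"display\s*:\s*none[^>]*>\s*<a\s+href=[\"']https?://": "link hidden from visitors (SEO spam)",
    r"\b(file_get_contents|curl_init|fopen)\s*\(\s*[\"']https?://": "fetches remote content when the page renders",
}
COMPILED = [(re.compile(p, re.IGNORECASE), why) for p, why in SUSPICIOUS.items()]


def scan_files(files: dict[str, str]) -> list[dict]:
    """Run every pattern over every line; one finding per (line, pattern) hit."""
    findings = []
    for name, content in files.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            for rx, why in COMPILED:
                if rx.search(line):
                    findings.append({"file": name, "line": lineno,
                                     "why": why, "text": line.strip()})
    return findings


def scan_directory(theme_dir: str) -> list[dict]:
    """Read a real theme folder (e.g. wp-content/themes/<name>) and scan its text files."""
    files = {}
    for root, _dirs, names in os.walk(theme_dir):
        for n in names:
            if n.endswith((".php", ".js", ".css", ".html")):
                path = os.path.join(root, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, theme_dir)] = fh.read()
    return scan_files(files)


# Constructed theme: one clean file, one with a hidden link, one with obfuscated code.
SAMPLE_THEME = {
    "header.php": "<?php wp_head(); ?>\n<header><?php bloginfo('name'); ?></header>\n",
    "footer.php": (
        "<footer>Powered by <?php bloginfo('name'); ?></footer>\n"
        '<div style="display:none"><a href="http://spam.example/">cheap pills</a></div>\n'
        "<?php wp_footer(); ?>\n"
    ),
    "functions.php": (
        "<?php\n"
        "add_theme_support('post-thumbnails');\n"
        "eval(base64_decode('ZWNobyAnaGknOw=='));  // constructed; decodes to a harmless echo\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_THEME):
        print(f"{f['file']}:{f['line']}  {f['why']}\n    {f['text']}")
```

A hit is the start of an investigation, not the end: compare the flagged file with the same theme as downloaded from WordPress.org or the vendor, and treat any difference you didn’t make yourself as hostile.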

7. Keep WordPress updated
Major WordPress releases bring new features, but the point releases in between are mostly security and bug fixes.

WordPress is the single most popular online publishing system. That means when a security flaw is found, every hacker and his cat is on the net using software to find sites using the old, unsafe, version of WordPress.

Not keeping your copy updated is like leaving your front door unlocked. When new versions are released, update as soon as possible.

In the past, it was a pain to update, but now it’s easy. Just click the link that appears across the top of the admin area whenever a new version is available.

You don’t need to do anything technical.

If you’re worried about something going wrong in the upgrade process, make sure you’re making regular backups so you can safely “rewind” if needed. See, “How to make automatic backups” below.

8. Keep your plugins updated
A similar thing applies to plugins – they’re often updated for security reasons.

Go to the main Plugins page in WordPress and you’ll see an upgrade notice next to any that need updating.

To update, just click the link. Again, there’s no technical knowledge required.

9. Keep all your sites updated
Don’t forget about the sites you may have that you rarely work on – they need to be kept updated too.
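Items 7 and 9 are easier to keep up with if you check all your sites in one go. The Python below is an added example (not from the post): it reads the WordPress version each site advertises in its generator meta tag, the same string the mass-scanning tools mentioned above look for, and compares it with whatever the current release is. The four home pages and the "3.4.2" current release are constructed values for illustration; in real use you would fetch each page and pass the release number from WordPress.org.

```python
"""Audit the WordPress version each of your sites advertises (added example)."""
from __future__ import annotations

import re
from typing import Optional, Tuple

# WordPress prints this tag in <head> unless a plugin or theme removes it; the
# mass-scanning tools look for exactly this string.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+(\d+(?:\.\d+)*)["\']',
    re.IGNORECASE,
)

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'3.4.1' -> (3, 4, 1); tuples compare the way version numbers should."""
    return tuple(int(part) for part in text.split("."))


def advertised_version(html: str) -> Optional[Version]:
    """Pull the WordPress version out of a page's generator meta tag, if present."""
    m = GENERATOR_RE.search(html)
    return parse_version(m.group(1)) if m else None


def audit(pages: dict[str, str], current: str) -> dict[str, str]:
    """One verdict per site, comparing the advertised version with the current release."""
    cur = parse_version(current)
    report = {}
    for site, html in pages.items():
        found = advertised_version(html)
        if found is None:
            report[site] = "no version advertised; check Dashboard > Updates anyway"
        elif found < cur:
            report[site] = f"OUTDATED {'.'.join(map(str, found))} < {current}"
        else:
            report[site] = f"up to date ({'.'.join(map(str, found))})"
    return report


# Constructed home pages for four sites; in real use fetch each with urllib.
SAMPLE_PAGES = {
    "https://blog.example": '<html><head><meta name="generator" content="WordPress 3.4.1" /></head></html>',
    "https://shop.example": "<html><head><meta name='generator' content='WordPress 3.4.2'></head></html>",
    "https://old.example": '<head><meta name="generator" content="WordPress 3.3.1" /></head>',
    "https://quiet.example": "<html><head><title>No generator tag</title></head></html>",
}

if __name__ == "__main__":
    # "3.4.2" is an assumed current release used only for illustration.
    for site, verdict in audit(SAMPLE_PAGES, "3.4.2").items():
        print(f"{site:24} {verdict}")
```

Stripping the generator tag hides the number from this check but not from an attacker, who can read readme.html or the ?ver= query strings on core scripts instead; updating is the only real fix.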

10. Don’t use cheap or free hosting
If you’re using hosting that costs a dollar a month, or, God forbid, free hosting, you’re asking for trouble: the pile-it-high, charge-very-little approach leaves little budget for security, and on an overcrowded shared server one neighbour’s hacked site can spill over into yours if accounts aren’t properly isolated.

Stick with web hosts who have a good record in security, like HostGator or Media Temple.

Advanced resources

If you’re the technical type, or need to pass information on to your web developer, take a look at these advanced tips from Smashing Magazine.

Alternatively, try this free plugin which performs many of those tasks for you.

How to make automatic backups

Sooner or later, something’s going to go wrong. That’s life.

Losing all your blog content because of a hacker, server failure or database crash is not something you want to risk happening.

For more information on making backups, see my post here. The shortcut for non-technical types is to use a service like Backup Buddy for a set and forget system that can also be integrated with Dropbox, Amazon S3 and other services.

Site hacked? Here’s what to do

If your site has been hacked, or you or your visitors are seeing warnings about malware or viruses you can resolve the problem with these three steps.

1. Get your website scanned to see if there really is a problem; sometimes there are false alarms. You can get an instant scan from the service I use, Website Defender, which offers free and paid accounts, and either will give you a scan.

2. If there is a problem with your site, take the steps recommended by Website Defender to clean it, and change every password the attacker could have picked up along the way: WordPress users, FTP/SFTP, the database and your hosting control panel. A cleaned site with the old passwords still in place is usually hacked again.

3. Report the problem as fixed to Google, so they can restore your site to their search engine rankings. To do this, you need to either submit a Site Reconsideration Request or submit an update via Google Webmaster Tools.

Using Webmaster Tools is a much quicker way of getting your site reconsidered, usually taking around six hours. Just go to the Malware section and follow the instructions.



6 Responses to "WordPress Security – 10 Quick Ways To Protect Your Website"

  • KatDmt - August 24, 2012

    Great article! We can’t stress enough the importance of a secure password, as well as the other topics covered in this article as they are issues we definitely run into daily. We also wanted to thank you for the recommendation of our services here at (mt)! We appreciate the positive feedback and are always here to help if there are any questions! Have a great day!

    Kat D.
    (mt) Media Temple
    Social Media Team

  • Anders - August 24, 2012

    Cool list of important things to get done…

    I’ve recently published a WordPress Security Checklist which can be downloaded for free on http://www.wpsecuritychecklist.com.

    My checklist has a few more items on it and includes step by step instructions on how to get the job done…

    Hopefully the checklist can help other people securing their WordPress sites…

  • Annetta Powell - September 18, 2012

    Hi Caimin,

    Great post indeed! I was a victim myself of the hack about a month back and all that you have mentioned about the stress is terrible. I have no clue how all this began. My Facebook fans started sending me emails that the site is showing some error and warning.

    In Google search results, BIG red flags next to my pages. No way I could access the site from Chrome. Firefox also flagged the site and IE was the only browser that left me alone :D

    I had to shut down my site for an entire day and get someone to clear all the mess. Within a couple of hours after we requested to review the site again through Google Webmaster, I got back and Google removed all the red flags from the search results too. Luckily, I didn’t lose any data.

    I have a question about deleting the admin user. What happens to all the blog posts I have under the user “Admin” when I delete admin? Does WP allow me to transfer all of them to the other user I am logged in as?

  • Caimin - September 18, 2012

    Hi Annetta,

    Sorry to hear about your site being hacked – glad you’re back online now.

    Google is pretty quick to restore site listings once they can see a site is “clean” again, but being hacked is a headache whichever way you look at it.

    Yes, when you delete any user in WordPress you’ll get an option to change the author name to another user.

    Hope this helps. Thanks for your comment.

    • Annetta Powell - September 22, 2012

      This is really funny, my site was hacked a second time in a month after I published my previous comment. You may not believe me, I ignored your first commandment :D The user “admin”. I see that you answered my question about the content. I should have acted quickly.

      Someone just deleted all my content! I mean all the published content and the 10 posts I had in my drafts. Thanks to GoDaddy and to the backup plan I had. They put all my content back within 12 hours although they said it may take up to 12 hours.

      I should have acted a bit more quickly about deleting the admin user. Thanks to you, Caimin, I have no more admin user!

  • Caimin - September 22, 2012

    Ouch. You’re having a rough time lately!

    Kudos to GoDaddy for helping you out so quickly. Not every hosting company does that – many leave you stranded with your backup files and let you try to figure it out on your own.

