How To Protect Your WordPress Blog From Hackers

prevent WordPress hackers

As Kristen pointed out in a recent post, blogging is a great tool for online entrepreneurs. And WordPress is the best content management system for those who want an internet presence.

You can run a variety of business operations using WordPress. Affiliate marketing, blogs, drop-shipping, e-commerce sites, job boards…many people use WordPress to make money every day. According to, about 64 million individual blogs and websites use the system all over the world.


But this popularity comes at a cost. WordPress is a big target for hackers. And if you run a WP blog, you may have noticed an increase in unauthorized log in attempts in last month.

I run a few sites. I have them set up so I know when an IP address gets locked out. Usually for too many log in attempts. I’m fairly new to blogging. I didn’t know what was happening when the hacking started last month…at first I took it personally!

Who are these bastards trying to hack into my sites!

In my head I pictured some malicious teen hacker in his parent’s basement, targeting me specifically. But I learned that the attacks on my blogs were actually just part of a larger wave of “botnet” attacks.

“A botnet is a collection of internet-connected programs communicating with other similar programs in order to perform tasks.” – Wikipedia 

And these attacks were happening all over the world. The attackers tried to gain control of WordPress sites using brute force. They used weak common usernames like “Admin” and “admin” and then repeatedly tried password combinations to get access to sites.

What Happened?

Cloudflare has a post outlining the basics. There is a lot of speculation about who is behind the hacking attempts. Why is this happening? Who did it?

No one knows for sure.

The attacks originated from small PCs. But experts think the goal is to take over larger servers. Then they can launch larger-scale attacks later on. Basically, this will happen again. And the attempts may become more aggressive and frequent.

So…these attacks are just the beginning. How can you protect your blog? There are things you can do to tighten it up. Let’s go over a few ways to do it.

Two-Step Authentication

Two-step authentication is one way to protect your site. It’s an easy way to tighten up security. You might be familiar with it already…Gmail offers two-step.

How does it work?

When you log on to your WordPress site, the plugin will send you a text code to your cell phone. You enter the code from your phone to log in. Two-step is an effective way to stop hackers, although inconvenient for some. Still, worth it.

WordPress now has two-step authentication using the Google authenticator app for your smart phone. And Duo Security offers a premium two-step plugin.

Backend Security

You should also install a backend security plugin. It’s an easy way to make your site stronger. There are several to choose from, but I’ve been using Better WP Security. It was installed last month during the botnet attacks. I was happy with the results. It’s free and fairly easy to set up and customize.

Better WP Security Features 

Hide Login. The plugin has an option to hide your login pages, including the admin page.

Backup. The plugin also has a backup database function. I’ve set mine to do automatic updates every single day. You still need to download the backup to your hard drive though.

IP Lockout. One thing I like about his plugin is that it lets you lock out unauthorized logins. Without using c-panel. And it will send you an automatic email when it locks out a specific address. You can also set it up to permanently block IP addresses after one too many failed logins. The plugin even tells you where the hacking attempt originated from…interesting and infuriating at the same time.

Strong Password

A strong password is obviously very important. The longer and more complex, the better. WordPress allows long passwords. I personally use the “blind mash” method. I just push buttons randomly on my keyboard to come up with passwords. They are harder to remember but much more secure than using a single name or email address.

Make sure to use a combo of upper and lower case letters, numbers, and special characters. Here’s an example of a strong username and password combination:

  • Username: %$CxP$9dn3
  • Password:  $%cef5$$r8F#$&Vp

And if you don’t like my method, you can always use an online password generator. or Norton’s free password generator are good options.

Hard Username

Strong passwords are only half the battle. A secure username is just as important.

Sometimes you can pick your username when you set up your WordPress site. Then you can set a strong username from the beginning. But depending on your host, sometimes the default will be your email address or a “soft” username.

I noticed that when I set up my blogs my hosting company was assigning a weak username for my WordPress logins. But you can change your username with the PHP My Admin function in c-panel.

Changing a username is a little complicated. Really, the entire procedure is beyond the scope of this post. But here is a great article if you’d like more information on how to change your WordPress username in just a few minutes.

Newest Version

The last tip is simple. Just keep your WordPress site updated with the newest version of WordPress. This will limit vulnerability.

The recent hack attacks raised awareness about the need for strong WordPress security. Hacking is frustrating; it makes you want to fight back but leaves you pretty much helpless to do so. Just take these precautions and your site will be more secure from potential hacks.

What other WordPress security tips do you have?

About Carson Derrow

My name is Carson Derrow I'm an entrepreneur, professional blogger, and marketer from Arkansas. I've been writing for startups and small businesses since 2012. I share the latest business news, tools, resources, and marketing tips to help startups and small businesses to grow their business.


  1. This is great! I know a lot of my blogging friends have had some issues, and one of the simplest things they’ve changed is getting rid of the “admin” username to log into there site, because it’s the easiest to hack into.

  2. Thanks for the heads up. I may take some of this advice, but I’m pretty sure I’m safe. My password is a jumble of stuff thrown together hahahaha.

Speak Your Mind

This site uses Akismet to reduce spam. Learn how your comment data is processed.