
How to Secure a WordPress Site From Hacking

This week I am diverging from my Healthcare Marketing Series to discuss a very important and extremely relevant topic.  This morning I woke up to find 429 site lockout notifications for our site.  These notifications are generated by our WordPress security package when it detects that someone is attempting to gain access to our site.  The security package blocks access based on IP address and then sends an email to me informing me of the action.  I am used to seeing 1, 2, or even 5 of these notifications come through each day.  I have never seen over 400 of them in just 8 hours.  Below is a partial list of some of the IPs that were blocked.

We have spent some time writing about website security and WordPress security in particular.  This month we released our WordPress Security ebook, our WordPress Security Case Study, and we also discussed Securing Your Plugins.

Earlier this month Trend Micro announced it had discovered about 195,000 domains and IPs compromised by this latest attack.  That is 195,000 sites running WordPress, Joomla, or Drupal as their content management system that are now being used to attack other systems.  The common denominator between these sites is their lack of basic security practices.

Today my goal is to give you a WordPress security checklist that you can pass on to your IT Director or web developer to ensure that your WordPress install is as secure as possible.  I’ve even ranked the checklist in order of priority.

  1. Enforce strong, unique passwords for every account that can touch the site (WordPress users, the database, the hosting control panel, FTP/SFTP), and use encrypted connections: HTTPS for the WordPress admin, and SFTP or FTPS instead of plain FTP, which sends the password in clear text
  2. Hide your WordPress admin area (move wp-login.php and wp-admin off the default URL). This cuts the noise from automated scanners, but it is only obscurity and does not replace the other items
  3. Only allow admin logins from a whitelist of IP addresses OR block repeated failed login attempts based on IP address. If the site sits behind a CDN or reverse proxy, make sure the lockout uses the real client address rather than the proxy's, or a single lockout can block every visitor
  4. Subscribe to a known bad hosts resource such as
  5. Ensure that wp-config.php and .htaccess are not writable by the web server user (for example owned by your deploy account with mode 0640 or 0644, so the web server can only read them). wp-config.php holds the database credentials and salts; if the PHP process can write it, any code-execution bug in a plugin can rewrite it
  6. Regularly back up your WordPress database and site files, store the copies off the server, and test a restore
  7. Actively monitor the site for changed files: keep a baseline of file hashes and alert on additions, deletions and modifications that do not match an update you performed
  8. Block access to URLs over 255 characters long. This is a coarse filter that trips up many automated injection attempts; confirm your own site never generates legitimate URLs that long before enabling it
  9. Regularly update your WordPress installation, themes and all plugins; known vulnerabilities in outdated versions are what mass attacks like this one look for
  10. Only install plugins from known and trusted sources, and remove (not just deactivate) plugins and themes you no longer use, since a deactivated plugin's PHP files can still be requested directly
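To make items 3, 5 and 7 concrete, here is an added example in Python. It is not the code of the security package the post mentions or of WordPress itself; it assumes a Linux file permission model, an Apache/nginx "combined" access log, and the standard WordPress behaviour of answering a failed login to wp-login.php with a 200 and a successful one with a 302 redirect. The web server uid/gid you pass in (www-data is uid 33 on Debian) and the sample log lines at the bottom are assumptions and constructed data, not real traffic.

```python
"""Added example (not the post's security plugin): helpers for checklist
items 3, 5 and 7, runnable on a real install or the constructed log below."""
import hashlib
import os
import re
import stat
from collections import defaultdict, deque
from datetime import datetime


def web_server_can_write(mode, file_uid, file_gid, web_uid, web_gid):
    """Item 5, pure check: could a process running as web_uid/web_gid write a
    file with these permission bits and owner/group ids? No filesystem access."""
    if file_uid == web_uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid == web_gid:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def writable_config_files(wp_root, web_uid, web_gid):
    """Item 5 on a real install: sensitive files under wp_root that the PHP
    worker (web_uid/web_gid; www-data is uid 33 on Debian, an assumption to
    confirm with ps) could overwrite."""
    bad = []
    for name in ("wp-config.php", ".htaccess"):
        path = os.path.join(wp_root, name)
        if os.path.exists(path):
            st = os.stat(path)
            if web_server_can_write(stat.S_IMODE(st.st_mode), st.st_uid,
                                    st.st_gid, web_uid, web_gid):
                bad.append(path)
    return bad


def build_manifest(root):
    """Item 7: map each file under root (relative path) to its SHA-256 hex
    digest. Keep the baseline off the server; a compromised host can rewrite it."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def diff_manifests(baseline, current):
    """Item 7: return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, removed, modified


# Apache/nginx "combined" log line: client ip, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def events_from_log(lines):
    """Item 3: POST /wp-login.php lines -> (epoch_seconds, ip, success).
    WordPress returns 200 (the form again) for a failed login and a 302
    redirect for a successful one, so the status code separates the two."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        events.append((ts, m["ip"], m["status"] == "302"))
    return events


def lockouts(events, max_failures=5, window=300):
    """Item 3: events in time order; lock an IP at its max_failures-th failure
    within any window seconds. A successful login clears that IP's counter.
    Returns {ip: lockout_timestamp} for the first lockout of each IP."""
    failures = defaultdict(deque)
    locked = {}
    for ts, ip, ok in events:
        if ip in locked:
            continue
        if ok:
            failures[ip].clear()
            continue
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:  # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = ts
    return locked


# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2015:08:00:00 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [10/Mar/2015:08:00:10 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [10/Mar/2015:08:00:20 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [10/Mar/2015:08:00:30 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [10/Mar/2015:08:00:40 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '192.0.2.10 - - [10/Mar/2015:08:00:50 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '192.0.2.10 - - [10/Mar/2015:08:01:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.10 - - [10/Mar/2015:08:01:10 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '203.0.113.5 - - [10/Mar/2015:08:11:40 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
    '203.0.113.5 - - [10/Mar/2015:08:18:20 -0600] "POST /wp-login.php HTTP/1.1" 200 3210',
]
```

Run against the sample log, `lockouts(events_from_log(SAMPLE_LOG))` locks only 198.51.100.7 (five failures in 40 seconds); 192.0.2.10 is spared because its successful login reset the count, and 203.0.113.5's two failures are 400 seconds apart, outside the 300-second window. For a real site, write `build_manifest("/var/www/html")` to a file kept off the server after each update you make, and compare it with a fresh manifest from cron; anything in the added or modified lists that you did not put there is the alert you want.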

And that is it.  Following these recommendations will put your site well ahead of the mass of unmaintained installs that automated attacks like this one target, and most attackers will simply move on to easier targets.  No checklist makes a site permanently safe, which is why the backups, monitoring and updates are on the list alongside the access controls.

Edit: As I typed this article, I received 5 more site lockout notifications from our site.  If you are not actively protecting your site, chances are very good that it will be infected or is already infected.  Please forward this checklist on to your webmaster to ensure your site isn’t easy pickings for the hackers.




About Marc
Marc Ohmann is president of Digital Solutions, Inc in Minneapolis. Digital Solutions is the company behind the MDWebPro blog and tool set. Marc was a computer science and engineering student at the University of Minnesota in 1999 when he started Digital Solutions. Marc, now a husband and father of 3, greatly enjoys the clients and creativity he is involved in each day through Digital Solutions. Follow Marc on Twitter @marcohmann and @MDWebPro and also on Google Plus

This entry was posted in WordPress Security.


Copyright © 2015 by Digital Solutions, Inc All Rights Reserved. - Digital Solutions, Inc - 1313 Chestnut Ave Ste 200 - Minneapolis, MN 55403 - (952) 703-3996