Locking Down the Internet — Tips To Keep Your WordPress Site Safe from Hacking

Pat Marcello

Jun 11, 2013
6 min read

Some not-so-nice people from all over the world delight in hacking websites. They see defacing someone else’s property as climbing Mt. Everest. They do it because they can. Sometimes, it’s a protest move. Other times, it’s just plain rotten and dangerous, such as when they grab your site for phishing or they install malware that messes with your visitors’ computers.

People don’t think too much about this. They figure hacking only happens to corporations and/or governments. You know — those Big Dogs.

But listen up, because it matters NOT whether your site is BIG or small. If you don’t have the proper security, your site, you, and your visitors are all at risk.

And then there’s the W3 Total Cache and WP Super Cache issue that popped up in April 2013. These plugins are well known in the SEO arena and are used to speed up your WordPress site. A quick page-load time isn’t just important for a better visitor experience, but also for SEO. Speed is everything, and sites with sluggish load times are downgraded in search. Who needs that?

Anyway, both of these plugins are very helpful. At least they were, until holes in the plugin code allowed hackers to get in and make messes of 1 in 4 WordPress blogs around the Internet. One in four! That’s a BIG, huge, ugly mess! If yours was one of the WordPress sites that was hacked, you have my deepest sympathy.

What Can Be Done?

First, if you’re running either WP Super Cache or W3 Total Cache, make sure the plugin is updated to the patched version. If it’s not, you’re still in the woods waiting for the wolf to arrive. Update the plugin today!

Actually, it’s important to keep ALL of your plugins, your theme, and WordPress itself up to date, and it’s especially important when an update closes a security hole.

Many of the free plugins you get at WordPress.org, and even plugins you buy, may have vulnerabilities like these, and you’ll never know it until you’re hit with that “Magic Loogie.” Sure, you can check a free plugin’s ratings at WordPress.org and make sure it’s compatible with the version of WordPress you’re running, but when it comes to security, you’re pretty much in the dark.

Many of us in the SEO world love the W3 plugins (and yes, they’re still great), but you know what happened there. So, you have to consciously protect yourself and your site. You can’t expect plugin developers to do that for you.

It’s painfully EASY to update plugins and WordPress now, which makes it really silly not to keep up with this administrative task.

What To Do

For those of you who aren’t WordPress Warriors: when you’re logged in, you’ll see a number next to the update symbol in the admin toolbar at the top of your blog.

In the screenshot above, it means there are 8 items to be updated on this blog! If you didn’t know about this, now you do. If you have someone else working on your website, you need to be sure that they’re following this simple rule: Keep things up to date.

But if you’re doing things yourself, click on that number, and WordPress will take you to a page that shows what needs updating: plugins, themes, and/or WordPress itself.

It’s really simple from there.

Just select the plugin to be updated and click “Update,” and WordPress does the rest for you. That is, unless you have a theme that requires going to the theme vendor’s site to get the update, for example. Sometimes you’ll need to do the updating the old-fashioned way, by uploading files via FTP. For instructions on how to do most anything in WordPress, including manual upgrades, visit the WordPress Codex.

Don’t Lose Your Stuff

Before you update anything, back up everything! When logged into your site, at the very least go to “Tools,” then “Export,” and export “All content.” WordPress tells you, “This will contain all of your posts, pages, comments, custom fields, terms, navigation menus and custom posts.” Voila! Note that this export does not include your theme and plugin files, your uploaded media files, or your site settings.

BUT if you’ve customized your theme’s code or changed the database itself, you’ll want to back up the entire database (and your wp-content directory) first. Backing up the database is a longer explanation, so I’ll just send you to the WordPress.org article with instructions on how to do that. It’s an important step.


Why back up first? Because plugins don’t always play nicely together. Though they worked together before, once they’re updated, it’s possible that one of them could take down your entire site. It happens. So update one plugin at a time; that way you’ll know which plugin is causing the problem, and the easy fix is to deactivate it, or delete its folder via FTP if you’ve been locked out of the admin area.

Here are five more things you can do to make your WordPress website more secure:

Update Your Config’s Secret Keys

Every WordPress installation has a wp-config.php file, and in it are instructions on how to create and install your own unique security keys and salts. The block of define() lines looks like this:

[Image: the secret-key define() lines in wp-config.php]

If you visit api.wordpress.org/secret-key/1.1/salt/ WordPress will generate a fresh set of unique keys and salts for your site (the address without /salt/ returns only the four keys, not the four salts). Replace the existing lines with the ones you get from WordPress, and upload the edited file to your site via FTP. Changing these keys also invalidates every existing login cookie, so anyone currently logged in, including an intruder, gets kicked out.
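Fetching keys from api.wordpress.org is convenient, but you can generate equally strong ones without sending anything over the network and let a script do the editing so a stray quote doesn’t break wp-config.php. The following is an added example, not code from this article or from WordPress itself: it builds eight 64-character values from the same alphabet WordPress’s own wp_generate_password() draws on, rewrites whatever define() lines are present (either quote style), inserts any that are missing ahead of the “That’s all, stop editing!” marker, and flags keys still set to the sample file’s placeholder. SAMPLE_CONFIG is a constructed wp-config fragment for the demonstration, not a real site’s file.

```python
"""Rotate WordPress secret keys and salts in wp-config.php, offline.

Added example for this article (not WordPress's own code). It produces
values of the same shape api.wordpress.org/secret-key/1.1/salt/ returns:
64 characters from the alphabet wp_generate_password() uses when both of
its special-character sets are enabled.
"""
import re
import secrets
import string
import sys
from pathlib import Path

# The eight constants WordPress reads for cookie signing and nonces.
WP_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Value shipped in wp-config-sample.php; leaving it in place is a finding.
PLACEHOLDER = "put your unique phrase here"

# Letters, digits, and both WordPress special-character sets. It contains
# neither ' nor \, so a value drops into a single-quoted PHP string as is.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()" + "-_ []{}<>~`+=,.;:/?|"


def generate_key(length=64):
    """One key from the OS CSPRNG: about 6.5 bits per character."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def new_key_set():
    """Fresh, independent values for all eight constants."""
    return {name: generate_key() for name in WP_KEYS}


def _define_re(name):
    # define('NAME', '...'); or define("NAME", "..."); with any spacing.
    # The lazy (.*?) ends at the first closing quote followed by ')' and
    # ';', so values containing ')' or ';' are handled correctly.
    return re.compile(
        r"define\(\s*(['\"])" + re.escape(name) + r"\1\s*,\s*(['\"])(.*?)\2\s*\)\s*;",
        re.DOTALL,
    )


def parse_keys(config_text):
    """Current value of each constant that is defined in the file."""
    found = {}
    for name in WP_KEYS:
        match = _define_re(name).search(config_text)
        if match:
            found[name] = match.group(3)
    return found


def weak_keys(config_text):
    """Constants that are missing, still the placeholder, or too short."""
    current = parse_keys(config_text)
    return [name for name in WP_KEYS
            if name not in current or current[name] == PLACEHOLDER
            or len(current[name]) < 32]


def rotate_keys(config_text, keys=None):
    """Return (new_text, keys_used); missing defines go before the marker."""
    keys = keys or new_key_set()
    text, missing = config_text, []
    for name in WP_KEYS:
        line = f"define('{name}', '{keys[name]}');"
        # A callable replacement sidesteps re.sub's backslash processing.
        text, n = _define_re(name).subn(lambda _m, line=line: line, text, count=1)
        if n == 0:
            missing.append(line)
    if missing:
        block = "\n".join(missing) + "\n"
        marker = re.search(r"^/\*\s*That's all, stop editing", text, re.MULTILINE)
        if marker:
            text = text[:marker.start()] + block + text[marker.start():]
        else:
            text = text.rstrip("\n") + "\n" + block
    return text, keys


def rotate_file(path):
    """Rewrite the wp-config.php at `path` atomically; return the new keys."""
    config = Path(path)
    new_text, keys = rotate_keys(config.read_text(encoding="utf-8"))
    tmp = config.with_name(config.name + ".tmp")
    tmp.write_text(new_text, encoding="utf-8")
    tmp.replace(config)  # rename is atomic on POSIX
    return keys


# Constructed wp-config fragment for the demo: seven placeholders, mixed
# quote styles, and NONCE_SALT missing entirely.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_wp');
define('AUTH_KEY',         'put your unique phrase here');
define("SECURE_AUTH_KEY",  "put your unique phrase here");
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:          # python rotate_keys.py /path/to/wp-config.php
        print("rotated", sorted(rotate_file(sys.argv[1])))
    else:
        print("weak before:", weak_keys(SAMPLE_CONFIG))
        print(rotate_keys(SAMPLE_CONFIG)[0])
```

Run it against the sample to see the placeholders replaced and the missing NONCE_SALT added, or pass the path to a real wp-config.php. Take a copy of the file first, as the article advises for any change, and expect every logged-in user to be signed out once the new file is uploaded.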

Admin Be Gone!

Don’t allow your WP username to be “admin.” WordPress pre-fills that field with the word during installation, but you can change it. Make it something familiar to you, but to no one else. If the “admin” account already exists, WordPress won’t let you rename it from the dashboard: create a new administrator account with a different name, log in as that user, and delete the old “admin” account, reassigning its posts to the new one.

Install WordPress Manually

When WordPress is installed through Fantastico, Elephante, or other quick-install programs, the installer creates a database with a predictable name, such as “username_wrdp,” and hackers know this. It just makes your database easier to find and attack. These services probably won’t get the updates right away, either, so you have to wait to upgrade your site. When you install WordPress manually, the software itself notifies you of updates and lets you apply them immediately.

Use a Secure Password

Make your password un-hackable. OK, I know that anything can be hacked, but at least make hackers work for it! Use a long password, a dozen or more letters, numbers, and symbols, not the six characters people used to recommend. Trust me on this: Monkey1 won’t be secure. If you want to add a second layer of protection to your login, use a captcha plugin, or one that limits failed login attempts, too.

Use a Security Plugin

Another thing you can do is to install a security plugin. Three that have been recommended to me (though I have heard good and bad about all of them) are Wordfence, WordPress Security Lab, and BulletProof Security, but there are several options. The plugin you choose also depends on how high you want your security level to be.

If you have an ecommerce store, I’d say you should have a high level of security. You don’t want your customers’ information stolen or your site to be hacked into oblivion when you’re trying to make sales. But if you’re just writing in a personal blog, you still want security. You just may not want it to be as secure as the Popemobile.

The problem with these plugins is that they can make you crazy. If you have to enter security codes every time you want to log into the back office of your site, or if you can’t do anything in FTP without 20 alarms going off, security can be a real pain.

But just think of the alternative.

Proper protection becomes more important every day. Keep your site updated, add some security provisions, and keep your site running, safe, and hack-free. When you see your Internet pal’s site showing a skull and crossbones, rude remarks, or even porn instead of his or her website, you’ll be really glad you followed some simple advice.

Pat Marcello is President and SEO Manager at MagnaSites.com, a full-service digital marketing company that serves small- to medium-sized businesses. Follow her on Facebook, Twitter or Google+. Pat’s last article for Semrush was "Google's Fetch and Render: Why It's Important."