November 5, 2012

Blogging Mistakes: #10 – Not Being Serious About Security

This post is the last in a series on Blogging Mistakes. You’ve heard stories about blogs getting hacked or entire websites being taken down. Do you think it can’t happen to you? Do you think only really big sites have security issues?

That kind of thinking is a huge mistake, and putting on blinders can cost you a lot of money. It actually doesn’t take much effort to make your blog much more secure and to be better prepared for unexpected problems.

Here are 5 ways you can tighten your security right now.

  1. Change your WordPress password to one with at least 10 characters using capital letters, numbers and symbols. Just for grins, check the strength of your password. If you have the typical 8-character password, it probably takes a hacker about 3 minutes to guess it, whereas a 10-character password with 1 capital letter, 3 numbers and 2 symbols will take 58 years! If you are hesitating because you worry that you can’t keep up with passwords, install Roboform to remember them for you.
  2. If your WordPress username is “admin”, change it today! Admin is the first username that hackers try when attempting to log in to your dashboard. Check the screenshot from WordFence installed on a small blog. It shows who is trying to log in. Notice that the username for all of these break-in attempts is… ADMIN! [Screenshot: WordFence login attempts] If your username is admin, go into your WordPress User area and create a new user. Give that user a different username and a strong password, and make that user an “administrator”. Log out of your dashboard and log back in as that new user. Then delete the user named admin and attribute all of its posts to the new user.
  3. Speaking of WordFence, this is a great plugin, not only for keeping an eye on who is visiting your site, but also for scanning your site for malware and locking out people who are up to no good. Download the free version, and if you suspect that your site is being targeted, upgrade to the premium version.
  4. Keep your software updated, including WordPress, themes and plugins, even ones that are not active. Hackers are busy trying to find “back doors” through software files on your server. Good software developers close those back doors as soon as possible by issuing updates. If you drag your feet or ignore these updates, your site will be vulnerable. Some people believe that plugins that haven’t been activated can do no harm. Not so! If you aren’t using certain plugins or themes (other than the ones that come with WordPress), delete them.
  5. Hide the contents of your website folders from index browsing. Hackers will often start their search for a back door or vulnerability by looking in your folders. Any folder that does not contain an index.html or index.php file is open for anyone to browse. An easy way to handle this problem is to put a line in your .htaccess file that reads: Options -Indexes. That prohibits index browsing in all folders.

Don’t wait until after someone breaks in to put in that security system. Start right now, while you are thinking about it. If you have your own information products for sale, check out Digital Content Lockdown for more ways to keep your hard work from being ripped off by cyber thieves.


Christine Cobb is a web technology consultant and a small business online marketing consultant, and provides information for new bloggers and affiliate marketers.

  • Lea says:

    Oh gawd, seeing those failed logins makes me really scared of the many hackers. We should really take note of these things. A strong password is actually very necessary to keep your accounts stable.

  • Magic Webs says:

    Security is very essential to one’s blog. One should treat it like his own house. It should be secured through locks and combinations. As for a blog site, the passwords should be changed often.

  • Margarita says:

    Wow, such a great post. I just installed WordFence. And from now on, I will be very careful about the software updates. Appreciate your thoughtfulness.

    About hiding the content of the folders. Is this the exact code?
    Options -Indexes

  • Bo says:

    I had a site I wasn’t going to regularly get hacked and redirected. I only found out when my hosting service emailed me to say I was being shut down by them; all my sites!!!
    I checked it out, and segregated all files for that site. The host company then agreed to release the others.
    Whew, scary!!!
    Thanks for the article about this issue. Most of us don’t take it seriously enough, especially if there’s not a lot of value in your site yet.

    • Christine Cobb says:

      It really doesn’t matter whether your site has a lot of traffic or a little traffic, it can still be targeted and the hackers don’t care. Thanks for your story Bo. It might help someone else.

  • Hey Chris, great post on 5 ways you can tighten your security on your WordPress site right now. I get tons of log-in attempts for the username “admin” and love how Wordfence blocks those for me.

    For WordPress Security Tip #5, if you want to check whether Chris’s code works, try going to http: // /wp-includes/ and see what you end up with. If it opens a Page Not Found (404 Error), the code is working. If you can see the list of files at that link, then you don’t have it added correctly.

    • Christine Cobb says:

      And just to add further explanation for the non-techies, the wp-includes folder has nothing in it that needs to be accessed by your readers or members. The only people looking in there would be those up to no good.
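The check the comment above describes, and the .htaccess fix from tip 5, as an added example that is not code from the original post or its commenters. `listing_exposed` classifies an HTTP response as an exposed directory index by looking for the `Index of` title that Apache’s mod_autoindex generates; `ensure_no_indexes` rewrites .htaccess contents so that `Options -Indexes` is present exactly once and any `+Indexes` that re-enables listing is flipped. The sample responses are constructed for the example; `check_url` is a small helper for running the same classification against a site you administer.

```python
import re
import urllib.request
import urllib.error

# Constructed sample responses, not real captures.
LISTING_BODY = """<html><head><title>Index of /wp-includes</title></head>
<body><h1>Index of /wp-includes</h1><pre><a href="class-wp.php">class-wp.php</a>
<a href="pluggable.php">pluggable.php</a></pre></body></html>"""
BLOCKED_BODY = ("<html><head><title>403 Forbidden</title></head>"
                "<body><h1>Forbidden</h1></body></html>")

# Apache's auto-generated index pages carry "Index of /path" in the title.
INDEX_TITLE = re.compile(r"<title>\s*Index of\s", re.IGNORECASE)
# An Options line that mentions Indexes in any form (+Indexes, -Indexes, Indexes).
OPTIONS_INDEXES = re.compile(r"^Options\b.*\bIndexes\b", re.IGNORECASE)


def listing_exposed(status: int, body: str) -> bool:
    """True when the response looks like a directory listing rather than a
    403/404 or a real page."""
    return status == 200 and bool(INDEX_TITLE.search(body))


def ensure_no_indexes(htaccess: str) -> str:
    """Return the .htaccess text with 'Options -Indexes' present once.

    Other lines are kept as-is. An existing Options line that enables
    Indexes is rewritten to disable it; exact duplicate lines are dropped."""
    fixed, seen = [], False
    for line in htaccess.splitlines():
        stripped = line.strip()
        if OPTIONS_INDEXES.match(stripped):
            line = re.sub(r"[+-]?\bIndexes\b", "-Indexes", stripped,
                          flags=re.IGNORECASE)
            if line in fixed:
                continue
            seen = True
        fixed.append(line)
    if not seen:
        fixed.append("Options -Indexes")
    return "\n".join(fixed) + "\n"


def check_url(url: str, timeout: float = 10.0) -> bool:
    """Fetch a folder URL on a site you administer and report whether its
    contents are listed. Hypothetical helper; only run it against your own
    site."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return listing_exposed(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 403/404 both mean the listing is not exposed.
        return listing_exposed(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    print("sample listing exposed:", listing_exposed(200, LISTING_BODY))
    print("sample 403 exposed:", listing_exposed(403, BLOCKED_BODY))
    print(ensure_no_indexes("RewriteEngine On\nOptions +Indexes\n"))
```

One caveat for anyone applying the fix: `Options` directives in .htaccess only take effect if the server’s configuration allows them with `AllowOverride Options` (or `AllowOverride All`); when it does not, Apache answers every request for that directory with a 500 error instead of ignoring the line, so test the site immediately after editing the file.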

  • Lorenzo C. says:

    Limit Login Attempts is another plugin that can protect your WordPress admin against brute force attacks. It will temporarily block IP addresses that exceed a failed login limit that you set.

    You can even enable an option to have it notify you when a lockout occurs.

  • Karon says:

    LOVE Wordfence! A real lifesaver. I can’t tell you how many times it has saved my virtual butt.
