Having your blog hacked isn't fun, and the standard WordPress installation is not impermeable. Here I explain the whys, the whats, and the whatnots.
Not only does a hacked blog result in downtime while you work with your ISP to track the problem and ensure it doesn't happen again, it can also mean you spend time, for instance, getting your e-mail client resolving properly once more. All in all, valuable time wasted.
Prevention is better than cure. Here are 10 tips to make WordPress hack-proof.
What You Need
- a WordPress installation
- the WordPress plugin, wp-phpmyadmin
- the WordPress plugin, wp-security-scan
- FTP access to the server on which your blog resides
- back up your files, using your FTP client
- back up your database, using wp-phpmyadmin. If you don't know how to do that, check out this video tutorial:
Ten Steps to a Secure WordPress Installation
1. Upgrade WordPress to the latest version. If you're using 2.7 or later, this can be done from your admin dashboard, at the click of a button, automatically. Just look for the "upgrade" button. If you're using an earlier version, read this.
2. Update Plugins. Make sure all are upgraded to their latest versions. If they're not, you are notified on your plugins admin page. Old versions can present a security risk.
3. Change "wp_" Database Table Prefix
I use wp-security-scan, from the same guys that developed the popular All In One SEO Pack, Semper Fi Web Design. Once activated, on the left-hand menu, click on "Database" in the "Security" drop-down. The page that loads allows you to easily change the prefix. If that doesn't work and throws an error instead, do this:
- i. Deactivate all WordPress plugins, as a precaution.
- ii. Backup the database, as explained in the video above.
- iii. Open the downloaded *.sql file with a text editor (where * is the name of your database.)
- iv. Find and replace all instances of your "wp_" prefix with your new prefix.
- v. Within your WordPress database, drop all the tables. DO NOT DROP THE DATABASE itself, only the tables. Wp-phpmyadmin is a great plugin to use.
- vi. Still within your WordPress database, import your newly-amended *.sql file, the one you edited by changing the prefix. Wp-phpmyadmin or similar again.
- vii. Open and edit your wp-config.php file, in the root blog folder, changing $table_prefix = 'wp_'; to $table_prefix = 'yourNewPrefix_';.
- viii. Reactivate your plugins.
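A scripted, narrower version of steps iv and vii, added here as an example and not part of the original tutorial: instead of replacing every "wp_" in the dump, which also rewrites post text, it renames only table identifiers and the option/usermeta keys that WordPress derives from the prefix, then lists what is left for manual review. The prefix blog7_, the sample dump and the function names are assumptions; plugins may store further prefixed keys, which is what the review list is for.

```python
import re

# Constructed sample dump (not from the original post); phpMyAdmin exports
# quote table names in backticks, which is what the table regex relies on.
SAMPLE_DUMP = """\
DROP TABLE IF EXISTS `wp_options`;
INSERT INTO `wp_options` VALUES (1,'wp_user_roles','...');
INSERT INTO `wp_usermeta` VALUES (1,1,'wp_capabilities','...');
INSERT INTO `wp_usermeta` VALUES (2,1,'wp_user_level','10');
INSERT INTO `wp_posts` VALUES (1,'Tip: rename the wp_ prefix, keep wp_cron');
"""

# Option and usermeta keys that WordPress builds from the table prefix. If
# these keep the old prefix, user roles no longer resolve after the change.
PREFIXED_KEYS = ("user_roles", "capabilities", "user_level",
                 "user-settings", "user-settings-time")

def rewrite_dump(sql, old, new):
    """Step iv, scoped: rename tables and prefix-derived keys only."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        raise ValueError("prefix may contain only letters, digits and _")
    # Table names: backtick-quoted identifiers starting with the old prefix.
    sql = re.sub(r"`%s(\w+)`" % re.escape(old),
                 lambda m: "`%s%s`" % (new, m.group(1)), sql)
    # Keys stored as quoted string values in wp_options / wp_usermeta rows.
    for key in PREFIXED_KEYS:
        sql = sql.replace("'%s%s'" % (old, key), "'%s%s'" % (new, key))
    return sql

def rewrite_config(php, new):
    """Step vii: point $table_prefix in wp-config.php at the new prefix."""
    return re.sub(r"(\$table_prefix\s*=\s*)(['\"]).*?\2",
                  lambda m: "%s'%s'" % (m.group(1), new), php)

def leftovers(sql, old):
    """Lines still holding the old prefix, for manual review before import."""
    return [line for line in sql.splitlines() if old in line]

if __name__ == "__main__":
    new_dump = rewrite_dump(SAMPLE_DUMP, "wp_", "blog7_")
    print(new_dump)
    print("review:", leftovers(new_dump, "wp_"))
    print(rewrite_config("$table_prefix = 'wp_';", "blog7_"))
```

Run it on a copy of the backup, never the only copy, and read the review list before dropping any tables in step v.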







Article comments
1 - Relevant Trafik
This is a good read and well worth the effort to employ. Also let me add that changing the "powered by Wordpress" to something different is also a good tactic to use. Thanks for posting this.
2 - My Blogging School
Part of the problem is the widespread use of Fantastico for installing Wordpress in the first place. I will be updating my Fantastico Fix report to include the additional plugins you have mentioned, as well as the tweaks for securing Wordpress regardless of the installation method.
Good stuff!
3 - cfazendin
Besides removing the admin account, you should also have each account use a different account name and nickname. Then set their posts to display nickname. Can't hack an account name that doesn't exist.
4 - the_guv
tx folks,
appreciate those comments and tips.
..pleased you like my article.
the_guv
5 - Mike
That makes so much sense. admin is too easy - make it hard to figure out what the admin username is! Brilliant! Thanks!
6 - Joe
Hey these tips worked! Thanks
7 - Cool K
Thanks for the tips! I will try them out.
8 - TV Surfing Solutions
Some brilliant information, these tips are great, something many should follow. Thanks
9 - Dave Metz
Wow, so simple and yet completely out-of-the-box. I will definitely follow this great advice. Many thanks.
10 - Lyle
Excellent information. Many of us don't do these important tasks. I will be more aware in the future.
11 - Lyle
Very good I will keep that in mind. I thank you.
12 - Article Directory
Great tips and advice for WP bloggers. As said above, some I would never think of so I'm off to do it right now! :)
13 - Chris Beaumont
"Blog Security" is one of the top security blogs out there keeping an eye on all things blog security and WordPress.
They’ve just released two great articles WordPress fans need to check out.
First is news of a video and blog post by Guvnr called “10 Tips to Make WordPress Hack Proof.” The effort involved tips from BlogSecurity’s popular WordPress Security Whitepaper, inspiring them to update and improve it soon.
Enjoy.
14 - the_guv
tx all ..
appreciate your kind words.
and am glad you found this Guvnr.com tutorial handy.
15 - Twitter Trends
Great WP tips!
16 - Larry C.
Excellent Article, will be doing this in the AM. thanks much for the good security topic.
Larry
17 - the_guv
@TwitterTrends and LarryC
pleased you like .. best to you.
18 - Mike
I will have to try this out. Security is the one weakness I see in Wordpress
19 - Zedd
Great article. I will check this out soon.
20 - Bob N
Thanks, Guv. Followed a few of your tips - hope I don't get hacked again! Thanks for writing this up.