Protect Your Blog From Hackers


How to Protect Your Blog

A quick “public service announcement” with a tip to protect your blog from hackers.

Having lost sites in the past, before I knew better, because they were hacked, I now take very seriously the security of my WordPress sites, and use the plugin WordFence because it emails me to warn me of login attempts I'm not expecting.

I'm not sure what was happening this morning, but when I looked in my inbox there was a whole stream of login attempts over a few minutes. Below is a screenshot:

Sorry it's not very clear, but they are all alerts from Wordfence telling me that users have been locked out from signing in to my blog based on instructions I give to the plugin.

So for instance, should anyone try to sign in with the username “admin”, I've set it up so that's an immediate lockout because using admin as your WordPress username is like an open invitation to hackers!

I get these alerts every so often, but it's fairly unusual to get so many of them so close together. Wordfence tells me what IP address they're from (in case I want to block an exact IP address) and these were all from different IP addresses – although I understand these can be fairly easily spoofed by anyone with evil intent.

My simplistic view of this is that my blog has just two or three trusted users to whom I have granted login privileges. So if anyone else tries to log in they are probably “up to no good”.

Much as I would feel if I found someone with a bunch of keys trying to get into my house 🙂

What Should You Do To Protect Your Blog?

Given that it's a free plugin, the minimum I believe you should do is install the Wordfence plugin.

As well as the ability to lock out attempted logins there are many additional options on the Wordfence dashboard and it's well explained, so do spend a few minutes looking at the various options and tailoring them to what you feel is sensible. (A little further down there's a link to a video on the WordPress site.)

For instance – I felt that by default it allowed too many attempts at logging in, so I brought it right down.
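To make the lockout rules described above concrete, here is a small added example (my own sketch, not Wordfence's code and not from the original post) that applies them to a list of login events: any username that is not a real account is locked out at once, a real account gets a small number of failed attempts, and a run of lockouts from different IP addresses within a few minutes is flagged. The usernames, thresholds and sample events are all constructed assumptions, and events are assumed to arrive in time order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values, modelled on the settings described in the post.
TRUSTED_USERS = {"joy", "guest_author"}  # hypothetical real accounts
MAX_FAILURES = 2                         # wrong passwords allowed per IP
BURST_WINDOW = timedelta(minutes=5)      # "over a few minutes"
BURST_IPS = 4                            # distinct locked-out IPs that count as a burst

# Constructed sample events: (time, source IP, username tried, login succeeded)
EVENTS = [
    ("2015-03-10T07:01:05", "198.51.100.7", "admin", False),
    ("2015-03-10T07:01:40", "203.0.113.20", "administrator", False),
    ("2015-03-10T07:02:10", "192.0.2.44", "joy", False),   # owner mistypes once
    ("2015-03-10T07:02:30", "198.51.100.7", "admin", False),
    ("2015-03-10T07:03:02", "203.0.113.99", "test", False),
    ("2015-03-10T07:03:20", "192.0.2.44", "joy", True),    # then gets in
    ("2015-03-10T07:04:15", "198.51.100.150", "admin", False),
    ("2015-03-10T07:20:00", "192.0.2.200", "joy", False),
    ("2015-03-10T07:20:30", "192.0.2.200", "joy", False),
]


def evaluate(events):
    """Return ({ip: lockout reason}, [ISO times at which a burst alert fires])."""
    failures = defaultdict(int)   # failed attempts per IP against real accounts
    locked = {}                   # kept for the whole run; a real plugin expires these
    recent = deque()              # (time, ip) of lockouts inside the burst window
    alerts = []
    for ts, ip, user, ok in events:
        when = datetime.fromisoformat(ts)
        if ip in locked:
            continue              # already shut out, attempt is ignored
        if user.lower() not in TRUSTED_USERS:
            reason = "unknown username"      # e.g. "admin": immediate lockout
        elif ok:
            failures.pop(ip, None)           # successful login clears the count
            continue
        else:
            failures[ip] += 1
            if failures[ip] < MAX_FAILURES:
                continue
            reason = "too many failures"
        locked[ip] = reason
        recent.append((when, ip))
        while when - recent[0][0] > BURST_WINDOW:
            recent.popleft()                 # drop lockouts older than the window
        if len({addr for _, addr in recent}) >= BURST_IPS:
            alerts.append(when.isoformat())
    return locked, alerts


if __name__ == "__main__":
    locked, alerts = evaluate(EVENTS)
    for ip, reason in locked.items():
        print(ip, reason)
    print("burst alerts:", alerts)
```

Note that the owner's single mistyped password from 192.0.2.44 does not trigger a lockout, while the second failure from 192.0.2.200 does.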

Other Benefits of Wordfence

The WordPress site describing the plugin lists a huge number of benefits, some of them pretty technical – so if you're of a technical bent, head on over to learn more.

For me, these are the highlights:

  • Hackers often get into your site by means of vulnerabilities in plugins that the plugin authors will fix with a free update. Which is great – unless you don't notice there's been an update. If you're logging in daily, you'll notice the updates, and can install them. But if you only log in to your site (say) weekly – or even less frequently – you're in danger of missing vital updates. However, Wordfence will email you when updates are needed, so you can log in to install them.
  • It will scan your site and warn you of any potential problems.
  • It also speeds up your site! Who wouldn't want that?

You can learn more about the features of Wordfence here.

The Paid Version of Wordfence

Starting off with the free version of Wordfence will give you an immediately improved level of security.

Premium users can also block countries and schedule their scans for specific times and with a higher frequency.

How Do YOU Secure Your WordPress Blog?

There are many other plugins available to protect your blog against hackers. Wordfence just happens to be one I was recommended to use, and it's doing a great job for me.

However, I know I have some very experienced bloggers amongst my readers, so please feel free to add your own recommendations in the comments below.

Update August 2019

This post was originally written in 2015! But the dangers of WordPress security still remain for the unwary.

Since this post was written I have moved to managed WordPress hosting with Pressidium and they handle the security of my site, but I still use the free version of WordFence on clients' sites and everyone has been very happy with it.

However, do read the comments on this post as well because other bloggers with more technical expertise than I have kindly added their own security tips and favorite WordPress security plugins too.


  • Tasleem Khan says:


    Thank you for this. I will install Wordfence on my blog. Since I have seen my friend’s blog hacked last week, I was very concerned about mine. So your post was great timing. Thank you 🙂

    • Joy says:

      Hi Tasleem

      I’m glad to hear you’re going to take security measures for your blog.

      Do read the comments from Harleena, Jan and Enstine too.

      Glad to have helped 🙂


  • Jan Kearney says:

    You know Joy, I’ve not long removed WordFence. Don’t get me wrong, I like the plugin and I do recommend it. But for my use, I was relying on it to nag me about updates.

    Last year, I logged into my email to a mass of mails like you – it went on for hours, streaming through – 100’s of mails, possibly 1000’s. Bots knocking at my front door and getting locked out. My lockout was set at 2 attempts and locked out for 12 hours.

    At that point I muttered a LOT and set an extra password level on wp-admin and wp-login.php. If they can’t get to the front door they can’t knock…

    Since then, the only point of WordFence was to nag me about updates and monitor any changes to core files. It did come in handy a couple of weeks ago when I managed to remove the password on wp-login.php without knowing I had and started seeing bots locked out again.

    But last week, I noticed my site speed, which isn’t great anyway, slowing right down. Removing WordFence, shareaholic and tightening up my image squishing shaved off 3 seconds.

    But to answer your question, what do I do to help secure WP?

    Well other than an extra password layer, my htaccess is practically a novel. I block access to vulnerable files, I block bots. Xmlrpc is off in wp-config. I run through cloudflare (has free version).

    I back up regularly and update, change my passwords regularly and try to clean up plugins/themes that I test out and not leave deactivated ones installed (THAT is a challenge!)

    New installs are manually installed and wp_ is changed, htaccess tweaked, admin not used etc.

    Nothing is 100% online and if people want to get in they will. However, I think I’m pretty much covered for the “every-day” attempts by bots.

    • Joy says:

      Wow Jan,

      Thanks for all those extra tips – really technical stuff. Any hacker stupid enough to look at your blog should be running for the hills:-)

      Seems that both you and Harleena agree about the extra load – although Wordfence’s page say they speed up your blog. I’d recently changed my theme to “perk up” the speed (which it seemed to do) so perhaps it’s time for another check on pingdom.

      Appreciate the value you have added with these technical tips!


  • Hi Joy,

    I can attest that everything you wrote is true because I’m a Wordfence user myself.

    It works and is great at keeping the blog safe. It’s just that I feel it uses a bit more server CPU resources. I did try to shut down its live traffic (which is a great feature), yet it’s high on resources. Having said that, it’s still worth having it on your blog.

    I use its Level 4 “Lockdown” security level when a spam attack is in progress, and alongside I also use CloudFlare and its security features. So, that gives a double protection. Even more, I use some .htaccess codes to further strengthen the security.

    I also like the Firewall rules of Wordfence, and it gives us the control that we require on how the site is visited. Though how much ever you protect your site, hackers can still have a way if they want, but probably they won’t think it’s worth that much of effort for our sites, because Wordfence gives them a tough time.

    Thank you for providing this public service awareness, Wordfence is the way to go to protect your blog from hackers! Have a nice week ahead 🙂

    • Joy says:

      Hi Harleena

      Thanks so much for adding such value to my post. I hoped someone with really detailed technical expertise would pop in with some tips, so I’m delighted to see you here.

      I’m glad you like Wordfence too and appreciate you pointing out the next level of security that I need to look at.

      As you say – hopefully, the presence of Wordfence on my site will send hackers off to the next, easier, target. Like the very prominent (and active!) burglar alarm on my house does.

      Thanks for sharing this additional information. Joy

  • Sandy says:

    Hi Joy, I used to hv Wordfence at the early stage when I started my blog. Got few ‘heart attack’ moments when received those notification emails on unsuccessful attempts. Deactivated once and later activated again n the attempts started again. That’s when I decided to take the chance and removed it. Instead used strong password.

    A dear friend had an unpleasant experience when he was locked out of his own site and could never get in again, with a defence system in place. Hence, I am indecisive…

    Oh ya btw, just wonder do you notice a surge in attempts each time u add a new user? That’s what happened to my site then.

    • Joy says:

      Hi Sandy

      Thanks for sharing your experiences with Wordfence. I guess my remark would be that perhaps the attempts were still happening while you had Wordfence deactivated, but you just didn’t know about them.

      It’s quite rare for me to add a new user, so perhaps when I have a guest blogger, like James recently, and to be honest I hadn’t really taken much notice, but I’ll watch out in future. I hadn’t added any new users yesterday when this happened.

      That was a horrid experience for your friend! Do you remember which defence system he was using? I keep a “spare” admin login that I hope would rescue me in that event, or at worst I could recover from a backup.

      Thanks for sharing your experiences. Joy

  • Enstine Muki says:

    Hey Joy,
    Thanks for making this announcement. I think it’s a great wake-up call to anyone that’s still taking security light.

    I also had database issue with my blog yesterday. There were repeated database connection fail messages. At one moment, there was an error message signaling too many connections to the db.

    I wondered where those connections suddenly came from. There was no mad rise in traffic so I quickly called the attention of Hostgator who did their job to get things stabilized.

    I use iTheme Security which is also a great option.

    Hope you are having a wonderful week

    • Joy says:

      Hi Enstine

      Thanks for your helpful input – in fact you’ve reminded me that on one of my old (but still current) blogs I noticed that I DIDN’T have Wordfence installed. After a quick panic I spotted that I was using iTheme Security instead, and it has been perfectly OK, so it’s good that you have also found it a reliable alternative.

      Hmm – I too had a lot of problems yesterday, perhaps there’s “mischief afoot”. However I don’t host this blog with Hostgator. I still have a few blogs with them but sadly, since the takeover, I’ve found their timescale for support has deteriorated dreadfully and I still have tickets open from weeks ago. You’re obviously getting better support from them so I’m guessing we have different plans!

      Thanks for reminding me and my readers about iTheme Security which is doing a good “set and forget” for me elsewhere.

      My week is going great so far – hope yours is too.


  • Dev says:

    Hi Joy,

    Great reminder about the importance of security. When it comes to security, I use these plugins / tools — WordFence, iThemes Security, and Sucuri.

    I think the best way to protect against hackers is to have a proper (& regular) backups of your blog.

    Just added your post to Buffer.

    • Joy says:

      Hi Dev

      Thanks for mentioning those other plugins. I have also heard good reports of Sucuri (and iThemes, which I remembered I had also used).

      Backups are essential too. It’s not enough to assume your hosting company is doing them. I assumed that once and was horrified to discover their most recent backup was MONTHS out of date. I am no longer with that hosting company!

      I use Buffer too. It’s excellent so thanks for sharing.


  • Mi Muba says:

    Hi Joy

    Very important topic you covered in this post and a blogger should never take it lightly.

    We can see in our hosting control panel how frequently fraudulent logging attempts are made at our blog.

    There are a few other free plus premium plugins to protect our blog but the one you mentioned is so cool and its popularity is rising everywhere.

    Apart from this one needs to adopt a few manual ways to secure his blog that includes manually taking the backup on regular basis and changing the login details after regular interval to be safe from malicious attacks.

    Thanks a lot for sharing this very useful post as security always come first to continue performing better.

    • Joy says:

      Hi Mi Muba

      Thanks for adding these valuable comments, and I’m pleased to hear you think Wordfence is a good plugin.

      Yes, I’ve just done another round of manual backups in addition to the automated ones!

      When I first started blogging (some years ago knowing nothing at all) I remember thinking “My blog is so small, no one would have any reason to hack it”. SO WRONG. It didn’t stop them at all. So I learned the hard way.

      Hope to have warned other people to take the security measures right away.

      Have a good weekend, Joy

  • Kimsea Sok says:

    Thanks for sharing, Joy.

    This is really useful article of WordPress Security Defense. Actually, my blog was hacked last year and I lost 72 articles off my blog because I did not backup my blog.

    Well, to keep our business and avoid losing posts we have to pay attention on security and backup.

    I am currently using Sitelock, the service protect from hacking and bot spam traffic. Also, I have installed Wpbackup plugin to save my blog data.

    Anyway, thanks for sharing valuable plugins here…!

    • Joy says:

      Hi Kimsea

      So sorry to hear that you lost all that information from your site. That was a harsh way to learn about backups – but it’s probably happened to every “start-up” DIY blogger (including myself) before we learned better.

      Thanks for sharing the plugins that you use to keep your site safe now.


  • Rachit says:

    WordFence in my opinion isn’t enough. Clef offers better security over this plugin. One of my friends got his blog hacked while Wordfence was on duty.
    However wordfence protects your blog from suspected bots and brute force attacks, whereas clef cuts down the chance of bots and brute force by adding two factor authentication.

    Additionally one should regularly backup mySql as there is no hardcore protection for it, and if someone hacks it, … damn you are ruined if you don’t have a backup.

    But the wordfence plugin too, is quite nice. The only nasty thing it does is creates extra tables, which I don’t like.

    • Joy says:

      Hi Rachit

      Well you are indeed correct, as one of my blogs (not this one) was hacked despite having Wordfence installed. Luckily I had a manual backup, but the time wasted has been horrendous.

      I’ll look into Clef – do you happen to know if/how it will work OK with ManageWP?

      Thanks for the suggestion, Joy

  • Jake says:

    Managewp is just a middle man they store your data on 3rd party service like Dropbox and Gdrive.

    The best possible solution is using icontrolwp and I have used it. It’s worth the money

    Before choosing them try googling icontrolwp review some blogger may have written about them.

    • Joy says:

      Hi Jake

      Thanks for drawing my attention to icontrolwp and your good experience of it. I’m pleased you like it. Do you still use it?

      As I’ve already subscribed to ManageWP on the recommendation of Enstine (and very happy with it) I didn’t do extensive research, however on the review that I DID find, ManageWP appeared to come out with more ticks, although there was a typo in the pricing column.

      Anyway, different packages suit different people so I’m grateful to you for pointing out icontrolwp for readers who have yet to make up their mind.

      Thanks for your suggestion, Joy

  • Jake says:

    I don’t use it now because I have switched all my wp installation to managed WordPress hosting and my hosting package comes with icontrolwp backup.

    Sometimes your readers will benefit from the review of icontrolwp, here is one that you can add to your blog post http://www.techwibe.com/icontrolwp-rock-solid-backup-service-our-experience-review/

    InfiniteWP is another option to try out, basic items are free with it

    • Joy says:

      Hi Jake

      Thanks for contributing that review for my readers, and for your thoughts. Is it your blog?

      By the way, I had to take your email out because it gave me an error message when I did the “My Comment Authors” mailing 🙂

      Enjoy the rest of your week, Joy
