Protect Your Blog From Hackers

How to Protect Your Blog

A quick “public service announcement” with a tip to protect your blog from hackers.

Having lost sites in the past, before I knew better, because they were hacked, I now take very seriously the security of my WordPress sites, and use the plugin WordFence because it emails me to warn me of login attempts I'm not expecting.

I'm not sure what was happening this morning, but I looked in my inbox there was a whole stream of login attempts over a few minutes. Below is a screenshot:

protect your blog Sorry it's not very clear, but they are all alerts from Wordfence telling me that users have been locked out from signing in to my blog based on instructions I give to the plugin.

So for instance, should anyone try to sign in with the username “admin”, I've set it up so that's an immediate lockout because using admin as your WordPress username is like an open invitation to hackers!

I get these alerts every so often, but it's fairly unusual to get so many of them so close together. Wordfence tells me what IP address they're from (in case I want to block an exact IP address) and these were all from different IP addresses – although I understand these can be fairly easily spoofed by anyone with evil intent.

My simplistic view of this is that my blog has just two or three trusted users to whom I have granted login privileges. So if any-one else tries to login they are probably “up to no good”.

Much as I would feel if I found someone with a bunch of keys trying to get into my house 🙂

What Should You Do To Protect Your Blog?

Given that it's a free plugin, the minimum I believe you should do is install the Wordfence plugin.

As well as the ability to lock-out attempted logins there are many additional options on the Wordfence dashboard and it's well explained, so do spend a few minutes looking at the various options and tailoring them to what you feel is sensible. (A little further down there's a link to a video on the WordPress site.)

For instance – I felt that by default it allowed too many attempts at logging in, so I brought it right down.

Other Benefits of Wordfence

The WordPress site describing the plugin lists a huge number of benefits, some of them pretty technical – so if you're of a technical bent, head on over to learn more.

For me, these are the highlights.:

  • Hackers often get into your site by means of vulnerabilities in plugins that the plugin authors will fix with a free update. Which is great – unless you don't notice there's been an update. If you're logging in daily, you'll notice the updates, and can fix them. But if you only login to your site (say) weekly – or even less frequently – you're in danger of missing vital updates. However, Wordfence will email you when updates are needed, so you can login to fix them.
  • It will scan your site and warn you of any potential problems.
  • It also speeds up your site! Who wouldn't want that?

You can learn more about the features of Wordfence here.

The Paid Version of Wordfence

Starting off with the free version of Wordfence will give you an immediately improved level of security.

Premium users can also block countries and schedule their scans for specific times and with a higher frequency.

How Do YOU Secure Your WordPress Blog?

There are many other plugins available to protect your blog against hackers. Wordfence just happens to be one I was recommended to use, and it's doing a great job for me.

However, I know I have some very experienced bloggers amongst my readers, so please feel free to add your own recommendations in the comments below.

Update August 2019

This post was originally written in 2015! But the dangers of WordPress security still remain for the unwary.

Since this post was written I have moved to managed WordPress hosting with Pressidium and they handle the security of my site, but I still use the free version of WordFence on clients' sites and everyone has been very happy with it.

However, do read the comments on this post as well because other bloggers with more technical expertise than I have kindly added their own security tips and favorite WordPress security plugins too.

Please share

I left it too late to plan for a financially secure retirement. Don't make my mistake. Start building an extra income with a part-time (or full-time) business online. Think you don't have time? Can't afford the start-up cost? Can't meet sales targets? Contact me for free advice (no obligation) on the best fit for your circumstances.

Tasleem Khan - March 24, 2015


Thank you for this I will install Wordfence, on my blog. Since I have seen my friends blog hacked last week. I was very concerned about mine. So your post was great timing. Thank you 🙂

    Joy - March 25, 2015

    Hi Tasleem

    I’m glad to hear you’re going to take security measures for your blog.

    Do read the comments from Harleena, Jan and Enstine too.

    Glad to have helped 🙂


Jan Kearney - March 25, 2015

You know Joy, I’ve not long removed WordFence. Don’t get me wrong, I like the plugin and I do recommend it. But for my use, I was relying on it to nag me about updates.

Last year, I logged into my email to a mass of mails like you – it went on for hours, streaming through – 100’s of mails, possibly 1000’s. Bots knocking at my front door and getting locked out. My lockout was set at 2 attempts and locked out for 12 hours.

At that point I muttered a LOT and set an extra password level on wp-admin and wp-login.php. If they can’t get to the front door they can’t knock…

Since then, the only point of WordFence was to nag me about updates and monitor any changes to core files. It did come in handy a couple of weeks ago when I managed to remove the password on wp-login.php without knowing I had and started seeing bots locked out again.

But last week, I noticed my site speed, which isn’t great anyway slowing right down. Removing WordFence, shareaholic and tightening up my image squishing shaved off 3 seconds.

But to answer your question, what do I do to help secure WP?

Well other than an extra password layer, my htaccess is practically a novel. I block access to vulnerable files, I block bots. Xmlrpc is off in wp-config. I run through cloudflare (has free version).

I back up regularly and update, change my passwords regularly and try to clean up plugins/themes that I test out and not leave deactivated ones installed (THAT is a challenge!)

New installs are manually installed and wp_ is changed, htaccess tweaked, admin not used etc.

Nothing is 100% online and if people want to get in they will. However, I think I’m pretty much covered for the “every-day” attempts by bots.

    Joy - March 25, 2015

    Wow Jan,

    Thanks for all those extra tips – really technical stuff. Any hacker stupid enough to look at your blog should be running for the hills:-)

    Seems that both you and Harleena agree about the extra load – although Wordfence’s page say they speed up your blog. I’d recently changed my theme to “perk up” the speed (which it seemed to do) so perhaps it’s time for another check on pingdom.

    Appreciate the value you have added with these technical tips!


Harleena Singh - March 25, 2015

Hi Joy,

I can attest that everything you wrote is true because I’m a Wordfence user myself.

It works and is great at keeping the blog safe. It’s just that I feel it uses a bit more server CPU resources. I did try to shut down its live traffic (which is a great feature), yet its high on resources. Having said that, its still worth having it on your blog.

I use its Level 4 “Lockdown” security level when an spam attack is in progress, and along side I also use the CloudFlare and its security features. So, that gives a double protection. Even more, I use some .htaccess codes to further strengthen the security.

I also like the Firewall rules of Wordfence, and it gives us the control that we require on how the site is visited. Though how much ever you protect your site, hackers can still have a way if they want, but probably they won’t think it’s worth that much of effort for our sites, because Wordfence gives them a tough time.

Thank you for providing this public service awareness, Wordfence is the way to go to protect your blog from hackers! Have a nice week ahead 🙂

    Joy - March 25, 2015

    Hi Harleena

    Thanks so much for adding such value to my post. I hoped someone with really detailed technical expertise would pop in with some tips, so I’m delighted to see you here.

    I’m glad you like Wordfence too and appreciate you pointing out the next level of security that I need to look at.

    As you say – hopefully, the presence of Wordfence on my site will send hackers off to the next, easier, target. Like the very prominent (and active!) burglar alarm on my house does.

    Thanks for sharing this additional information. Joy

Sandy - March 25, 2015

Hi Joy, I used to hv Wordfence at the early stage when I started my blog. Got few ‘heart attack’ moments when received those notofication emails on unsuccessful attempts. Deactivated once and later activated again n the attempts started again. That’s when I decided to take the chance and removed it. Instead used strong password.

A dear friend had an unpleadant experience when he was locked out of his own site and could never get in again, with a defence system in place. Hence, I am indecisive…

Oh ya btw, just wonder do you notice a surge in attempts each time u add a new user? That’s what happened to my site then.

    Joy - March 25, 2015

    Hi Sandy

    Thanks for sharing your experiences with Wordfence. I guess my remark would be that perhaps the attempts were still happening while you had Wordfence deactivated, but you just didn’t know about them.

    It’s quite rare for me to add a new user, so perhaps when I have a guest blogger, like James recently, and to be honest I hadn’t really taken much notice, but I’ll watch out in future. I hadn’t added any new users yesterday when this happened.

    That was a horrid experience for your friend! Do you remember which defence system he was using? I keep a “spare” admin login that I hope would rescue me in that event, or at worst I could recover from a backup.

    Thanks for sharing your experiences. Joy

Enstine Muki - March 25, 2015

Hey Joy,
Thanks for making this announcement. I think it’s a great wake-up call to anyone that’s still taking security light.

I also had database issue with my blog yesterday. There were repeated database connection fail messages. At one moment, there was an error message signaling too many connections to the db.

I wondered where those connections suddenly came from. There was no mad rise in traffic so I quickly called the attention of Hostgator who did their job to get things stabilized.

I use iTheme Security which is also a great option.

Hope you are having a wonderful week

    Joy - March 25, 2015

    Hi Enstine

    Thanks for your helpful input – in fact you’ve reminded me that on one of my old (but still current) blogs I noticed that I DIDN’T have Wordfence installed. After a quick panic I spotted that I was using iTheme Security instead, and it has been perfectly OK, so it’s good that you have also found it a reliable alternative.

    Hmm – I too had a lot of problems yesterday, perhaps there’s “mischief afoot”. However I don’t host this blog with Hostgator. I still have a few blogs with them but sadly, since the takeover, I’ve found their timescale for support has deteriorated dreadfully and I still have tickets open from weeks ago. You’re obviously getting better support from them so I’m guessing we have different plans!

    Thanks for reminding me and my readers about iTheme Security which is doing a good “set and forget” for me elsewhere.

    My week is going great so far – hope yours is too.


Dev - March 26, 2015

Hi Joy,

Great reminder about the importance of security. When it comes to security, I use these plugins / tools — WordFence, iThemes Security, and Sucuri.

I think the best way to protect against hackers is to have a proper (& regular) backups of your blog.

Just added your post to Buffer.

    Joy - March 26, 2015

    Hi Dev

    Thanks for mentioning those other plugins. I have also heard good reports of Sucuri (and iThemes, which I remembered I had also used).

    Backups are essential too. It’s not enough to assume your hosting company is doing them. I assumed that once and was horrified to discover their most recent backup was MONTHS out of date. I am no longer with that hosting company!

    I use Buffer too. It’s excellent so thanks for sharing.


Mi Muba - March 26, 2015

Hi Joy

Very important topic you covered in this post and a blogger should never take it lightly.

We can see in our hosting control panel how frequently fraudulent logging attempts are made at our blog.

There are a few other free plus premium plugins to protect our blog but the one you mentioned is so cool and its popularity is rising everywhere.

Apart from this one needs to adopt a few manual ways to secure his blog that includes manually taking the backup on regular basis and changing the login details after regular interval to be safe from malicious attacks.

Thanks a lot for sharing this very useful post as security always come first to continue performing better.

    Joy - March 26, 2015

    Hi Mi Muba

    Thanks for adding these valuable comments, and I’m pleased to hear you think Wordfence is a good plugin.

    Yes, I’ve just done another round of manual backups in addition to the automated ones!

    When I first started blogging (some years ago knowing nothing at all) I remember thinking “My blog is so small, no one would have any reason to hack it”. SO WRONG. It didn’t stop them at all. So I learned the hard way.

    Hope to have warned other people to take the security measures right away.

    Have a good weekend, Joy

Kimsea Sok - March 30, 2015

Thanks for sharing, Joy.

This is really useful article of WordPress Security Defense. Actually, my blog was hacked last year and I lost 72 articles off my blog because I did not backup my blog.

Well, to keep our business and avoid losing posts we have to pay attention on security and backup.

I am currently using Sitelock, the service protect from hacking and bot spam traffic. Also, I have installed Wpbackup plugin to save my blog data.

Anyway, thanks for sharing valuable plugins here…!

    Joy - March 30, 2015

    Hi Kimsea

    So sorry to hear that you lost all that information from your site. That was a harsh way to learn about backups – but it’s probably happened to every “start-up” DIY blogger (including myself) before we learned better.

    Thanks for sharing the plugins that you use to keep your site safe now.


Rachit - May 30, 2015

WordFence in my opinion isn’t enough. Clef offers better security over this plugin. One of my friend got his blog hacked while wordfence on duty.
However wordfence protects your blog from suspected bots and brute force attacks, whereas clef cuts down the chance of bots and brute force by adding two factor authentication.

Additionally one should regularly backup mySql as there is no hardcore protection for it, and if someone hacks it, … damn you are ruined if you don’t have a backup.

But the wordfence plugin too, is quite nice. The only nasty thing it does is creates extra tables, which I don’t like.

    Joy - May 30, 2015

    Hi Rachit

    Well you are indeed correct, as one of my blogs (not this one) was hacked despite having Wordfence installed. Luckily I had a manual backup, but the time wasted has been horrendous.

    I’ll look into Clef – do you happen to know if/how it will work OK with ManageWP?

    Thanks for the suggestion, Joy

Jake - June 2, 2015

Managewp is just a middle man they store your data on 3rd party service like Dropbox and Gdrive.

The best possible solution is using icontrolwp and I have used it. It’s worth the money

Before choosing them try googling icontrolwp review some blogger may have written about them.

    Joy - June 3, 2015

    Hi Jake

    Thanks for drawing my attention to icontrolwp and your good experience of it. I’m pleased you like it. Do you still use it?

    As I’ve already subscribed to ManageWP on the recommendation of Enstine (and very happy with it) I didn’t do extensive research, however on the review that I DID find, ManageWP appeared to come out with more ticks, although there was a typo in the pricing column.

    Anyway, different packages suit different people so I’m grateful to you for pointing out icontrolwp for readers who have yet to make up their mind.

    Thanks for your suggestion, Joy

Jake - June 3, 2015

I don’t use it now because I have switched all my wp installation to managed WordPress hosting and my hosting package comes with icontrolwp backup.

Sometimes your readers will benefit from the review of icontrolwp, here is one that you can add to your blog post http://www.techwibe.com/icontrolwp-rock-solid-backup-service-our-experience-review/

InfiniteWP is another option to try out, basic items are free with it

    Joy - June 4, 2015

    Hi Jake

    Thanks for contributing that review for my readers, and for your thoughts. Is it your blog?

    By the way, I had to take your email out because it gave me an error message when I did the “My Comment Authors” mailing 🙂

    Enjoy the rest of your week, Joy

Comments are closed