WordPress Security: Don’t wait until it’s too late!

One year ago, my webcomic, LeyLines, was hacked. Believe me when I say there are few things as devastating to a webcomic creator than to sign on to your site and discover all of it has vanished overnight. I learned a lot about website security the hard way that month.

Many, if not most, of us are using WordPress these days. While a WP blog hosted by WordPress is very secure, whenever it is hosted elsewhere, additional holes manifest that a hacker can exploit.

Don’t assume that you are safe because you are small — I had a grand total of 70 readers at the time I was hacked! Hackers will sometimes write code that impacts a blanket of sites, usually attacking the same security weakness in each.

Here are some first steps to minimizing the damage a hacker can do:

First Steps – Security Level Alpha

1) Back up your databases regularly. Most modern hosts have a database back-up option available in a control panel interface. You can also use FTP downloads, or a Back-up plugins. (And while you’re backing up your databases, don’t forget to back up your files too!)

2) Keep WordPress up to date. Much of WordPress’ updates are to patch the holes that hackers exploit, and updating is a fairly simple process. Despite that, it’s easy to let WP updates slide. Especially since sometimes the updates delete themes or have compatibility issues. Trust me, a little inconvenience now is a lot better than no website later.

3) Be original – don’t use “admin” and “password” Many database set-ups automatically make the username with read/write/execute permissions “admin”. Hackers know this, and it’s the first thing they’ll try. Don’t make it easy for them!

4) Beware Plugin Fever Plugins are amazing add-ons to our websites, but they’re also potential gateways into the guts of our systems. Be selective in what you install on your website, and investigate them before you place them in your code.

Plugins – Security Level Beta

Now that I’ve scared you away from ever installing another Plugin ever again, it turns out that not all Plugins are bad things. Below are some more advanced ways to protect your website and some options for Plugins to do the job.

Note of caution: As before, beware Plugin Fever! Even security Plugins can start causing problems if too many are installed. They may interfere with each other or interfere with WP’s overall functionality, so install with care! Try them out one at a time and test your site each time. If something goes wrong, you’ll always have your back-ups to rely on.

1) Limit the Number of times a user can attempt to log in
Brute force hacking is when a hacker bombards your site with thousand of password combination until they crack your code. These Plugins records the number of times an IP address has attempted to access your WordPress admin page with the wrong username/password. After a certain number of tries (you set the limit) that IP is locked out of the account.
Plugin options: Login Security Solution, Login LockDown, Limit Login Attempts

2) Don’t rely on your host to keep their firewalls maintained — install your own!
Your server SHOULD have a firewall implemented, but that doesn’t mean your host is maintaining it. Besides, inserting an extra layer of protection never hurt! There are lots of options here, from the simple to the complex. Each will block different things, including XSS, CSRF, Base 64, and SQL Booster, SQL injection, and directory traversal attacks. The more complex the plugin, the more it will block, but the more likely it is to mess with WP functionality. Evaluate your options carefully and decide which is the best fit for you!
Plugin options: BulletProof Security, OSE Firewall

3) Spam and Viruses aren’t just email concerns
We’ve all learned about the dangers of email-borne viruses and spam, but there is plenty of malicious code that specifically targets WordPress. Akismet is basic, free, and very popular, but there are other options to consider to make your site more secure for you AND your readers!
Plugin options: AntiVirus, Bad Behaviour, Antispam Bee

All-in-One Plugins For those of you that just one a one-stop-shop, there are also some security plugins that slice, dice, and make Julienne fries. These can be particularly helpful because they avoid conflicting plugin issues. Just make sure you understand where the holes are – no plugin is perfect – and take measures to shore up wheat these “all-in-one” plugins miss.
Plugin options: Better WP Security, 6Scan Security, Wordfence Security.

Coding and Services – Level Omega

For the code-savy, there are ways to alter WP’s code directly to improve security. You can also change permissions on certain files to make it harder for them to be tampered with. However, since this can interfere with WP’s functionality, I’d only recommend you fiddle with files if you are VERY comfortable with code! You can read a little more about WordPress’ recommended practices in the article Hardening WordPress!

If everything I’ve said sounds completely overwhelming, there are also several companies that will perform a full security overhaul. However, these services often cost between $100 – $500 to perform! Chances are, by taking basic precautions and installing a few good Plugins, your site will be as secure as it needs to be. However, if you want to make your website iron-clad, but back-ups, Plugins, and coding scares you, there ARE services available for you to use.

Even if you never get beyond those first few steps, you’ll already be in a much better position to prevent and recover from a hacking attack. Don’t wait until it’s too late! Improve your WordPress security today!

Robin Dempsey is addicted to storytelling, despite all logical reasoning against this irrationally glorious pursuit. By day she works as a Mechanical Engineer, and in every spare moment outside of that she is making comics. Including in her sleep, on occasion. Addicted to world-building, character crafting, and language making, you can find the results of her sprawling storytelling pursuits at LeyLinesComic.com! Or drop a line on Twitter at RobinofLeyLines.

Posted in Featured News, Helpful Hints, Tech and tagged , , .


    • Definitely recommend at the very least level one. Being security conscious can save you a lot of heart-ache and hardship later! It takes very little to back up a site or install a plugin! It cost me over $300 to get my site cleaned and restored when I got hacked, all because I’d done nothing to protect myself!

  1. Plugins are by far the number one culprit in hacked WP sites. A lot of them are written with a lot of security holes, and that’s where the exploits are found.

    My former blog was a victim of a script that got in through a shoddy plugin and sent malicious data to readers. Let me tell you, I lost the trust of quite a few followers for that period of time, and my readership never reached that same level again.

  2. I’ve just started using “Wordfence Security” and I highly recommend it. I have a Multi-Site Word Press installation and it protects all of my client’s sites. I had been having issues with something letting files be saved in the root of my website. I tried for months to figure it out. Installed “Wordfence” and it had it solved in 10 minutes.

    I am sure the others work well too, but I can speak to Wordfence personally.

    But the best thing is to do what Robin said: BACK IT UP! Not just your files, but your Database too! Most hosts will help you with this process. I have Dreamhost and they will back your site up for free once a month. All you have to do is ask them to do it. The one time I was hacked, the back-ups saved my comic from oblivion.

    • You need to disable wordfence security’s auto-scan when you’re not around option, otherwise it pumps up your CPU usage massively on your hosting. But yeah totally worth having.

      Your database can be backed up with phpmyadmin from your hostings control panel (or) minimally wp-admin -> tools -> export

  3. Howdy, I’m not a webcomic guy, but I read Christopher’s comic and he retweeted this, so…

    Another thing you should install is “Stop Spammers” by Keith P. Graham. Not only does it keep most spammers out by filtering site comments through several spam comment databases by checking known IPs and email addresses, it also keeps a list of people who’ve tried to log into your site via wp-login.php, and stops people who try to post or login with spoofed or missing referrer information (which might mean they’re not using a browser, but a spambot.)

    Plus it keeps the spambots out. I installed it on September 5, and it’s stopped over 17700 spam comments since then.

  4. Hey, nice article! More webcomics people definitely need to know this, since it seems like people just install and go. WordPress is popular among webcomic sites, but WP is also insecure as heck by itself and hackers are constantly trying to pry it open. O_O The other day I got notification of someone trying to log in to one of my sites. That creeped me out a little. Once some hacker injected code into the backend of my sites to make every site on that host change the text on the pages to spam. That was easily remedied by my host, but still awful (I didn’t notice at first — I think somehow my browser blocked the spam text replacement??).

    I was just tweeting recently that people using WP should look out for that sort of stuff! It’s actually relatively easy to keep your site from the basic hacks, too. I recently discovered Better WP Security when looking for alternatives to my old security plugin (it was weak). It’s nice. 😀

    • I was definitely one of the people that just “installed and go” and I learned the hard way the trouble that can cause! I hope that others can benefit from my mistakes! Getting hacked is an awful experience!

      I like Better WP Security too. I’ve heard lots of good things on Wordfence too. All of them have holes, but it definitely covers a lot of the bases!

  5. Great article, Robin! It created just the right-amount of fear sprinkled in with enough hope to cause a change. I’m gonna check out some of your wonderful, necessary options right now.

    • Better WP Security and Wordfence Security are both getting high marks from my fellow webcomicers. Take a look at what they cover – each one is a little different – but both are great options.

    • Oh! And if you choose Wordfence Security, you might want to follow Frumph’s suggestion above and “disable wordfence security’s auto-scan when you’re not around option, otherwise it pumps up your CPU usage massively on your hosting.”

  6. One thing I did is change my admin name from admin to something else. Now, you can’t do this directly through wordpress, but you can edit the database directly…back it up first!

    here’s a link to do it if you are comfortable editing your mysql database manually:


    I used option 3 making changes in the phpMyAdmin.

    Option 2 has outdated plug-ins and option 1 is probably the easiest, but you lose the count of the number of posts you made with the admin username. Option 3 just seemed to make more sense to me when I made the change manually.

    I had used the Login Security Plugin, but since my password wasn’t the default length, the very next time I tried to log in, it thought I was an intruder and wouldn’t let me log in. I had to wait until the number of attempts was used up and then it asked me to change my password. It was too frustrating so I went ahead and renamed the admin username via phpMyAdmin.

    Nice article! Can’t stress enough to back up your database on a regular basis!

Leave a Reply

Your email address will not be published. Required fields are marked *