alex sysoef

Triple “P” Of Total WordPress Security

WordPress security is one of the most overlooked aspects of Blogging, be it blogging to make money or blogging for fun. And I don’t believe it is due to ignorance but rather due to wrong advice, or sometimes even the wrong script used for blog installation!

And yet – WordPress Security is one aspect that has the potential to damage your reputation and could even lead to your blog being banned from Search Engine results!

Triple “P” Of WordPress Security Is A New Concept I have Coined That Is Designed As A Complete Solution to WordPress Protection!

Based on personal experience gained through helping people recover their blogs, as well as dealing with my own sites being hacked, this concept will deliver an End-To-End defense approach to those willing to follow…

As I worked through the issues associated with compromised WordPress blogs I have discovered certain recurring patterns in how the security was penetrated. In fact the majority of hacks don’t come from someone sitting in front of a computer and actively trying to exploit your specific blog – Hacking Is Automated!

There are a couple of ways to deal with the process of staying ahead of the game:

  • You can dedicate effort to stay current or…
  • You can Design Security Into Your Blog

I like the second approach as it helps me stay sane when I’m off on vacation in some remote location and simply don’t have the ability to Upgrade as soon as a new version of WordPress is released.

While what I describe below is not 100% applicable to every blog, especially if you have used Fantastico to install it, you can still make sure your installation is a LOT MORE secure against bots and worms.

Triple “P” Of WordPress Security

The idea behind the concept is to implement as many safeguards as needed without compromising the functionality of your blog or, even worse, its performance. The approach is separated into 3 stages as shown below:


I like a systematic approach as it ensures nothing important is missed…

Preemptive Security – First “P” or Stage 1

This stage consists of measures you take during installation and Preemptive Actions You Take to keep your blog secure! I’m an advocate of using either a manual blog install or one of the scripted solutions that provide you with a secure automated blog installation, such as our own Expert WordPress.

1. Secure Blog Installation

Security should be ensured during your blog installation, and this is accomplished by simply making sure that the values in your wp-config.php are hard to guess. This will avoid a lot of MySQL injection attacks!


I have highlighted all the values in the image above that MUST be unique and hard to guess on each and every blog installed. Unfortunately, the Fantastico installation creates those values in an easily guessable way, and I have seen one third-party WordPress installation script that actually removes the 4 Auth keys provided by WordPress for the sake of simplicity of install.
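As an added example (not code from this post, from WordPress or from Expert WordPress), the Python script below audits a wp-config.php for exactly the weaknesses described above: Auth keys that are missing, still set to the sample placeholder or too short, the default wp_ table prefix, and a database password that merely repeats the user or database name. The sample configuration is constructed, and the 32-character minimum is an assumed threshold.

```python
import re

# Constructed wp-config.php fragment (not from any real blog) showing the weak pattern the post
# warns about: the default table prefix, placeholder Auth keys and a password equal to the user.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wordpress');
define('DB_PASSWORD', 'wordpress');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY',   'Qv2n&7!rT#kd9(Zp^LmX@4wB)sY*eU0+gHj5cN;oF=aI%xVtW1');
define('NONCE_KEY',       'short');
$table_prefix  = 'wp_';
"""

AUTH_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")  # the 4 keys the post refers to
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_KEY_LENGTH = 32  # assumed threshold for "hard to guess"

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def parse_wp_config(text):
    """Return ({constant: value}, table_prefix or None) pulled from wp-config.php source text."""
    defines = dict(DEFINE_RE.findall(text))
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)

def audit_wp_config(text):
    """Return a list of plain-language findings; an empty list means nothing was flagged."""
    defines, prefix = parse_wp_config(text)
    findings = []
    for key in AUTH_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key} is missing (some installers strip the Auth keys)")
        elif value == PLACEHOLDER:
            findings.append(f"{key} still has the sample placeholder value")
        elif len(value) < MIN_KEY_LENGTH:
            findings.append(f"{key} is only {len(value)} characters long")
    if prefix == "wp_":
        findings.append("table prefix is the default 'wp_'")
    password = defines.get("DB_PASSWORD")
    if password is not None and password in ("", defines.get("DB_USER"), defines.get("DB_NAME")):
        findings.append("DB_PASSWORD is empty or equals DB_USER/DB_NAME")
    return findings
```

Run it against a copy of your own wp-config.php (`audit_wp_config(open("wp-config.php").read())`) and fix every finding before the blog goes live.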

They claim to have 15,000 and a growing number of “victims”, and all I can say to those people is – Read On! Stages 2 and 3 will be of the utmost importance to you guys!

2. Regular Backups

I like to use the WordPress Database Backup plugin and we install it on all our customers’ blogs as it allows us to schedule backups to be emailed to us. I like to use a separate account for this, as this way I can store all my blogs’ DB backups in one place and, if need be, restore each blog to the same state it was in the night before the hack.

Also, because SQL injection hacks sometimes are not discovered until later, I recommend you keep at least a month’s worth of backups for incremental restore if needed! Time consuming, but it beats re-writing content!

Also, at the very least, you should each month download the files unique to your blog from your hosting account. Here are the most common ones:

  • wp-content/ (directory)
  • wp-config.php
  • .htaccess
  • sitemap.xml
  • sitemap.xml.gz

Any other unique files you have must be backed up as well! This will allow you to recover the file system if it is compromised.

3. Timely Upgrades

While you might not have instant access to upgrade your blog to the latest version, you should do it as soon as the opportunity presents itself! And since the ability to upgrade your plugins and WordPress core is now provided to you with One Click simplicity – you should do it!

Preventive Security – Second “P” or Stage 2

This stage will be especially useful if you have installed your blog using Fantastico, or been victimized by a promise of functionality and got yourself a blog or a few of them using some other tool.

In this stage we will be working on creating a Defense Perimeter Around Your Blog to stop the most common attacks.

1. Comment SPAM Defense

I consider comment spam a primitive form of hack attack. It comes from automated SPAM bots, which are easily killed, and lately often from manual submission. And here is why…

Consider this fact: the last few hack attacks against blogs were not designed to destroy your blog but rather to take control of it without you knowing about it, and to inject links into your theme files or blog content pointing to sites they are trying to push, most often not family-friendly sites.

When a Comment Spammer leaves a comment on your blog with a link to a similar site – to me it is simply a primitive form of hack attack and I treat it as such! I have described my own fights against comment spam multiple times on this blog, but now I use the following plugins for protection:

  1. Akismet – due to its superb support, I can rely on it
  2. AntiSpam Bee – this one works together with or instead of Akismet and is one of the best I have tried for functionality + compatibility

2. Brute Force Password Hack Attack

By default WordPress allows you to try to log in as many times as you like until you are able to remember the correct password. Excellent for functionality – not so much for security!

Since most people use “admin” for the administrative account, an attacker can run a script against your blog login to try guessing the administrative password until he succeeds.

Yes, you can prevent this attack to some extent by renaming the administrative account, or by creating a new account with administrator privileges and deleting the default one – but what if you have a lot of posts now under that account?

  • The Limit Login Attempts plugin is a solution I have tested for myself and can highly recommend. I know there are others similar in functionality, but this one worked for me and hence the recommendation. The idea is very simple – try to log in too many times and your IP will be blocked. The default settings it comes with will work just fine for most!
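To show the same pattern from the defender’s side, here is an added Python example (not the Limit Login Attempts plugin’s code) that scans Apache access-log lines for repeated failed POSTs to wp-login.php from one IP inside a sliding window. The log lines are constructed, and the threshold of 5 attempts and the 10-minute window are assumptions, not the plugin’s settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache "combined" access-log lines (not from a real server); 203.0.113.7 hammers
# wp-login.php, 198.51.100.2 is a legitimate user with one failure and then a successful login.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2009:02:11:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2009:02:11:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Oct/2009:02:11:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2009:02:11:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2009:02:11:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Oct/2009:02:11:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2009:02:11:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3411 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Oct/2009:02:11:09 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
THRESHOLD = 5             # assumed: failed attempts tolerated before an IP is flagged
WINDOW_SECONDS = 10 * 60  # assumed: sliding window in which those attempts are counted

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def is_failed_login(method, path, status):
    """wp-login.php re-renders the form with HTTP 200 on a bad password; success redirects (302)."""
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200

def find_brute_force(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: (failed_attempts_in_window, time_flagged)} for every IP crossing the threshold."""
    recent = defaultdict(deque)  # ip -> timestamps of failed logins still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, method, path, status = parsed
        if not is_failed_login(method, path, status):
            continue
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (len(q), when)
    return flagged
```

Fed your hosting account’s access log (`find_brute_force(open("access.log"))`), it tells you which IPs the plugin would have locked out and when, which is also a useful sanity check that the plugin is actually doing its job.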

3. File System Protection

This one is designed to help you protect yourself against an attack through your hosting account. Basically, an attacker can hack someone’s account on the shared hosting server where your site is and then slowly take control of the sites hosted there – including yours!

I fell victim to this type of attack, although my host never admitted it!

Since then I have used and highly recommend the WordPress File Monitor plugin. Its functionality is simple and yet very effective – it monitors the files on your hosting account and notifies you when files are changed. Notifications are delivered to your Blog Admin dashboard and to the email address you give.

Not only can you learn nearly in real time when your files are compromised, but also which files will need to be restored to fix the problem!

Huge Time Saver!
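The same check can be done by hand with a hash baseline, which also shows what the plugin is doing for you. The Python below is an added example, not the WordPress File Monitor plugin’s code; its demo() builds a constructed throw-away blog tree and then changes it the way the post describes, so the report of appended, dropped and removed files can be seen end to end.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large uploads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, skip_dirs=("cache",)):
    """Map every file under root (relative, '/'-separated) to its hash.
    skip_dirs is an assumed list of directories too noisy to baseline."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return result

def compare(baseline, current):
    """Sorted lists of paths added, removed or modified since the baseline was taken.
    Store the baseline outside the web root so whoever can write there cannot rewrite it too."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny blog tree, then change it the way the post describes
    (markup appended to the theme footer, an unknown file appearing, a known file disappearing)."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "default")
    os.makedirs(theme)
    footer, config = os.path.join(theme, "footer.php"), os.path.join(root, "wp-config.php")
    for path, body in ((footer, "<?php wp_footer(); ?>\n"), (config, "<?php // constructed\n")):
        with open(path, "w") as f:
            f.write(body)
    baseline = snapshot(root)
    with open(footer, "a") as f:
        f.write("<!-- constructed: unexpected appended markup -->\n")
    with open(os.path.join(root, "wp-content", "unknown.php"), "w") as f:
        f.write("<?php // constructed\n")
    os.remove(config)
    return compare(baseline, snapshot(root))
```

Taking a snapshot right after a clean install or upgrade and re-running compare() from cron gives you the same “which files do I restore” list the plugin emails you.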

I know there are many more plugins to protect you even further, and I describe many of them in my post 5 Steps To Practical WordPress Security, but here I want to help you create a solid Defense Perimeter against attacks while still retaining simple functionality!

Post-Mortem Security – Third “P” or Stage 3

This is one you hopefully will never have to deal with. But I do believe in being ready and I do my best to teach my customers to do the same!

This step, or rather its execution, can mean the difference between your blog being restored in a matter of hours or in days, if ever, as otherwise it will depend on your hosting support and how well they do backups for you! You will discover that many hosts don’t!

There are really only 3 things in this stage:

  1. Have a backup handy! Assuming that you have followed my advice in Stage 1, it is not a problem and you are all set!
  2. KNOW how to use it! Knowledge is power, and knowing how to restore your blog, not theoretically but by actually doing it, can pay dividends when the time comes! If you are afraid to do it on a production blog, which is fully understandable, I recommend you install a test blog into a sub-folder and go through the entire process! You can thank me later!
  3. Secure Your Hosting! Even if your blog was compromised via SQL injection you would want to change your cPanel password, and I actually recommend creating a new DB user with a new password, assigning it to your blog database and then changing wp-config.php accordingly. Simply delete the old DB user after that to make sure that your database access is restored to a secure level.

Conclusion And Additional Reading

I don’t believe absolute security of your blog can be accomplished, or that it even exists, and anyone promising you that is simply misleading you! But I also believe that we should take at least some basic precautions to protect our blogs to avoid being exploited by “script kiddies” who got their hands on the latest “hack script”.

The level of protection you choose is really up to you, and the plugins I have listed in this post are only designed to give you a solid level of protection through a staged approach without impacting your blog’s functionality. There are some superb Security Guides available for WordPress and if you are willing to extend your horizons – dig in!

Need Additional, Visual Guidance?

Get FREE DVD – Lock Your Blog! FREE Access to The Ultimate Step-By-Step Video Guide To WordPress Security!

Filed under WordPress

117 Responses to “Triple “P” Of Total WordPress Security”

  1. Andy says:

    Thanks for a good post. Thankfully I’m already using some of the measures you’ve highlighted but some I’m afraid to say not. I’ll definitely be implementing those as soon as possible

  2. Jayesh says:

    Nice Post.

    I do use a blog but did not know much about all these things.

  3. Great post, Alex – when someone is using their blog as part of an online business, it’s easy to get busy and think ‘I’ll update it later’ – problem is, all too often later is too late! With more and more blog hacks happening every day, this advice is priceless to anyone dependent on the internet for their living!
    .-= Doug Champigny´s last blog ..Learning From Your Mistakes May Be Your Biggest Mistake =-.

    • TheSpotter says:

      Exactly Doug!

      Case to the point – I have searched last night Google for “clickbank membership script” and top 3 sites listed in results for me were blogs that were clearly marked as “This site can damage your computer” by Google. And from the looks of it – those guys were actually trying to sell the “CB Membership” script. All I can say – good luck to them!

  4. Vince says:

    One of the main reasons why I love your blog so much is because of its high value advices.:) Really really really great!!! Thank you very much Alex!
    .-= Vince´s last blog ..Sermon Illustrations About Influencing Others =-.

  5. Thanks for this information, Alex. I see information all day every day talking about blogs – that you need them, how to set them up, how to get content, etc. – but few, if any, even mention the security issue. And most of these folks are suggesting a Fantastico installation, which is even scarier. As you say, a few minutes of work can save hours of frustration.
    .-= Jacque LaMantia´s last blog ..Getting Backlinks Can Be Fun! =-.

  6. WSD says:

    Great post. I found that modifying your .htaccess file for the wp-admin also helps. Limit access to your home or work IP address.
    In addition, cookies for comments plugin also helps with preventing automated bots for spam.
    .-= WSD´s last blog ..Internet Services for Website Owners =-.

  7. Jim Clary says:

    Thanks for some AWESOME advice on securing your blog. I have already implemented many of these plugins.

    Jim Clary
    .-= Jim Clary´s last blog ..Article Marketing and Search Engine Optimization =-.

  8. Armen says:

    Dude, this is an excellent post. Glad I stumbled across.
    .-= Armen´s last blog ..Chrome Frame: All IE6 Problems Solved Forever? =-.

  9. Alex, I’ve got to say that I’m one of those that put off upgrading to new versions of WordPress. You’ve pointed out in great detail why I must start taking blog security seriously. I’ll start by backing up on a regular basis and also follow the other steps you talk about. Thanks.
    .-= Luca Di Nicola´s last blog ..How to Choose the Best List Provider – Autoresponder Service =-.

    • TheSpotter says:

      Thanks Luca, hope it helps you 🙂 In my experience it is not “if you get hacked” it is more of “when you get hacked”, especially when your blog becomes popular.

  10. Thanks for your submission to the Sixty Sixth edition of the Blog Carnival: Blogging. Your post has been accepted and it’s live:

  11. Dawn says:

    You are right. I always try to protect my site. Thanks for post.
    .-= Dawn´s last blog ..Spacecraft see ‘damp’ Moon soils – BBC News =-.


  1. RT @TheSpotter: Triple "P" Of Total WordPress Security: WordPress security an overlooked aspects of Blogging, be it…

  2. Eric Bonnici says:

    RT @TheSpotter: RT @caravan RT @TheSpotter Triple "P" Of WordPress Security

  3. […] Sysoef presents Triple “P” Of Total WordPress Security posted at WordPress Howto Spotter. saying, WordPress security is one of the most overlooked aspects […]

  4. RT @TheSpotter Triple "P" Of WordPress Security