Help! My WordPress Has Been Hacked!


The last thing you want to see when you go to your website is that it’s been hacked.

So how do you prevent someone from hacking your site?

There are some common sense things to do – first and foremost is to ensure that your password is something more difficult to guess than, say, your name or a simple word.  Use COMPLEX passwords that combine letters, numbers and, if possible, special characters.

Over at you can generate up to 5 passwords at a time, varying in size from 4 characters to 20 characters and you can choose from letters/numbers/upper case characters and special characters.  You can even specify which characters not to use.

A strong password is one that is at least 12 characters long and includes a random combination of letters, numbers, and symbols.

Warning! Keep your passwords long.  Yes, they are hard to remember — but what is convenience worth over security?


Something else you should be doing is to create blank INDEX files on your server in various directories, so that a directory without its own index page cannot be listed by visitors.  I do this all the time.  My IMAGES directory has a blank INDEX file.  You could actually create the index file to point the user back to your main site (aka redirect).

Go ahead, try and look at my IMAGES directory and see what happens… actually I don’t do anything nasty, it’s just a blank page.

HTACCESS FILE Modifications

Another technique is to make use of your HTACCESS file.

Here are some resources for you to work with the HTACCESS file:

Another technique, well it’s really not a technique but a suggestion – STAY UP TO DATE WITH SOFTWARE!  Patches are released for good reason, otherwise Microsoft wouldn’t be issuing dozens of security patches!!  ;-)   Ensure your WordPress installation is running the latest version all the time.

You can also secure your WP-ADMIN directory by limiting the IP addresses that can access the directory.  This might be OK, but it does limit you to a few IP addresses.  Ideally this list of permitted addresses should be short.

If you want to take this route, it’s pretty easy.  Create a .HTACCESS in your WP-ADMIN folder and add this into it:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WP-ADMIN Access Control"
AuthType Basic
order deny,allow
deny from all
# xx.xx.xx.xx and yy.yy.yy.yy are placeholders; add one "allow from" line per address
allow from xx.xx.xx.xx
allow from yy.yy.yy.yy

The "allow from" lines are where you put the IP addresses that you want to permit access from.  Use the website to find out what your IP address is.
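As an added example (not from the original post), here is the same allow-list written in the Require syntax of Apache 2.4, where "order/deny/allow" only keeps working if mod_access_compat is loaded.  The addresses are placeholders, and the wp-login.php and admin-ajax.php sections go beyond the post's snippet: wp-login.php lives outside WP-ADMIN, so it needs its own rule, and front-end WordPress features call admin-ajax.php inside WP-ADMIN, so that one file has to stay reachable.

```apache
# --- .htaccess inside wp-admin/ (Apache 2.4) ---
# Placeholder addresses: replace with your own workstation and/or office network.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# admin-ajax.php is used by logged-out visitors too (themes, plugins, forms),
# so grant it to everyone while the rest of wp-admin/ stays IP-restricted.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- .htaccess in the site root ---
# The login form itself is wp-login.php at the top level, not in wp-admin/,
# so restrict it with the same allow-list.
<Files "wp-login.php">
    <RequireAny>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
</Files>
```

Test from an address that is not on the list and confirm you get a 403 for /wp-admin/ and /wp-login.php but still a normal response from /wp-admin/admin-ajax.php.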

Do I use any of these?  Sure, I make extensive use of the blank INDEX files and some modifications to my HTACCESS files.  I also ensure ALL my passwords are hard to guess.

If you’ve got other suggestions on how to protect your website or WordPress install, I’d love to hear them!


About Rob 'n Mo

I'm a man of mystery. I like anonymity, but on the WWW there is not much of it...
