How to Stop WordPress Hackers From Hijacking Your Blog and Ruining Your Reputation

I was devastated… All of my order links and affiliate links had been changed and hundreds of dollars had already gone to some hacker’s PayPal account. And if that wasn’t bad enough, I got an email from Google saying they had temporarily frozen my account!

How could this happen? I created a password that I thought was impossible to hack.

So I started doing some research to find out how some criminal could hack my site and how to stop him.

I found terms like Phishing, Remote Administration Tools, Key Loggers, and Trojan Horses. But those referred to hackers getting into your PC. And this guy hacked my MySQL database.

So I went back to Google and found some information on “SQL Injection” which is a technique used to hack into your database by breaking your login form. But I had no clue how to stop it.

So I went to FreeLancer.com and posted my project. The initial bid was $180. But after he saw how bad it was, he changed the bid to $295 to fix my database and lock down my site. Considering how much I’d already lost, I decided it was worth it.

Two days later, Yousaf marked the job as complete. I said, “Hold on, I need to know exactly how the hacker got in and how I can prevent this from happening again.”

He said “They most likely hacked your wp-config.php file and got your root MySQL password”.

That’s when I figured out why Google had temporarily frozen my account. The hacker had also installed a script that changed all my links to point to malware (malicious software) sites.

It was a nightmare! Don’t let that happen to you. Lock down your site, secure WordPress, and keep everything up to date.

Here is the WordPress lock down procedure that I learned from Yousaf:

  1. Set permissions on wp-config.php and .htaccess to read only or CHMOD 0400.
  2. Turn off error reporting by adding the following code to your index.php file: error_reporting(0); (this will stop the SQL Injection technique)
  3. Change the wp_ prefix of your database table names to something a hacker can’t guess.
  4. Never use “admin” as your login username.
  5. Always use super-strong passwords to log in to your WordPress site.
  6. Remove the version information from the footer of WordPress.
  7. Disable the WordPress editor.
  8. Install a plugin to limit login attempts.
  9. Use a different password for every WordPress database.
  10. Keep WordPress and all plugins updated to the latest version.
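As an added example (not the post’s or Yousaf’s code), here is a POSIX shell script that audits a WordPress root directory against steps 1, 3 and 7 of the list and can apply those three steps. It assumes the standard layout (wp-config.php and .htaccess in the site root), the standard $table_prefix setting and the DISALLOW_FILE_EDIT constant, and builds a constructed sample site to try it on; steps 4, 5, 8, 9 and 10 concern accounts, passwords and updates rather than files, so it does not cover them.

```shell
#!/bin/sh
# Added example, not code from the post or from Yousaf. Audits a WordPress
# root against steps 1, 3 and 7 of the lock-down list and can apply them.
# Assumptions: wp-config.php and .htaccess in the site root, the standard
# $table_prefix setting, and DISALLOW_FILE_EDIT as the supported way to
# switch off the built-in theme/plugin editor.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Checks steps 1, 3 and 7. Prints one line per finding; returns 0 only if all pass.
audit_wp() {
  root=$1; rc=0; cfg="$root/wp-config.php"
  for f in wp-config.php .htaccess; do
    if [ ! -f "$root/$f" ]; then echo "FAIL: $f is missing"; rc=1; continue; fi
    mode=$(file_mode "$root/$f")
    [ "$mode" = "400" ] || { echo "FAIL: $f mode is $mode, want 400 (step 1)"; rc=1; }
  done
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
    echo "FAIL: table prefix is the default wp_ (step 3)"; rc=1
  fi
  if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
    echo "FAIL: DISALLOW_FILE_EDIT is not set to true (step 7)"; rc=1
  fi
  return $rc
}

# Applies steps 3, 7 and then 1 (chmod last so the edits still work).
# The new prefix 'k7q3_' is a constructed example value.
harden_wp() {
  root=$1; cfg="$root/wp-config.php"
  sed "s/^\([[:space:]]*\)\\\$table_prefix[[:space:]]*=.*/\1\$table_prefix = 'k7q3_';/" "$cfg" > "$cfg.tmp" \
    && mv "$cfg.tmp" "$cfg"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" || printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$cfg"
  chmod 0400 "$root/wp-config.php" "$root/.htaccess"
}

# Builds a constructed WordPress root with the insecure defaults, for trying the audit.
make_sample_site() {
  mkdir -p "$1"
  printf "<?php\n\$table_prefix = 'wp_';\ndefine('DB_NAME', 'blog');\n" > "$1/wp-config.php"
  printf "# constructed .htaccess\n" > "$1/.htaccess"
  chmod 0644 "$1/wp-config.php" "$1/.htaccess"
}
```

Source the file and run `audit_wp /path/to/site` (then `harden_wp /path/to/site` if it reports findings); on a real site, change the prefix in the database tables as well, since the script only edits wp-config.php.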

If this process seems complicated, I can create a short video series to show you how to complete these steps in 15 minutes or less.

But only if enough people leave a comment below…

10 comments on “How to Stop WordPress Hackers From Hijacking Your Blog and Ruining Your Reputation”

  • Orvel Sternberg

    Instead of “you had me at hello”, you lost me at “set permissions at wp-config.php”. PLEASE make an instructional/tutorial video on protecting our WP sites.

  • Karmen

    I have a new website. Lately, I have received emails indicating that someone is trying to access the site using “admin” as a user name. I have installed the Wordfence plugin and it’s been helpful identifying the IP address and the country of origin (France). The person had tried to access the website 20 times. Finally the plugin blocked the person from further attempts. Hopefully you will receive enough comments on this post. It will be helpful to see the video.

  • Sophie

    Hi Derrick,

    Thanks for sharing these 10 steps for securing a WP blog.
    Would be great to see your video…

  • jim garvin

    It is getting really bad out there in cyber space. It seems that anyone or any company can be hacked. Thanks for sharing this

  • Dale

    Thanks for the information!!!

    Here’s one more tip for you…

    I go to strongpasswordgenerator.com and generate a strong password and use that for the user name instead of admin…

    Cheers!

  • Clarence

    So sorry to hear about what happened. For non-techie folks like me, I hope you will produce a video.

    Thanks