Protect your WordPress Blog from the Bad Guys

Posted 23 Jan 2008 in WordPress

WordPress is the world’s most popular content management system (CMS) for a reason – it is customizable by anyone with the skills and desire to tweak the program to their specifications.

However, this also opens the door for bad guys to do harm to your WordPress powered blog.

Perhaps the easiest way to protect your blog is to create an empty /wp-content/plugins/index.html file. Create a blank index.html file with any website creator software like Microsoft FrontPage, Nvu or KompoZer – or by hand – and upload it to the wp-content/plugins/ directory. The server now shows this blank page instead of a listing of the directory, so the bad guys can’t see your plugins list and try to attack your site via this directory!

Utilize your site’s cPanel (or Administration Panel) to restrict the IP addresses that can access your /wp-admin/ directory. Bad guys will try to gain access to your /wp-admin/ directory – which gives them access to all of your content! Use the help feature in your cPanel to restrict IP addresses – or call your host for assistance. Keep in mind that if you want to reach /wp-admin/ from a different computer with a different IP address, you will be unable to.

Update your WordPress when a new version is released. Do not hold on to old versions of WordPress! Upgrades and new versions include fixes to bugs and additional security features. Not only will you be able to access cool features such as built-in tagging support and numerous plugins, but you can sleep easier knowing the bad guys can’t exploit your version of WordPress, because it is the most current and up-to-date software!
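To check a downloaded copy of your site against the three tips above, here is a small audit script, added as an example and not part of the original post. It assumes an Apache host that stores the /wp-admin/ restriction in wp-admin/.htaccess; the function names, sample tree, version strings and the 203.0.113.10 address are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def as_tuple(version):
    """'2.3' -> (2, 3, 0); any suffix such as '-beta1' is ignored."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group().split(".")]
    return tuple(nums + [0] * (3 - len(nums)))

def ip_limited(htaccess_text):
    """True if the file carries an Apache IP allowlist (2.4 or 2.2 syntax)."""
    lines = [" ".join(l.lower().split()) for l in htaccess_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    new_style = any(re.match(r"require ip \S+", l) for l in lines)
    old_style = "deny from all" in lines and any(
        re.match(r"allow from (?!all\b)\S+", l) for l in lines)
    return new_style or old_style

def audit(root, latest):
    """Check a local copy of a WordPress tree against the three tips."""
    root = Path(root)
    plugins = root / "wp-content" / "plugins"
    # Tip 1: an index file is served instead of a directory listing.
    has_index = any((plugins / n).is_file() for n in ("index.html", "index.php"))
    # Tip 2: wp-admin/.htaccess limits access to listed addresses.
    ht = root / "wp-admin" / ".htaccess"
    limited = ht.is_file() and ip_limited(ht.read_text())
    # Tip 3: WordPress records its version in wp-includes/version.php.
    vfile = root / "wp-includes" / "version.php"
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", vfile.read_text()) if vfile.is_file() else None
    current = bool(m) and as_tuple(m.group(1)) >= as_tuple(latest)
    return {"plugins_index": has_index, "admin_ip_limited": limited, "up_to_date": current}

def build_sample(root, hardened):
    """Constructed sample tree; versions and the IP address are sample values."""
    root = Path(root)
    for d in ("wp-content/plugins", "wp-admin", "wp-includes"):
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "wp-includes/version.php").write_text(
        "<?php\n$wp_version = '%s';\n" % ("2.3.2" if hardened else "2.2"))
    if hardened:
        (root / "wp-content/plugins/index.html").write_text("")
        (root / "wp-admin/.htaccess").write_text(
            "Order deny,allow\nDeny from all\nAllow from 203.0.113.10\n")

if __name__ == "__main__":
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            build_sample(tmp, hardened)
            print(hardened, audit(tmp, latest="2.3.2"))
```

Point `audit()` at your own backup folder and pass the current release number as `latest`. The .htaccess check only looks for the directives, so confirm the restriction from a second connection as well.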

Does anyone have additional tips? Let’s hear it in the comments!

WordPress Wednesdays features posts about plugins, themes and general usage of WordPress, the world’s most popular content management system!



  1. Another good thing to do is to turn registration off if you’re not using it for any particular reason. The bad guys can’t get past the login to do damage through the admin panels if they can’t register. It also has the side benefit of killing registration spam.

    • That’s a great idea! I disabled registration because it seemed to be a waste of time – nobody was registering; but it has a dual purpose! :mrgreen: