How To Secure Your WordPress Sites From Hackers


I recently had one of my servers hacked. These hackers were actually even more sinister than most as they installed several “Phishing Sites” on MY SERVER!

If you’re not familiar with phishing, it is a way scammers attempt to get people’s information such as usernames, passwords, and credit card details by pretending to be a bank or financial institution.

I’m not sure how long these phishing sites were hosted on my server, but it was for at least a few days before I received a notice from Google telling me that my sites had been removed from the Google search engine for hosting phishing pages.

Google also gave my examples of some of the phishing sites on my server and after having my server techs investigate…Secure Your WordPress Sites

It turns out that the hackers gained access to my server through WordPress.

This blog post is about how to secure your WordPress sites from hackers so hopefully you don’t have to go through what I’ve gone through over the last couple of days cleaning and securing my sites.

I’ve known (and practiced) the basics of WordPress Security for a long time.

Stuff such as:

  • Always keep your WordPress install updated to the latest version (each version fixes security flaws in previous versions).
  • Don’t use unofficial/untrusted themes and plugins.
  • Don’t share your login info (if you need to give someone access to your site create their own login info for them and remove it when they no longer need access to your site).

I thought I was being pretty good about keeping my WordPress sites secure from hackers

It turns out I missed a couple of things that allowed the hackers in to exploit my site.

Even though I always keep my ACTIVE WordPress sites up to date, that hackers gained access to my server through an outdated version of WordPress for a domain that wasn’t even active any more (I had even let the domain name expire).

It turns out that since the old/inactive domain was an add on domain on my server and the files/database was still live on the server (even though the domain wasn’t active) the hackers were still able to exploit that outdated version of WordPress and gain access to my server.

It was a lesson learned the hard way and a mistake that you’ll hopefully avoid!

Here are the things I did (in addition to the basics above) to better secure my WordPress sites and to minimize the chance of something like this happening again:

  1. Completely remove old WordPress sites from your server if they’re no longer active. Don’t just let the domain name expire, completely delete all of the WordPress files PLUS the database from your server.
  2. If the login info for any of your WordPress sites is still “admin”, change it to something else that the hackers can’t guess. For WordPress installs done in the past via automatic methods in cPanel like “Fantasticos”, the default login username used to be “admin”. It is no longer the default, but if you installed your site in the past your login name may still be “admin”. Of my 50+ WordPress installs, about 10 had “admin” as the username. If your login name is “admin” you should change it to something more secure. The problem is, you can’t change the username in WordPress after it’s set so what you have to do is a) Add a new user and set their role as “administrator” then, b) delete the user “admin” and assign all posts and comments to your new user. You will then login to your WordPress admin area using the NEW USER’S login info.
  3. Just to be extra cautious I also changed my password for cPanel and ALL of my WordPress sites. It’s a good idea to change your passwords on a regular basis.

Hopefully these tips on how to secure your WordPress sites form hackers will help prevent you from having your sites taken over by hackers like mine were!

Please leave a comment and let me know what you think!



  • Ray Borkowski

    Reply Reply January 20, 2012


    I really appreciate you taking the time to share really helpful advice on protecting our WordPress sites.

    Thank you,

    Raymond Bork

  • Brian McQuirk

    Reply Reply January 21, 2012

    I too was recently hacked in a WP blog. I don't know how they got in but it was a while before I found out and took quite a while to fix since they had gained access to 31 sites. I spent quite a long time searching for what they had done. They had altered the db in one case had altered all the htaccess files. They had also altered the settings, all the blog posts and more.
    With the help of my hosting techs I managed to get everything back to normal. Changed all passwords to MUCH stronger ones and installed Bullet Proof Security.
    However, without knowing how they got in I don't know if all doors are now closed or not. I am just continuing trying to fix weaknesses as I go along.
    Interesting point about expired add-ons though I will have to check this out.

    • Ryan

      Reply Reply January 20, 2012

      Yes, make sure to check out the expired Add On domains and remove them (and their databases) from your server. That is how they got into my sites and I wouldn’t be surprised if that is how they accessed yours as well. It’s something I would have never figured out, luckily I have some smart server techs that were able to determine that is where we were compromised.

    • Ryan Even

      Reply Reply January 21, 2012

      Yes, make sure to check out the expired Add On domains and remove them (and their databases) from your server. That is how they got into my sites and I wouldn’t be surprised if that is how they accessed yours as well. It’s something I would have never figured out, luckily I have some smart server techs that were able to determine that is where we were compromised.

  • Ed DeJoliet

    Reply Reply January 20, 2012

    Thanks for heads up. I have recently heard of a growing number of WordPress sites that have been hacked. It is a great platform but its uniformity apparently is also part of what makes it vulnerable.

    I really appreciate you for taking the time to share your experience.

  • Scott Inman

    Reply Reply January 20, 2012

    Hey Ryan,

    Sorry to hear about this issue. I know how it is. I’ve never personally been hacked but had hosted some client’s sites on a particular reseller account and all their sites were hacked.

    I agree, I always tell my customers who buy my plr blogs to change not only their usernames from “admin” but ideally use a 30+ character password (including symbols like ‘;@~ etc.)

    With a username like admin, it means hackers only need to figure out your password and even if you have a unique username/password, it still is “hackable” and using plugins like “secure wordpress” and “login lockdown” help. However, even that may not be enough. Ultimately, it may mean changing the database names from wp_ to something else but that makes it hard to just automatically update to the latest version of WP.

    Anyway, long, unusual usernames and long (very long) unusual passwords is a start.

    Glad to hear you got it sorted and hopefully that’ll be the last time you get hacked.



  • Thor Hammaraxx

    Reply Reply January 20, 2012

    Cheers Ryan, great article and a very good tip about deleting old sites from your server.
    I experienced sites being hacked a few years ago and narrowed it down to an expired and forgotten about add on domain too.
    Even though the domain name may be inactive and no longer pointing to the files, the server was still displaying a public address like http://www.server.com/~setup_name
    :Keep your website software up to date & Delete old website files:
    Thank you for sharing your experiences and helping others.

  • Free Advice

    Reply Reply January 20, 2012

    Thanks for the free advice about securing wordpress installations.

    In return for your kindness, I would like to share something in return:

    Google “Crawl protect” and install it.

    It is free, and shields you from many, as yet undiscovered security exploits even before the wordpress team knows about them.

    When you see the program’s stats telling you how many attempts were made to breach your security, you will be VERY glad you took my advice.

    Good luck.

  • Gaylynn Fox

    Reply Reply January 21, 2012

    I am so sorry this has happened to you, but I can understand you frustration I too have had my e-mail accts hacked into this past week and I tell you what they are pissing me off, it's like they have nothing better to do than disrupt our lives!

  • Dave Whitworth

    Reply Reply January 21, 2012

    Hi Ryan,
    Thanks for the tips. It is unfortunate that we don’t usually check our security until after the event.

    It is probably the won’t happen to me syndrome.

    Something slightly different happened to me recently.

    I had a tell a friend script and hackers were sending spam through it.

    Within a week of me installing the site around 75,000 spam emails were sent using that script and I only found out because emails that I tried to send were blocked because I had gone over my hourly limit.

    If they had kept the quantity down I would never have found out.

    I too have some old WordPress sites and I will be removing them asap.


  • Patricia Reszetylo

    Reply Reply January 21, 2012

    Never, ever use fantastico to install WordPress – it leaves a whole bunch of vulnerabilities for hackers to exploit! The manual install is so simple, you can do it nearly as fast as fantastico. Also, don't use some of the (basically) useless plugins in the default set up. Just delete the plugin out..

  • Rachel Speal

    Reply Reply January 21, 2012

    I have Website Defender. It's an excellent free plug-in that lets me know if ANYTHING untoward is going on at my site, and e-mails me with an alert to let me know. It's great.

  • Jason Rushton

    Reply Reply January 30, 2012

    I can speak from experience that this does happen, and way more often than you would think. It is always wise to change both username and password to something that is unique. Also using a mixture of letters, Numbers, and capitals makes for stronger passwords.

    O-M-T Online-Marketing-Tools

    • Soumitra

      Reply Reply March 4, 2012

      agree with you 100 %. In addition , I suggest :-

      1. Typing out the posts in word , save & then upload on site

      2. When we install wp initially , take a backup WITHOUT content.

  • irene

    Reply Reply January 31, 2012

    This really is good info as i have had major problems with someone in a similar niche coping my blog word for word it is hard to take..

  • Albert F A Matthews

    Reply Reply February 6, 2012

    I always install login lock plugin to secure my wordpress as it tells you when someone has tried to many times to get in and locks there ip out for 60mins and provides a number of security enhancing features, Good Post Ryan, Speak Soon WeedoGroup.

    • Soumitra

      Reply Reply March 4, 2012

      how does it help to protect from hackers ?

    • Steve

      Reply Reply March 4, 2012

      @Albert F A Matthews Where can we find that lock plugin ?

  • Soumitra

    Reply Reply March 4, 2012

    Thanks ryan , for a wonderful article.

    In fact after your article , I immediately implemented the step of changing the admin , as till the time i was thinking , i can’t change the default name.

    I have also rolled out some of additional tips + a video too.

    Some people like us , may get benefitted from that, hope so !

  • already shared on my pages, thanks.

Leave A Response

* Denotes Required Field