Preventing Damage from Hacking, Spam, and Malware on WordPress

December 28, 2015

Categorized: WordPress

I started this as a comment reply to someone operating an e-commerce site, who indicated they were quite frightened of something happening to their site. This was in response to an overall topic where someone posted for help with a compromised WordPress site.

Back Ups

Take back-ups, take them often. The best way to do this is through automation. Setting a backup to run is a lot more secure than relying on your very human memory and time constraints.

Test back-ups before you have to use them. This is important because if something does happen to your site and you can’t fix it except with restoration, you want to be able to restore it quickly and without a problem. A broken back-up is a huge problem.

I’ve had success on WordPress with Updraft Plus. I also developed a backup workflow myself. However, this workflow only worked for me on a GoDaddy dedicated server, and my JustHost account (I haven’t set it up yet on my newer Linode host yet, bad me — but it would work there, too).

The problem is putting that kind of script on a shared host. Some shared hosts will consider your storage of large backup files as abusing the account for file storage. So many shared hosts disable this sort of script, or will remove it when they know you’re doing it. No need getting your hosting account shut down!



Try not to use the username “admin” or the user ID “1” on WordPress. A unique admin login and ID is harder to crack; this thwarts many brute force attacks which simply try to attack that username/ID. It’s not a guarantee against brute force admin attacks: there are ways to scan a site and discover the admin username, after all. But it definitely helps!

iThemes Security can change these for you if you’re already using admin/UID 1 — but you will need to back up your database before making these changes.


Make sure all passwords are strong.

Your administrator account passwords should be as strong as possible. Use a password manager such as KeePass to ensure your passwords are safe(r). Don’t write passwords down on a post-it note and don’t keep them saved in an unlocked file or sticky note on your desktop.

However, you should not stop at the admin level. In WordPress, even Contributor and Author levels have had vulnerabilities before — even if those users are relatively locked down in WordPress, they could still cause some damage. Although in some cases you may have to compromise security for usability (e.g., in the case of an e-commerce site, forcing strong passwords may annoy the user and result in a loss of return sales) where possible you should enforce strong passwords.

Updates and New Code

Existing Plugins and WordPress Core

Make sure everything is up-to-date. On something like WordPress the biggest cause for hacking/malicious stuff is out-of-date plugins and code.

WordFence Security

If you’re on WordPress, install WordFence Security. It will alert you to any malicious stuff on your site, you can scan your site for stuff manually, you can set lockouts for users, and more.

Adding Plugins, Themes, Etc.

Make sure you are using items from trusted sources. Downloading JoeBob’s Awesome Theme for Awesome People could lead to JoeBob gaining access to your website, where he’ll be free to silently add links or redirects to his site.

Spam Prevention

Use something to prevent spam comments/links/etc. Akismet is a good choice, and Antispam Bee has also worked for me in the past.

Spam usually doesn’t cause actual harm or damage to your site… but it can, of course. Even if spam usually doesn’t directly damage you, spammy comments can hurt your SEO efforts. It also decreases the usefulness of your website in the eyes of your visitors: nobody wants to slog through a bunch of spammy links to get to the good stuff.


Make sure you’re using a reliable host with up-to-date software. Some hosts may be using outdated server-side softwares such as MySQL/phpMyAdmin/etc. Lack of updates on these technologies is just like WordPress — outdated code can result in security issues, regardless of where it is. Unfortunately, the security issues server-side you generally cannot address yourself. It’s the host’s responsibility to update these technologies (unless you’re on a VPS or self-managed dedicated server).

Further Resources

This is hardly a comprehensive guide — it’s actually the barest minimum you can do. There’s quite a bit more you can do in terms of security. For more suggestions, read over the resources — both articles are very long and very comprehensive.