Is Your WordPress Blog Safe? Here Is How To Bullet Proof It

How to protect your blog from hackers and other evil Yes, this post is about how to protect your blog from hackers and other evil out there.

It might sound technical and a boring read but, I promise to give you a light read and real advice that you, the non-programmer individual, can actually follow and implement.

Why did I choose this topic you ask, if I think it’s tedious… well, I had SocialMouths hacked a while back and more recently had a couple of friends go through similar experiences. It’s no fun. In my case, my site went completely blank, the database was disconnected and a few other nasty things that made it very hard to fix.

The funny thing is that it wasn’t even my fault, it was that famous Network Solutions hack attack a few months ago. Even tough NetSol got the site back up fairly quickly, the site kept crashing. The worst part was not fixing the issues, they finally did, the worst part was that my site was labeled as vulnerable. The site was now considered target of more attacks and it could cause harm to others as well.

When this happens they put a warning on the site, when somebody follows a link to your site or actually type the URL, they first get a nice and very discrete (I’m being sarcastic by the way… just in case) red screen to advice your visitor they’re entering hell.

Attacked Page Warning

I know what you’re thinking, nothing like a full-screen red warning with a button that reads “Get me out of here!” to welcome your visitors and start building some trust in your market. Removing this page took about a week by the way. Good times.

But there are things you can do to avoid having your blog hacked, abducted by aliens or just in case of any other issues. To your surprise, these things are doable by anybody that is familiar with how WordPress and plugins work on the surface. Don’t think I’m about to drop a ton of technical jargon here. Let’s go through this list of things you can do to protect your blog:

Strong Password

A no brainer, right? Well, I’ve seen passwords out there my 8 year-old could crack in a few minutes. I’m talking really strong, even if it’s something you will not be able to remember for a while.

Change your password to something that looks like this: Hy%&?83aNP$#g(


Best way to be safe is by preventing. If something happens to your blog and you don’t have any backups, that could pretty much be the end of it and you’ll end up relying on your hosting service, which is most likely not to be running any backups for you. I had a client that was *lucky* enough to have the hosting company recover his for a fee of $120. I don’t wanna say the name of the company but it starts with a “G” and ends with a “Y”.

First thing you need to know is that there are 2 different types of files you need to back up when we’re talking about WordPress:

  • Blog Files: These are the files that contain all the WordPress code, plugins, themes, etc.
  • Database: Is all your content, in other words, posts and pages are stored in a database every time you publish something

Both important as you can see and both very different, in terms of backing them up I mean. Let’s look at how we can conduct easy backups for both types of files:

Blog Files

Doing a backup for your blog files is like moving documents from one directory to another.

There is only one tool you need to do this manually, an FTP Client. I use Transmit from Panic which is about $35 but there are plenty of free ones out there for both Mac and PC. If you have a blog, you should have a FTP Client in place in order to connect to your server.

Then it’s just a matter of grabbing the files you need and copy them into your hard drive, external drive or even better, send a copy to the cloud. One little trick I like to do to store these files outside my computer is to save a copy on a Dropbox account and as you can see in the following image, I grab the files from my server right into the Dropbox folder on my computer. Now I can access those files from my laptop, my desktop, my iPhone or online.

Backup your blog files via ftp connection

This obviously can be done with any other web service that allows you to store files like Google Docs, which I also use.

If you want to “burn a DVD” you can do that too, just don’t tell anybody… save the embarrassment.


One of the things you need to consider is how much these files change to determine how often you should back them up. Maybe once a week or once a month. Now you’ll see why backing up your database more often will be smart.

Monitoring Your Files

Since you are not backing up these files on a daily basis, it could be a good idea to at least have an eye open in case anything weird happens. Have you seen how banks sometimes give you alerts for any unusual behavior in your account? or directly freeze your account until you call in? That’s what the plugin WordPress File Monitor does.

This plugin performs scheduled scans of all your blog files to see if it detects any changes, if it does it alerts you via email. It’s also very easy to configure, look at the following image:

Wordpress file monitor

You can also run a manual scan at any time.

Blog Database

Now the database is more critical for a couple of reasons:

  • You probably don’t know anything about how to manage or troubleshoot a mySQL database… don’t worry, me neither. And hope I never will.
  • The content of your blog is most likely to change more frequently than theme files, right? Unless you post new content every 3 months…

Automatic Backups with Plugins

Fortunately in this case you can easily set up a system that runs these backups on a regular basis without you having to do anything. There are a few Wordpress Plugins that can perform a remote backup of your entire database.

The one I’ve been using for a while is called Remote Database Backup, it’s very easy to configure and it gives you very few options to worry about. You can manually run a backup at any moment and drop it in your hard drive or  you can schedule hourly, daily or weekly backups to be delivered via email as you can see in the following image.

Scheduling blog database backups

Set it up and forget about it! Even better, if you have an additional email account to manage your subscriptions and other services, have your backups go to that address, you don’t need to be looking at this stuff every day.

Your email looks a little like this:

Wordpress backup delivered via email

Automatic Backups to Dropbox

Shiny! This is a fairly new plugin that you can also install via your WordPress admin panel and will run scheduled backups. The difference here is that this puppy sends your backups directly to your Dropbox account. This is my recomendation because you not only can forget about it but your data is now on the cloud in a private account.

In this case you have to connect WordPress with your Dropbox account as part of the configuration, which is only 2 clicks (not that I always count clicks… sometimes I don’t).

Step 1: Install the Plugin WordPress Backup to Dropbox and activate

Step 2: Click “Authorize” to be redirected to your Dropbox account

Connect WordPress and Dropbox to run blog backups

Step 3: Allow. That’s it

Connect WordPress and Dropbox to run blog backups

After that is a matter of configuring the location and the frequency to store your backups.

Configure WordPress to Dropbox backups

It’s a walk in the park.

But there is one more thing…


VaultPress is a full solution for your website backups and activity monitoring. It is from Automattic, the creator of WordPress and other very popular toys.

VaultPress from Automattic

Now, if you’re thinking that this doesn’t look like a free service, you are absolutely right. The Basic service starts at $15/month per site while other more robust packages can go all the way to $350/month on large scale installations.

Do you need something like this? It really depends, I always say that just because the Internet is full of free shit it doesn’t mean is the right solution. We entrepreneurs sometimes make the mistake to go with free stuff because of our “guerilla spirit” but, what if I told you that you need to invest $40/month to protect your online business that generates a good chunk of your income? or what if your blog is the hottest piece of marketing your business owns out there?

VaultPress might just be something to consider. Nothing to do here, get it and sleep like a baby every night.

Final Thought

So the point for this post was to provide you with some solutions at different levels, something in plain English that you can do yourself to protect your site. Don’t think it’s not gonna happen to you because your blog is not super popular, it happened to SocialMouths and it happened to a few people I know with smaller sites.

WordPress is the biggest self-publishing platform in the planet. It is also open source software. This is why it’s also very popular with hackers.

Get your protection in place.

  • Maria Reyes-McDavis

    This is such an important post for bloggers!  So many times I see bloggers suffer because they did not take the time to protect their stuff 🙂  Great tips Francisco!

  • Robert Dempsey

    Awesome post Francisco. Backups are so important, and always the #1 thing never in place.

    Another plugin to help with security is Login Lockdown. This free plugin can help prevent people from continually trying to hack into your WordPress admin dashboard. Out of the box it will stop allowing logins from a person after 3 failed attempts.

    That, along with the backups you mentioned as well as the use of an insanely complex password works wonders.

  • Jane Sheeba

    Wonderful. I am reading a lot about being hacked and how to be really w to be safe. You have really given some solid advice here. I especially like the part about backing up directly to Dropbox, and there’s a plugin. So sweet!

  • DJ. Perez

    Great info as always Francisco! I had one of my old sites hacked a few months ago as well and it wasn’t easy to clean my code and site. Once I got fix, I made sure to get in to the habit of backing all of my files at least once per month.

    Thanks for sharing this with us.

  • Kristi Hines

    I had been interested in using Vaultpress, but their pricing per site would be very expensive for me in the end as I have at least 7 sites I’d want backed up regularly so I’ll probably stick with a WordPress plugin for that.  Great suggestions!

  • Hesham Zebida


    I had a very strange hack attempts recently, they could login to my ftp account and then run their scripts on my server! This simply cause many 500 errors and slow down WordPress load, and it mostly end up with server crash!

    The solution was to change password to a hard to break one, and restore all files on server, then start using SFTP as a secured login protocol instead of FTP to upload files, and some times it requires IP panning to avoid attacks or asking your hosting company to block all IPs except yours from logging in to the server!

    I was really having a mess all around! And man, I run a website with many WordPress setups for demonstration and testing purposes, and I was having hard time when I had to resolve this issue without having a full backup from all files on my server!

    I mean imagine life without backups! I am sure you know what I mean! 

    I do fine following your steps is really important for those who are serious about running their businesses more safely!

    Thanks Fransisco for the great post! 

  • Ryan Critchett

    Solid stuff man. 

  • Kmedias

    This is very interesting, thanks.

  • CRM SocialMedia

     Great post! This is really detailed information. I’ve been looking into a hassle free way to back up my WordPress database! Thank you!

  • Lorna Li Social SEO

    Thank you so much for this awesome info Francisco – I’ve been agonizing over WP database backup for some time. The Time Machine plugin will back up my smaller sites but times out on my main site, WP Backup To Dropbox apparently won’t work because my site is “too large”, which at about 300 pages IMO isn’t that large at all.  Vaultpress is pretty expensive as I have several sites, but unless I can get 1 plugin to work for me, just 1, I may consider this as a solution.

  • Lorna Li Social SEO

    I have not been able to get a single WP database Plugin to work for me. According to my WP developer, backup plugins work well when he site is less than 25-50MB and the files around 100-200MB.

    WP Time machine croaks on my site, which, at about 300 pages smaller than yours, and my WP developer suspects WP Backup to DropBox will probably croak as well, since my site is around 50 MB.

  • Tom Handy

    I have a dropbox account and will try this.

  • Anonymous

    Never use admin as your administrator login name. Idiots will use software to guess the password and then deface your blog. 

  • Extreme John

    Thank you so much for such an excellent post Francisco! It really pays to protect your blog from hackers all over the world. If big businesses have big enemies, local businesses have local enemies too so whether big or small, protection should still be a top priority. You got a very helpful list of ways here to protect any WP blog.

  • Tony Ahn

    I’m really surprised you didn’t mention the Bulletproof plugin which stops SQL injections and .htaccess mods…

  • Tony Ahn

    I’d also recommend Bulletproof Security, a plugin that protects your WordPress site from XSS, CSRF, Base64_encode and SQL Injection hacking attempts. Among other things it secures your .htaccess file. Easy installation, easy to use. I use it on all my sites. (I am not affiliated with the plugin developer, even though this reads like a commercial. I just really like the plugin.)

  • Gabriella – The Stepford Wife

    Backups are one of the most important things ever! Not even for possible hack attacks, but when you’re tweaking something… one little mistake can do a lot of damage and if you do not have backups…. the thought is just depressing!

  • Dian Reid

    Thanks for the reminder, Francisco. I back up my hard drive regularly since losing my data a couple years back, but I’m far less consistent about my WP back-ups. It’s so easy to think, “Nah, won’t happen to me…” As of this morning, my blog is officially bullet-proof again. Cheers!

  • WebVisible

    WordPress security and backups: step-by-step guide on how to protect your WordPress blog and schedule automatic backups.

  • AllieRambles


    Thank you so much for the information.  I can tell you are really concerned about getting this info out to other bloggers so the same bad thing doesn’t happen to us.  It is too bad this happen to you but, honestly, I am thankful it did (sorry) because now I can learn from you.

    Great post.  I will definitely be following your advice.


  • eBridge advertising

     The site was now considered target of more attacks and it could cause harm to others as well.


    I am already follow those steps so now i have feel my wordpress is safe. i have doubt my ways are right? but now i am cleared. thanks for this post. –

  • Ethan Waldman

    Thanks for the article. I am happy to say that my site has never been hacked *knock on wood*, but I have been doing the daily emailed database backup, as well as a monthly manual WP-Content backup via ftp.  My question is: What do I DO with these files if something actually goes wrong? Maybe you could do a followup post?

  • iPhone Spare Parts

    Its a big businesses have big enemies, local businesses have local enemies too so whether big or small, protection should still be a top priority.

  • Anonymous

    Yes, my WordPress Blog is really safe,I try everything to protect it.

  • software development database

    From long time i was searching for Good security plugins and i found here best. I m trying to apply some plugins from this awesome list and hope i make my blog more secure. Thanks for publish this valuable list. It will help new bloggers for create secure environment for WordPress 🙂 Some new stuff about wordpress security i would like to try few…thanx for sharing your knowledge

  • wireless bluetooth headphones

    It might sound technical and a boring read but, I promise to give you a light read and real advice that you, the non-programmer individual, can actually follow and implement.

  • Brian Barnes

    Not many bloggers think of these things. It is good that this information was put out there! I had this happen to me and it was not fun, due to the fact that the host was a “backroom”, I’ll take your money and give you crap company. (Yeah I still a little steamed) So this hit home for me!

  • car error

    Really you given some solid advice here.This is very nice one and gives indepth information

  • Cash for Used Cell Phones

    Glad to know that NetSol got the site back up fairly quickly, the site kept crashing. .. Thanks for giving the following steps to  Install the Plugin WordPress Backup to Dropbox …It has very lots of information…

  • Shawn Dahl

    I really love all the great stuff you provide. Thanks again and keep it coming.. Great suggestions!

  • Tatianna

    Thank you for this article, I had to deal with this problem today ( not as bad as you, but enough to get me paranoid as hell ).  I got a bulletproop security plug inn, is that a good Idea?

  • Home Protect Home Warranty

    Very interesting article, congratulations for your job!Now i have feel my wordpress is safe. 

  • Home Protect Home Warranty

    Very interesting article, congratulations for your job!Now i have feel my wordpress is safe. 

  • Kripaluji Maharaj

    I would like to thank you a million times for making my blog bulletproof. I am very happy with the same regards and i am looking forward to educate others with the same technique!

  • Brampton Homes for Sale

    This website is refreshed daily with new
    WordPress Blog Great Wordpress security and backups: step-by-step guide thanks for sharing with us 

  • Swami Prakashanand Saraswati

    The idea of bullet-proofing our wordpress-blogs was just amazing, it helped a lot.

  • Personal training course

    I’m touched to be featured in your blog. Amazing.Well these Great post.  I will definitely be following your advice.

  • florists bakersfield

    When this happens they put a warning on the site,

  • Noellan

    It might sound technical and a boring read but, I promise to give you
    a light read and real advice that you, the non-programmer individual,
    can actually follow and implement.

  • police officer exam

    It’s no fun. In my case, my site went completely blank, the database was
    disconnected and a few other nasty things that made it very hard to

  • John Hoefer

    THanks for the post.
    My blog is going up July 1 and I am hosting with Synthesis and will be using Backup Buddy to a dropbox. Double backups, double the fun.

  • RapidSSL WildCard

    Excellent tips to secure wordpress blog, however we would like to ask an question that is this really necessary aspect that having backup on weekly bases if we running post a blog based on month? 

    According to blog that there is weekly based backup option checked, so would it possible to make it on monthly based. Looking for advise………..Thanks

  • Shawnee

    I’d want backed up regularly so I’ll probably stick with a WordPress plugin for that.  Great suggestions!

  • will-trust-probate

    This is why it’s also very popular with hackers.

  • Barry Overstreet

    Outstanding post! And I really like how you kept it light with your humor. This definitely could be a dry topic, but I actually found myself laughing several times (I’m sure you weren’t laughing when you were hacked….). At least you can make some light of it now.

    Blog security is extremely important, though. For most bloggers, their blog is their biggest revenue generator. To have all that content and hard work disappear because of a hacker could very well be devastating in a number of ways.

    I’ve got a couple of different backup and security plugins running. I hope that is enough to keep me rolling.

    Thanks again for the great information!