Securing your WordPress blogs

As many of you may have already noticed, Feministe has been having some DDOS problems. Lauren and I have been working on them, and appear to have mostly wrested back control (we’ve just put the site into Maintenance Mode while we test a few things over the next few hours). Here’s a few suggestions for other people on self-hosted WordPress blogs (if you are on a free blog service you are fully protected and don’t need to know any of this):

Update WordPress Now!

The problem was caused by a hacker exploit that affects WordPress versions before v2.8.3 – so if your blog runs on an older version the very first thing you should do is immediately upgrade to the latest version of WordPress. In fact, do that before reading the rest of this post. Make sure you back up your blog content first, using the WordPress Export function. (If you have a huge blog there are some extra concerns, email me). Then change all passwords to a STRONG password – “all users, database, FTP, control panels, everything.”

Your blog might already be compromised

If you have already been hacked, upgrading won’t fix that, because it won’t overwrite some of the scripts that the hackers have placed using a backdoor exploit. Read more from Lorelle on what you need to do if you have been hacked. If you’re not particularly confident digging around in the files that you can only access through your domain management control panel (provided through your webhosting service), then you will probably need some help from people who’ve done this sort of thing before.
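One quick way to see whether an upgrade has actually left you clean is to compare your live install against a freshly downloaded copy of the same WordPress version: anything that still differs, or any PHP file sitting in your uploads folder, is something the upgrade did not overwrite. The script below is an added example, not part of the original post or of WordPress itself; it assumes you have shell access to the site files, that the clean copy and the live site are the same version, and it builds two small constructed directory trees so it can be run offline to see what the output looks like.

```shell
#!/bin/sh
# Added example (not from the original post): flag files in a WordPress
# install that a plain upgrade would not have replaced. Assumes "$1" is the
# live document root and "$2" a freshly extracted WordPress tarball of the
# same version (both are assumptions for this demo).
check_wp_integrity() {
    site="$1"
    clean="$2"
    # A clean install has no PHP files under wp-content/uploads at all.
    find "$site/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
        | sed "s|^$site/|php-in-uploads: |"
    # Compare core files only: wp-content (themes, plugins, uploads) and
    # wp-config.php are site-specific, so they are skipped here.
    diff -rq -x wp-content -x wp-config.php "$clean" "$site" \
        | sed 's|^|core-mismatch: |'
}

# --- constructed sample trees so the check runs offline (not real sites) ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLEAN="$WORK/clean"
SITE="$WORK/site"
for d in "$CLEAN" "$SITE"; do
    mkdir -p "$d/wp-admin" "$d/wp-includes" "$d/wp-content/uploads"
    printf '<?php // core file\n' > "$d/wp-includes/load.php"
    printf '<?php // admin\n' > "$d/wp-admin/index.php"
done
# Simulated leftovers on the "live" site: a script dropped into uploads,
# an altered core file, and an extra file the clean copy does not have.
printf '<?php // not part of WordPress\n' > "$SITE/wp-content/uploads/x.php"
printf '// appended\n' >> "$SITE/wp-includes/load.php"
printf '<?php\n' > "$SITE/wp-admin/extra.php"

check_wp_integrity "$SITE" "$CLEAN"
```

Run it against the real paths once you have pulled down a clean copy of your version; every line it prints is a file you need to look at by hand (or hand to someone who has done this before), since the upgrade alone will not have touched it.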


Make sure all your plugins are upgraded to the latest version. There is a possibility that some plugins you use and love will not be compatible with the latest version; if so, bite the bullet and go and find another up-to-date plugin that offers the same functions (and send an email to the authors of any incompatible plugins to see if they can update it).

There are plugins which will help block the most common hacker avenues and harden your blog’s security generally – I strongly recommend installing at least Secure WordPress, and consider also Login Lockdown, WP Security Scan and WordPress Firewall. There are plenty of other security plugins out there that other people recommend highly, but these are ones that I’ve personally installed on sites where they (a) haven’t broken the blog and (b) are proving useful. Here’s a post that offers 11 suggestions, but I don’t think all of these plugins are necessarily compatible with each other.

Unrelated to security issues

Revisions: the WordPress revisions feature in versions 2.6+ has its uses, but if you’re someone who takes a while to write a post and are saving drafts on multiple occasions, the number of revisions stored can seriously bloat your database.

Okay, I’m off to take a walk before I spend the rest of the day upgrading and securing client sites. I won’t be doing other blogging, but I will monitor this thread and will respond to any questions. Seeya!

Categories: technology


4 replies

  1. I was wondering where Feministe went. I was missing it. Bloody h4ck3r turds.

    • The Maintenance Mode has ended up staying in place longer than I was expecting. It was Lauren’s wedding anniversary today and not unreasonably she didn’t particularly want to tell her husband that she was dedicating the day to the blog instead of to them having a nice time celebrating. So we’ll get back onto it once she wakes up again!

  2. Just commenting to say “Thank you very much!” to Tigtog for her work fixing Feministe

    • *blush*
      A benefit I’m noticing from the security plugins that lock out suspicious IP ranges etc is that Feministe seems to be loading much more quickly now that the bot requests aren’t hogging lots of processing time. So securing your blog makes it more usable for your legitimate readers and commenting community!
