Important Tips to Prevent WordPress Attacks from Hackers and Scripts

Posted on May 30, 2013 by Dan Doicaru in WordPress Category

Protecting your WordPress Blog is very important and not so easy as you think. Every day your website suffers of more than hundred attacks that could harm your site. These attacks are often done most of the time by an automatic software, so in this article we will show you the most common dangerous attacks and how to protect your blog from hackers.

Get Rid of Unwanted Spam Comments

The most common problem for WordPress users is the massive spam with different comments on your articles. As it is impossible to not receive spam comment, you can install this plugin named "Captcha" which is very efficient and it will reduce the spam number significantly. Or you can just use reCAPTCHA Plugin for WordPress.


Also in Settings - Discussion Menu, be sure to have this option activated: "An administrator must always approve the comment".

Secure the Default Administrator Username

The most common problem is that more and more WordPress Blogs are compromised because of using the default username "admin" by administrators. The first general hacking attempt is to guess the password obviously for the username "admin", until the password is guessed.

Make sure that your password is not easy to guess such as "admin123", "123456", "facebook" or something similar. Always use long and unique passwords, but NOT with your name, your birthday or anything related to that!

Users reports that the automatic password generator is not so safe anymore. The best use of a password is a long and mixed one with lowercase, upperscase and characters. Here are some examples "iLoveExtremeDesignStudi0!" or "EXtremeDEsignSTudi01!".


You can easily change the username by creating a new Administrator User with your desired details. After you are done with it, log out from "admin" account and log into your new account, go to Users and delete the old admin user and simply attribute all your articles to your new account when you are asked before deleting.

Remember, admin user can be easily found if he exists just by trying in the login form or by accessing the author link (/author/admin).

Secure WordPress Login Form

If you prefer not to change your Administrator Username, you can secure your Login Form with Limit Login Attempts Plugin for WrodPress. If you have a visited blog and you want to test how your account is trying to be hacked, this plugin will help you see that. You can block the user IP for a certain time, after 3 login attempts.

WordPress Login Protection

Avoid Using Timthumb or Free Themes with Timthumb

Most of the free themes contains the popular script named Timthumb (timthumb.php) that will crop your images, especially thumbnails. Hackers can attack your blog very easy just by using your theme path to that file.

We recently had a lot of attacks from automatic bots, searching in random paths for the timthumb.php file. As it's very easy to find everyone's main theme path by checking the source code of the site and see where their CSS is pointing at. Most of the themes are using the CSS style file in the same root as the theme.

So the advice is to STOP using timthumb.php! Find an alternative or simply just crop your files with some apps like Photoshop.


In the end, you should care more about your WordPress Security if you have a public website. You can't see those attacks, but you can prevent them and also your blog will run more smoothly. We hope that this article will help you.

Rate & Share
1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Related Articles
Hint: Wrap your code syntax (html, css or others) between <pre> and </pre> tags. All comments are moderated.

5 + = 11

Subscribe by E-mail

HTML-TUTS is created and maintained by Dan Doicaru.
This website is a rebrand to Extreme Design Studio (, built under WordPress platform.