Facebook Pixel
Join our Facebook Community

How to Keep Your Blog Hacker, Spammer, and Spyware-free

This guest post is by Sean Sullivan of F-Secure.

It’s a notion that strikes fear deep in the heart of every blogger. No, we’re not talking about getting dooced (fired for blogging). We’re talking about waking up in the morning, loading up your blog, and finding a screen that looks something like this:

The website has been blocked

The website has been blocked

Or perhaps it wasn’t as overt—you just discovered links injected into your site footer containing the anchor text of a certain famed pharmaceutical brand.

In any case, these kinds of scenarios aren’t good news for bloggers. Those fickle web users you work hard to attract can easily be put off by a hacked site and never return. Or, just as bad, being hacked (and not fixing it) risks the search engine equity you’ve built up over years of blogging, and which is time-consuming to restore.

If your site has been hacked or spammed, you’ve likely been through the tedious and time-intensive process of combing through MySQL databases, theme files, and directories on your server. If you’re lucky, you found the problem, removed it, and got things back up quickly (without having it replicate again, which we’ve seen). Or perhaps you had a backup copy and completed a restoration process.

But even then, this situation is not ideal. If you’re anything like us, you feel it’s unacceptable for your blog to be brought down, even for a moment—and especially by hackers.

The single most important tip? An ounce of prevention is worth a pound of cure.

In no area other than security is that adage more important. This is simply because hackers, both the automated and the manual kind, choose the path of least resistance.

To a large extent, many are playing the numbers game to try to build black-hat links or manipulate website content for the benefit of helping illegitimate companies rank higher in search engines. To accomplish this, hackers frequently send crawlers searching around the web, to seek out the most vulnerable sites.

So how can you stay safe?

1. Keep your blogging software up to date

As we know, most bloggers here use WordPress (and definitely most professional bloggers use a self-hosted installation). Keeping it up to date is critical. Since WordPress is so popular, unfortunately that means it’s frequent prey for hackers. By keeping up with the latest updates, you’ll ensure security, and get vulnerability fixes straight from the source, as the WordPress community actively seeks to maintain security of the software.

2. Choose secure logins and passwords

Brute force attacks can easily be prevented: choose a secure login and password. By “secure login” we mean change it from the typical “admin” to be more specific. For a “secure password,” use something that is at least ten characters long, and contains at least one upper-case letter and one symbol, such as an exclamation mark. This will make it virtually impossible for either a human or computer to guess your login details.

3. Beef up security with WordPress plugins

There’s a huge number of free WordPress plugins written by Good Samaritan developers looking to keep their blogging peers safe. A few must-haves include Secure WordPress, which removes some critical meta information that a hacker could use against you from your WordPress install, Limit Login Attempts, which makes a brute-force attack basically impossible, and WP Security Scan, which provides a report about your specific configuration of WordPress and suggests corrective actions.

4. Only blog from a system that is safe, secure, and spyware-free

Computer virus

Computer virus

For those who aren’t so tech savvy: your WordPress install (or any blog install) is software and runs on an operating system, similar to how your own computer runs.

One of the easiest ways for malicious code to find its way onto your blog is through an infected system. In reality, your blogging software is only ever as safe as the system you access it from. The best way to keep your system safe is with a comprehensive Internet security and anti-virus product. Alternatively, you can check with your ISP—many of them now offer Internet security to their subscribers.

5. Automated backups: set it and forget it

You can setup backups to be made easily via a simple plugin. Alternatively, for those who run popular sites and are very serious about the safety of their posts, Automattic (the makers of WordPress) recently started to offer a premium service called VaultPress, which provides the dead-simple backup of not just databases, but all files associated with WordPress. Frequent snapshots of your install are critical and, aside from providing peace of mind, will ensure even if you ever get hacked, you don’t lose your work.

6. Stop spammers in their tracks

You can use Akismet (which analyzes comments via hundreds of tests) to quickly and effortlessly deal with spam comments, or use Bad Behavior (which references bad IP addresses via Project HoneyPot) and block them from even reaching your site in the first place.

What to do in the worst-case scenario

Even with prevention, code compromise is always possible. It happens to even the savviest bloggers. If you ever do get hacked or find webspam on your site, and aren’t sure what to do, don’t panic and start deleting files. This can make the situation much worse.

Instead, take screengrabs of the issue, and send them to someone who specializes in WordPress (or whatever your blogging software is) along with the most recently known good backups. This issue is very common, so there are many who specialize in helping fix just this situation.

Of course, these are just basic tips for prevention that everyone should take. There are more advanced tips (for example, locking down the /wp-admin/ directory with an .htaccess file) but if you can start out by implementing the tips above, you’ll already be a notch safer than most.

Has your site been hacked? Tell us what happened—and how you rectified the problem—in the comments.

Sean Sullivan is security advisor for F-Secure, a provider of award-winning anti-virus and computer security software. You can find more great security tips like this on F-Secure’s Safe and Savvy blog and stay at the cutting edge of the latest online threats via the F-Secure labs blog.

About Guest Blogger
This post was written by a guest contributor. Please see their details in the post above.
  1. Coming from a smaller scale blogger, 200-400 views a day, I often ignore security because I feel like I’m too “little” to have any one want to harm my site. But as I’m begining to see more people affected by this, I’m looking to take more pre-cautions. Thank you for an excellent list of ways to help protect our blogs, I appreciate it and will definitely be implementing these suggestions.

    • My blog is so “little” that I welcome spam e-mail just to know someone cares!
      I just installed one of the suggested plug-ins, though.

  2. I use AVH first defence against spam with project honeypot API, its completely free and i got spams very very rarely. This make me concentrate on core blogging.

  3. I use Akismet to stop spammers and it works very well!

    There always will be hackers and I think the key is really to backup our work. Even with protection, shit happens! Backup kept in a safe placee (for me it’s hard-drive in a safety box) will assure you to still have a copy of what you’ve done!

  4. I use Chuck Norris as my blog security.

  5. Very important topic, Sean.

    Having seen the incredible amount of problems that can experienced, after a very elaborate Trojan hacked into my Home PC(A long while ago Pre= Blogging), I think it is very important for people to stay vigilante with their Blogs(Websites).

    I recovered from the attack on my PC, and learnt some incredible insights into how these nasty things operate, and what to do to reverse the damage.

    I had a number of security software’s installed that the Mal-ware bypassed, or negated.

    Webmaster tools does have a Mal-ware Detector activated.

    Though, I am not all that certain as to how robust it is.

  6. Thanks for all of the information. It’s a big concern in the blogging community and this post covers a lot of useful plug-ins and tips to protect yourself.

  7. I wrote a similar article on WordPress Security, WordPress is the blogging platofrm of choice, but ‘out of the box’ it does need some work


  8. I think a good piece of advice on this topic is to speak with your Web host if you’re ever after some more security advice. A hacked Web site is as much a pain for your Web host as it is for you, so they’re usually more than willing to advise you in order to prevent an attack.


  9. My site was hacked about two years ago and I felt totally violated. I discovered the hack because a photo of the devil had been posted to my home page with the words ‘We hacked you because we could.’ To say I was pissed off would be an underestimation.

    At that time I don’t think I did much in the way of security on my blog. I read as much as I could following the hack to educate myself. My Twitter followers were very supportive and offered me advice about installing security plugins.

    After looking at my blog, my web host said the safest thing would be to rebuild it from scratch. A friend advised me to grab as many cached pages of my site from Google (I managed to get them all). Then I literally copied and pasted every original post into a new post and changed the publish date. It took about a week to finish it all.

    Strangely I found the process quite cathartic.

    Now I have security up the ying yang but I realise nothing is totally hack-proof. The only comfort I have is knowing it isn’t the end of the world and that it can be fixed eventually.

  10. Hi Sean,

    Could you use Akismet and Bad Behaviour together? Akismet has been rather flaky recently at stopping them automatically.

    Cheers for sharing!

  11. It is really important to keep our websites safe and secure from malicious behavior. Has anyone else used the plugins that Sean suggests in his post?

  12. Backup, backup, backup. Change passwords frequently, and don’t use the same password for multiple accounts. Finally, if possible, have a bare minimum pc that you only use to blog and don’t have any other extras that could make you vulnerable to viruses/malware/etc.

  13. Good post Sean. I would especially reiterate a point you made at the beginning, namely that hackers (or at least the majority of them) will always go for the lowest hanging fruit. If a blogger implements even the most basic of security measures on their site then they will remove themselves from that bracket.

    No-one really worries about issues such as web site security or data backup until they are in the situation where they wish they had!

  14. Hey thanks for the great advice. Do you recommend any specific plugins for word press to prevent hacking?


  15. Well, since you asked for my solution, I’ll have to post a link to it, hopefully I won’t get spammed for that because I like problogger blog a lot :)

    Actually I even wrote an article post about the virus I removed and with what tool, the article is called Remove holasionweb.com Virus – Malware.

    Yep, this malware was pretty popular at the time I wrote the article, so if it’s still is, then definitely give this awesome Free tool a try, because it really did help me.

    • well, looks like problogger doesn’t allow links in comments, so just click on my name and then search for “Virus” inside my blog and you should be able to get my article called “Remove holasionweb.com Virus – Malware”

  16. I´m new to blogging, but I found out that your wp-content folder and wp-config.php file are the most important parts of a wordpress blog. Again this points to back up, back up, and back up.

  17. Jennifer says: 06/07/2011 at 3:14 pm

    Great post Sean!
    My site was hacked last winter and then rebuilt from scratch. The web designer knew her stuff and added extra security measures you mentioned in your post. However it hasn’t stopped spammers and daily hacker attacks from coming back frequently and attempting to do more damage.
    So please listen to Sean’s good advice here. It’s better to be safe than sorry…

  18. Thanks for this post. This is the reason I read problogger, I get information that no other blogs have. Information so detailed. I had a blog that was affected by some spammer who hacked into my WP blog due to a vulnerability with WP now fixed. I will have to make sure that i follow some security measures to keep my blog away from hackers.

  19. Thanks so much for these tips! I recently saw a friend’s website had been hacked – I do believe he had it all fixed, but the entire hassle of it all is so annoying.

  20. Sean,
    I’ll have to checkout some of the plugins you mentioned. You can never be too secure these days. If the government can get hacked then why couldn’t a blog get hacked as well.

  21. I was hacked twice last week. It was purely destructive, with nasty images replacing my blog. Basically, it was kids with baseball bats in a carpark, it felt as if someone had broken into my house.

    The first was easily resolved by my host but the hacker had created a login for themselves and I had to change it through phpMyAdmin. I wrote about it and put up some security suggestions, someone obviously took it as a challenge and hacked me again that night. That time my host reinstalled my backup.

    I had done everything on your list except the plugins, although I do have a firewall. They will be installed now! And my database is backed up daily, at least I know I have that.

  22. I find blog comment spam rather amusing thanks to Akismet which stores it all for me in a special folder within my WP admin but hackers are a pain. They can be quickly eliminated by checking your URL several times a day and contacting your web host instantly if a hack occurs: mine have been prompt and helpful in this event. Change your passwords once a month with ten digits including caps and $ signs such as 5Tf78$&gF74. Update your wordpress promptly and check your plugins are the latest version. Change your email passwords regularly too. You can beat the losers at their sad game!

  23. Sean,

    Great topic!

    Unfortunately I have had direct experience with this about 4 months back. Saying that it sucks is an understatement.

    Most people… Well, at least “I” didn’t think to much about security until after my site was well and hacked. It is not a fun situation.

    A little bit of prevention will go a long way to combating this. That is why I think your lessons are actually more important than many of the other (very good) tips about increasing blog traffic and such.


  24. In my four years of blogging I have been hacked 4 times. I have done almost all the above and still this has not prevented a hacker forcing himself into my blog. What I have learnt is these hackers are too smart to be stopped. If companies like GMAIL and Sony can be hacked into, small bloggers like us stand little chance to defend ourselves. The only solution is to always back up your content and learn to clean up the mess when you get hacked.

  25. WordPress security became an important topic for me after two of my blogs became so full of cyber junk, I had to delete everything, reinstall, and start over. I used the WP Security Scan plugin that you mention to scan my sites, and it found so much it would have taken longer to clean everything out that it did to start over.

    I also read an outstanding article about a month ago on why you should never download themes from sites found in a Google search. They used the WP Security Scan on all the themes that showed in the top 10, and EVERY theme had cyber junk in it!

    Two other things that I learned to quickly increase WordPres security:
    First, changing your salt key can greatly increase security. It’s easy to do from the wp-config.php file where you will see the address to paste into your address bar that will give you a new code to past in. From what I understand, this will cut off any cyber junk that is on your site. I’ve done this on all my sites, and it’s a good idea to do this twice a year.

    Another thing to do is to move your .htaccess file to a different folder. You can just drag and drop it into a new folder. This makes it much harder for hackers.

    Thanks for posting this because everyone needs to know about this stuff. When you put months and years of work into something, you don’t want it all going up in smoke!

  26. Hi Sean,
    I keep a “mommy blog” and was upset to find out that it was hacked. I lost quite a lot of content and more importantly, the precious congratulatory messages from wwmy readers on the birth of my child and other parenting and pregnancy posts :-(

    And all because I didn’t take Step 1: Upgrading to the latest version of WordPress. My webhost tried to search for it in Google cache but it’s not there anymore. Besides the need to upgrade WordPress, I also learnt the importance of back-ups.

    Is there any magical trick that you probloggers have up your sleeves to recover missing content and comments? Please, please let me know if you do!

  27. Thank you for this well-timed post. My blog has suddenly started to get hit by tons of spam comments. I am trying out the Bad Behavior plug-in now. :)

  28. My blog was hacked last October. I lost almost everything–my content was still there (sorta), but I lost all my images and, most importantly, an on-site app that I had built especially for my readers (that was stolen completely). It was one of the worst moments of my life… I didn’t know anyone who could help me. I felt powerless. I just woke up and went to check the site out and it was missing (well there was a weird version of it and every page you clicked on was missing). People were twitter-messaging me to let me know they were getting that “malicious site” message when they tried to view my blog. I almost gave up. I almost called it quits and ended things that way. But my readers kept me going… so after a week of searching I found someone who could help me fix my site and get it back online. I never got my images or my on-site app back, unfortunately, but I did learn a valuable lesson.

  29. I was also hacked a while back. Thankfully cleaning up wasn’t too bad as I have a fair bit of php and SQL experience, but convincing Google’s webmaster tools that I was clean was another issue. Thanks to the attack Google now thinks my site is unsuitable for Adsense, which is annoying too…

  30. Wow, this is a great resource for some serious security plugins and more. I would have spent weeks, if not months, looking for this info on my own. THANK YOU for writing this.

  31. Great advice, Sean. I’ve recently been in fear of possible security issues. Do you have any recommendations for anti-trojan software?

  32. As someone who has faced this attack two times in a year the security and things discussed here are of utmost importance. A compromised website is a nightmare to see and the effects are too bad for your reputation. My blog is pushed down in search rankings and loyal visitors turn away after these attacks. Now I have taken almost all steps I have come across on the web to keep it safe but still I feel the most important thing is to have a backup. Whenever you are attacked just wipe your WP installation and install again from backup.It should take not much time and its the best way.Also investigate what caused the attack and plug that hole. I forgot to delete spam comments and that did me in once. Thanks for a great article sean.


  33. Hi. Today I learned that painful truth. Checked my blog, it started acting weird when I tried to edit it. I am new at this. I checked the HTML it had codes I did not recognize. When I deleted it, my blog got deleted too. I had a couple of older blogs and nothing happened to them. My blog is on blogger, some of my friends said it was easy to use, so I tried it.

    I am going through the list you wrote and taking your advise. I have a lot to learn about keeping my work safe. I am just glad that there are so many helpful people, sharing your knowledge on internet safety.



  34. Outstanding info!

    As a new blogger, I’m excited for the day that my site looks interesting enough to be attacked. Right now, I’d welcome the traffic…

    All kidding aside, thanks for the post. I figure this is the best time to put these measures into place.


  35. Thanks so much for these tips.I use Akismet and Bad Behavior to stop spammers. WP-db-backup plugin is great.

  36. Fv antispam Plugin is a great plugin, it handles spam effective on my blog.

A Practical Podcast… to Help You Build a Better Blog

The ProBlogger Podcast

A Practical Podcast…