How To Protect Your Blog From Botnet Hackers

30,000 WordPress sites are being hacked by botnets every day. The situation is so bad that even the major news media are buzzing with the story. The featured image is a screenshot from Forbes. If you don’t know how to protect your blog from botnet hackers, and if you don’t take action to protect it, you will be next. At the rate the botnets are attacking WordPress sites, it is inevitable.

Yesterday I watched an excellent webinar on this subject. It was given by two amazing internet marketers and software developers, Peter Garety and Paul Clifford. I took copious notes and today I’d like to share what I learned.

In this post I will address:

  1. The consequences of being hacked
  2. What a botnet is
  3. Why botnets are concentrating on WordPress blogs
  4. How to protect your blog from botnet hackers

Consequences Of Being Attacked By Botnet Hackers

  • Your site gets infected
  • Your site gets de-indexed
  • You and your site get flagged as a spammer
  • A huge amount of time and even money is lost in recovery efforts (if recovery is possible at all)

What Is A Botnet?

According to Wikipedia a botnet is “a collection of internet-connected programs communicating with other similar programs in order to perform tasks. This can be a mundane task or it could be used to send spam email or participate in DDoS (a distributed denial of service) attacks. The word botnet stems from the two words robot and network.”

In his article, Peter Cohan said that “botnets do much more than just DDoS attacks. They are mostly used for SPAM, attacking other servers, stealing credentials and credit cards, committing bank account fraud and recently for penetrating organizations and taking out sensitive business data.”

One can think of botnets as an army of computers that are controlled by “bot masters” and can be used by cybercriminals in various ways to earn them staggering profits. The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most “high-quality” infected machines. (In addition to the fraud, it sounds to me like some sort of perverted game the hackers play.)

Why Are Botnets Attacking WordPress?

The simple answer to this question is: because it is easy. In a way one can say that this happens because WordPress leaves the back door open for these hackers.

For example, WordPress will actually tell a user whether the user name is right or wrong. I purposely entered the correct user name and a wrong password. This is what WordPress told me:

ERROR: The password you entered for the username admin is incorrect. Lost your password?

A hacker bot tries common user names until WordPress confirms that one of them is correct; from then on the bot knows it only has to find the matching password. The bots then brute-force the login (continuous login attempts) until the password is cracked.

There are other weaknesses in WordPress that hackers are aware of, and that is why it is so easy to attack our blogs. With 700 million WP sites there are treasures to be found. But because it seems to be a game for hackers to get the most “bots”, any WP site is fair game to them.

5 Steps To Protect Your Blog From Botnet Hackers

In this section I will show you five steps you can take to shut the WordPress backdoor and stop the botnet hackers cold.

You can take other security measures including free WP plugins such as Better WP Security. Some of these plugins may be difficult to set up or may make it difficult to manage your site.

These steps are simple yet effective and all of them can be done by you.

1. Change your login information.

Get rid of the user name if it is a weak one. The most commonly used user names are “admin”, the name of the site, your own name, etc. Replace it with a unique user name.

You cannot just delete the user name. For detailed, step-by-step instructions please read: How to change the “admin” user name.

As well, change the password to make it more secure. Make it at least 10-12 characters long, mix capital and small letters, and use numbers and symbols ($, %, @, &) within your password.

I use a completely free service, LastPass. It remembers all your passwords and user names and stores them securely. When you have to log in to a website it automatically fills in the login information. You can create very complex passwords and you do not have to fear that you are going to forget them.

2. Update your WordPress, all the plugins and your theme.

It is highly recommended to back up your site before you update any of them. Hackers can exploit the vulnerabilities of older versions of WordPress.

3. Change information that is displayed on failed login attempts.

As I mentioned above, by default on a failed login attempt WordPress will tell you whether the username or the password is wrong. An attacker can use that to find out which usernames are active on your system and then use brute-force methods to crack the password.

The solution to this problem is simple. Whether the user enters a wrong username or a wrong password, you can always tell him “wrong username or password” so that he doesn’t know which of the two is wrong. Open your theme’s functions.php file and copy/paste the following code there:

// Replace the default WordPress login error text with a single generic message,
// so a failed attempt no longer reveals whether the username or the password was wrong.
function wrong_login() {
  return 'Wrong username or password.';
}
// 'login_errors' is the WordPress filter applied to the error text shown on wp-login.php.
add_filter('login_errors', 'wrong_login');


4. Rename readme.html and install.php files.

You can hide the exact WordPress version you are using. The readme.html file contains the WP version information, and if it is left in the default location (the WP root) attackers can easily find out your WP version. This is a very easy problem to solve. Rename the file to something more unique like “readme-876.html” or delete it.

There have already been a couple of security issues regarding the install.php file. Once you have installed WP this file becomes useless and there is no reason to keep it in the default location, accessible via HTTP. Rename install.php (you’ll find it in the wp-admin folder) to something more unique like “install-876.php” or delete it, as you don’t need it.

5. Remove Access To Upload Files

Make sure that your uploaded files are not browsable. By removing directory listing for the uploads folder you prevent anyone from viewing all the files in it and from easily downloading all your uploaded files. It’s a security and a copyright issue.

To fix the problem open .htaccess and add this directive into it:

Options -Indexes

There are many more steps one can take to make it difficult for hackers to access, steal or corrupt your information. Paul Clifford mentioned well over 30 changes that could easily be made, including a captcha box at the WP login and disallowing access to the login after a certain number of failed login attempts.

The first question asked during this webinar was whether these changes could somehow be made automatically. At this point he introduced his newly developed plugin, Secure Scan Pro, which tests the site for all these vulnerabilities and lets you fix most of them with a simple click of a button. This is a great relief for those of us who are not the most technically endowed.

The other changes this plugin makes that I really liked were adding a simple captcha box to the WordPress login and blocking IP addresses that are brute-force attacking a site.
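Detection logic for the brute-force login traffic described in step 3 and in the paragraph above, as an added example that is not from this post or from any of the plugins it mentions: it reads Apache access-log lines (a constructed sample is embedded), counts failed wp-login.php POSTs per IP address inside a time window, and separately flags an IP that logged in after a run of failures. The IP addresses, timestamps and thresholds are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; client IP, timestamp, request line and status are all we need.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def login_events(log_text):
    """(ip, time, status) for every POST to wp-login.php, oldest first; other lines are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        if m["method"] == "POST" and m["path"].split("?")[0].endswith("/wp-login.php"):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts, int(m["status"])))
    return sorted(events, key=lambda e: e[1])
def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """IP -> most failed logins seen inside any `window`, for IPs that reach `threshold`."""
    per_ip = defaultdict(list)
    for ip, ts, status in login_events(log_text):
        if status == 200:   # WordPress re-renders the form (200) on failure, redirects (302) on success
            per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
def success_after_failures(log_text, min_failures=3):
    """IPs whose successful login (302) followed `min_failures` or more failures: a guessed password."""
    failures, hits = defaultdict(int), set()
    for ip, _ts, status in login_events(log_text):
        if status == 200:
            failures[ip] += 1
        elif status == 302 and failures[ip] >= min_failures:
            hits.add(ip)
    return sorted(hits)
def _line(ip, sec, method, status):   # builds one constructed log line for the sample below
    return (f'{ip} - - [24/Apr/2013:10:00:{sec:02d} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3120 "-" "Mozilla/5.0"')

# Constructed sample, not real traffic: 203.0.113.5 fails six times in ten seconds then gets in;
# 198.51.100.9 loads the form, mistypes its password once, then logs in normally.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.5", s, "POST", 200) for s in range(0, 12, 2)]
    + [_line("203.0.113.5", 13, "POST", 302), _line("198.51.100.9", 29, "GET", 200),
       _line("198.51.100.9", 30, "POST", 200), _line("198.51.100.9", 45, "POST", 302)])
```

Run against a real access log, the flagged dictionary is the list of addresses a lockout plugin or a server-side block would act on, and the second function catches the case a simple lockout misses: the attacker who got in before the threshold was reached.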

A Free WordPress Plugin To Protect Your Blog From Botnet Hackers

Since I wrote this article I have come across another great plugin which will help protect your blog from botnet hackers. The plugin is called WordFence and it is an amazing plugin that protects your blog. It also lets you know about the attacks that are happening to your site. As well, it reminds you of any vulnerabilities on your blog.

You can find out more about the plugin on the WordFence home page. Make sure to opt in for the free option. Later, if you feel it is necessary, you may upgrade.

In addition, you can install the plugin straight from within your WordPress blog, from the Add New screen of the Plugins dashboard. Just enter WordFence in the search field.

In summary, in this article I showed you how to protect your blog from botnet hackers. I showed you 5 relatively simple steps you can take immediately to protect your blog, so there is no reason why your WordPress blog should remain vulnerable to the ever-growing danger of botnet hackers. As well, I added a new option, the free Wordfence plugin. If you do not take steps to secure your WordPress blog, your site will be attacked. With this fast-growing global threat the question is no longer “IF” but rather “WHEN”.

Please make sure to leave a comment or suggestions. I’d love to hear from you.


22 Responses to How To Protect Your Blog From Botnet Hackers

  1. Jordan October 22, 2013 at 11:33 pm #

    Great post! I was a victim of hackers a few months back. Thanks for the advice, it will help greatly!

    Jordan.
    Jordan recently posted… Reasons Why Jane and Joe Soap Click Off Your Website Quickly

  2. Nilesh Patil July 6, 2013 at 3:57 am #

    Thanks for this great info. Many people like me have still not been overwhelmed by this type of attack, but it’s necessary to understand all the precautions for that.

    Thanks again..
    Nilesh Patil recently posted… How To Index Blog Posts On Google Very Fast

    • Dita Irvine July 6, 2013 at 9:53 am #

      Hi Nilesh,

      Thanks for stopping by. These attacks are easy to prevent just with the simple modifications I mentioned in the article.

      Cheers,

      Dita

  3. Robert June 26, 2013 at 1:13 pm #

    Excellent resource for those concerned with security. In this day and age you can never be too careful – especially when it’s your site at stake. Another insidious form of attack launched through botnets are DDoS attacks. Although they do not destroy your data, only take your site offline, they can be just as devastating.
    Robert recently posted… DDoS Attacks for Hire: The Good, The Bad, The Ugly

  4. Cararta May 8, 2013 at 4:34 pm #

    Hi Dita,

    Thanks again for the share… I missed the webinar, helping a neighbor, but that was more important at the time!

    Copied some of your suggestions. I’m not very techie, so I hope I can do the changes; I will do a backup before I try, just in case!

    I really need to know something about deleting the leftovers in my .htaccess file from WP Super Cache and also in my SQL config file. Guess I’ll take your suggestion and find a super geek on the Warrior Forum….

    My site isn’t afflicted with malware, it just has 3 homepage URLs, which I think goes back to the SQL config file!

    Thanks again….
    Cararta recently posted… Know What You Want From Your Blog!

  5. AlishaRoy May 7, 2013 at 6:34 am #

    Hi

    This is nice and very informative things……………..

    Thanks for this ……………..

  6. Dave E Wilkes April 28, 2013 at 4:45 am #

    Hi Dita

    I had a problem with hacking and that made me take more care with security.

    One of my “lazy” problems that I have now overcome was leaving a couple of my sites without regularly checking to see if all the plugins were up to date, etc.

    Now the WordFence plugin tells me when I need to update.

    But the changes you suggest here in points 3, 4 and 5 seem invaluable.

    I’m not too confident with coding and so I will check out how to make the changes with your instructions…

    Many thanks for your help
    Dave E Wilkes recently posted… A Brain Waves Meditation To Give You Incredible Results

    • Dita Irvine May 2, 2013 at 10:03 pm #

      Hi Dave,

      Nice to see you here. I am so glad that I was able to help you. Hope it works. Those steps that you are going to use are easy to implement.

      Best wishes,

      Dita

  7. Shan April 27, 2013 at 11:27 am #

    Hi Dita

    So glad I found your post. One of my blogs was hacked two weeks ago so I’ve been changing passwords and on the hunt for a decent security plugin. Thanks to you, I now have Secure Scan Pro on three out of five. The remaining two will be done today.

    It’s a pain. I’ll be contacting Adrienne about blocking IP addresses on the server….

    Shan

    • Dita Irvine May 2, 2013 at 10:11 pm #

      Hi Shan,

      sorry to respond so late. I am really glad my post was able to help. That is why I write.

      All the best,

      Dita

  8. Sandy Halliday April 27, 2013 at 10:36 am #

    Good tips Dita.

    I changed my password to something very secure (I hope) after I got my email account hacked, so I am relying on that to a certain extent.

    I have read that these botnets try different dictionary words to log in so if your username or password is not in the dictionary then they probably will not be able to hack your blog.

    I have WordPress Firewall 2 plugin installed which monitors web requests to identify and stop the most obvious attacks.

    I am hoping that these measures will protect my blog but I will take these extra precautions that you mention as you cannot be too careful.

    Sandy
    Sandy Halliday recently posted… 5 Internal Linking Tips For Your Blog SEO

    • Dita Irvine May 2, 2013 at 10:05 pm #

      Hi Sandy,

      I really believe if you implement these steps you will have the protection from these criminals.

      Thanks for stopping by.

      Dita

  9. Glenn Shepherd April 27, 2013 at 4:51 am #

    Hey Dita,

    Thanks for the great information as always. Although I have done a lot to secure my site already, there are a few things in here that I may still need to take a look at. The more we can do to protect ourselves and make things more difficult for hackers, the better.
    Glenn Shepherd recently posted… Are You Consistently Consistent?

    • Dita Irvine May 2, 2013 at 10:07 pm #

      Hi Glenn,

      Yes, we definitely need to be diligent about our security. These steps are really simple to implement.

      Take care,

      Dita

  10. Matt Kendo April 26, 2013 at 8:26 pm #

    Dita,

    Great article. This is something most people completely overlook. I need to spend more time with these methods on all my sites! Thank you, thank you, thank you!

    • Dita Irvine May 2, 2013 at 10:09 pm #

      You’re welcome, you’re welcome, you’re welcome!

      Dita

  11. Enstine Muki April 24, 2013 at 3:28 pm #

    Hey Dita,
    Thanks for coming over to my blog and dropping a comment. This led me to discovering your wonderful blog.

    That’s an excellent article on WP security. WP is so vulnerable to these attacks. We have to be on the alert, constantly updating and changing things. One can hardly be 100% sure, but we have to do at least the minimum.

    Thanks for sharing and I’m happy I read this 😉
    Enstine Muki recently posted… How Affiliate Product Reviews are Hurting your Blog and Reputation

    • Dita Irvine April 26, 2013 at 7:44 pm #

      Hi Enstine,

      Thank you for your compliment. I am glad you enjoyed the article.

      I agree with you, we have to be very diligent about the security of our blogs.

      Take care,

      Dita

  12. Adrienne April 24, 2013 at 2:10 pm #

    Hi Dita,

    I’ve heard of some people being hit by these attacks. I have a plug-in on my blog that informs me when someone is trying to hack into it. Yesterday I had 22 attempts, all one right after the other, with different IP addresses, so what I do is copy those addresses and block them on my server. They can no longer even attempt to access my blog.

    Of course I don’t have an easy login name or password so those things are covered. I do have some security plug-ins and have done the necessary steps to secure my blog to the best of my ability.

    I do remember a police officer telling me a long time ago, after my car had been broken into in a VERY secure location, that if the thieves want in, they’ll find a way. I’m sure it’s the same with them. We just need to make it as difficult for them as possible so they’ll move on to someone else.

    Thanks for this information Dita, it’s very helpful.

    ~Adrienne

    • Dita Irvine April 26, 2013 at 7:42 pm #

      Hi Adrienne,

      I had one on as well, and I was shocked by the number of attacks I had. Unfortunately, that particular plugin had one issue, and that was that it did not allow my blog to be idle for more than 60 minutes. I did not realize I had not saved my post during that period, so I lost my writing. So I gave up.

      But I use a secure user name and password. And when Paul came out with this plugin I was quite pleased, and I have it installed now. I feel quite comfortable with it.

      I am sure you are right: if someone wants to hack us badly enough they will keep trying.

      Have a great weekend.

      Dita