Blog Security For WordPress

I wrote this a bit ago and was just going to pass it on to friends who need to increase their blog security but I have seen so many hacked wordpress blogs lately that I hope by posting it I am able to help someone else remove a blog virus and protect themselves from going through this in the first place.

These steps apply to self hosted wordpress blogs. If you have been attacked then you should ideally get go through each step systematically. If you have not, it is still in your best interest to take action on as many of the preventative measures as possible.


  1. Make sure you have the most current ftp download version on your computer. I like and trust Smart FTP. As of writing this the most current version is 4.0. It is a paid program. It initially costs around $60. It is worth it.
  2. Login to cpanel (at the host level) and change the password. Make it easy you are going to change it again.
  3. Login to wp-admin and change the password. Make it easy you are going to change it again.
  4. While changing your password in the wp-admin check for any strange admins that may have registered. There should only be you and whoever else you gave priveledges to. I had at least one weird one on each infected blog. One was named MYSQL and the other was Feedburner. They are fake users. You may also find that you have one or two ‘hidden’. You need to follow these steps to get rid of them:
  5. Next make sure that you are using the most current version of wordpress and all your plugins. Update any as necessary through you smartftp.
  6. If you are all update to date congrats but you are still going to overwrite all your files with a fresh download of wp and all plugins. Do this in smartftp and make sure you OVERWRITE the files.
  7. Now that the files are updated take a look in smartftp for anything unusual. Sort the files by date modified. You will most likely find a strange file or two. Compare the file list to the new versions you just uploaded. See anything that doesn’t belong? I found index.main.php and lots of other strangely worded index and cat pages. Double check that they are not part of the wp download and then delete them.
  8. Take a look at your .htaccess file in your root. It should only have this unless you are using some plugins like wp-cache that would re-write it. Even so, those plugins should clearly identify themselves. Code should be:
  9. # BEGIN WordPress

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    # END WordPress

    You will more than likely find that your .htaccess has been changed. Edit to the above code, reupload and then change file permissions to 644 (see 12 if you don’t know how to do that)

  10. Install these three plugins:,, and and activate them all
  11. Run exploit scanner. You will find it under the dashboard link. It probably won’t find anything but do it anyway.
  12. Run Security. This will likely be down at the very bottom on your left column. It will probably give you a list of things in red that they find. We are going to fix those next.
  13. Run Security-Scanner. Here are all your file permissions that are out of whack. You need to fix these in smartftp. You click on the file, then right click, then hit properties, view the permissions tab and change it to whatever they tell you.
  14. Now click back to Security-security. These are the things we are going to fix. WARNING! You NEED to know your way around your database for this. Don’t attempt if you are not completely comfortable. You have to do this to make your wp as secure as possible so you may need to get some help if you are unsure what you are doing.
  15. Login to your cpanel and go to “Mysql Databases”. Under current databases delete the user that is there. There should only be one. Go back. Add a new user with a very strong password. Give that user permission to access that database. It should have all permissions.
  16. Now go back to cpanel-home. Navigate to ‘phpmyadmin’. Back up your database. If you need a reminder read:
  17. Follow the steps here to change your wp_ prefix:
  18. Go to SmartFTP. Edit wp-config in your root (public-html unless you have your blog in a folder) with the new password and the new db prefix. Use the wp link provided to change your secret keys too. Save and reupload.
  19. Remove your newly loaded wp-config to one level up. This means if it is in public_html you are going to drag it all the way to the ip folder up top and drop it in those ip numbers. If your blog is in a folder than don’t do this.
  20. Just double check that everything is OK. If you are prompted to re-install wp you did something wrong .Don’t panic. Just repeat steps 16, 17, 18
  21. Now back to the database. Click on Structure. Click on _users, browse. Edit admin. Change admin to your new user name. You will change it in 2 or 3 spots depending on how you had it set up to begin with. You will login to wp with that name now instead of the default “admin”.
  22. Go to wordpress admin panel. You will be prompted to re-login in with your new user name.
  23. Clicking on Security-Security again the last thing in red you should see is a prompt about putting .htaccess in the wp-admin folder. If you consistently access your panel from one or two computers with a static IP then this is a GREAT security step. However if you use a dynamic IP and/or access your wp panel from other computers don’t do this. If you share this blog with someone else you need to put there ips in as well. Follow this article:
  24. Install a database back up plugin: Have a copy emailed to yourself depending on the frequency you post. Note on this: I had to manually create the file on smartftp on each blog I installed it on. Make sure after you create the folder and the plugin installs correctly to change the permissions back to 777. Have it emailed to you so that it does not stay on the server with a 777 permission code
  25. Change your wp-admin password and cpanel password to something strong. Write these down!
  26. Last but not least: re-run both Security and Exploit plugins. Re login and out. Check everything. You should be good to go and way more secure than ever.

PR Monday: Your Reputation

Last week I had a great lunch with some blogging friends and Chris Byrne, The Toy Guy. The topic of conversation eventually turned to moms and reviews and giveaways. We all agreed on this basic truth: Your reputation in blogging is all you really have. Being a somewhat anonymous venue it is hard sometimes to remember that everything you do and say contributes to that reputation whether positively or negatively. But at the end of the day and all the SEO and traffic tricks out there, if people don’t trust you the gig is up.

So, how do you focus on being trust worthy?

  • Be consistent with your social media. Your personality on your blog should be YOU and YOU should be YOU across all venues. Don’t fall victim to multiple blogger personality syndrome.
  • If you take a PR opp, DO IT! Sadly it doesn’t always happen. Communicate with the PR Rep if you are having issues getting an opp done. They are depending on you but they also understand that we are moms first. Communicating is really all they ask.
  • Make sure any sponsored posts or ads fit into your value system and personality of your blog.
  • Take giveaways seriously. Get your winner their prizes asap.
  • Manage your offline personality. There shouldn’t be any separation in this day and age. Choices you make in real life will affect your online reputation.
  • Being real doesn’t mean being nasty (unless you really are). Also, if you get a product to review don’t write something fabulous if you don’t mean it. Talk about the pros and cons of products. No one will be believe you if everything you write about is the most fabulous thing on earth.
  • Write reviews about stuff you pay for too (I said too because there is nothing wrong with getting things for review).

Bottom line is that your readers (and PR reps) have a lot of options on where they can go. Be real, genuine, and trustworthy and you will be around a long time :)

PR Monday: Stop Selling Yourself Short! PLEASE!

Sadly it seems that the middle ground for the pitches I receive is rapidly disappearing. I either get really, really great pitches or really, really bad ones. This is one of those that falls in the really bad category. I want to share it with some of you to show WHY I think this is a pitch that most people should pass on. I know when you are new to this you get all bubbly when a PR firm picks you and it is easy to get tricked into taking all the pitches that come your way. So lets dissect this one and if you still think it is worth your time at the end that is OK! We all have our things we will work for peanuts for. Just be educated about when you are doing it.

Hi, I have an item that you may like for your Blog. Blah Blah Company (I changed the name), a leading provider of school uniforms, this week launched a $15,000 contest in which kids who attend a school that has a dress code can show the world what makes them unique and special. The contest is titled, “Blah Blah Contest,” and it is designed to provide a forum for kids to express their individuality. Kids and their parents can enter the contest by visiting and following the instructions regarding submitting a video or essay along with pictures. The final day to submit an entry is September 15.

OK, so lets look at this in specific regards to me. I HOMESCHOOL. Now, I do say that my older one is going to Catholic school next year so maybe that was their thought but he has a liberal dress code so right off the bat I am not interested.

The link above? Right now has a google page rank of 0 and an alexa rank in the 4 millions.

On November 1, Blah Blah  will be posting the 10 finalists and the public will be able to vote for the grand prize winner – who will win $10,000 in cash and their school will receive $5,000 in vouchers from Blah Blah. The grand prize winner will be announced on November 30.

More than 1 in 5 public schools now have a dress code, and that’s on top of the many private, parochial and charter schools that have dress codes. Please let me know if you need any additional information, or if you’d like to speak to someone at Blah Blah.

As part of this outreach to parents and kids, Blah Blah is looking for 25 Blah Blah Brand Ambassadors (the first 25 who respond in the affirmative), who will help make moms and kids aware of the contest. As a Blah Blah Brand Ambassador, we will expect:

OK, this is where is gets good. Ready?

–         A total of three mentions/discussions of the contest – 1) A mention of the contest on your blog during the first two weeks of the contest, a follow-on mention/discussion in June, and a third in September.

–         At least two mentions – 1 in May and another in June – of our contest to your followers and fans on Twitter and Facebook

So, they want a total of three blog posts and 2 mentions to my social networks. Lets do the math. I get at least $10 for each ‘commercial’ tweet I send through Sponsored Tweets (referral link) So, I could make $20 for those two social network contacts leaving me $30 to run 3 posts on my blog.

We have established that this blog is not really the most organic place for this so these posts fall into ‘advertising’ in my book. Depending on which blog, time of year and my schedule I charge anywhere from $100-$300 for a sponsored post, usually around $250. I know putting my rates out there may be silly but honestly new bloggers need to know that $10 a post is INSANE. $10 for a tweet–sure, not bad, but a mention in a post? No freakin’ way. I should say, I can get that on some of my niche blogs (and I really don’t post advertorials here) but in talking with other bloggers I have found out their rates are $30-$75 per 300 word post. I, also, want to clarify that this is for a post that is ‘advertising’ not a product review or editorial for something that is organic to your blog. I don’t charge beyond the product for those.

In return, Blah Blah will provide a reciprocal link to your site on the site and a $50 gift certificate after your last posting in September.

A link? On a PR 0 site? Oh yeah….I covered that above.

That giftcard? Given the average mark-up of 43% for family clothing they are really paying you $28.50 that you can only spend in their store. That $5.70 for your five points of contact. Minimum wage in my state is currently $7.24. Granted those 5 points of contact are probably not going to take you 5 hours. It took you a hell of a lot longer than that if you figure in the time you put building your blog audience and social networks. To essentially have a company come bless you with the opportunity to use your platform for less than minimum wage.
Sadly, I am sure they were flooded with responses. Mine was this:

Thanks for your pitch. However, you do realize you are compensating bloggers less than $10 per post…

I currently charge $250 for a featured post on my tween blog in cash, not a gift card to the company. Thanks

Something interesting: I did a quick scan and according to the average full time journalist position in the US pays $26,000-$47,000 a year. If you go on the low side of $30,000 a year and you post 350 times that year you would be making $85 a post. Even if you aren’t interested in being a full time blogger, you are a media source! You are a journalist.

Mom-101 wrote a great post about this as well. I hope you go read it. For some reason I can’t link direct to her post but right now it is the third one down.

We all do things to get “in” with a company but take it from me, the pitches from these companies don’t tend to get better.

I will leave you with this….

you work really hard on your blog, don’t let someone take advantage of you!

Since we are all working on our own, I think it really helps to know what average rates are. I would love it if you shared yours below or any other thoughts on this.