How To Protect and Secure Your WordPress Website From Spam and Hacks

I’ve had a few emails from people asking me how they can secure and protect their WordPress install from all of the comment spam and what steps they can take to reduce the chance of getting hacked. WordPress is one of the largest blogging platforms in the world and it is open source. Because of this it has become a prime target for comment spam and hackers. Luckily there are some relatively simple things you can do to help reduce spam and secure your WordPress install.

How To Reduce WordPress Spam

WordPress comment spamming has become a huge issue among blog owners and authors. The reason that blogs get so much spam these days is that SEO (Search Engine Optimization) people are trying to get your website to link to theirs – increasing their page rankings in Google. Because WordPress is open source and so common, virtually every WordPress site uses the same commenting system, which is what the spammers are now exploiting. Here are some ways you can change the way your comment system works – foiling the spammers’ evil plans of dropping a penis enlargement link on your website.


Akismet is a plugin that comes with WordPress, but you need to pay a monthly fee to subscribe to their services.

Akismet works by checking the commenter’s IP address against its own database of known spammers. If the commenter’s IP is listed by Akismet, the comment is rejected. There are only two problems with this service: 1) it’s not free; 2) although it significantly reduces spam, it’s not 100% effective at stopping comment spam and can sometimes block a genuine comment by mistake.



Another great WordPress plugin is NoSpamNX. This plugin is completely free and is very successful at stopping automated spam bots from commenting on your site.

NoSpamNX works by inserting an empty text box into your comment form that is invisible to a human but visible to a spam bot. Most spam bots will see this extra box and fill it in with random junk. So if a human adds a comment, the extra text box stays empty (we can’t see it and don’t know it’s there), but a spam bot will fill it in. If the comment is submitted with that extra box filled in, the comment gets rejected!
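To show the honeypot idea in code, here is an added example of the same trap written for a theme’s functions.php. It is not the NoSpamNX plugin’s code and not part of the original post; the field name website_url_confirm and the function names are my own choices.

```php
<?php
// Added example (not from the post or from NoSpamNX): a honeypot field for the
// WordPress comment form. The field name "website_url_confirm" is arbitrary.

// 1. Render an extra text box that a browser hides but a form-filling bot still sees.
function hp_render_honeypot_field() {
    // Moved off-screen and removed from the tab order so a human never reaches it.
    echo '<p style="position:absolute;left:-9999px;" aria-hidden="true">'
       . '<label for="website_url_confirm">Leave this field empty</label>'
       . '<input type="text" name="website_url_confirm" id="website_url_confirm" '
       . 'value="" tabindex="-1" autocomplete="off"></p>';
}
// comment_form_after_fields fires for logged-out visitors, comment_form_logged_in_after for logged-in users.
add_action( 'comment_form_after_fields', 'hp_render_honeypot_field' );
add_action( 'comment_form_logged_in_after', 'hp_render_honeypot_field' );

// 2. Refuse any submission in which the hidden box was filled in.
function hp_check_honeypot( $commentdata ) {
    if ( ! empty( $_POST['website_url_confirm'] ) ) {
        // Log the rejection so you can see how much the trap is catching, then stop with a 403.
        error_log( 'Comment rejected by honeypot from ' . $_SERVER['REMOTE_ADDR'] );
        wp_die( __( 'Spam check failed.' ), '', array( 'response' => 403 ) );
    }
    // A human left it empty: hand the comment on unchanged.
    return $commentdata;
}
add_filter( 'preprocess_comment', 'hp_check_honeypot' );
```

Bots that only submit the fields WordPress expects (author, email, url, comment) still get through, which is why the post pairs this with Akismet or the referrer check.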


Be very careful if you decide to implement this. I would recommend against doing this if you are not particularly tech savvy or do not know basic coding. Before you do anything, please, please, please, make a backup of your functions.php – just in case. Place the following code inside your functions.php.

function verify_comment_referer() {
    // Refuse the comment when the browser sent no Referer header (typical of simple bots).
    if (!wp_get_referer()) {
        wp_die( __('You cannot post comment at this time, may be you need to enable referrers in your browser.') );
    }
}
add_action('check_comment_flood', 'verify_comment_referer');

Basically this works by checking the commenter’s referrer before deciding whether to accept the comment. Most spam bots send a poor (or no) referrer and will be denied. This option is far from 100% successful, but I find it helps catch the odd comment that the first two options miss.

How To Secure and Protect Your WordPress Website

Now I’ll talk about all of the ways you can protect your install from unwanted access and hacks. Some of them are easy, others are more complicated with lots of options and should be implemented with care. I’ll start off by listing the easier and safer methods of protecting and securing your WordPress website. And of course, always keep your install updated when possible.

Removing Unimportant Files From Your Server

There are many ways you can do this: FTP or maybe just through your host’s file manager. Either way all you have to do is delete these files:


The reason for this is that those two files are not needed in any way to run your site, but they contain the version of WordPress you have installed. This information could be used by hackers to help gain access to your site!

Secure WordPress

This plugin comes with multiple ‘minor’ security features, but there are two that you should be most interested in. The first is the ability to create an index.html in each sub folder. This stops a random visitor from browsing the directory listings of your site and seeing the files in them. The second is the ability to remove default WordPress headers such as the WordPress version. It is important to hide what version of WordPress you are running from hackers so that they don’t know how to exploit your site if you are using an outdated version. The plugin also does multiple other things to keep your install protected, such as blocking bad and malicious queries that could be harmful to your WordPress website and removing plugin-update information for non-admins.
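If you would rather do the version-hiding part yourself than install the plugin, here is an added example for a theme’s functions.php. It is not the Secure WordPress plugin’s code and not from the original post; the function name hv_strip_version_query is mine.

```php
<?php
// Added example (not from the post or the Secure WordPress plugin): remove the
// WordPress version from the places a stock install discloses it.

// The <meta name="generator"> tag in <head> and the generator line in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Core scripts and stylesheets are loaded with "?ver=<WordPress version>", which
// leaks the same information; drop that query argument from their URLs.
function hv_strip_version_query( $src ) {
    if ( strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hv_strip_version_query', 15 );
add_filter( 'style_loader_src', 'hv_strip_version_query', 15 );
```

Stripping the ver argument also removes WordPress’s cache-busting for those assets, so visitors may keep an old cached script after an update; check the page source and the feed afterwards to confirm the version string is gone.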

Semisecure Login Reimagined

This simple but nifty plugin secures your login information by encrypting it on the client side using JavaScript. It is most useful for situations where SSL is not available, but the administrator wishes to have some additional security measures in place without sacrificing convenience.

Limit Login Attempts

You don’t have to be a computer whiz to know what this plugin does. It is most useful in stopping some random hacker from simply trying to guess your username and password. Many customization features, such as email notification, are available as well.

WebsiteDefender WordPress Security

This WordPress plugin/service constantly scans your server to make sure nothing malicious finds its way onto your install. It also has a very important feature that allows you to change the prefix of your WordPress tables away from the default wp_. Furthermore, this plugin gives suggestions on how to further tighten up security on your site and will email you if anything important happens.

