2 Easy Ways To Set Up A WordPress Firewall

by John Hoff on March 25, 2009

Image by jasoneppink

Question: Is your blog’s security a top priority for you?

I bet the majority of you will say, “Yes John, it is.” However, I bet 90% of you have taken very little steps to actually secure your blog against intruders.

About 8 years ago I hurt my back (relation to blog security coming up quick) to the point where I have a bulging disk. I went to a chiropractor and he asked me, “How concerned are you of this problem?” I told him I was pretty concerned and wanted it fixed, but since the pain wasn’t unbearable it wasn’t top on my priority list.

He brought me into a room and showed me how over time an injury which starts out with only ‘some pain’ can easily turn into a huge problem for me down the road. He showed how without treatment my problem could get worse up to a point where I might have troubles doing simple things, like walking. If that were to happen, I bet my future self would say, “Why didn’t I listen to that chiropractor?”

He then asked me again, “How concerned are you of this problem?” My answered changed.

Now let me ask you again, how concerned are you for your blog’s security?

Do you think it’s possible one day that your future self might say, “If I only took steps to protect my blog earlier none of this would have happened.”

Realize too, you might not even know your site has been cracked until some time down the road. Sometimes a hacker’s only interest is to create backlinks to their websites (to help their Google PageRank) while other times it might be to simply steal your bandwidth.

See this article as an example. Also, Nik Cubrilovic over at TechCrunch mentions this in his article, WordPress Security Issues Lead To Mass Hacking. Is Your Blog Next?

It is unknown just how many WordPress blogs are infected (I have seen instances of double infection, where a previously hacked host had been hacked again), but as an indicator, across the ten or more WordPress blogs that TechCrunch and I have access to, we can see over 100 requests daily for these various security holes.

So how do you secure your WordPress blog?

There are many ways to harden your WordPress installation and I’ll talk about more of them down the road, so be sure to subscribe to my feed if you’re interested (link opens in a new window so you won’t lose your place).

Here are two quick and easy ways help guard your blog against attacks using SQL Injection.

1. Install a WordPress Firewall Plugin

There are a few really good firewall plugins out there for WordPress, but here’s one that’s easy to use. If you’re unfamiliar with what a firewall is, look up to the picture at the top of this article. Imagine the girl is your blog and the guy is an intruder. The firewall is the shield protecting you from his attack.

SEO Egghead offers the WordPress Firewall Plugin.

Simply install this plugin and then configure it to whitelist your IP address (so you yourself don’t trigger a block and alert). To do that, once the plugin is activated look over to your Settings area on the left sidebar of your WordPress Dashboard and click Firewall.

From there you can enter in your email address to send possible intrusion alerts to and also whitelist your IP address. To find out what your IP address is, you can head over to WhatIsMyIPAddress.com.

2. Upgrade Your WordPress Installation

This is the easiest thing you can do to help guard against SQL Injection and other blog security vulnerabilities. If you clicked over to read the article mentioned above, the author shows how he was using a recent, but not current, version of WordPress and his blog was still cracked.

Luckily, simply upgrading his WordPress installation fixed his problem.

If you don’t know how to upgrade your WordPress installation, we have a video tutorial on how to do it.

Finally, I’d like to note that BTC Hosting provides various blog services. If you’d like us to upgrade your blog and/or provide these and many more security upgrades to your blog, let us know. For a one time fee of $65 we can harden your WordPress install, help fortify your blog against SQL Injection, database cracking, and brute force attacks. Just send us a note in the comment section below or on our Questions page.

So, let me ask you. How concerned are you about your blog’s security?

{ 30 comments… read them below or add one }

Cath Lawson March 26, 2009 at 6:27 am

Hi John – I have injured my back and this post has scared me enough to go see the doctor.

You also have me worried about security. I checked some of my blog users that you mentioned. And I hadn’t added any of them, so I don’t know if they were spammers or what. Anyway, I’ve deleted them all.

Since you took over my hosting, I barely get any spam. There used to be loads in Askimet but now most of it just doesn’t seem to get through. Thank you.


RaiulBaztepo March 28, 2009 at 2:29 pm

Very Interesting post! Thank you for such interesting resource!
PS: Sorry for my bad english, I’v just started to learn this language ;)
See you!
Your, Raiul Baztepo


John Hoff March 28, 2009 at 10:28 pm

I’m glad you’re headed to see a doctor about it. Trust me, I know that when it comes to our back, we need to take care of it. Is that Silva Life System helping with pain management. It seems very intriguing.

Glad to hear you deleted the extra users on your blog. A lot of hackers simply want into our blogs just to create backlinks but have no intention of breaking anything. Tsk Tsk!

hmmm … you’re welcome. :)


Jim Gaudet June 17, 2009 at 6:55 am

Just installed the plugin, no errors so far… Do you have any config recommendations for the plugin, or is the default fine?
.-= Jim Gaudet´s last blog ..New Google Webmaster Tools | What’s Up? =-.


John Hoff June 17, 2009 at 1:49 pm

Just make sure to go over to the plugin’s settings area and put in your computer’s IP address. Otherwise you might not be able to edit your blog.

If one day you find you are unable to edit anything on your blog, check if your IP address has changed, if so, update that in your settings.

Also, for additional security, you might want to check out this article.


Jim Gaudet June 17, 2009 at 2:14 pm

Thanks, I was wondering about that G4. It’s a big file and I didn’t have the time the read through it. Where would I put my redirects and the wordpress code in that file?
.-= Jim Gaudet´s last blog ..New Google Webmaster Tools | What’s Up? =-.


Jim Gaudet June 17, 2009 at 2:15 pm

Sorry, I think I really need to read the whole page. You don’t have to answer, I need to stop being lazy :)
.-= Jim Gaudet´s last blog ..New Google Webmaster Tools | What’s Up? =-.


John Hoff June 17, 2009 at 7:15 pm

LOL Jim. You know what, it’s all good. I’m not one of those bloggers who encourage people to read my blog and if you have a question go do research first, understand it, and then ask your question.

Brian Clark from Copyblogger kind of made me feel that way one day when he wrote a post basically on that topic. It outlined how too many people were asking stupid questions (in his opinion) in his comment section and I guess his frustration with them.

I come from a training background (I was a banquet trainer and a kindergarten teaching assistant at points in my life) so the teaching aspect is instilled in me.

All you need to do is copy and paste all that code into your root .htaccess file. You can paste it at the top or bottom. I’d say put it at the bottom just so anything else you have in your .htaccess file is easy to get to at the top. Either way, it doesn’t really matter.

Of course then check your site. Make sure everything is working ok. One person recently noted on that article that one of the lines of code affects WP 2.8, but that’s not confirmed. A lot of people are having issues with 2.8, but that’s related to their themes and plugins not being compatible.


Jim Gaudet June 17, 2009 at 9:09 pm

That’s cool. I am the same way. I have a handful of people that just always ask me questions, just because it is fast and easy.

Thanks for the info and the heads up. I am using WP 2.8, but my own theme and some custom plugins. I will let you know how it goes..
.-= Jim Gaudet´s last blog ..New Google Webmaster Tools | What’s Up? =-.


Keith Davis November 5, 2009 at 10:42 am

Hi John
I came across the “SEO Egghead WordPress Firewall Plugin” via another article and then found this post.

Any chance of a post on setting up the options for the plugin?

And please don’t say….”The options are pretty self explanatory” because they are to you, but not to the technically challenged such as me.

I’d make a small donation for a post on setting it up… anybody else willing to chip in?
.-= Keith Davis´s last blog ..easy peasy! =-.


John Hoff November 5, 2009 at 9:07 pm

Hi Keith. No problem. In fact, maybe I’ll do a video on it. Give me until Sunday or Monday, though – I’m so busy this week I don’t even have time to work on a blog article.

Thanks and I’ll get that post out in a few days.


Keith Davis November 6, 2009 at 10:32 am

Short reply… brilliant!
.-= Keith Davis´s last blog ..easy peasy! =-.


John Hoff November 21, 2009 at 11:25 am

Hi Keith, sorry for the delay in getting that video made, but here it is:

SEO Egghead WordPress Firewall Plugin Video Overview


Keith Davis November 21, 2009 at 12:07 pm

Hi John
Just watched it.
Great job, many thanks.
.-= Keith Davis´s last blog ..easy peasy! =-.


Keith Davis February 17, 2010 at 2:19 pm

Hi John
I installed the “SEO Egghead WordPress Firewall Plugin” some time ago and just had an alert from the plugin. Alert reads…

WordPress Firewall has detected and blocked a potential attack!

It goes on to give IP etc.

Do you have to do anything when you get an alert or just be thankful that the potential attack has been blocked?
.-= Keith Davis´s last blog ..Practice, practice, practice… =-.


John Hoff February 17, 2010 at 2:27 pm

Make sure it is not your IP and something you did.

Can you email me what exactly it says or send me a screen shot? I can tell you if it was a legit attempt or not.

If it is, maybe ban their IP address from your site for awhile. Here’s my YouTube video on how to do that: Ban IP (it’s an older video).
.-= John Hoff´s last blog ..The Super Beginners for Dummies Tutorial on RSS Feeds =-.


Keith Davis February 17, 2010 at 2:43 pm

Thanks John, I’ll do that.

Perhaps I’ll take you up on your “Wordpress Security Upgrade” got to be worth it for all the time we put into our blogs.
.-= Keith Davis´s last blog ..Practice, practice, practice… =-.


Sire February 20, 2011 at 3:55 pm

Hi John, what happens in the situation where you’re accessing the admin from another computer, will it block you because the IP is different?


John Hoff February 21, 2011 at 8:08 am

Hi Sire and thanks for stopping by. Sorry for the delayed response and comment approval, I’ve been having computer issues lately and my main computer is still in the shop.

No the WordPress Firewall plugin does not have the function to redirect you away from your login and admin page via IP address. Actually, I suggest only doing that through .htaccess.

What it will do is stop the majority of SQL Injection attempts against your blog. If you’re not sure what that is, let me know.

Where the IP address comes in is this…

You tell the plugin your computer’s IP address so that way if you wanted to SQL your own website, it will let you. Sounds kind of silly, I know, but why not. Also, I think maybe without your IP whitelisted then you might not be able to edit any of your WordPress, Theme, or Plugin files through the WordPress Editor.

But that’s a good thing, right?

It makes it so others can’t edit the code in those files.

The work around if you’re on someone else’s computer is easy. Either:

1. Whitelist that computer’s IP address
2. Login, disable the plugin, edit your files, reactivate the plugin.

But realize that if you use another computer to simply log in, manage comments, and write/publish a post, this plugin will have no effect on what you’re doing.

Personally, I wouldn’t run a WordPress blog without it.

Okay, I’m headed over to your blog now. I see you have an article written on this subject. Glad you’re helping to spread the word of this problem.

Oh one last thing…

I’ve noticed there’s a WordPress Firewall 2 plugin out there. I contacted the original creator of the plugin and he said that was an unauthorized copy of his plugin. So personally, I would stay away from WordPress Firewall 2. I mean, who knows who that person is and what kind of person they are.


Keith Davis February 21, 2011 at 11:19 am

Hi John

“…without your IP whitelisted then you might not be able to edit any of your WordPress, Theme, or Plugin files through the WordPress Editor.”

That’s true John.

First few times I tried to edit files… I got thrown out.
If I want to edit files via admin, I deactivate the plugin.

Good to see you back John.


Sire February 21, 2011 at 3:04 pm

Thanks for your reply John, and don’t worry about the tardiness, I understand all about computer problems ;)

It was actually Keith Davis that directed me to this post, so thanks Keith.

It was a good thing that you added that last bit because I installed that plugin first seeing as how it was updated more recently. I’ve removed it and installed the right one on your recommendation.

I’ve heard of SQL injection and knew it was a bad thing but followed your link to learn a little more of it. So that’s how those swine inject into your scripts?

Thanks for helping out by answering questions on my post. I’m heading over to add the plugin to my other blogs.


Keith Davis February 21, 2011 at 3:14 pm

Hi Sire
Looks as though you’ve got another plugin for your next post – “SEO Egghead WordPress Firewall Plugin”.

BTW – if you understand the SQL injection, you can explain it to me. LOL


James Moralde February 22, 2011 at 6:03 am

I got here through Sire’s latest post and also because I wanted to get clear about a few things. My IP at home seems to change everytime I check it, so I was concerned about firewalling myself out of my admin page. Of course, the Q&A section here (the comment interaction :) ) answered this clearly. And of course I learned to stick to the original plugin version instead of the 2nd one. Thanks a lot guys. With the ‘limit login attempts’ and ‘wp firewall’ plugins, it feels good to know my blog is safer now.


Sire February 22, 2011 at 5:49 pm

Hey Keith, I don’t have to understand it to know it’s bad for me ;)


John Hoff February 25, 2011 at 6:50 pm

Hi Keith and Sire,

Can you believe I’m still dealing with computer issues? As you know, I do a lot of video tutorials and the new membership site I’m creating will rely a lot on videos I make.

Problem is, to make videos and produce them in a timely manner, you need a fast computer. Fast computers create lots of heat and thus need proper cooling.

My old computer was fast, but loud… so I decided to upgrade some of its parts. Problem is, the new parts were even louder. So I ordered more parts only to find then my RAM chips didn’t fit the new motherboard.

Now more waiting for UPS…

Then I got the new motherboard and it was inoperable (took Geeksquad a couple days to get to it).

Then sent it back and am waiting for a replacement.

So now I’ve hijacked my wife’s computer, loaded up my email, and am sort of back in the digital world until about the end of this week when I get my new parts in. What a ride… especially when you do business online.

Anyway, glad to have you here Sire, Keith is an awesome guy. And to both of you, yeah SQL injection isn’t the easiest thing to understand right at first, in fact I don’t even understand all of it, but I do know some tools out there to help prevent it.

The thing about computer and Internet security is that it’s always a developing story.

And Sire, it’s my pleasure to stop by your blog and help out. It’s a topic I like talking about (almost as much as Internet Marketing).


Keith Davis February 26, 2011 at 1:55 am

Nightmare John, nightmare.

Nothing worse than a noisy computer.
Fortunately, at the speed I type, I have no need of speed.

Any thoughts on Wordpress 3.1 John?
I hear that it doesn’t contain security fixes and I hear that it does contain security fixes!
Anyway I usually wait until the initial bugs have been ironed out before I upgrade.

I guesed that if 3.1 had major security uprades I would have had one of your newsletters but now I know about your computer problems…

Hi Sire… another post for you… John’s Wordpress Defender ebook.
I bought it and refer to it regularly – well written and even contains a little humour.
And you don’t have to be a techie.
All you have to be able to do is click a link and cut and paste.

Good look with your computer probs John.


Sire February 26, 2011 at 6:03 am

I hope you get your noisy computer problem resolved John. Mine’s a little noisy when the fan kicks in but I learned to live with it.

As to WordPress 3.1 I think there is a flaw in it. When I was writing a post it kept coming up with an error message saying I don’t have permission to do that and it would remove all the scripts in the post. At first I thought it was the Firewall and upon checking it I noticed the IP was different from when I installed it so I updated the IP on the white list and it still happened.

I then deactivated firewall and it was still happening. It was really starting to piss me off. A post that should have taken 30 minutes took nearly 3 hours. Turns out it’s a bug in the latest version. I wish I’d known that earlier :(


John Hoff February 26, 2011 at 8:48 am

@Keith – Thanks for the recommendation. You know I put my heart and soul into that book. By the way, check out my interview over at BlogcastFM on WordPress security.

As far as new WordPress security fixes, Matt hasn’t mentioned anything in the upgrade email he sent out and also in the 3.1 info page. To be honest though, like you said I’ve been a little out of the loop these couple of weeks because I’ve been working online mostly through my phone.

@Sire – Yes, I’ve had that happen to me before as well. That really really sucks. The best place to start is to figure out what the last thing which changed on your site.

Was it the plugin or was it the upgrade?

And sometimes it’s just a botched upgrade. It’s happened to me before. I once upgraded and my Visual editor stopped working. It wasn’t a bug in the WP version, but rather just the upgrade process had a hiccup.

Other times, it’s just that some plugin or theme is not compatible with the latest release of WordPress.

But I guess you got it working now, yeah?

@James – Glad to hear it. There’s more free info I have (in video format) if you like. Just go here and sign up for my mini course.


Keith Davis February 26, 2011 at 9:07 am

Great interview John.
You both sounded very relaxed and it came across.
Even had time for a little humour.
I’ve left you a nice comment over there.

If you do get a minute… pay me a visit at easyP and tell everyone about speaking to a video recorder or speaking to a microphone.
Or if you’re struggling for a Public Speaking topic, do what I do… make something up. LOL


Sire February 26, 2011 at 3:51 pm

No, still happening. I still think it’s the upgrade as it’s also happening on one of my other blogs, although the error messages isn’t showing.


Leave a Comment

{ 2 trackbacks }

  • An Oldie, But A Goodie | Blogging Without A Blog
  • Put A Firewall Up To Protect Your Blog From Attacks | WassupBlog

Previous post:

Next post: