Jean-Louis Vill

Jean-Louis Vill

EN / FR
Illustration of an open book surrounded by shadowy tendrils and glowing fragments, symbolizing a WordPress author site compromised by invisible attacks.
An author website can be quietly hijacked — long before visibility collapses.

WordPress Security for Independent Authors

by

Jean-Louis Vill — Light Novel Author (Isekai & Fantasy)
Saga: ISEKAI: The Otherworlder's Heir
in

How Invisible Attacks Can Destroy Your Visibility Without You Knowing

This article is intended for independent authors who manage their own websites.
It is not written for IT specialists, but for creators who need to understand the real risks and the concrete actions required to protect their work.

Like the sitemap—often seen as a minor technical detail—some invisible aspects of a website actually determine its coherence, how search engines interpret it, and its ability to remain visible over time.

WordPress itself is not the problem.
It is a target precisely because it is widely used.

The goal here is simple: explain how an author’s website can be compromised without any visible symptoms, and how to implement basic protections that are sufficient to move it out of the range of mass, automated attacks.

The Real Risk: What You Don’t See

The most dangerous aspect of this type of attack is not the attack itself.
It is the time during which it remains invisible.

In my own case:

  • the content injection was not detected immediately;
  • even after securing the site,
  • it took several months before Google stopped displaying the injected pages.

During that time, the real consequence was not just a drop in traffic or “lower performance”.

Google gradually stopped showing my site for searches that were directly relevant to my content.

That is the core problem:
the site becomes non-relevant in search results, sometimes to the point of partial or total deindexation.

This is often where authors give up—believing their work has no audience—when in reality, their site has simply become invisible.

How to Detect a Problem Quickly

You do not need special tools to detect the most common warning sign.

Simply search in Google:

site:yourwebsite.com

If pages appear that do not belong to your site, contain unrelated content, or clearly do not match what you publish, your site has been affected.

That signal alone is enough.

Environment Assumptions

The examples below assume a standard hosting environment:

  • LAMP or WAMP stack
    • Linux or Windows
    • Apache
    • MySQL
    • PHP
  • A typical WordPress installation
  • Access to site files via FTP or SFTP

These examples are not intended for exotic or custom server setups.

Accessing Your Website Files

These protections require access to your site’s files, usually via FTP or SFTP, provided by your hosting company.

This access allows you to edit or inspect:

  • the .htaccess file,
  • the wp-config.php file,
  • specific sensitive directories.

There are well-known free tools that allow this kind of access.
Your hosting provider usually documents them, and a simple search will point you to appropriate software if needed.

Concrete, Minimal Protections

Protecting the Login Page

Brute-force attacks overwhelmingly target the WordPress login page.

A simple and effective protection is to restrict access to the login page by IP address.

This is done in the .htaccess file:

<Files "wp-login.php">
  Require all denied
  Require ip YOUR_IPV4_ADDRESS
  Require ip YOUR_IPV6_ADDRESS
</Files>

Only your own IP addresses are allowed to access the login page.
Everything else is blocked.

Disabling XML-RPC

XML-RPC is one of the most frequently exploited entry points.

If you do not explicitly rely on mobile apps or services that require it, disabling it removes a major attack surface.

In .htaccess:

<Files "xmlrpc.php">
  Require all denied
</Files>

If a service later requires XML-RPC, this decision can be revisited.
By default, closing it is the safer position.

Blocking Script Execution in the Uploads Directory

Injected malware often hides in uploaded files.

Preventing script execution in the uploads directory blocks a common injection vector.

Create or edit an .htaccess file inside /wp-content/uploads/:

<FilesMatch "\.(php|phar|phtml)$">
  Require all denied
</FilesMatch>

Uploaded files remain accessible as media—but executable code is blocked.

Disabling Risky Admin Features

Two WordPress features are rarely necessary on an author’s site:

  • XML-RPC (already covered),
  • file editing from the admin dashboard.

In wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This prevents attackers from modifying theme or plugin files even if admin access is compromised.

Logs and Error Files: A Commonly Overlooked Risk

WordPress does not create a debug.log file by default.
However, as soon as debugging or logging is enabled—temporarily or accidentally—a file such as:

/wp-content/debug.log

may be created and become publicly accessible.

These files can expose:

  • internal paths,
  • file names,
  • technical details useful to attackers.

What to Do

If logging is enabled:

  1. Do not leave logs inside the public site directory
  2. Redirect logs to a location outside the web root
  3. Restrict log visibility to your own IP if needed

Example in wp-config.php:

define('WP_DEBUG', true);

$allowed_ip = 'YOUR_IP_ADDRESS';

if ($_SERVER['REMOTE_ADDR'] === $allowed_ip) {
    define('WP_DEBUG_DISPLAY', true);
} else {
    define('WP_DEBUG_DISPLAY', false);
}

@ini_set('log_errors', '1');
@ini_set('error_log', '/path/outside/webroot/site-errors.log');

Errors still exist—but they are no longer exposed.

As an additional safeguard, log files that remain inside the site directory can be explicitly blocked via .htaccess.

Controlling What Google Indexes

Google can index technical pages with no editorial value.

This should be avoided.

Where to Act

In the robots.txt file.

Example

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /feed/
Disallow: /*?*

The effect is simple:
Google focuses on your actual content, not your site’s infrastructure.

Note:
If unwanted pages have already been indexed, additional measures (such as noindex via meta tags or HTTP headers) may be required. These cases go beyond the scope of this article.

Why This Matters for Authors

The danger is not dramatic hacks or visible defacement.

The real danger is silent disappearance.

When a site is polluted, misinterpreted, or diluted:

  • search visibility collapses,
  • relevant pages stop appearing,
  • the author becomes invisible online.

The work is still there.
The readers simply never see it.

Final Note

This article belongs to the same line of thinking as my earlier piece on the sitemap—a tool often misunderstood, yet essential to site coherence and visibility.

These topics are not about aggressive optimization.
They are about invisible foundations that determine whether a site can exist, endure, and be found.