WordPress hacked

There may be a lot of content management systems around, but none of them can hold a candle to WordPress. Hey, 16.2 million sites as of November 5, 2015 should give you an idea just how vastly superior and beloved this system is. WordPress security and actionable tips to prevent WordPress hacking though - still has a way to go. However, we want to help you secure your website from the get-go - prevention is better than cure, so make sure you action the tips, in this, one of our many WordPress tutorials - TODAY.



Those millions of sites, however, also face serious attacks from annoying little sods who apparently, have nothing better to do with their time but spread misery far and wide: Hackers. It’s not uncommon to wake up one morning to find your beautifully assembled website waxing poetic about herbal enlargement pills or some cause in middle-east. Empathy is short lived when it’s your personal space they’re defacing with stupid quotes. Screaming incoherently is the first course of action you will take when your site is hosting full-page ads and redirects to shadier aspects of ‘pharma’ companies.

If you’re terrified, you’re justified. Everybody wants to prevent WordPress hacking. Recovering can take some intense time and effort. So harden your website with these WordPress security best practices, lest that horrible fate befalls you. And yes, it’ll take some time and continuous effort to avoid hacking attacks.

Don't like to get your hands dirty with code? Try iThemes security and let it do the dirty work. Click this link to get 25% OFF until .

If you don't want to go through a lot of messing of files, enabling of different plugins, and lots of other things you don't really go - we also have the easy way out for you. iThemes Security is the best WP security plugin to secure and protect your website.

Not interested in WP plugins just yet? Read on!

Send me WordPress Security checklist

We’ll work up to some code work, but first, let’s take care of the basics of website security issues. Starting with:

1. Preventing WordPress hacking starts with your workstation

This is the first and most easily overlooked: your computer. You should always keep your system free of malware and viruses, especially if you’re accessing the internet with it (which you are, of course). Workstation protection is even more essential when you are conducting transactions and have a website because all it takes is a keylogger to knock out the most hardened of websites. A keylogger will read all your usernames and passwords and send them to hackers - which of course is going to create a whole host of issues and problems for your website.

Stay safe and regularly update your OS, software, and browsers on your computer. Use a good anti-virus service. Keep your eyes peeled for any vulnerability on your system and remove it before it becomes a massive pain.

2. Stay protected from the latest threats with WP Updates

Secure WordPress through it's updates

Every time a software package gets updated, it does so in the midst of a wave of excitement. You are excited because, hey, new features! Hackers are excited because Security and Maintenance Release notes. This is because, unfortunately, each WP update brings along with it a number of WordPress security vulnerabilities.

WP releases are no different. With every new update, we get additional features and upgrades, along with a page listing the security flaws in the previous version and their fixes. That page is practically a cheat-sheet for hackers everywhere. Should you fail to update in time, those flaws will be the bane of your existence. And if your site gets hacked, it will be no-one’s fault but your own. 

So don’t give lazier hackers a chance to wriggle in. Install the latest version of WP as soon as it’s released. If you’re afraid it will mess up your carefully crafted website (it’s been known to happen), create a backup before you update. This will resolve any security issues which existed in the previous version - and goes a very very long way to prevent WordPress hacks.

Want your website to get updated automatically? Check out InMotion VPS for your hosting - they have excellent WordPress specific features so you can update your site automatically as soon as they are out. We're on an InMotion VPS, and we love it!

3. Make sure that your Hosting Server is secure


Did you know that by 2013, an approximate 41% of websites were hacked through server vulnerabilities?

This rather alarming fact is true because a majority of websites/blogs are hosted on shared servers. Basically, if one site on a shared server gets infected, every other site is at risk, regardless of how secure the site/blog is otherwise. You’ll get hacked through no fault of your own.

Thought exercise: Have you ever been inside a soup kitchen? Can you picture one and imagine what happens in there? If you’re one of those lucky enough to have escaped that travesty, I’ll give you a taster (pun intended). Think of everything that has ever happened since the kitchen came into existence, spills and breaks, leaks and splashes. In a soup kitchen server, those things are never gone. They become a part of the kitchen.

Now imagine the same happening to your site. A server which scoffs at maintenance has devolved into a soup kitchen already. Unused files, data, sites, and more pile up until they become a threat to current sites.

So choose a reliable and secure host. VPS and managed hosting minimizes chances of breaches and are excellent for e-commerce sites. If shared hosting is enough for you, check out their security before subscribing for space on them. Make sure to check their maintenance schedule. This is another step which should be on your priority list if you want to prevent WordPress hacking.

4. Use Network Security to prevent password and data interception

Over an unsecured connection, data can be intercepted and you can be hacked before being able to say “unencrypted”.

This is why you should focus on secure network connections and encryptions: server side, client side, and all the sides. Find a host that allows SFTP/SSH encryption to protect your data and information from malicious intercepts.

5. Prevent hacking through complex passwords

Complex Passwords for improved security

Essential tip: create a secure password and don't reuse passwords


Our next step on how to protect WP from hackers talks about a much-cliched topic - passwords.

A startling number of people think long, complicated passwords are overrated and will prefer something shorter and easier to remember; a fact hackers know and take advantage of.

There is no other way to put this: a good strong password comprised of letters, numbers, and any other valid characters will actually go a long way to protect your blog. Brute force algorithm works endlessly, yes. But the more characters there are in your password, the longer it takes to crack it. And I mean exponentially longer.

Any personal details, or a password based on them, will be easy to crack. Don’t use single words (regardless of length), letters-only, or numbers-only passwords either. What you’re trying to do is break the known patterns to make hacking difficult, if not impossible.

Create a password which is easy to remember but hard to guess to prevent WordPress hacking - if your blog is about security, make it something like pressmyWORDSand5ecurit!$


Send me WordPress Security checklist


6. Secure through isolation: Keep your Databases Secure and isolated

Your database knows everything that has ever happened on your site. It’s a veritable well of information and that makes it damn near irresistible to hackers.

Automated codes for SQL injections can be run to hack into your website database with relative ease. If you are running multiple sites/blogs from a single server (and database), all your sites are at risk.

As the code resource puts it, it’s best to use individual databases for each blog/site and give them to be managed by separate users. You can also revoke all database privileges except data read and data write from users who will only work with posting/ uploading data and installing plugins. It is not recommended, though, due to schema change privileges required in major updates.

You should also rename your database (by changing its prefix) to misdirect the hackers aiming their attacks on it. Although this does not prevent WordPress hacking per se, it makes sure that if any databases are compromised, the hackers can't hop to the next WP installation.

7. Hide your website's login and admin name

Next on how to secure WordPress from hackers concerns the WP Administration.

Leaving WP defaults untouched is practically asking for trouble.

It is laughably simple to find your site’s admin name if you don’t actively hide it. All a hacker needs, is to add ?author=1 after your URL and the person/member who shows up is most likely the admin. Imagine how easy it would be for the hackers to use brute force once they find the admin’s username. How can you prevent hacking if you are leaving so much information available, make exploitation easier?

Solution to deter WP hacks: Hide all usernames with this code in functions.php file:

add_action(‘template_redirect’, ‘bwp_template_redirect’);

function bwp_template_redirect()


  if (is_author())


    wp_redirect( home_url() ); exit;



Your login page is also easy to access, and not just for you. I can simply add wp-admin or wp-login.php after your homepage URL, fill the username I learned from ?author=1 and sip mint juleps while the algorithm cracks your password.

Use the age-old technique of ‘smoke-and-mirrors’ and change your login page URL to make the hackers’ job that much difficult. Security plugins like Stealth Login will even do it for you - and once again, doing this simple step will go a very long way in preventing WordPress hacking.

Not sure whether you can deal with all this?

Need some help? Have a look at iThemes Security Pro - one plugin and your website is safe. Guaranteed.

8. Prevent hacking through security plugins and tricks to protect wp-admin


Your wp-admin is a seat of authority. The login page and admin directory are available to all: including those with malicious intent. To protect it and stop hacking attacks, you’ll need to work just a bit harder.

A strong password, a different administrator account (with a username that’s anything but ‘admin’), and using Stealth Login plugin to rename your login links will make definitely help to prevent hacking.

You can also strengthen the guard around admin with website security plugins like:

This 5-star rated service is one we have discovered fairly recently. Malcare is developed by the team behind Blogvault, which we've already used and found to be amazingwhich we've already used and found to be amazing. Their latest offering offers a full-blown security and website management service. It offers such staff as file scanning for core changes (to detect hacks), emergency cleaning, a built-in firewall to stop malicious traffic, update of themes and plugins directly from their dashboard and one-click backups. The best about this is you can manage ALL your sites from one single dashboard, without having to log in to each and every one of them individualy.

With a bit of code coupled with unlimited login attempts, any hacker will eventually break in. You can restrict the amount of liberty anyone is allowed to take with admin login page using Limit Login Attempts. It will limit the number of login attempts for each IP address, including your own (with auth cookies).

  • SSL - this encrypts your communications

Use the power of Private SSL to secure admin login, area, posts, and more. This enables encryption on your login sessions, meaning the password is difficult to intercept. You'll need to get an SSL Certificate and get it installed on your hosting server. InMotion offer SSL certificates for free on their hosting plans - so if you still haven't maybe it's time to switch to InMotion to get your SSL too.

Once you have confirmed with your hosting provider that you have Shared SSL and then paste this code in wp-config.php:

define(’FORCE_SSL_ADMIN’, true);

This plugin is a superb security solution in general, but some key features make it even better. First of all, it runs a website security scan. It also pays close attention to preventive measures so you actually stop WordPress hacking from happening in the first place. To protect admin area, it will remove error information from the login page.

That may not sound like much, but the error message actually helps hackers find out if they had gotten anything right. Removing the message (hint) takes away that advantage. If you want to avoid hacking, get at least some of these plugins set up.

Top Tip: The rest of the article features Advanced Website Security tips

The rest of the tips requiring tinkering with your WP installations, which brings along some risk. If you'd rather not tinker around with your installation, you might want to hire a WordPress developer to help you out.

9. How to secure WP through wp-includes

Let’s get this straight: wp-includes is the core. It should be left alone, even by you. And by no means should it be left accessible to potential hackers.

So prevent any malicious persons/ bots from sending unwanted scripts straight to the heart of your website to prevent hacking attacks. Add this before #BEGIN WordPress in your .htaccess file:

# Block the include-only files.

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]


# BEGIN WordPress


Note that you’ll have to omit the third RewriteRule if you want the code to work on Multisite.

10. Protect your wp-config for improved website security

This is one of the issues that is a bit controversial. Not everybody agrees with doing this.

Whether or not you actually move wp-config.php outside the root folder, there’s no denying that a bit of tweaking the code in this file can help harden your website and make it harder to perform WordPress hacks.

Not sure whether you can handle all of this techy stuff? There's one security plugin to rule them all

  • Start with disabling editing PHP files from dashboard, which is where the attacker will concentrate after hacking through an access point. Add this to wp-config.php

define('DISALLOW_FILE_EDIT', true);

  • $table_prefix is placed before all your database tables. You can prevent SQL injection based attacks by changing its value from the default wp_.

$table_prefix = 'r235_';

  • Move wp-content directory from its default position with this

define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );

define( 'WP_CONTENT_URL', 'https://example/blog/wp-content');

define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins');

define( 'WP_PLUGIN_URL', 'https://example/blog/wp-content/plugins');

Now if you’re not a developer, you don’t have much use of error logs. You can keep them from being accessible with this:

error_reporting = 4339

display_errors = Off

display_startup_errors = Off

log_errors = On

error_log = /home/example.com/logs/php_error.log

log_errors_max_len = 1024

ignore_repeated_errors = On

ignore_repeated_source = Off

html_errors = Off

You can find more details on configuring error logging (and how to hide logs from public), but you don’t really need to delve that deep.


11. Backup your website (just in case)

Wordpress Backup

This is the safety net. A backup is one of the first things you’ll need to restore your site if you do get hacked.

Backup your site at least as frequently as you run maintenance or update it. There’s no excuse to be lax in this department, not when there are some quite thorough services and plugins that will run automated backups for you. There is VaultPress, UpdraftPlus, WP-DB-Backup, BackupBuddy, etc.

Recommended Reading: Native vs plugin - WordPress backup using different methods

Create a schedule and let the plugin do the rest. Some of these plugins come with easy restore options. Check to ensure that the plugin is backing up the entire site, including all databases and directories. All though this does not prevent WordPress hacks, it gives you peace of mind of restoring your site if the unthinkable happens.

Send me WordPress Security checklist

12. Use trusted sources only for downloads


If you are running on a tight budget (and even if you aren’t), you might be tempted by the option of getting all the features and functionalities of premium plugins/themes for free.

In short: pirated goods.

You can't outsmart a hacker if you are downloading premium stuff from ill-reputed or unauthorized sources - they will come back to punch you in the heart. They are ill-reputed because they will fill those legit ‘premium’ plugins/themes with malware and let the stupid folks do the rest.

A hidden backdoor will be all they need to convert your brand’s online appearance into a giant poster for enlargement pills - or even worse, malware. Your site will quickly get blacklisted, even from search engines and browsers if it contains malware. 

This is a known and very popular tactic of hackers. Pirated themes and plugins are riddled with backdoors and malware. This is one of the easiest WordPress security issues to resolve really. It's best to go for a trusted theme from a trusted source, such as the one we have reviewed here: Avada theme

Remember: Pirated stuff? Don’t bother.

You’re good with official Themes and Plugin directories, so try sticking to those. You can also trust sources like Theme Forest, Code Canyon, ElegantThemes, etc.

13. Secure your website by looking like a Pro

A rookie is easier to hack. At least, that’s what most hackers think (not incorrectly). Even the Bible says: Abstain from all appearances of being an amateur; even, and especially if you are one.

Change all defaults: posts, comments, usernames, directory names, etc.

It’s easier when you’re setting up. If you already have your WP up and running, go to Settings > Miscellaneous (in your Admin controls) to change directory names. This will be another step in your drive to stop WordPress security issues and make hacking your site much more difficult.

To hide which version of WP you’re on, remember to delete /wp-admin/install.php and wp-admin/upgrade.php. Take it a step further and remove meta generator tag (“”) from wp-content/your_theme_name/header.php. You should also remove version detail from RSS feed.

To do this, open wp-includes/general-template.php. Around line 1860 you’ll find this:

function the_generator ( $args) {

echo apply_filters('the_generator', get_ the_generator($args), $ args). "\n";


Add a hash before ‘echo’ command and you’re golden.

function the_generator ( $args ) {

#echo apply_filters('the_generator', get_ the_generator ($args), $type). "\n";


14. Good WordPress Security requires Good File permissions

The rule of thumb is 755 for directories and 644 for files.

Although, this varies depending on the server and the type of file in question - in most cases, you should work very well with these permissions.

It would be best to ask your host to check, or if you've got direct access, you can do this yourself.

For directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

15. Website Security sins: Never ever set file permissions to 777 (not even temporarily)

If you are serious about wanting to stop WordPress hackers - NEVER set file/directory permission to 777 unless you want to give complete control over it to everyone, including hackers.

There is a very dangerous tendency amongst beginners to set file permissions to 777, "because it's easy", or "because we'll fix it later", or "because I'll change it later".

This is extremely dangerous - 777 means anybody who wants can change the contents of that file.

With those permissions set, your website is an open house. Once they have access to one file, rest assured it is very easy to jump to other files or install backdoors and other nasty stuff to your site.

The WP codex gives you a complete guide to file permissions: how to change them and the recommended permissions for some files. You need to balance securing your website with functionality, so start low and gradually increase permissions till you get it right. The right file permissions will surely help avoid website hacking. Again, this is one of the easier WordPress security issues to prevent, you just need to be aware of it.

16. Allow access to WP admin and login to your IP only through IP filtering

A very simple, elegant way to restrict access to the login page and admin area is through IP filtering. All you need to do is add this code to .htaccess. This suggestion comes with thanks to Sucuri, who provide an excellent WordPress security service

<Files wp-login.php>
Order Deny, Allow
Deny from All
Allow from [Add your IP address (es) here]

Now that works only for static IPs, but you can do the same for dynamic IPs with this:

<Files wp-login.php>
Order Deny, Allow
Deny from All
Allow from [Add your domain name here]

To restrict access to wp-admin directory, add this to .htaccess:

<FilesMatch ".*">
Order Deny, Allow
Deny from All
Allow from [Add your IP address (es) here]

By domain name:

<FilesMatch ".*">
Order Deny, Allow
Deny from All
Allow from [Add your domain name here]

Source: blog.Sucuri.net

17. Security Plugins to Block WP hacks

Although we don't tend to advocate the use of many plugins, when it comes to WordPress security plugins, there are some which you really might want to install to increase the resilience of your site.

Wordress Security Plugins

  • iThemes Security Pro - Listen, many of the above actions are a bit technical no doubt about that. We get that. If you are not technically inclined, we have the solution for you. iThemes Security is the best WordPress security plugin to secure and protect your website.

  • Install WP  Security Audit Log plugin - this is the most comprehensive WordPress activity log plugin. The plugin keeps a record of everything that happens on your WordPress website in an audit log (aka WordPress activity log) so you keep hackers at bay. This is because you can identify their attack attempts before they actually hack into your WordPress website, thus having the time to thwart their malicious actions. Audit Log Viewer 

Google Authenticator and Duo Two-Factor Authentication are great choices for adding an extra layer of protection on your login page. An authorization code will be sent to your email/ mobile, without which the user/hacker will not be able to log in.

Is there anything better than a nice BBQ? This plugin will block URI strings containing eval( base 64 and other suspiciously long request strings.

Check your theme for malware and hidden backdoors with this plugin before someone exploits those weaknesses in an otherwise secure site/blog.

  • Antivirus Plugins

This one is a no-brainer. Conduct frequent site scans and eradicate them before they take hold. Plugins/ services like SucuriWordfence, etc. Previously mentioned Acunetix Secure WordPress is another good one. Exploit Scanner will check your site inside out for malicious code too.

If you're interested, we've written a great comparison about Sucuri vs Wordfence which compares these two big boys head-to-head.

Send me WordPress Security checklist

The Essential Checklist to full website Security - YouTube version

Thanks to Webucator, a provider of WordPress training, we've got this checklist created as a video.


Our next part of this article deals with fixing a WordPress security hack, once it's happened.

Website hacked? - 7 essential steps to fully restore your website

Sucuri releases a website hacked trend report for each quarter. In their latest report, they have revealed that various WP releases powered 78% of the sites hacked in the second quarter of 2016.

Hacked WordPress sites remain a real problem.

(Read More: the Sucuri Website hacked report here)

That is not surprising since WP is by far the largest platform to create new websites. This leads to the fact that hackers always find it more profitable to look for vulnerabilities in WP sites. It doesn’t matter what preventive measures you take; it is impossible to guarantee the perfect security for any website.

Being the most popular platform for creating websites, the risk is significantly higher for WP sites.

Because of the increased risk and fewer guidelines about website security, we have decided to take things in our hand. The result is this in-depth tutorial. In this tutorial, we are going to introduce you to 7 essential steps you should take to fix your WordPress hacked site.

Before we begin the procedure, let’s find out what causes the problem in the first place. In general, there are two types of vulnerabilities –

  1. Common Vulnerabilities and
  2. Security Vulnerabilities.

Let’s take a closer look at each type. Both types can be exploited by hackers.

Before you begin - restoring a hacked website is not something which can be undertaken by people without sufficient knowledge. It is highly advisable to ask for help from WordPress developers who are highly skilled before attempting to do this if you're not comfortable tinkering around.

Common Vulnerabilities which result in hacked WordPress sites

The common vulnerabilities can come from either your local machine or from the hosting provider. Most of us are probably familiar with this type of problems. These problems can happen if your PC or local network is compromised. When hackers gain access to your PC or the network, they can easily target a website you own - with the result being a compromised or hacked WordPress site.

You can avoid these situations by using reliable anti-virus and anti-malware scanning tools. You need to apply common sense when using the internet. Comodo and Malwarebytes have provided some handy tips to keep your PC safe from hackers. If you are using a router, it is also important to keep the device updated with the latest firmware.

use anti virus

Secondly, the problem can arise from your hosting provider, especially if you are using a shared hosting package. As you probably know, a shared hosting package shares the server among numerous users. If any of these users don't follow the best practices, the whole server is under serious threat.

In some cases, one site in a shared hosting package gets compromised, and it allows the hacker to infiltrate other sites on the same server. In that case, you need to consult with your hosting provider, and they will take the necessary steps. This means, even if your site is fully updated and protected, you may still end up with a WordPress hacked site.

Incidentally, if you’re looking for a very secure hosting provider, you should seriously consider reading our InMotion hosting review - we feel very well protected on this service.

Now that we have identified the common vulnerabilities, let’s take a look at the security aspects.

Hacked through Vulnerabilities

There are several types of security vulnerabilities for WordPress. We will talk about the ones which are most common –

  • Weak username/password combinations: We don’t think we have to tell you the importance of using a secure password. Since the 3.8 version, WP itself has started to put more focus on forcing the users to use a strong password. There is a built-in password strength detection feature in the admin dashboard. The rule of thumb is never to use any predictable username (such as admin), and always use strong passwords. These will make it more difficult for the hackers to access your WP site.
  • Theme/plugin bugs: While it is a best practice to use familiar themes and plugins, sometimes the most popular ones can have a hidden security flaw too. If that happens, you will find the news on blogs. However, you will probably be safe if you make sure that you are using only trusted themes or plugins. Check out the reviews, rating, number of downloads, etc. to analyze the reliability. And never ever use pirated themes or plugins. It is a known fact that most of these contain harmful code, which can lead to a backdoor in your site. You’ll surely end up with a hacked WP site in no time if you use pirated versions of themes and plugin. What you think is free will cost you much more than you expect if fixing your hacked website.
  • Not updating WP core, themes, or plugins: Using an outdated version of WP, themes, or plugins is another major reason for breaches resulting in hacked websites. Most updates include something to improve the security and performance of your website. Therefore, it is necessary that you update your website, themes, and plugins as soon as they are available. Make sure to perform a full site backup before updating.

What to Do When Your WordPress is Hacked?

It doesn’t matter what measures you take; some evil jerk will always find newer ways to access your site. If you have fallen victim to WordPress hacking, don’t panic and follow the steps described below.

1. Identify the Type of Hack

The solution to getting your site back depends on the type of WordPress hack. That means the first step is to define the type.

detect hacking type

Here are the questions you should ask to do that :

  • Can you access the admin section?
  • Is your site being redirected to another site?
  • Are there any unknown link(s) on your site?
  • Is Google warning the visitors about your site?
  • Has your hosting provider informed you that your site is looking suspicious?
  • Is your site showing unknown adverts in the header, footer, or other sections?
  • Are there any unwanted popups displayed?
  • Is there an unexpected spike in the bandwidth usage?

Go through the questions one by one and try to find out the answers for each of them. This will help you find the best course of options to regain control of your hacked WordPress site.

2. Try Restoring from Backup

If you follow the best practices, you should have daily, weekly, or monthly backups of your site. The backup frequency depends on how frequently you post or make changes to your website.

When you are taking regular backups, regaining your hacked WordPress site is as easy as restoring the latest backup. If you have set up an automatic backup schedule, find out the last backup before your site was hacked and restore that version.

restore from backups

You then need to make sure that you update any plugins, themes or anything which had not been updated.

What if you didn’t take backups of your site? Does that mean you have lost your site forever?

No actually.

There are other options too. Most reputed hosting services keep regular backups of their client sites. Ask your hosting provider if they keep a backup. If they have, you can ask them to restore your site from the last stable backup.

If there is no backup, you’ll have to go through a procedure of cleaning your hacked WordPress site which we show below.

3. Seek Help from Your Hosting Provider

More than 40% of the hacked websites had some security vulnerability on the hosting platform. Therefore, when you get your WP hacked, asking your hosting provider to help you get back your site could be a good idea.

seek help from host

Any reliable web hosting company should be willing to help you in these cases. They employ professionals who deal with these situations every day. They are very familiar with the hosting environment and have access to advanced website scanning tools.

Therefore, they will be able to help you fight back most of the common website hacking attacks. If the hack originated from the server, your hosting company would be able to help you get back the site.

4. Scan for Malware

In many cases, hackers gain access to your website by using backdoors. Backdoors create unauthorized entry points to your website. When using backdoors, hackers can access your website without requiring any login information and remain virtually undetected.

malware danger

Here are some common locations of the backdoors which you need to check if your website was hacked –

  • Themes: Most hackers prefer to put the backdoor in one of your inactive themes. By doing this, they will still have access to your website even if you keep it regularly updated. This is why it is crucial to delete all of your inactive themes.
  • Plugins: The plugins folder is another potential place for hiding the malicious code. There are several reasons for that. First of all, most people never think about checking the plugin files. They also prefer not to update the plugins as long as they are working. What’s more, there are some poorly coded plugins which could be exploited to gain unauthorized access to any WP site.
  • The Uploads Folder: In a standard scenario, you will never think about checking the uploads folder. There is no reason to do that. That folder only contains the files you uploaded, right? Well, not that simple. Some hackers prefer this folder because they can easily hide the malicious file among hundreds or thousands of files spread in different folders. As the folder is writeable, it also serves their purpose.
  • The Includes Folder: This is another folder often ignored by most users. As a result, hackers put the backdoor in this folder and get complete access to your site.
  • The wp-config.php File: This is a very common place for finding the malicious code. However, as the file is very well-known, sophisticated hackers avoid using this file. But it is still a good place to get started.

Don't like to get your hands dirty with malicious scripts? Try iThemes security and let it do the dirty work.

The only way to get rid of the backdoor is to remove the malicious code from the website. There are several plugins which allow you to scan your website for malicious code. Among them,  iThemes SecurityWPMUDev DefenderSucuri Security, Exploit Scanner, Theme Authenticity Checker, etc. are the most common names.

You can use these free plugins to detect any unwanted change in the themes, plugins, and core files of your website.

sucur security plugin

If the plugins find any suspicious file, take a full backup and delete the file. And if a theme or plugin is compromised, remove that from your site. Download the latest copy and upload it to your website.

In case the change is detected in any of the core files, you can replace the affected file(s) with original files from another reliable WP installation.

Alternatively, you can download WP manually and use the necessary files.

5. Check User Permissions

It is likely that you have several users on your website. As you already know, they have different capabilities based on their user role. Sometimes, WordPress hackers create a new user with the necessary permission so that they can log into your site even if they lose the backdoor.

Or they may actually use a username which has a weak password to hack your website.

To prevent this from happening, go to Settings > Users from the dashboard. Review all the users and their roles. Most importantly, make sure that no unauthorized account has the admin role assigned. In the case of doubtful accounts, delete them instantly. If they are valid users, you can always recreate the accounts later.

  • Here are some more best practices to follow –
  • Never use the ‘admin’ username on your site. If you already have that username, change this as soon as possible. Also, avoid using any common username that hackers can guess.
  • Use two-factor authentication to prevent unauthorized access to your website. Here’s how to do this by using Google Authenticator.
  • Integrate CAPTCHA in your login forms. This is an effective way to prevent bots or automated scripts from accessing your website.

6. Change the Secret Keys

Secret Keys is a handy security feature of WP. These keys contain randomly generated text which help in encrypting the information saved in cookies. If you don’t have the numbers added already, you should do it now. And if you have them, this is high time you have changed them.

First of all, generate your secret keys from this link. The random code generator will create a new set of unique codes every time you refresh the page.

Now, get back to your website and open the wp-config.php file. Head towards line 49 and you will see something like the following. The line number may vary on your file, but you need to find out the following section –

wordpress security keys

Replace the values with the ones you generated a while ago. Save the file. If you were logged in to the admin, you would be asked to log in again.

7. Change ALL Your Passwords to prevent your website getting hacked again

This is a common but critical step in restoring a hacked WordPress website – reset all of your passwords. The common passwords include WP admin, cPanel, MySQL, FTP, etc. Reset all these passwords along with any other service you use on the website.

When doing that, make sure you are using a strong password. If possible, you should force your existing users to perform a password reset for their accounts as well.

wordpress password strength checker

Here’s how to change the passwords –

  • For changing the password, go to Users > Your Profile from the dashboard. You will find the new password field in the ‘Account Management’ section.
  • For changing the cPanel, MySQL, FTP passwords, log into the control panel of your hosting account and follow the available options. If you are confused, contact the hosting support to get help.

Future Steps to Avoid Getting Hacked

While the steps mentioned above will help you restore your website, you should consider this as a warning sign. Here are some important steps you should take to make sure your site remains protected in the future from any other WordPress hack attempts –

  • Create A Backup Schedule: As you realize now, having regular backups of your website is critical. Fortunately, you don’t have to do this manually. There are lots of free and premium plugins to help you keep regular backups of your site. UpdraftPlus is a popular free backup plugin, while VaultPress and BackupBuddy are some highly recommended premium backup solutions.
  • Update Everything: We guess we don’t have to stress the importance of keeping your site updated. You should update the WP core, active themes, plugins. At the same time, make sure you delete the unused themes and plugins too.
  • Set up a Security Plugin: If you want to enhance the security of your website, you should use a hardening plugin like
  • Consider a Managed Hosting: When you choose a managed hosting, they will handle the security, maintenance, performance, and other issues for your website. That means you won’t have to worry about all these steps. Some reliable managed hosting providers include InMotionWPEngine, Kinsta and Pagely.
  • Limit Login Attempts: By default, WP allows anyone to try unlimited passwords for any account. This leads to brute force attacks and possible site vulnerabilities. Fortunately, there are some free plugins like Login LockDown and Loginizer Security to help you limit the login attempts.
  • Disable PHP Execution: In most cases, hackers create backdoors by creating PHP files which look like core files. You can prevent these threats by disabling PHP execution in the relevant directories, like the uploads and includes folder. Here’s a step-by-step tutorial to do that.
  • Add Extra Password for Admin: Another handy trick to keep your site safe is to use an additional password for accessing the admin section. This is very easy to do in cPanel. Follow this tutorial to add the password in your WP admin.
  • Install a local antivirus: it is actually quite common to have websites hacked or compromised via virus or worms which have infected your home or work machine. Make sure you've got an antivirus installed on all the machines from which you access your website

Prefer video? Watch this video from Sucuri

If you have some time to go through the following video which can help to identify WordPress hacked sites and how to fix them. We’ve mentioned Sucuri a few times in this article, this video from Sucuri is quite a complete view of hacked sites.


Final Words: how to fix your hacked website

Being a victim of WordPress hacked site is a horrible experience, especially if this is the first time. However, now that you have read this article, you should have a clear idea about the necessary steps to get your hacked website back.

Feel free to bookmark and share this article so that others can know about the steps too.

Have you ever had any of your sites hacked? If yes, please share your experience and let us know how you got the site back in the comments below.

Bottom Line

If you’re confused, just go for a managed hosting solution and let someone else handle it for you.

This is just the beginning. As the web continues to evolve, so will the hackers and their attempts to infiltrate your site and chuck you out. Stay one step ahead by learning more about your friendly CMS and keeping up with updates and your stay on top of WordPress security - this will for sure ensure you prevent website hacking.

Stay secure.


Need help getting your website cleaned? Try these top-rated affordable gigs on Fiverr!

fiverr logo

Click here to find experts on WordPress security.

Click here to create a full WordPress website.


About the Author
David Attard
Author: David AttardWebsite: https://www.linkedin.com/in/dattard/
David has been working in or around the online / digital industry for the last 18 years. He has vast experience in the software and web design industries using WordPress, Joomla and niches surrounding them. As a digital consultant, his focus is on helping businesses get a competitive advantage using a combination of their website and digital platforms available today.

One more thing... Did you know that people who share useful stuff like this post look AWESOME too? ;-)
Please leave a useful comment with your thoughts, then share this on your Facebook group(s) who would find this useful and let's reap the benefits together. Thank you for sharing and being nice!

Disclosure: This page may contain links to external sites for products which we love and wholeheartedly recommend. If you buy products we suggest, we may earn a referral fee. Such fees do not influence our recommendations and we do not accept payments for positive reviews.