Oh Sh*#! What to Do When Your WordPress Website Has Been Hacked

Posted on February 6, 2014 by in Tips & Tricks | 106 comments


I was away from my computer when I received this text: “FYI: Your website’s been hacked. Might want to fix that.” Which, obviously, is the precise moment my stomach decided to hit the floor and my body broke into a cold sweat.

I’d just published an article on another popular WordPress blog about “How to Customize WordPress like a Web Design Pro” and I knew my site was getting a lot more traffic than usual. Hence, the text. But to make matters worse, I’d also just had a big client meeting for a new consulting gig and the guy in charge of hiring me was planning to look at my website that night.

With new visitors pouring in and an important potential client investigating my professionalism, I had no website. I had worse than no website! My domain was a plain black background with atrocious, bright red, block letters declaring, “ThIs SiTE iS thee B^tch uff Syrian Hackkkk3rsS!!!!!!!! Wee [email protected]!”

As you can probably imagine, my first thoughts were, “FFFuu-aaantastic.”

I mean really, what a horrible thing. To realize something you’ve put so much time, effort, money and emotion into has been replaced by some 13 year old’s idea of a good joke; and at the worst possible time. Or porn. Or a get rich quick scheme. Or anything other than the site you built to represent your brand to the world.

If that’s why you’re reading this post, go ahead and skip down to the “What to do if you’ve been hacked” section and get yourself sorted out. The rest of us are going to look at how most WordPress installs become compromised in the first place, what to do if you’ve been hacked, and how to prevent it from happening again in the future.

Even if you’ve never had WordPress security issues before, I can assure you: you don’t want to start. So let’s begin by looking at general security vulnerabilities, and then specifically at those unique to WordPress.

General Vulnerabilities


For the “average” WordPress user, there are two main security vulnerabilities that I’d classify as “general” which really have nothing to do with WordPress itself.

  1. Your local network/machine
  2. Your shared hosting provider

Local Network/Machine: When it comes to your local network/machine, you simply need to keep things clean and up-to-date. It’s a good idea (especially on a Windows machine) to regularly run a full malware and anti-virus scan, and to keep that software up to date, along with your router’s settings and firmware. If you’re not keen on investing in anti-virus software, you can use this article to help you locate and delete infected files.

Shared Hosting Provider: Next, you need to check with your shared hosting provider. The hack may have affected multiple sites and may not even have originated with your install. That’s not extremely important if you still ended up getting hacked, but in those instances it can be a small comfort to know you haven’t been specifically targeted. And on a practical note, you should know whether your host was responsible or a shoddy theme/plugin was.

In the instance I described above of my own experience, it was my shared host that had been initially compromised. A script was then used to quickly check all WordPress installs on my shared server, replace the wp-config.php files and place that lovely message on the home page of each site.

Thankfully, as far as WordPress hacks go, it ended up being pretty mild in the end. That didn’t change the fact that I nearly had a heart attack when it happened, but at least it was fixable. All I had to do was dig into one of my backups, restore my wp-config.php file via FTP and delete a few files in my themes/plugins folders that looked out of place. Though just to be safe I did end up doing a completely new install. And I began looking for a new host.
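The cleanup described above (spotting a replaced wp-config.php and out-of-place files under themes/plugins) can be made systematic by hashing the whole site tree and diffing it against the same tree from a known-good backup. This is an added example, not the author’s code or any plugin’s; the two miniature site trees and the file names in it are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root, POSIX separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath, name)
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed on the live site relative to the trusted baseline."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative_path: content} dict on disk (used only for the constructed demo)."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


# Constructed miniature of a WordPress tree as it looked in the last good backup.
CLEAN_SITE = {
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\ndefine('DISALLOW_FILE_EDIT', true);\n",
    "wp-content/themes/mytheme/header.php": "<?php wp_head(); ?>\n",
    "wp-content/plugins/akismet/akismet.php": "<?php // plugin entry point\n",
}

# Constructed picture of the same tree after the kind of incident the post describes:
# wp-config.php swapped out, the theme header defaced, a stray PHP file dropped into
# uploads, and one legitimate plugin file gone.
HACKED_SITE = dict(CLEAN_SITE)
HACKED_SITE["wp-config.php"] = "<?php\ndefine('DB_NAME', 'wp');\n// hardening line removed\n"
HACKED_SITE["wp-content/themes/mytheme/header.php"] = "<?php echo 'defaced'; ?>\n"
HACKED_SITE["wp-content/uploads/.cache.php"] = "<?php // unexpected file in uploads\n"
del HACKED_SITE["wp-content/plugins/akismet/akismet.php"]


def demo() -> dict:
    """Build both trees in a temp dir and diff them; returns the change report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        write_tree(backup, CLEAN_SITE)
        write_tree(live, HACKED_SITE)
        return diff_manifests(build_manifest(backup), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}:")
        for p in paths:
            print(f"  {p}")
```

On a real site, generate the baseline manifest from a fresh download of the same WordPress, theme and plugin versions (or from a backup taken before the incident) and keep it off the server, so an intruder who can edit files cannot also edit the manifest.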

Security Vulnerabilities in WordPress


While there are numerous ways in which a WordPress site can be vulnerable to attack, the following four weak spots are most commonly at fault when a WordPress site is hacked:

  1. Weak usernames/passwords
  2. Theme or plugin bugs
  3. Not updating WordPress core and themes/plugins in a timely manner
  4. Jerks who hack WordPress sites

On Weak Usernames/Passwords: You may or may not have noticed but as of WordPress 3.8, the standard “password strength detector” forces you to create something extremely strong. This is undoubtedly part of the WordPress Foundation’s efforts to help reverse this particular statistic. The takeaway being: ditch the “admin” username and go as difficult as possible with your password (mixing letters, numbers and letter-case throughout). It’s not worth keeping it simple if that also gets you hacked. Just write it down (if you have to) and above all, keep it private. To learn more about how weak usernames/passwords can lead to a hacked site, just check out this article on WordPress “brute force attacks”.

On Theme or Plugin Bugs: Occasionally, even extremely popular premium themes/plugins will have an unexpected security flaw. In which case, it’ll most likely be big news in the WordPress blogosphere in short order. However, a lot of headaches can be avoided by simply reading up on the plugins you’re installing, before you install them. Stay away from free themes/plugins when they are not from the official WordPress Directories. Also, try to stick to themes/plugins with four and five star ratings. And to be on the safe side, just Google this: “[insert plugin name] security” and make sure nothing alarming shows up.

On Not Updating WordPress Core and Themes/Plugins: It’s understandable that if your site is highly dependent on the functionality of a few plugins, you’re going to want to wait until they’re compatible with the newest version of WordPress before you update your core. However, high quality and reliable plugins will almost always have an update within hours or days of the WordPress core release–if one is needed at all. As a rule of thumb: if you see that an update is available, back up your site and run it.

On Jerks Who Hack WordPress Sites: One might think pointing this out is redundant, but I wanted to list it anyway. It’s important to remember that there are jerks out there (as well as misguided wannabes with malicious scripts) just waiting for you to slip up. So stay vigilant, follow the best practices below, and you should be ok.

What To Do If You’ve Been Hacked


In the event that you have been hacked or think you’ve been hacked, follow the steps below:

  1. Regardless of how it happened, you’ve been hacked. Take a deep breath. Stay calm. Don’t do anything rash.
  2. First things first, clean up your local machine (run anti-virus) and update everything.
  3. Next, log into your hosting account and check with them to see what’s going on. Make sure that you’ve actually been hacked. It may simply be that they’re experiencing a service outage for your site. If you are definitely hacked, as I was, then send them a support message asking if they can trace what happened and what caused it.
  4. While you’re in there, change all of your backend passwords (FTP/SFTP/MySQL) and the passwords for everyone who has access to your site.
  5. Ideally, you’ve recently backed up your site and can walk through a simple restoration tutorial, like this one. If that is not the case, then now would be the time to begin backing everything up. Check out Kevin Muldoon’s recent post on VaultPress for this particular how-to.
  6. Close any backdoors the hacker may have left and secure your wp-config.php file.
  7. Update everything.
  8. Change your passwords again, just to be safe.
  9. Consider a premium security solution such as managed WordPress hosting and/or Sucuri. ManageWP is another good option for those who would like to keep their shared hosting, but want some added security and support.
  10. Finally, be sure to follow all applicable WordPress security best practices in the future (listed below).

Wrapping Up & Moving Forward: WordPress Security Best Practices


So that was unpleasant. What can you do to make sure you never have to go through that again? Follow these WordPress security best practices:

  1. Always update WordPress core, themes, and plugins right away.
  2. Back your site up daily; either via your host or one of the many trusted WordPress backup plugins such as VaultPress, BackupBuddy, BackWPup, BlogVault, etc.
  3. Never use the default “admin” username.
  4. Create a unique and difficult password that contains upper-case and lower-case letters, numbers and symbols. Avoid any permutations of your name or the name of your site.  The more random the better.
  5. Secure your wp-config.php file.
  6. Hide your username.
  7. Hide your version of WordPress.
  8. Limit login attempts.
  9. Disable file editing in the dashboard by adding the following to your wp-config.php file: define( 'DISALLOW_FILE_EDIT', true );
  10. Install WordPress File Monitor Plus to receive notifications every time your files are edited.
  11. Always use SFTP when logging in to your site via an FTP client or your hosting panel.
  12. And once again, consider premium options such as managed hosting, Sucuri or ManageWP. Peace of mind is surprisingly valuable!
  13. Or, if you’re up for some advanced DIY security, check out this definitive guide to WordPress security.
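Best practice 8 above (limit login attempts) is what a login-limiting plugin does for you on the live site. As an added example, not code from the post or from any plugin, here is the same detection logic in Python, run over a few constructed Apache/nginx combined-format access-log lines, which also lets you review a log after the fact. The IP addresses, timestamps and threshold are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def is_failed_login(rec: dict) -> bool:
    """Decide whether a request record is a failed password attempt."""
    if rec["method"] != "POST":
        return False
    if rec["path"] == "/wp-login.php":
        # WordPress re-renders the form with a 200 on failure; success is a 302 to wp-admin.
        return rec["status"] == 200
    # xmlrpc.php answers both outcomes with 200, so every POST there counts as an attempt.
    return rec["path"] == "/xmlrpc.php"


def find_bruteforcers(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: ISO timestamp} for each IP whose failed logins reach `threshold` within `window`."""
    recent = defaultdict(deque)  # per-IP timestamps inside the sliding window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # expire attempts older than the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"].isoformat()
    return flagged


# Constructed sample: one address hammering wp-login.php, one real user who fails once
# then logs in, one unparsable line, and a later XML-RPC probe.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2014:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Feb/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
203.0.113.7 - - [06/Feb/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Feb/2014:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [06/Feb/2014:10:00:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
203.0.113.7 - - [06/Feb/2014:10:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 300 "-" "python-requests/2.2"
"""


def demo() -> dict:
    """Run the detector over the constructed sample with the default threshold."""
    return find_bruteforcers(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, when in demo().items():
        print(f"{ip} reached the failed-login threshold at {when}")
```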

My Personal Recommendation

Personally, I would much rather spend my time creating content than messing around with the database side of WordPress. Which is why my personal recommendation is to hire professionals! I use premium, managed WordPress hosting via WPEngine and they take care of everything. I don’t even have to bother with any of the plugins I’ve linked above. They automatically back up my site, manage security, and in the event that I am still somehow hacked, they will fix it for free.

Sure, I pay a premium for their service, but if that means I never have to deal with being hacked again–I’m ok with that. Plus, having a blazing fast (and secure) site allows me to do more business with greater peace of mind.


  1. Great post!! Nice to see some attention for wp security.

  2. great article. you can never be too careful when it comes to online security.

    • So true. It’s not worth it to be cavalier in this area. Lock it down!

  3. Excellent and timely article on WordPress security and how to prevent hackers. This also happened to my own VPS Hosting service last week with an dumb Iranian song blasting at my customers and message about being the Spawn of Satan!! Plus a nasty Phishing site was uploaded to a client’s site! After several mild heart-attacks we stopped the Malware and cleaned it all up, and added several new layers of security, one being Better WP Security plugin and also Wordfence has some great options for security too.
    This article needs to be posted everywhere! Great job.

    • Thanks! Feel free to spread the link my friend 🙂

  4. Nathan you’ve got it in one about using WP Engine; they guarantee to restore your site… should you ever get hacked.

    Only problem is the cost of managed hosting for the average blogger.

    I’ve taken a middle course.
    I use a good web host and I use the premium Sucuri plugin on all my sites.

    • I can understand where you are coming from on the cost. However, I think even the average blogger can justify the expense. When you buy hosting, the price is usually displayed in a relatively low per month pricing bracket. But of course, you actually pay one lump sum. When it comes down to it, paying that big lump sum, even for shared hosting, is never “convenient”. And getting hacked because of that crappy hosting is REALLY not convenient. If you’re hacked because of a shared host, it can cost you hundreds if not thousands in hours of your time to fix it. So in the end, you might pay a lump sum of $200 as compared to $120 for a base managed hosting package versus a regular shared hosting package. Still seems worth it to me.

  5. One thing I always tell my clients is they should always have a copy of their most recent backups. Very helpful in disasters such as what you experienced.

    I remember I had one client who needed a backup restored and his web host wanted to charge him $150 for it. The next day he got hacked and his host agreed to do the restore for free.. so yeah, I guess sometimes getting hacked has its perks? Lmao

    • I wouldn’t go that far….but I can agree that backing up is ALWAYS a good idea 🙂

  6. My site was hacked TWICE in three days while I was moving back in September/October. What a nightmare to log on the minute I got internet hooked up to see that my website had been hacked, and then to have it happen again not 3 days later. It is a nightmare to say the least. Mine was through a bad theme, which was finally figured out and deleted. I now use Wordfence Security plugin (http://wordpress.org/plugins/wordfence/) and my site is finally safe and sound. At least I can sleep better having it on the job. Thanks for a great article!

    • Wordfence is a great plugin indeed. I use it on a couple of projects and it does its job well. 🙂

  7. Great timing! I just opened the doors to my brand new Divi themed website yesterday and this morning, not even 24 hours after I opened the doors, I got a notice from my security plugin that a user with an IP address in Russia was blocked after too many login attempts. It does not take long for the bots to find fresh meat.

    • Hi Shawn,

      I visited your site yesterday. This morning my McAfee scan shows your site as a harmful site.

    • Sounds like you might want to run through the steps in the post. I hope you’re able to sort that out.

  8. I could write a book on this topic after our server was compromised by a similar group of hackers. I dug through pages and pages of info to learn how they did it. It’s amazing what tools are available to the scum of the world that allows them to perform these destructive acts. What’s really sickening is they don’t have any other reason to do it except that… it’s fun. Our server has about 80 WordPress sites hosted. They compromised about 35 of them before we stopped the activity.

    • Please write a book on it and I will be the first to buy!

    • I second bb. Write the book! Posts like this are good resources, but things change fast and new info is needed all time. So maybe an e-book or e-course? So you can push updates…

  9. Great post, very easy to understand. I would like a post with info about the personalized fields that appear in many themes.

    • Can you give me a bit more context? I’m open to taking requests but I’m not sure what you mean.

  10. I so GET this Nathan – a great resource you’ve created here. I look after all the sites for my clients after development (labour of reluctant love) and last year had a horrendous time – refer here – http://loudcow.com.au/wp-engine-review-true-love-baby/ (Full disclosure – affiliate links).

    I followed all best practice as you mention above – but still – screwed over again and again. It almost killed me and my business. Hosts were useless and continued to blame WordPress.

    WPEngine were my saviours. Sucuri were awesome too.

    Sucuri + WPEngine = sleep at night.

    I know WPEngine use sucuri to scan as well but I like to have those content modifications emails coming through just so I can check things over.

    Brilliant, thorough post. I’ll keep it as a resource. Thank you – Catie

    • Interesting. I looked up Sucuri, and it tried to tell me that one of my pages had MALWARE on it, but when I looked into the problem, it was simply just too much text and formatting. When I reduced it, the page was fine. I don’t know if I would trust software that thought a fatal exception due to formatting was malware… especially when it’s in their interest to want people to pay for their software to be “protected”

      • I think the Sucuri scan is a great tool, but it isn’t perfect. Better to have a false positive then to miss possible malware 🙂

    • Thanks for the kind words! And I’m right there with you: peace of mind is SO worth it.

  11. Thanks for the tips, Nathan! My best recommendation is to always backup, backup, and BACKUP your sites. I always do my best to protect my sites but, at the end of the day, even the biggest players can be (and often are) hacked.

    So how do I backup my virtual life? I do fully automated daily backups with my VPS, set up backup cron jobs (3 types of backup are created: daily, weekly, monthly), next the files are encrypted with a strong (+20 characters) password and sent to my S3 account. I also use an automated SFTP process to download the backups on my local machine and send the backups further to another cloud service. And I use a scheduled batch file to copy the backups to my local SD card (always plugged in).

    So, I don’t really use any backup plugins, but I recommend the Login Security Solution (http://wordpress.org/extend/plugins/login-security-solution/) plugin. This amazing plugin + Sucuri subscription (and their WP plugin) are very effective combo. I used to use Wordfence, but found out that Sucuri is enough.

    And the last advice, if you run an online business, please do yourself a favor and NEVER use shared hosting. High quality VPS hosting solutions are fairly priced these days, and there are no excuses not to use it. After all, you don’t share your bedroom with half of town (OK, some do;), so why should you do the same with your own business.

    Thanks for the article!

    • Also, check with your host, as most of them will provide automatic regular backups of your blogs. No intervention or plugins required.

  12. Last week, one of my clients’ websites was hacked. Of course my client uses Foxy Theme for his website.

    First file changed (that I saw in logs)? 404.php page from theme. Next? Few other files and everything was messed up.

    So, yes, Occasionally, even extremely popular premium themes/plugins will have an unexpected security flaw.

    good job.

    • Not to step in with a shield for ET, but ANY theme can be hacked if the site is not properly secured in all other aspects, and it will be the theme installed and in use that will be decimated by the hackers.

      If they find a backdoor, then they have FTP access to every single file in the installation, including the current theme, which is not the theme’s vulnerability, but the fact that any n00b [email protected] who finds that backdoor can edit whatever the heck they want in any file or directory once they get in.

      • We take security in our themes seriously, and even have them audited by third party security specialists such as Sucuri. There are many ways that a website can be compromised, themes and plugins being just a few items on a very long list.

  13. I’ve consolidated the best of what I’ve read about WordPress security and put it on secure-your-website.com. There’s nothing for sale there, and no links to anything for sale. All the suggested plug-ins are free, and there are three levels of security suggestions. The first taking less than 15 minutes, and the most secure, taking less than an hour and requiring a bit more skill. I hope it helps.


    • Your website has been hacked !!!

      ok I’m joking lol
      I’ve bookmarked this post and your site for further reference.. just in case

  14. It happened to me in January 2013. First, they hacked my main website. With help, I could restore it. I thought that was already solved. A week later, they hacked all my websites, all of them, and deleted all my files. Everything was destroyed. The server had no previous backups to the first hack (I did not want to use the last backup for possible backdoors left by the hackers the first time). I’m still redoing sites today… Fortunately, my clients have been very understanding. But I had to spend last year working back, with almost no new projects. I changed server, but… I do not feel quiet on this topic anymore

    • Oh man, I’m so sorry that happened Laura. What a ^&*(^&%&%(^&*! Well, you know what I mean. I’m not sure about the cuss word policy on this blog yet but I’m dropping a few in person for you. If it’s your business and you have paying clients, I would definitely use a managed host in the future. You can charge more and be more confident in your sales tactics that it will never be a problem again.

  15. Thank you so much for this post!! A client website just got hacked last week, and google / web browsers flagged it as a malware site. Spent way too much time trying to figure it out.

    Thanks for posting all this exceptional content for free!

    • No problem Kyle! Hope you get that sorted out.

  16. I think the Wordfence Premium plugin does a very good job at keeping hackers and spammers at bay, but you need to take some time to set it up correctly.

    • I’ve actually never used that plugin, but if you have found it to be helpful and done your research then good on ya!

  17. I highly recommend installing the following plugins (and configuring them) – All from within your wordpress dashboard plugins section:


    That is all, and yes, keep updating your themes and plugins, and run as lean as you can on plugins.

    • Hi Peter,

      When you say “That is all”, are you recommending that these are the only 3 plugins needed to secure your WordPress site based on your experience?

      Interested to hear your thoughts. Thanks.

  18. Lots of great advice all around. The one thing for those who do lots of WordPress sites like we do is time. (We’ve got hundreds) To go back and change everything will take time and we’ll eventually do some of the things mentioned here.

    One of the least expensive solutions we have found is to use Cloudflare.com. We are currently using it on over 100 sites for more than a year and nothing has been hacked. It is free so the only investment you’ll have is your time which is worth money too! One Cloudflare account will handle as many websites as you’d like.

    In our case we are serving pages only to U.S. visitors so we have blocked most other countries access except Canada and Great Britain.

    We have used many security plugins like Wordfence, Better WP Security etc. We were also told that some of these can lead to false positives and server load. The one we do like is Limit Login Attempts. It is lightweight and works well. Between that and Cloudflare we have had no more successful hacks.

    PS I’d be happy to be the executioner of hackers if they ever pass a law allowing the death penalty for these malcontents. They are on par with terrorists and I’m retired Spec Ops so I’m not speaking figuratively. Until then all the best to all honest developers. Elegant Themes is one of the best sites we’ve found.

    • Well Mike, I hope you can keep your special ops powers at bay, depending solely on technology for this kind of fighting. But yeah, I totally understand the frustration. I’ve never used Cloudflare myself but will check it out. Thanks for the suggestion!

  19. I am about to decide on signing up for Elegant themes membership – and this question is exactly what I need to ask – “are Elegant themes secured?”

    • As Nick stated above, Elegant Themes takes security very seriously. They are as secure as they can be made. However, the responsibility for keeping a site secure falls on the end user. No matter where you get a theme, you need to follow the best practices in this post. Good luck with WordPress! Hope you find success!

  20. Thanks for all your tips. I haven’t been the victim of such a hacking situation, but if I am, I will look up this article.

    • Prevention is so much better than learning by experience in this instance.

  21. Excellent reading, thanks.
    I think some plugins like Better WP Security and Wordfence Security should also be mentioned here. I use the first one and I think it does part of the job you describe above. Quite straight forward to set up with very clear instructions.

    • Yeah, there are of course other plugins available than what I explicitly listed. The important thing is to do a bit of due-diligence and make sure WordPress security experts stand behind whatever method(s) you choose to go with.

  22. Excellent article. I have to stress from my experience to never ever login to your host with admin level rights using FTP. Especially from a public space. Anyone with a sniffer on your particular network segment can see your ID, your password, and all your data when you login to your host account with FTP because they all pass to the host as clear text with zero encryption. I got pwnd like that once and lost 80 sites to a sql injection that used cross container scripting. If your host does not support SFTP or any other encrypted connectivity, move as fast as you can to a better host.

  23. I recently switched to WPENGINE for website speed issues. First of all my sites (on WPENGINE) are now blazing fast compared to previous hosting. But what surprised me was that right after installation I got a mail stating that I used a plugin that was on their blacklist and asking me to remove it. If needed they would advise me what replacement plugin I could use.
    Yes you pay premium hosting but these guys really know what they are doing and I can concentrate on the fun part… building great WordPress sites using Elegant Themes of course

    • My thoughts exactly. And just to be clear, their “blacklist” is not meant to suggest that those plugins are categorically bad plugins, but rather that in many cases those plugins are redundant because they provide an integrated solution on their end.

  24. Brilliant article. I miss this nice little plugin, Lockdown-WP, that replaces wp-admin in the url in a unique phrase. Another obstacle that has to be taken for a WP hacker. Not?

    • I never used that particular plugin, but it sounds like a useful way to keep people away from your login page.

  25. Nathan, Thanks for the article!
    How did you manage to figure out that the problem originated in your shared host? It has been our experience that the host rarely admits to anything being wrong on their end.
    …3 of my clients’ sites were hacked (repeatedly) a few years ago all within a day of each other and all sites were with a particular host and the host was of absolutely no help…we implemented all kinds of changes including hardening sites with Better WP Security and Wordfence…and we’ve since changed hosting for most of our clients; but the one site that is still with that host was recently hacked…

    And it is thanks to Wordfence that I caught the hack just as it was starting…I had some very tense moments as I realized what was happening – and it is only because I was in my email and saw the Wordfence login warning immediately that I was able to intervene right away. I still had a couple of hours of analyzing and cleaning up files that had been affected in the few minutes before I blocked the hacker’s ip though. What do you think of blocking countries?

    • Rosy, I think in some cases blocking some countries is a good idea.
      May I ask you whether you use Better WP Security & Wordfence in the same site? Can both plugins work side by side?

    • In my case it was pretty easy to figure out. My host, while not a pillar of business ethics, was sort of forced to acknowledge there was a big problem. Almost ALL of the WordPress sites they hosted in various regions of the country had been hacked. After what I’m sure was thousands of people like me flooded their support channels they published an announcement that said they had been hacked and were taking steps to resolve the issue. Of course that didn’t actually help anyone, but at least we all knew what was up and I’m sure I wasn’t the only one to jump ship.

      As for blocking particular countries, I agree with John here. For instance, if you’re in google analytics and you notice you’re getting slammed with traffic from a country half-way around the world that has a very small English literacy rate, they’re not in love with your blog content; someone’s probably trying to hack you. In that instance, yeah, block those peeps.

  26. I don’t appreciate the tasteless and crass language used in this post.

    One time I said the ‘F’ word when I was 19 or 20 yrs and Mother grounded me for three weeks! She made me sleep on a wet, cold mattress in our basement the whole time. Never making that mistake again!

    Mother says acceptable words to use in cases of extreme frustration are “Shucks!”, “Awww Dang!” and “Son of a Monkey’s Uncle” (though, you’re not supposed to exclaim it, for fear of offending monkeys and their uncles).

    Please revise this post with the provided alternate language.

    Thank you,


    • Did you try the Parental Control *bad words filtering* option?

    • Thanks Kraymer, now I want to cuss some more! Juuuuust kidding. Honestly though, not sure what the beef is. No curse words were actually used in the post and I can assure you I offended ZERO monkeys or their uncles. Hope you’re just having a bit of fun with me 😉

    • Much security.

      so framework.

      many WordPress!

      (But seriously, frameworks are not necessarily more secure than a regular ol’ theme. You still have to take the precautions listed in the post. Have a good one!)

  27. Thanks. I enjoyed every bit of it and applied every bit of it! Thanks, really!

    • No problem! I’m glad you found it helpful, that’s what we’re here for!

  28. I was a WP newbie when my site got hacked in 2009. When I checked online, I learned that it was the web host that got hacked because many of their clients were experiencing the same problem as mine. The hosting provider wouldn’t admit it’s their fault and to make the long story short, I transferred to a new host right then and there. Never had the same problem for almost five years already.

    Great tips, quite an informative article and I love your writing style! I was entertained and yet I learned a lot.

    • Thank you for the kind words! I’ve never understood why informative and serious posts can’t be fun and entertaining too. I’m glad you enjoyed it! And more than that, I’m glad you got your security sorted out. Peace of mind is AWESOME!

  29. Thank you for the advice, presented in such a well-written form.

    • Man, I wish I spoke French. Those high school classes taught me NOTHING!

  30. Another informative post. Learn several new tricks to make my WordPress blog more secure. Limit login attempts is one of the best security plugin which I have been using for last one year.

  31. Thank you for doing this blogpost – now we can sleep safe(er) at night 🙂

  32. Hi Nathan B. Weller,
    I really love this post. Love the way you write your posts. The information in this article is really unique and useful for me. After reading this article, I think I have some ideas for myself. I do follow your articles recently. Thanks for sharing this post. Hope to read more interesting information from you. Have a nice day.

  33. Hi Nathan,

    thanks for the tips about security. However, I have one comment to make: WordPress File Monitor Plus has not been updated since 2012-6-11, which is unfortunate because it is not very safe.
    Do you know another one?
    Thanks again.

  34. Wow... Thank you so much. My site just got hit by a malicious attack, so this post helped me to restore my site and secure it for the future too. Thanks, pal.

  35. Thanks for the tips about WordPress security. But can anyone attempt a brute-force or dictionary attack on WordPress? Because everyone knows the WordPress admin panel link.

  36. For what it’s worth:

    One of my sites (not with an ET theme) was hacked, and the hacker page was displayed on all pages (overlapping the original content). All user names had been changed to “adm”, but their corresponding email addresses remained the same.

    I simply asked for a new password at one of my admin addresses, logged in, created new admin users, deleted the old ones and searched for the hack code by FTP. The only file that had been changed was header.php, and this file contained the code that was displayed on all pages. I simply restored the original one and everything was back to normal.

  37. Hi... My website, http://www.samtaa.com, is in WordPress, and it was hacked by someone; it is showing “hacked by Dr.web”. I can’t understand anything; I was worrying about that. Now I’m going to change the password and the FTP and MySQL passwords. Let’s see... This blog is helping me nicely. Thanks for the post.

  38. Really nice tips, Nathan. I figured out that a lot of these attacks also happen through FTP, which I hardly used, so I went ahead and deleted all FTP accounts. Better not to get hacked even after keeping scripts up to date than to hear the web host threaten.

  39. Just like to add, focus on backups – that’s your best defense against hackers.

    I always say, “never trust your web host when it comes to backups.” Empower yourself, not the hackers.

    Set up a good backup methodology, or hire someone to set backups “offsite” for you, so that “when” these events occur, you’ll not lose hours of life attempting to recover from them. Enjoy!

    Jim Walker
    The Hack Repair Guy

  40. Even if it’s not my website, the sight of my brother’s site being hacked gave me a pulsating heartbeat.

    I pray your guides here will be able to help us fix it back. Thanks.

  41. I would add that you should block most free proxies, either via the .htaccess file or with software.

    Install a security plugin which alerts you when something has changed in your files.

    Add captcha to your login page.

    Scan your site from time to time.

  42. Hmm, I set up the “limit login attempts” and the “limit login countries” plugins, and now I can’t log in. I get an internal server error message. That’s not very good. Any idea how to undo whatever I did? Do I need to go in via FTP and delete? Or should the host help out?

    Thanks for the tips, Nathan and everyone. Very helpful to WP newbies like me.

  43. Hi Nathan, did you ever see a website that faced the latest RansomWeb attack? Is WordPress safe from that?

    As far as recovery is concerned, making regular backups is the key to recovering from any crisis. And never leave your backups on your site. Put them somewhere else. I use EverLive.net to keep backups in the cloud. Their auto backup service is great.

    Anyway, thanks a lot for the very informative article.

  44. Great stuff! I get lost and emotional if I get minor issues with my blog! I can’t imagine what I’d do if something major happened! This information is very useful. My hosting company has suspended my account due to some infected files uploaded by a hacker, or I don’t know; my site name is brightverge.com. Please share some tips to make my site security strong. I thank you for your time & effort; it’s clearly not one of these 5-minute posts! Quality! Love it, regards

  45. Great article, thanks. My additional advice is to use the ifube.com service to get informed right when one of your files has changed. It’s in beta and still free.

  46. I want to make sure: could making the theme files read-only prevent them from getting changed?

  47. Wow... thanks... my website guruscabal.com got hacked a few weeks ago. I wish I had seen this earlier. Please drop me tips to tighten the security.

  48. Great post. That’s all I need.

    • A free WordPress template from an official source is OK, but don’t search for premium WordPress themes for free, because almost all hacked sites have the same problem: a back door. I made the same mistake a few times, and since then I use only paid themes with the latest update. You can get good themes for just a few bucks.

  49. Hi Nathan B. Weller,

    Thanks for the post. It’s a really very informative and useful article for me. I really liked the way you write. Thanks for sharing.

    Have a nice day.

  50. Great article, Nathan. Nowadays WordPress security has become a headache for all webmasters who are using the WordPress CMS. So we need to take this issue seriously to avoid hacking.
    Here you have given a great explanation of it. Thanks.

  51. I faced this problem today. I opened my WordPress website and on the top header it was mentioned to be hacked by some FETHI BEY. When I checked the person’s blog I found that he is using the same theme as mine. Can you please provide me the solution?

  52. I like the post format as you create user engagement in the complete article. It seems round up of all published posts. Thanks for gauging the informative posts.

  53. Excellent article, Nathan. My site recently got “defaced” and I’ve been scrambling trying to find a fix for it. I’m not the most tech-savvy individual, and of all the sites and articles I’ve visited to help me with my problem I felt the most “comfortable” with yours. My question for you is: can I go ahead with Sucuri to get my site fixed, or is that a security option to consider only after my site has been “cured”? I have yet to attempt anything myself as I really don’t want to further screw things up (not tech-savvy, remember). Your help is greatly appreciated. Thanks.

  54. Nothing really quite compares to the stress of having either your own or a client’s site hacked. Installing automatic backup software on your sites is a must; save yourself the stress!!!

  55. Great post. Recently I have had lots of security issues with my WordPress blog. No idea how to fix them. I spend a lot of time fixing the issues rather than concentrating on my work.

  56. I’m new to WP. I checked out WordPress File Monitor Plus. I looked at the stats and it stated this plug-in has not been updated in the last four years. Would this plug-in be safe to use?

    • No, I would not recommend using a plugin that has not been regularly updated.
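A baseline-and-verify script, added here as an example (not code from the post or from any plugin), that does the job commenters 33, 41 and 56 want from a file monitor: it records a SHA-256 hash for every PHP, JS and .htaccess file in a WordPress install and later reports what was modified, added or removed, so a rewritten theme header.php like the one in comment 36 shows up immediately. It assumes bash with GNU coreutils (find, sha256sum, awk) and a WordPress directory layout; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example: a minimal file-integrity monitor for a WordPress install.
# Assumes bash and GNU coreutils (find, sort, xargs, sha256sum, awk, mktemp).

# wp_baseline ROOT MANIFEST
# Record "hash  path" for every PHP, JS and .htaccess file under ROOT.
# Run it right after a clean install or a verified restore, and keep the
# manifest somewhere the web server cannot write (ideally off the host).
wp_baseline() {
  local root=$1 manifest=$2
  ( cd "$root" && \
    find . -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) -print0 \
      | sort -z | xargs -0r sha256sum ) > "$manifest"
}

# wp_verify ROOT MANIFEST
# Re-hash ROOT and print one line per difference from the baseline:
#   MODIFIED path   same file, different hash (e.g. a tampered header.php)
#   ADDED    path   file not in the baseline (e.g. a dropped backdoor script)
#   REMOVED  path   baseline file now missing (e.g. a deleted .htaccess)
# Returns 0 when nothing changed, 1 when anything did.
wp_verify() {
  local root=$1 manifest=$2 current report
  current=$(mktemp)
  wp_baseline "$root" "$current"
  # First pass loads the baseline into old[path]=hash; second pass walks the
  # fresh listing, reporting mismatches and deleting matches so that whatever
  # is left in old[] at the end is a removed file.
  report=$(awk '
    NR == FNR { old[$2] = $1; next }
    {
      if (!($2 in old))          print "ADDED", $2
      else if (old[$2] != $1)    print "MODIFIED", $2
      delete old[$2]
    }
    END { for (p in old) print "REMOVED", p }
  ' "$manifest" "$current")
  rm -f "$current"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}
```

Run `wp_baseline /var/www/html /secure/wp.sha256` once, then `wp_verify /var/www/html /secure/wp.sha256` from cron; a non-zero exit with a MODIFIED line is your cue to pull the file from a known-good backup and investigate how it changed.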
