My WordPress site was hacked, what now?

This still happens all too frequently. I am bombarded daily with notifications of failed login attempts as hackers try to access any number of the WordPress sites I maintain. This is the story of that one time - the one website they managed to hack, and the chaos that ensued as I wrestled with the consequences.

Side note: any reference to "the website" hereafter will refer to the site that was hacked.


Let's start with why people hack websites. PHISHING … the answer is most often: for the purposes of phishing. The website in question was hacked to place false landing pages, resembling those of an American bank, so that the hackers could collect the online banking login credentials of unsuspecting email scam victims. These pages showed up in the core WordPress folders and reappeared as soon as you deleted them; some sat in hidden folders that couldn't be viewed in a regular FTP client. So unfolded a long-winded game of whack-a-mole … delete one folder, only for it to pop up elsewhere, sometimes days later. Cleanse all your files, change user credentials; yet they keep coming back. The hackers open a session into your file system that is near impossible to terminate - I'll address this issue in the next section.

Harden Security

Delete the admin user and strengthen user passwords

No, the hackers don't suddenly have access to your database - and, even if they did, passwords are hashed, so they cannot decipher them. But they do know the username, so they can (re)start the process of guessing the password for any of your usernames - get rid of admin.

Getting rid of admin is a bit of a pain - you can't change WordPress usernames and you can only use any given email address once:

  1. Create a new user with a role of admin.
  2. Use a different/secondary email address that you can use to verify yourself with.
  3. Use a strong password with a mix of upper & lower case letters, some digits and punctuation marks OR use a service to generate a secure password for you.
  4. Verify and log in as the new user with admin privileges.
  5. Now you can safely delete admin (and assign posts & pages to the new user).
  6. Once deleted, you can safely update your email address to the one you used for admin.

Plug the holes with (security) plugins

There is no shortage of (free) security plugins at your disposal. I opted for Sucuri and use it for all my WordPress sites since the dreadful event. Out of the box, it comes with tools to clean up your WordPress core files, harden your security settings and monitor your website. The plugin also offers (pro) features such as a Web Application Firewall. You'll want to navigate to the settings and reach for the post-hack tab where you can reset user passwords (which logs out all active users and terminates the session referred to above) and active plugins.

The plugin also tracks login attempts and changes to posts, pages and plugins. Tracking the login attempts means that you can block IP addresses that frequently attempt to authenticate.

Keep the hackers at bay - prevent them from sniffing for usernames

The way the hackers gained access in the first place was to guess your password correctly - but every user has their own password, so how do they know your username? Usernames are fairly easy to expose by enumeration: each author has a numeric ID and, when you query the ID, the author/username is exposed. I use a plugin called Stop User Enumeration that logs this kind of activity and bans the IP address of the source of the sniffing (typically scripted).
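The same kind of check can be run over a web server access log. This is an added example, not code from the original post or from the Stop User Enumeration plugin: it assumes combined log format and the `?author=N` query form of the author ID lookup, and the function names, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "sample-agent"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "sample-agent"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "sample-agent"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /?author=4 HTTP/1.1" 404 0 "-" "sample-agent"
198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "sample-browser"
198.51.100.20 - - [01/Jan/2024:10:05:09 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "sample-browser"
192.0.2.55 - - [01/Jan/2024:10:06:00 +0000] "GET /?author=2&paged=2 HTTP/1.1" 200 900 "-" "sample-browser"
192.0.2.55 - - [01/Jan/2024:10:06:30 +0000] "GET /?author=2&paged=3 HTTP/1.1" 200 900 "-" "sample-browser"
this line is not a valid log entry
"""

# Captures the client IP and the request target of one log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')

def requested_author_id(target):
    """Return the numeric author ID in a request target, or None."""
    values = parse_qs(urlsplit(target).query).get("author", [])
    for value in values:
        if value.isascii() and value.isdigit():
            return int(value)
    return None

def find_enumerators(lines, min_distinct_ids=3):
    """Map each client IP to the author IDs it probed, if it probed enough of them."""
    probed = defaultdict(set)
    for line in lines:
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed entries instead of failing
        ip, target = match.groups()
        author_id = requested_author_id(target)
        if author_id is not None:
            probed[ip].add(author_id)
    # One visitor paging through a single author archive stays below the threshold.
    return {ip: sorted(ids) for ip, ids in probed.items()
            if len(ids) >= min_distinct_ids}

if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} probed author IDs {ids}: candidate for blocking")
```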

Lock down access with 2-factor authentication

This step might not be for everyone. It requires a smartphone, installing the Google Authenticator app on your phone and then installing the Google Authenticator WordPress plugin. You will now need to provide your username, password AND the authentication code from the app when you want to log in. The 6-digit code changes every 30 seconds. Now if hackers are able to determine your username and guess your password, they only have a 30-second window within which they must guess the 6-digit code … unlikely.
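How the 6-digit, 30-second code is derived and checked, as an added example that is not taken from the original post or from the plugin: it implements standard TOTP (RFC 6238 with HMAC-SHA1), the scheme the Google Authenticator app uses. The shared secret is the published RFC test key, and the function names and the one-step clock drift tolerance are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the code changes every 30 seconds
DIGITS = 6         # length of the code shown in the app

# RFC 6238 test key, base32-encoded as an authenticator app would store it.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(key, counter, digits=DIGITS):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32, now, digits=DIGITS):
    """Code for the 30-second step that contains the Unix time `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    return hotp(key, int(now) // STEP_SECONDS, digits)

def verify(secret_b32, submitted, now, drift_steps=1):
    """Accept the current code, or one from an adjacent step (clock drift)."""
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return False
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(now) // STEP_SECONDS
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = hotp(key, counter + delta)
        # Constant-time comparison; check every candidate, no early exit.
        ok |= hmac.compare_digest(expected, submitted)
    return ok

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET_B32, 59)
    print("code at t=59:", code)
    print("accepted at t=89:", verify(SAMPLE_SECRET_B32, code, 89))
    print("accepted at t=119:", verify(SAMPLE_SECRET_B32, code, 119))
```

With a drift tolerance of one step, three codes are valid at any moment, so the login form still needs the attempt limiting and IP blocking described earlier.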

Perform regular site maintenance

It is very important that you keep your WordPress version up to date and update your plugins regularly. Hackers find new and creative ways to exploit weaknesses before software developers plug the holes - keeping everything up to date is just one more way to prevent breaches that are a royal pain in the ass to fix.

Get rid of comment spam

This isn't necessarily a security issue, but a nuisance nonetheless. Not moderating comments can also lead to your readers clicking on bad links and the link-back backlash can see your site SEO suffer a little. You can, of course, delete comment spam manually (for days) or throw a spam comment plugin into the works. I prefer WP-Spamshield.

… and that should be it - your website is now safe from hacking attempts and free from comment spam.

If you think I missed something or have suggestions or questions, please leave a comment below.