WordPress hacked? It used to happen only to the top sites. Today, if you have a website that has any visibility, people ARE trying to hack in. Chances are VERY likely that they have already gotten in!
In this short article, I’ll share with you how to clean your WordPress site if you are hacked and how to keep your site hacker-free.
I used to be proud to say that I had many sites and none had been hacked. That changed about 4 years ago when brute-force attacks were happening to just about EVERY WordPress-based site on the internet. One of my older sites got hacked because I hadn’t updated it.
So, let’s discuss what the hackers look for and how to remove it from your site:
- The lowest-hanging fruit that the hackers go after is trying to guess the password of your “admin” login. If you are still using an “admin” login then you are vulnerable. As the screenshot of recent activity on this site shows, it is VERY common. To remove yours, first create (or log in as) a different administrator user, then go to http://your-wordpress-url-here/wp-admin/users.php, mouse over the admin user and delete it. When WordPress asks what to do with that user’s content, choose to attribute it to the other administrator rather than delete it, or you will lose every post the admin account wrote. Keep in mind that removing the obvious “admin” target does not hide your other usernames (WordPress still exposes them through author archive URLs), so the strong password and login limits below still matter.
- Make sure to use a password that is impossible to guess. Tools like Lastpass are a must-have for generating and managing those impossible-to-guess passwords.
- Back up your website often. This way, should the hackers manage to get in, you can go back to an un-hacked version of the site. I use Backupbuddy. It is super easy to use and can also help you migrate a site to a different server, which used to be a huge pain.
- Limit login attempts. With the brute force attacks, the hackers find a working username (usually “admin”) and try over and over to guess your password. They use software to automate this so it is often just a matter of time. I use Wordfence to keep them out. It is pretty amazing. It also scans for suspect files and can help you remove or repair them. I recommend the paid version if your business relies on your website. The free version is very good too.
- If you want to go the full ninja route (the hard way) check out this post.
- If you want to do just about all this with that big red easy button, check out WPEngine. WPEngine offers a hosting environment that only hosts WordPress sites. Among other features, their system is HIGHLY secure and managed. I don’t know of anyone who uses their hosting who has been hacked in any significant way. Pretty danged awesome. Like migrating with Backupbuddy, they make website migration pretty danged easy.
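To make the “limit login attempts” step concrete, here is an added example (not code from this post, and not how Wordfence or any other plugin is implemented) of the detection logic behind it: a small Python script that reads web-server access log lines, counts password-guessing attempts against wp-login.php and xmlrpc.php per IP address inside a sliding time window, and emits an Apache 2.4 deny block for the offenders. The log lines are constructed for the example, and the threshold of 5 attempts in 10 minutes is an assumption you would tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format as written by Apache/nginx: client IP, timestamp,
# request line and status code are the fields we need.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not from a real server). 203.0.113.7 hammers the
# login form, 192.0.2.9 hammers XML-RPC, 198.51.100.20 is a real admin
# logging in once, and 203.0.113.50 guesses slowly (one try every 30 min).
SAMPLE_LOG = """\
203.0.113.50 - - [10/Mar/2019:01:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.58"
203.0.113.50 - - [10/Mar/2019:01:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.58"
203.0.113.50 - - [10/Mar/2019:02:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.58"
198.51.100.20 - - [10/Mar/2019:02:10:00 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2019:02:10:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
203.0.113.7 - - [10/Mar/2019:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:02:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [10/Mar/2019:02:20:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [10/Mar/2019:02:20:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [10/Mar/2019:02:20:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
192.0.2.9 - - [10/Mar/2019:02:20:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.21"
203.0.113.50 - - [10/Mar/2019:02:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.58"
203.0.113.50 - - [10/Mar/2019:03:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.58"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines we can't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]  # drop the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_login_attempt(method, path, status):
    """Decide whether one request looks like a password guess."""
    if method != "POST":
        return False
    if path == "/wp-login.php":
        # A successful wp-login.php POST redirects (302) into wp-admin; a failed
        # one re-renders the form with a 200, so 200 here means a wrong guess.
        return status == 200
    if path == "/xmlrpc.php":
        # XML-RPC answers 200 for both success and fault, so the body would be
        # needed to tell them apart; every POST counts as an attempt here.
        return True
    return False


def find_brute_forcers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_attempts} for IPs that made >= threshold attempts within any window."""
    recent = defaultdict(deque)  # ip -> timestamps of attempts still inside the window
    totals = defaultdict(int)
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_login_attempt(method, path, status):
            continue
        totals[ip] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return {ip: totals[ip] for ip in sorted(flagged)}


def htaccess_deny(ips):
    """Apache 2.4 block that keeps the site open but refuses the flagged addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    offenders = find_brute_forcers(SAMPLE_LOG)
    for ip, count in offenders.items():
        print(f"{ip}: {count} login attempts")
    print(htaccess_deny(offenders))
```

The slow guesser (203.0.113.50) is deliberately not caught, which is the limitation of any rate-based lockout and the reason the impossible-to-guess password in step 2 is not optional. On a real server you would feed it the live log (for example from a cron job) and write the output into the `.htaccess` of the WordPress root, or hand the addresses to a firewall.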
There you go. So, if you don’t want to fool with things and just have them work, move your site to WPEngine. If you have the time or desire to be more hands-on and don’t mind having to respond to an alert in the middle of the night from Wordfence, then go through steps 1-5.
Good luck! Feel free to post a comment with questions or other suggestions.