How to Secure WordPress After You’ve Been Hacked (or Before!)

Login with 2-factor authentication
Do you have 2-factor authentication?

Getting hacked is a nightmare. After a hacker attacks your site, you can spend days, weeks, or even months worrying about when it’s going to happen again, how it happened in the first place, and what you can do about it to prevent future hacks.

Secure WordPress Starts with You

The first thing you should do after you discover your site was hacked is to take a deep breath. You are not the first person to get hacked and you won’t be the last. In many ways the fight against hackers is a constant battle with the hackers tools getting better and the security tools getting better to fight them. Security companies like McAfee and Symantec have been hacked! Don’t feel too bad if your website gets hacked. Just learn from what happened and do your best to fix things.

Once you’re a bit calmer, look over your basic security measures. Things like:

  • What is your admin password?
    • A secure password is long—more than 10-15 characters.
    • It has upper and lowercase letters, numbers, and special characters (! # $ % etc.).
    • You should never use the same password for your WordPress admin account as on any other site. If that other site gets hacked, your WordPress installation is then compromised too.
    • It should not be a word—even changing the letters to numbers like “p@5sW0rd” won’t work, as most hackers have those in their files as well. If you can read the word, then so can the hackers!

    If you don’t think you can remember a password like “brg3@4u{o8pet#NHL?r2HuiFf,” and believe me most people can’t, then you should consider getting a password safe. This is an application that stores your passwords in an encrypted safe that you can use to look them up when you need them. Some options include: LastPass, KeePass, 1Password, or even the built-in managers in your web browsers and operating system. A password safe or password manager will help keep your passwords secure while not forcing you to remember hundreds of crazy, random passwords.

  • What is your administrator user name?If you’re like most WordPress users, it’s “admin.” I’m not a hacker, but I know that this is a common username. And if I know it, then the hackers know it. And that’s just one less thing they have to figure out before they can hack into your site.The challenge is, once you’ve got a WordPress admin password, and WordPress makes it very difficult to change it. While changing your username on is just a matter of adjusting your personal settings, changing a self-hosted WordPress blog is a lot more difficult. The easiest way is like this:
    1. Create a new user in WordPress by clicking Add New in the Users menu
    2. Give that new user admin access
    3. Login with the new username
    4. Change the access of the old admin account to the lowest access role available (usually “Subscriber”)
    5. If the old admin account has no posts associated with it, you can delete it rather than changing the role. But if you delete an account with posts, you may end up deleting the posts as well.
  • What security plugins do you have on WordPress?In order to keep WordPress secure, it’s a good idea to use a couple of security plugins. Some of the ones I use include:
    • Acunetix WP Securityblock-security-holes-acunetixThis is a comprehensive tool that attempts to make it harder for hackers to know a lot about your site. It removes information like the WordPress version, when WordPress needs updates, and so on. Plus, it gives you a list of items you should look at to know where your site is vulnerable.
    • Bad Behavioruse-bad-behaviorBad Behavior attempts to block automated bots from using your site. It is primarily for preventing spam. I find that it helps keep the spam manageable. However, this can sometimes block things you want to get through.
    • Google Authenticator for WordPressThis allows you to enable (and require if you wish) 2-factor authentication on your WordPress site. This requires that people logging into your site have both a username/password and a code that your phone generates. If they’ve stolen your phone as well, you probably have more problems than just whether they are breaking into your WordPress site.
    • Limit Login AttemptsI find this tool invaluable. Today alone it blocked over 50 hack attempts on one site. Because you need access to the site, this tool doesn’t block IPs until they’ve reached a threshold number of attempts. You can set both the number of tries and how long the lock out is for. On one site I manage, we set the lockout to 5 days because of the number of hacking attempts we were getting.
    • LionScripts: IP Blocker LiteI use this to block the IPs that come back again and again to try to hack my sites. Limit Login Attempts blocks IPs for a period of time, but if a hacker is really determined they will just come back later and try again. So I use this IP blocker to block them completely.
    • WordPress Database BackupWhile some people might not see this as a security plugin, I feel that regular backups are critical to any security system. That way if your site gets hacked, you can reinstall and not lose too much. I like this plugin because it’s automatic. I have it email me backups of all my sites.

Be Ruthless When Trying to Secure WordPress

Many people are reluctant to block IPs and limit access to customers because of just that—they are customers! But the reality is that anyone that you didn’t authorize who would try to login to your site using an admin account is not a customer. They are a hacker. They aren’t going to read your articles, they aren’t going to comment on your site, and they certainly aren’t going to buy anything from you. You don’t need them. Be ruthless. If a hacker gets access, he won’t be gentle.

Start with your own access. One thing that can really help your security, besides a strong password, is two-factor authentication. I use the Google Authenticator with my mobile devices to prove that I’m me and I should have access to my site. This means that I have to provide both something I know—my username and password—and something I have—my phone. If I can’t provide both those things then I can’t get into my account. Two-factor authentication can seem tedious at first, but it does improve your security, and most people keep their phones with them all the time.

check your usersThen be ruthless with your subscribers. You should periodically check out your WordPress users (in the Users tab) to make sure there aren’t any surprises. Look for any accounts that have higher access than you gave them. In general, “Subscriber” is the lowest level of access, and anyone who has more access than that should have been given those permissions by you. If you find any strange ones, delete them.

What to Do After You’ve Been Hacked

All of the above security measures are good, but what about after a hacking? If you discover your WordPress site has been hacked, you need to secure it as well as you can, but there are also a few things you need to do to help make sure that you get rid of the hackers.

The problem is, once you’ve been hacked, the hackers could have put in back doors in many places on your site without you realizing it. So you have to do more than add security—closing the barn door after the horse is gone, so to speak.

Here are the steps I recommend you follow after you discover a hack.

  1. Find or make a clean backup of your site data. I recommend getting a backup of your database, and all files in your wp-content directory. It’s best to choose backups dated before you know the hack occurred, which is why regular backups are critical. If you’re not sure when it happened, get a backup that’s at least one month old. Yes, your site will be out-of-date, but the hacker will be gone! Here’s information on the WordPress Codex about backing up your site.
  2. Then delete everything on the site except the database. Yes, this means your site will be down. People will get a 404 or other error. If you can leave it down for at least 24-48 hours, that would be best as this encourages the hackers to go somewhere else. If there’s nothing to hack, they will hack someone else.
  3. After your down time, re-download WordPress from the site. This is critical. You must not use any old files from when you were hacked. You need to make sure that you have a clean install, and that means starting over from scratch. Don’t forget to download your plugins and themes as well.
  4. Turn on all the security plugins you’ve installed immediately. And if they recommend taking action, do this before you do anything else.
  5. If you haven’t already, change your administrator username to something other than “admin.”
  6. Take a deep breath—you’ve survived a hacking!

As I mentioned above, maintaining a secure WordPress site is difficult. And no security is foolproof. But if you’re careful and ruthless you can keep your site as secure as possible. No one likes being hacked, but it doesn’t have to be the end of your site. I have personally survived being hacked (including one major site I was running) as well as other disasters (including completely deleting my entire web directory without any backups). It’s not fun, but it’s not the end of the world.

2 thoughts on “How to Secure WordPress After You’ve Been Hacked (or Before!)

  1. Great piece, Jen! Thanks so much for your well thought out advice, I appreciate it. I think I will look into one of those password lockers, too.

Leave a Reply

Your email address will not be published.