WordPress: How to Protect Your Site When You Think It's Been Hacked by Ammar Naeem


You're running your WordPress site like a real champ, publishing the latest blog posts, or selling lots of products. Everything is going great.

All of a sudden, your site gets hacked. Before, you were a proud sailor sailing the smooth seas. Now, you're faced with a danger you've never witnessed before. Your next steps will dictate the rest of your WordPress journey.

What will you do?

Well, the first mistake webmasters make is to panic. It's tempting, we know, but panicking should be the last thing on your mind. 

The first thing to do is to stay calm and identify where the hack has occurred. If you are in this situation, we feel that this article will be of great importance to you.

Let us look at some of the signs that indicate whether or not your site is hacked.

Six Common Signs Your WordPress Security Has Been Breached

There are some subtle and some tell-tale signs that your site has been breached. However, it is essential to differentiate between what constitutes a hack, and what doesn't.

That said, the following are some symptoms indicating that your site has been hacked: 

  • You're witnessing changes to your site that you haven't made. 
  • Your username and password are fine, but somehow you can't log in.
  • You're being redirected to another site. 
  • You're getting warnings from Google that your site may have been hacked.
  • You've got a notification from your hosting provider saying your site's been hacked. 
  • Your security plugin is giving you a notification about unexpected changes. 

Why Was Your Site Breached in The First Place?

The reasons behind this vary from site to site. But generally, such hacks occur due to the following reasons:

Hackable Passwords:

It's 2020, and there are still people who use "admin" or their site name as their WordPress password. Speaking of which, some users still have "password" as their password. Imagine that.

Not only is this harmful, but it also indicates a lack of awareness regarding your security initiatives. Having a secure password is a necessity, not only for your WordPress admin account, but also for your users, FTP, and hosting accounts.

Outdated Software:

Your plugin and theme providers are continually making updates to their respective projects. Once they release an upgrade, you get a notification to update to the newer version. Failing or neglecting to update your plugins will ultimately leave your site vulnerable to hacks.

Dodgy Codebase: 

The biggest mistake people make is installing themes or plugins from providers that aren't listed in the official directory. You must always install them from a reputable plugin provider (when going for paid add-ons or themes) or the official WordPress directory.

While such plugins may promise "superior" features, you always run the risk of installing a plugin with an insecure codebase.

How Do Such Breaches Take Place?

To give you some perspective, here are some of the most common ways hackers can gain access to your site:

  • Backdoors: Hackers compromise your site by planting malicious code within script files.
  • Pharma Hacks: Again, malicious code is inserted into outdated WordPress versions.
  • Brute-Force: The practice of using automated software, such as crawlers, to exploit vulnerabilities in WordPress versions.
  • Malware Redirection: Through backdoors, hackers add malware-filled redirects to your site.
  • Cross-Site Scripting (XSS): Enables hackers to send malicious code through your WordPress site into your (or your visitors') browser.
  • DoS Attacks: Denial of Service, aka DoS, attacks happen when hackers find vulnerabilities and exploit them to make the site unusable.

While breaches are common, for the general reader concerned about their security they are a cause for worry. But don't panic, because what follows will help you overcome all these vulnerabilities, even if you're not as tech-savvy as your digital enemies.

WordPress Security: The Action Plan Against Vulnerabilities

Now, let's look at the action plan you want to take, step by step, in order to protect your site from vulnerabilities. Since we have already talked about not panicking in such a situation, this section will dive right into the technicalities of the whole situation.

Step 1: Ground Control – Putting Your Site on Maintenance Mode

Putting your site on maintenance mode has its benefits. You can work on fixing the vulnerabilities without letting your visitors see the site in the state it will be in while you work on it.

The best practice at this point is to use a Maintenance Mode plugin that lets you build a landing page where your visitors will land, and from which they can come back later when you're done making the fixes.

When looking for such a plugin, you must make sure that it lets you customize the maintenance page with your site's logo and color palette.

Step 2: Remove Malware

The next step you want to take is to install a malware-scanning plugin on your WordPress site. The benefit of installing such a plugin is that it automatically detects the malware on your site and makes the removal process a lot simpler. There are plenty of plugins you can use for that purpose.

Step 3: Reset Passwords

As we mentioned in the previous section, most breaches occur due to bad passwords. When your site gets hacked, you don't know which password caused the breach.

Therefore, you would want to perform a 360-degree overhaul of all your passwords. Updating your passwords by making them stronger prevents hackers from easily accessing your site again.

From your hosting provider to your SFTP, user passwords, and more, make sure that the password changes are thorough.

Step 4: Update Plugins and Themes

Updating your plugins and themes is an important step you need to take to ensure that your site does not get hacked in the future.

Visit your WordPress dashboard and go to Updates. Once there, install updates for everything that's outdated.

Make sure to attempt this fix before anything else, since leaving plugins outdated might aggravate the vulnerabilities even further. Try to ensure that all the updates are performed before you perform the more in-depth repairs.

Step 5: Remove Users

In your Users list, if you see a user that you don't remember creating, then feel free to remove it. Before doing this, however, ask your administrators and other users about their accounts to confirm whether or not they have recently created or changed them.
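One way to put this step on a checklist rather than relying on memory is to compare the account list against a roster you keep out of band. The script below is an added example, not code from the article or from WordPress; the user records are constructed, with field names mirroring what `wp user list --format=json` prints, and the roster sets and the suspected-breach date are hypothetical. It flags administrators not on the roster, accounts nobody recognizes, and anything registered on or after the date you believe the breach started.

```python
import json
from datetime import datetime

# Constructed sample data (not real users). The field names mirror the JSON
# that `wp user list --format=json` prints; the values are made up for this example.
SAMPLE_USERS_JSON = """
[
  {"ID": 1, "user_login": "site_owner", "user_email": "owner@example.com",
   "user_registered": "2019-03-02 10:15:00", "roles": "administrator"},
  {"ID": 2, "user_login": "editor_jane", "user_email": "jane@example.com",
   "user_registered": "2019-06-11 08:00:00", "roles": "editor"},
  {"ID": 7, "user_login": "wp_support", "user_email": "support@mail.example.net",
   "user_registered": "2020-05-01 03:12:44", "roles": "administrator"},
  {"ID": 8, "user_login": "guest_1234", "user_email": "g@example.org",
   "user_registered": "2020-05-01 03:13:10", "roles": "subscriber"}
]
"""

# The roster the site owner maintains outside WordPress (hypothetical values).
KNOWN_USERS = {"site_owner", "editor_jane"}
KNOWN_ADMINS = {"site_owner"}


def audit_users(users_json, known_users, known_admins, suspected_since):
    """Return (login, reason) pairs for accounts that deserve a second look.

    suspected_since is a YYYY-MM-DD date: anything registered on or after it
    (roughly when you think the breach happened) is flagged regardless of role.
    """
    since = datetime.strptime(suspected_since, "%Y-%m-%d")
    findings = []
    for user in json.loads(users_json):
        login = user["user_login"]
        # wp-cli renders multiple roles as a comma-separated string.
        roles = {r.strip() for r in user["roles"].split(",")}
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")

        if "administrator" in roles and login not in known_admins:
            findings.append((login, "unexpected administrator"))
        elif login not in known_users:
            findings.append((login, "unknown account"))
        if registered >= since:
            findings.append((login, "registered on or after " + suspected_since))
    return findings


if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE_USERS_JSON, KNOWN_USERS, KNOWN_ADMINS, "2020-04-30"):
        print(f"{login:12s} {reason}")
```

Run it against a real export by replacing SAMPLE_USERS_JSON with the file wp-cli wrote; a flagged account is a prompt to ask the person behind it, as the step says, not an automatic deletion.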

Step 6: Remove Unwanted Files

With the help of a plugin like Wordfence or Sucuri, you can scan your site for potentially harmful files that may have infected your WordPress installation. Keeping these plugins in the long run is also beneficial, since they notify you regularly of changes made to your files.
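The file-change notifications those plugins send rest on a simple idea: hash every file once while the site is known-good, then diff later scans against that baseline. The script below is an added example of that technique, not code from Wordfence, Sucuri or the article; it builds a tiny constructed "site" in a temporary directory, records a baseline, simulates the kind of changes a post-compromise scan might find (a modified core file, a deleted config file, a stray PHP file in the uploads folder), and reports the difference. The file names and contents are made up.

```python
import hashlib
import os
import tempfile

# Extensions the web server would execute; these have no business under uploads.
PHP_EXTENSIONS = (".php", ".phtml", ".php5")


def file_sha256(path):
    """SHA-256 of a file, read in chunks so large media files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_sha256(full)
    return manifest


def compare(baseline, current):
    """Split the two manifests into added, modified and missing paths (sorted)."""
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "modified": modified, "missing": missing}


def php_in_uploads(manifest):
    """Executable PHP under wp-content/uploads is a red flag even if it was in the baseline."""
    return sorted(p for p in manifest
                  if p.startswith("wp-content/uploads/") and p.lower().endswith(PHP_EXTENSIONS))


def demo():
    """Build a constructed site, baseline it, tamper with it, and return the diff report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)

        # Known-good state (constructed stand-ins for real WordPress files).
        write("index.php", "<?php require 'wp-blog-header.php';\n")
        write("wp-config.php", "<?php define('DB_NAME', 'wp');\n")
        write("wp-content/uploads/2020/05/photo.jpg", "constructed: not really a jpeg\n")
        baseline = build_manifest(root)

        # Constructed changes standing in for what a later scan might find.
        write("index.php", "<?php /* constructed: unexpected edit */ require 'wp-blog-header.php';\n")
        write("wp-content/uploads/2020/05/cache.php", "<?php /* constructed stray file */\n")
        os.remove(os.path.join(root, "wp-config.php"))
        current = build_manifest(root)

        report = compare(baseline, current)
        report["php_in_uploads"] = php_in_uploads(current)
        return report


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

In practice you would save build_manifest() output to a file stored off the server right after a clean install or update, and keep the comparison out of the web root so an intruder cannot simply refresh the baseline.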

Step 7: Clean Out Your Sitemap and Resubmit to Google

Hacks are a nightmare for SEO personnel because search engines start to penalize your site. When a search engine like Google crawls your site, it checks your sitemap.xml file, finds several potentially harmful files, and penalizes your rankings as a result.

Using a plugin like Yoast, or any SEO plugin of your choice, you can resubmit your sitemap to Google Search Console. But be patient, since it takes time for the crawler to crawl your site again.
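Before resubmitting, it is worth reading the sitemap the way a crawler would and checking every URL it lists. The script below is an added example, not code from Yoast or the article; it parses a constructed sitemap.xml and flags entries that point at another host, use plain http, contain the kind of keywords a pharma hack injects, or fall outside the sections you know your site has. The hostname, section list and keyword list are hypothetical inputs you would replace with your own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SITEMAP_NS = {"sm": "http://www.sitemaps.org/schemas/sitemap/0.9"}

# Constructed sitemap: the first three entries look like a normal blog; the rest
# mimic entries that would warrant a closer look (all URLs are made up).
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://example.com/</loc></url>
  <url><loc>https://example.com/blog/wordpress-security/</loc></url>
  <url><loc>https://example.com/shop/</loc></url>
  <url><loc>https://example.com/cheap-pills-online/</loc></url>
  <url><loc>http://example.com/blog/old-post/</loc></url>
  <url><loc>https://evil.example.net/redirect?to=example.com</loc></url>
</urlset>
"""

# Hypothetical site profile: the sections the owner actually publishes under.
EXPECTED_HOST = "example.com"
KNOWN_SECTIONS = ["/", "/blog/", "/shop/"]
SPAM_KEYWORDS = ["pills", "pharmacy", "casino"]


def in_known_section(path, known_sections):
    """True if path is the root, equals a section, or sits beneath one."""
    for section in known_sections:
        if section == "/":
            if path == "/":
                return True
        elif path == section or path.startswith(section.rstrip("/") + "/"):
            return True
    return False


def audit_sitemap(xml_text, expected_host, known_sections, keywords):
    """Return (url, reason) pairs for sitemap entries that need review."""
    root = ET.fromstring(xml_text)
    findings = []
    for loc in root.findall("sm:url/sm:loc", SITEMAP_NS):
        url = (loc.text or "").strip()
        parts = urlparse(url)
        if parts.hostname != expected_host:
            findings.append((url, "foreign host"))
            continue  # nothing else about a foreign URL matters
        if parts.scheme != "https":
            findings.append((url, "not https"))
        path = parts.path.lower()
        if any(word in path for word in keywords):
            findings.append((url, "spam keyword in path"))
        elif not in_known_section(parts.path, known_sections):
            findings.append((url, "path outside known sections"))
    return findings


if __name__ == "__main__":
    for url, reason in audit_sitemap(SAMPLE_SITEMAP, EXPECTED_HOST, KNOWN_SECTIONS, SPAM_KEYWORDS):
        print(f"{reason:28s} {url}")
```

A sitemap index (one that lists other sitemaps) uses a different root element and is not handled here; fetch each child sitemap and run the same check on it.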

Step 8: Reinstall Plugins and Themes

If you still feel that your site is facing problems, then it's best to reinstall the previously installed plugins or themes.

Speaking of themes, if you purchased your theme from an external vendor and are still facing vulnerabilities, then it's time to consider switching to a new vendor, or installing a theme from the official WordPress theme directory.

Step 9: Reinstall WordPress Core

If you've performed all of the security measures we've talked about but are still facing security issues, then as a last resort, you should reinstall the WordPress core itself.

With a clean WordPress installation, you can upload secure versions of your theme, as well as your plugins. Before you do that, it's best to back up your site, including both the wp-config.php and .htaccess files, to prevent data loss in the event they're overwritten.

Step 10: Clean Out Your Database

This step is reserved for users who feel or are certain that their WordPress database has also been hacked.

If you're such a user, then it's best to clean up your database since cleaning it not only helps you make your site run faster, but also enables you to reduce your site's resource usage. 

WordPress security: Preventing a Future Breach

So, you've fixed the issues currently plaguing your site. Now it's time to plan and ensure that such a breach does not occur again.

While the previous section runs in tandem with this one, there are plenty of other steps you can take to prevent your site from being hacked again. Apart from the ones we have already talked about, let's look at some additional steps you can take to avoid future hacks:

1. Don't Install Insecure Plugins or Themes

When you go about purchasing or installing a plugin on your WordPress site, make sure that it is compatible with your version of WordPress. Also, you should try to confirm that the plugin provider is a reputable source by reading reviews of both the plugin and the plugin providers.

2. Install SSL on Your Site

SSL adds an extra layer of security to your site and is an indication to Google that you care about your site's security. If your hosting provider provides you with an SSL certificate, that's great. If not, then once you've purchased one, you can integrate it on your site through an SSL plugin.

3. Avoid Cheap Hosting

Shared servers, while being suitable for beginners, are generally not that beneficial to users who want a secure website.  

Look at it this way. In a shared apartment, you only have a dingy little room and a shared living space. For a bachelor (an analogy for WordPress beginners) that's more or less okay, but for a family man with his privacy concerns, it's not suitable.

If you're looking at your business in the long term, then a managed hosting or an advanced hosting service is the best choice.

Not only does it give you your own "house" to work on, but it also ensures that you don't run into any complications in the future with regards to security.

WPEngine and Kinsta are great choices if you are looking for a reliable, managed hosting provider that's built to scale.

4. Set up a Firewall

There are plenty of firewall plugins available online that prevent malware from reaching your site one way or another. A firewall also helps create an additional barrier protecting your site from heinous DoS attacks.

5. Install a Security Plugin

Similar to the previous step, there are plenty of security plugins that keep you updated regarding the condition of your site. They ensure that you are aware of any unwanted activity, or any unwanted data files on your WordPress site.


We get it, having your site hacked is a bad experience, which you would ideally never want to go through.

Its impact on business performance, user experience, and your bottom line cannot be disregarded. In the world of WordPress, therefore, vigilance with such matters is an important consideration.

The symptoms, steps, and prevention strategies that we've mentioned above can prove rather useful if you want to prevent your site from breaches today, and for the foreseeable future.

Lastly, it pays to stay vigilant. So stay safe, and stay informed.

About the Author:
Ammar Naeem is a security nerd and WP-writer at Codup.co. When he's not busy covering the latest WordPress trends, you will find him reading comics, history books, and TV-shows.

May 8, 2020


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.