Here Is What Professional Developers Do When Their WordPress Website Gets Hacked

If you are reading this blog, I assume that you’ve had an “Oh crap” situation. Many of us have tasted the bitterness of getting our website hacked. It doesn’t matter if you are a WordPress amateur or WordPress guru, it’s a very big blow to your pride and it can cause great loss.

I know WordPress security is not a sexy subject at all, but we need to drill into our mind the fact that we need to keep our property safe. Well, let’s not beat around the bush any longer someone broke into your house and stole everything what do you have to do to clean up this mess?

How Did Your WordPress Site Get Hacked?

Welcome to the club You’re not the only one

Is it true that the easier to use WordPress is, the easier it is for a hacker to crack it?

No. Not really. WordPress’s “easy to use” feature doesn’t make your site vulnerable. Sometimes the main reason for being attacked is your carelessness. You should admit it.

So how did your website get hacked? Hackers usually attack your website via your unpatched vulnerabilities like hosting/web server vulnerabilities, a plugin or theme‘s bugs, weak username/password combinations, etc. You get a virus on your PC, or you accidentally approve spam comments with malicious links, or you have password like “abc123”, or your website displays plain HTML/JavaScript pages that you don’t notice all of these leave the door open for hackers to take your website down.

There are numerous reasons for one’s website to be hacked (those hackers just have so much free time to kill, maybe). No matter the reason your site got hacked, pull yourself together and move forward to the important part: fixing your website.

What To Do When Your WordPress Website Has Been Hacked?

Destroy it

(nahjust kidding)

Rule number 1: Stay calm.

I know you’re in a wild rage. You are angry, confused and worried at the same time. But face it, your website is hacked, and you need to take a deep breath to bring back your peace of mind. After taking a look around, you may ask others for help or figure out things to do on your own, but I think a speedy restore will help you minimize the damage that was caused.

Just imagine that your site has very high traffic per day and now it’s down how many people will leave your site with frustration and disappointment? How low your reputation will become? Having a best practice list for an emergency situation like this is not a bad idea.

That is to say, here are the best practices that WordPress developers usually follow to fix their affected websites:

Do a cleanup. Scan your local computer with a reputable antivirus program and then remove all harmful threats detected.

Contact your host provider. Ask them for support describe your problem in detail and if possible, ask them to track what happened to your site with hosting related activities.

Use the backup of your website and your database to restore your website so you won’t lose all your important data. I hope that you backup your website regularly so that the latest backup will be almost the same version as your affected version.

In case you don’t have a backup (oh, shame on you), create a backup now. Make a copy of any uploaded files in your website, such as images, zip files, plugins, or PHP scripts so you won’t have to fix broken images/links in your posts later.

Remove the hacked WordPress installation. This action should be done along with the above one. Remember to use the latest WordPress version. Also, remove and update your theme and plugins to the latest versions.

Change all backend passwords including FTP, MySQL, SFTP and all other admin accounts.

Find and clean all backdoors. Delete all files under your web root folder in your main site and any add-on sites. Hackers like to hide backdoors to regain access to your website if they find the main access point again.

Recheck your website’s content for any damage in the posts and repair them. If you detect any strange links or iframes that were inserted, delete them and restore any lost content.

Prevent Your Site From Being Hacked Again Advice From The Pros

It’s a pain to have to go through the cleaning up process, isn’t it? Your site has been hacked that’s very ugly, but even uglier if you let your website come under attack again.

It’s time to stay vigilant so take these golden nuggets to avoid a potential breach by making your site hard to break:

Choose a reputable hosting service. Choose a host that is stable, well versed in security, and has knowledgeable tech support. Some suggestions for you: GoDaddy and Hostgator (If you’re using another host and think they rock, let me and our readers know by commenting below this article).

Strengthen your WordPress. If you haven’t already read it, go throughthis Hardening WordPress guide.

Protect your website with .htaccess. You have to protect your .htaccess. You can add code to .htaccess so that no one can hack or spam your website. You can also put a .htaccess password on the admin directory.

Set 777 permissions on your content. The most common reason that WordPress install gets hacked is when you put it on shared hosting. If you can’t lock down the permissions correctly, your site is at high risk. So, have wp-content folders set to 777 permissions. Also, you should block unnecessary file types in any upload directory of your website.

Change WordPress admin URL. Change the default admin URLfrom: Here is how.

Change the default WordPress database prefixwp_. This is one of the most common and ridiculous security mistakes. Change the default wp_to something random likec57z2_.

Change the defaultadminusername to a new, strong and unpredictable name.

Most importantly,

Setup a solid backup system. Have a good backup plan.

If you are too busy to care about backup, it’s like being too busy driving a car to put on a seatbelt. A good backup plan is your best line of defense.

One piece of advice that is shared the most among WordPress developers, is to make sure your files and database are being backed up on a daily basis and are stored off-site.You can use the VaultPress service to help you with this.

Plus, remember to test your backups on a regular basis (don’t just create a backup and leave it there). This is highly recommended. You can do this with an auto-clone like BackupBuddy. Testing a clone is an effective way to see if your clone version mirrors the main site.

One more thing to take note is backup frequency. The frequency depends the number of users on your site, how often users work on your site, how busy the site is, and what your site does programmatically.

Lastly, help your client understand the importance of backups. The problem is, many clients refuse to pay for a maintenance plan including backups and regular web scanning (they tend to like using cheap hosting also). So if your client is not prepared to pay for contingency planning, then they are potentially causing their own future problems.

When a client refuses to pay for further backup services, it’s clear that you have no responsibility for loss in that respect but your client might not understand that it’s their fault. Try your best to make things clear for them (or give them this article to read!).


Getting hacked sucks and cleaning the site is no picnic. However, once it happens don’t procrastinate, fix the problem as soon as possible. I hope that with this article, you know more about how to save your site after an attack as well as how to protect it from hackers out there.

And please let me know if you have any questions or want to share an experience of yours in such a situation.

by Vivian Vu

I'm a proud minion in the WooRockets Team. Enjoy life, music, writing blogs and LOVE to read comments for my blogs - So feel free to connect with me by leaving a comment right below or tweet me @vivianjedi

Leave your comment

Ready to Sell Online?

Build Your Online Store with WooCommerce & Nitro Theme

Read more

Touch With Us