This document provides information and steps to take if your WordPress site has been hacked. It discusses discovering if your site has been hacked through strange site behavior or messages from your host. It then outlines recovery steps like restoring from backup, running scans, changing passwords, and starting over with a fresh install if needed. Finally, it offers prevention tips such as using strong unique passwords, keeping software updated, using security plugins, and hardening WordPress configuration. The overall goal is to recover your site, remove any lingering issues, and strengthen it against future attacks.
12. Backup Now
• Some hosts will disable/take down your site when they find out you’ve been hacked
• Peace of mind during the restore process
• Useful even if (especially if) you already have an existing backup
18. Run local scans
• Some server infections start with your local environment; make sure that’s clean first
19. Start from scratch
• Difficult to identify everything; even the smallest backdoor could let the attacker back in
• Fresh (separate) install, bring all content over via WP Export
20. Post-mortem Site Scan
• Sucuri Site Scan
• WordFence Site Scan
• Command-line diff-ing (on files that aren’t supposed to change)
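The command-line diff-ing from this slide, worked through as an added example that is not part of the original deck: a SHA-256 manifest is taken from a known-clean copy (or right after a fresh install), and later runs report core files that were modified, added or removed, plus any PHP dropped into the uploads directory. It assumes the standard layout (wp-*.php in the root, wp-admin/, wp-includes/, wp-content/uploads/); the function and file names are mine.

```shell
# Added example, not from the slides. Assumed layout: standard WordPress root.
# Core paths contain no spaces, so whitespace-separated manifest lines are fine.

# Use shasum where sha256sum is unavailable (e.g. macOS).
command -v sha256sum >/dev/null 2>&1 || sha256sum() { shasum -a 256 "$@"; }

# Hash every file in the places that should not change on a live site:
# the core PHP files in the root, wp-admin/ and wp-includes/.
wp_manifest() {
    # $1 = site root; prints "<sha256>  <path>" lines, sorted by path
    (
        cd "$1" || exit 1
        {
            find . -maxdepth 1 -type f -name 'wp-*.php'
            find ./wp-admin ./wp-includes -type f 2>/dev/null
        } | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    )
}

# Diff the current tree against a saved baseline manifest. One line per
# difference: MODIFIED (hash changed), ADDED (new file in a core location)
# or MISSING (file present in the baseline but gone now).
wp_integrity_diff() {
    # $1 = site root, $2 = baseline manifest produced earlier by wp_manifest
    tmp=$(mktemp)
    wp_manifest "$1" > "$tmp"
    awk 'NR == FNR { base[$2] = $1; next }
         { cur[$2] = $1 }
         END {
             for (p in base) if (!(p in cur))      print "MISSING  " p
             for (p in cur)  if (!(p in base))     print "ADDED    " p
                             else if (cur[p] != base[p]) print "MODIFIED " p
         }' "$2" "$tmp" | LC_ALL=C sort
    rm -f "$tmp"
}

# The uploads directory should hold media only; list any PHP found there.
wp_php_in_uploads() {
    # $1 = site root
    find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
}
```

Run `wp_manifest /var/www/site > baseline.txt` on the clean install, keep the baseline off the web server, and re-run `wp_integrity_diff` on a schedule; a non-empty result is a change that someone should be able to explain.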
21. Change everything
• wp-admin password
• DB password
• FTP/SSH password (maybe use public keys instead?)
• Hosting admin panel
• SECRET KEYS (to kick out logged-in users)
28. Specific Tips
• Don’t give the WP user root access to MySQL
• Change the default table prefix
• Hide the WP version
• Change the default login URL (/wp-admin)
• Don’t use admin as your username
• Block login attempts