So often, I get emails from people that look like this:


WordPress is the top content management system on the web right now, with 24% of websites using it. That’s huge. But that also makes it a target, which means it’s really important to secure your site. I’m pretty preachy about ways to prevent a hack (ahem, change your password and don’t make it your dog’s name, ahem) but this post is really about what to do after your site has been hacked.

Start here: Hire someone to clean it up.

If you haven’t cleaned up a hacked site before, then there’s a strong possibility you will miss something and after a couple days, your site will be gone again. I’m pretty fond of those guys over at Sucuri, so start there. They can clean it up, clean it up fast, and they won’t miss anything.

Now, after your site is cleaned up, here is what you should do:


Change all your passwords.

Let me take a moment here to lecture you on passwords. If you can remember your password, then it’s not secure. Let me repeat that: IF YOU CAN REMEMBER YOUR PASSWORD, THEN IT’S NOT SECURE. You should not be able to remember the password. I recommend it be 20 characters long, with numbers, symbols, caps, and lowercase letters, and no words. Don’t use your kid’s name. Don’t use your dog’s name. Don’t use your birthdate. Seriously, this is very serious. The most common way for hackers to get into your site is through an easy password.

“But Amy, if I can’t remember it, how will I log in?”

This is not a good enough excuse. Use a password manager like LastPass (which is super inexpensive and worth every penny) or I have an even simpler solution that will cost you $0 – write it down, tape it to your desk or under your keyboard. That doesn’t sound very secure, but in truth, someone would have to break into your house in order to get that password, and then they would have to know what the password was for to do anything with it.

Want to take it a step further? Set up two-factor authentication.

Also, I shouldn’t have to mention it, but this password should be unique. Don’t use it on any other site. (Also, don’t use the same password twice ever.)

Secure your site.

There are some great security plugins out there that will work to prevent future hackings. Here are three I like:

One of the main things you want your security plugin to do is disable the ability to upload PHP under the uploads directory. This is the backdoor many hackers use. The uploads directory has permissions that allow us to upload to it because that’s where we upload our media files. If someone hacks in, then they can upload their PHP scripts and take over your site. If you disable the ability to upload PHP to that directory, then they can’t get into that backdoor.

For the future, update everything.

A friend once was complaining to me about the spam on her site, so I said, “Hey, send me a login, I’ll take care of it for you.” She did, and when I logged in, I was absolutely shocked at what version of WordPress she had running. It was so old, I almost didn’t recognize the Dashboard. I immediately emailed her about that and she said, “Our designer told us we didn’t need to do that.”

And that’s when my head exploded.

I couldn’t believe she had never had that site hacked, and I couldn’t believe someone told her to ignore the site updates. That’s naive and irresponsible. Have no worries, I updated it for her and lectured her on maintaining those updates. Whether she heeded my advice, I can’t say.

There’s a reason updates come out. Often, it’s because a vulnerability in the software has been discovered and needs to be patched. Ignoring those updates is an invitation to get hacked. You will eliminate 80% of potential hackings by simply clicking the “update” button. It only takes a minute, and keeps your site secure. Seriously – DO IT.

One final note – if you’ve been hacked and are worried about being hacked again, I can’t praise the services of Sucuri enough. If you get an account, they can scan your site every three hours of every day, looking for malware. They’ll catch it long before you do.

Need help with your hacked site? We can help clean it up and get you secure in the process.


Amy Masson

Amy is the co-owner, developer, and website strategist for Sumy Designs. She's been making websites with WordPress since 2006 and is passionate about making sure websites are as functional as they are beautiful.
