How did my WordPress website get hacked? What do I do?
This article will teach you how to recover your hacked WordPress website and provide recommendations to secure your website.
WordPress is a great Content Management System with a rich ecosystem of plugins, themes and extensions that makes managing your website a breeze. But you do need to take steps to defend your website against hackers. Our experience shows that from the moment a new website is live on the internet, it takes less than a minute before hackers are trying to break in. They run hacking bots that never rest, constantly probing websites across the internet for a large and ever-increasing catalog of vulnerabilities. The good news is that you can take sensible steps to defend against this onslaught, and even if a hacker still gets in, you can recover from the breach.
The most common ways hackers & bots break into WordPress Websites are:
- Known vulnerabilities in WordPress itself
  These happen infrequently, but are always added to the hacker's arsenal of attacks.
- Insecure themes
  Third-party themes are a common point of attack if they are not written to security best-practice principles.
- Vulnerable plugins
  The most common method of attack. Some plugins become abandoned by their developers, others aren't patched quickly enough.
- Weak passwords
  We see this way too often - choosing an easy to remember password based on dictionary words will eventually lead to tears.
How to defend your website against attacks
Stay up-to-date
This is the most important action you can take to avoid your site getting hacked. Log in regularly to your website and apply any updates to WordPress core, themes and plugins whenever they become available. Don't leave it to your imperfect memory; set yourself a calendar reminder to do this once every week or two.
Install a security plugin like Wordfence, Sucuri or iThemes Security
These plugins scan your WordPress core, known plugins and themes against a database of reference code, alerting you to any differences between the reference code and the code on your site. They also provide other features like malware scanning, automatic firewalling and preventing attacks from known malicious IP addresses.
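The comparison described above, reduced to its core as an added example (it is not code from Wordfence, Sucuri, iThemes Security or Serversaurus): hash every file in a known-clean reference copy, hash the installed copy, and report what was modified, removed or added. The directory layout, file names and file contents are constructed for the demonstration, and a local clean copy stands in for the plugin's reference database.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(reference: dict[str, str], installed: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between the reference code and the installed code."""
    return {
        # Present in both trees, but the contents no longer match.
        "modified": sorted(f for f in reference if f in installed and installed[f] != reference[f]),
        # Shipped in the reference release, absent from the site.
        "missing": sorted(f for f in reference if f not in installed),
        # On the site, but never part of the reference release.
        "unexpected": sorted(f for f in installed if f not in reference),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean reference tree and an altered copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, site = Path(tmp, "reference"), Path(tmp, "site")
        clean = {"index.php": "<?php // loader",
                 "wp-includes/version.php": "<?php // version",
                 "wp-admin/admin.php": "<?php // admin"}
        for tree in (ref, site):
            for name, body in clean.items():
                target = tree / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        (site / "index.php").write_text("<?php // loader plus an extra line")    # edited
        (site / "wp-admin/admin.php").unlink()                                   # deleted
        (site / "wp-includes/cache.php").write_text("<?php // not in reference") # added
        return compare(build_manifest(ref), build_manifest(site))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Files reported as unexpected are not automatically malicious (uploads and caches land there too), so a report like this is a list of things to review rather than a verdict.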
Use a Password Manager like LastPass or 1Password
Using a Password Manager is not just for WordPress, it will change your life! You'll only ever need to remember one password, the password for your Password Vault. All your other passwords will be secure and virtually un-crackable. Like this: 8!9Gbqe3QC^jmnEm3RC4T##2eFwqN.
Take regular backups
It's always a good idea to keep backups. And even in spite of your best efforts, it's possible that a vulnerability could be discovered and used against your website before a security update is available. All of Serversaurus' shared hosting accounts are backed up every 4 hours using JetBackup and around 3 weeks of backups are retained. There is a simple and quick interface to restore your hosting account within minutes from a prior backup. We also recommend keeping your own backups, just to complete your peace-of-mind. WordPress can automatically email you a copy of your database periodically using the WordPress Database Backup plugin.
Other advice, and not just for security
- Remove any plugins or themes you don't use. Even though you're not using them, they are still installed in your website, potentially consume resources, and may contain vulnerabilities that can be exploited even though they are listed as Inactive in your Dashboard.
- Prefer well-known themes and plugins if they suit your needs completely; don't download plugins or themes from sources other than the WordPress plugin/theme directory.
- Ensure you follow all these suggestions - for example, a strong password does not protect you from vulnerabilities, and a fully updated WordPress with a strong password but without backups still leaves you vulnerable.
If you need to restore your website from a compromised state, please follow our guide on recovering a hacked WordPress installation.
Last updated November 30, 2023