My WordPress website was hacked: how to secure it and stop it happening again
Discovering that your WordPress website has been hacked can be stressful — especially if your site is critical to your business.
You might notice strange pop-ups, spam links, a sudden drop in Google rankings, or even find your site completely locked out. Unfortunately, WordPress hacks are common, but the good news is that most attacks are preventable with the right steps.
In this guide, we’ll explain:
- Why WordPress websites get hacked
- How to clean up a hacked site properly
- The best security plugins to install
- Hosting improvements that reduce risk
- Long-term changes to stop it happening again
Why was my WordPress website hacked?
WordPress itself is not insecure — it powers over 40% of websites worldwide — but its popularity makes it a major target.
Hackers don’t usually attack your website personally. Instead, they use automated bots scanning thousands of sites for weaknesses.
Here are the most common reasons WordPress sites get hacked:
Outdated plugins and themes
The number one cause of WordPress hacks is outdated software.
Plugins and themes often contain vulnerabilities that hackers exploit. If updates aren’t installed quickly, your site becomes an easy target.
Weak passwords or stolen logins
If your admin password is something simple like:
- password123
- admin2024
- companyname
…it can be cracked quickly through brute-force attacks.
Hackers can also steal passwords through phishing emails or insecure Wi-Fi networks.
Poor quality or abandoned plugins
Some plugins are poorly coded or no longer maintained. These can create security holes even if WordPress itself is up to date.
A good rule: if a plugin hasn’t been updated in over 6–12 months, avoid it.
Cheap or insecure hosting
Low-cost shared hosting environments can be vulnerable if servers are poorly configured or overloaded.
Good hosting plays a huge role in WordPress security.
No firewall or malware protection
Many hacked websites had no active protection in place, meaning bots could reach login pages, upload files, or inject malicious code unnoticed.
Step-by-step: how to clean a hacked WordPress website
If your WordPress site has been hacked, follow these steps carefully.
1. Put the site into maintenance mode
If possible, take the site offline temporarily to prevent further damage or visitors being exposed to malware.
A security plugin or your hosting provider can help with this.
2. Change all passwords immediately
Reset passwords for:
- WordPress admin accounts
- Hosting control panel
- FTP/SFTP access
- Database login
- Email accounts linked to the site
Use strong passwords and a password manager.
3. Scan the site for malware
Install a trusted security scanner such as:
- Wordfence Security
- Sucuri Security
- MalCare
These tools can detect malicious files and suspicious activity.
4. Remove malicious plugins or unknown admin users
Hackers often create hidden admin accounts or install backdoor plugins.
Check:
- Users → All Users
- Plugins list
- Recently modified files
Delete anything unfamiliar.
5. Restore from a clean backup (if available)
If you have a backup from before the hack, restoring it can be the quickest fix.
However, make sure the backup is clean — restoring an infected backup will repeat the problem.
6. Reinstall WordPress core files
WordPress core files can be replaced safely without affecting your content.
This helps remove altered system files.
7. Check your database for injected spam links
Some hacks insert spam links or scripts into posts, pages, or the wp_options table.
A professional clean-up may be needed if malware is deeply embedded.
8. Request a Google review if blacklisted
If your site shows warnings in search results, check Google Search Console for malware notices and request a review once cleaned.
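The checks from steps 4, 6 and 7 above, as an added read-only triage script (not part of the original post). The install path, the WP-CLI `wp` command and the function names are assumptions; the file checks need only find and grep, and nothing here deletes anything.

```shell
#!/bin/sh
# Added example, not from the original post: read-only triage for a hacked
# WordPress install. Path and WP-CLI availability are assumptions.
# Review every line of output by hand before deleting anything.

# Step 4: PHP files changed in the last N days (default 7), newest first.
recently_modified_php() {
    dir="$1"; days="${2:-7}"
    find "$dir" -type f -name '*.php' -mtime "-$days" -exec ls -lt {} +
}

# Step 4: PHP files with constructs typical of injected backdoors
# (obfuscated eval chains). Matches are leads, not proof; inspect them.
suspicious_php() {
    grep -rlE --include='*.php' \
        'eval *\( *(base64_decode|gzinflate|gzuncompress|str_rot13) *\(|preg_replace *\(.*/e' \
        "$1"
}

# Step 4: every administrator account with its registration date, so an
# unexpected or freshly created admin stands out.
wp_admins() {
    wp --path="$1" user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered
}

# Step 6: compare core and plugin files against WordPress.org checksums.
# Any "Warning: File doesn't verify" line is an altered or planted file.
wp_verify_files() {
    wp --path="$1" core verify-checksums
    wp --path="$1" plugin verify-checksums --all
}

# Step 7: posts and options carrying injected script/iframe markup.
wp_injected_content() {
    p=$(wp --path="$1" db prefix)
    wp --path="$1" db query "SELECT ID, post_title FROM ${p}posts
        WHERE post_content LIKE '%<script%' OR post_content LIKE '%<iframe%';"
    wp --path="$1" db query "SELECT option_name FROM ${p}options
        WHERE option_value LIKE '%<script%' OR option_value LIKE '%<iframe%';"
}

# Usage: sh triage.sh /var/www/html   (the path is an assumption)
if [ $# -ge 1 ]; then
    recently_modified_php "$1" 7
    suspicious_php "$1"
    command -v wp >/dev/null 2>&1 && {
        wp_admins "$1"; wp_verify_files "$1"; wp_injected_content "$1"; }
fi
```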
Best plugins to prevent WordPress hacks
Once your site is cleaned, security plugins are essential.
Here are some of the most trusted options:
Wordfence Security (best all-round protection)
Includes:
- Firewall
- Malware scanning
- Login protection
- Alerts for suspicious activity
Ideal for most small business sites.
Sucuri Security (excellent monitoring)
Good for:
- Security hardening
- File integrity monitoring
- Audit logs
Sucuri also offers professional clean-up services.
iThemes Security
Strong for:
- Blocking brute-force attacks
- Enforcing strong passwords
- Hiding login pages
Great for improving basic security quickly.
UpdraftPlus (backup protection)
Not a security plugin, but backups are essential.
UpdraftPlus allows automatic backups to:
- Google Drive
- Dropbox
- Remote storage
A must-have for recovery.
Hosting improvements that stop hacks happening again
Security isn’t just about plugins — hosting matters hugely.
Here’s what to look for:
Choose managed WordPress hosting
Managed hosts provide:
- Server-level firewalls
- Automatic updates
- Malware monitoring
- Daily backups
Examples include:
- WP Engine
- Kinsta
- SiteGround
Enable SSL and HTTPS
SSL (today TLS) encrypts the traffic between visitors and your site, so login details and form data can't be read or altered in transit, and browsers stop marking the site as not secure.
Most hosts provide free SSL via Let’s Encrypt.
Use server-side malware protection
Some hosts include built-in malware scanning, which is stronger than relying only on plugins.
Other essential WordPress security measures
To properly secure your site long-term, consider these additional improvements:
Enable two-factor authentication (2FA)
2FA makes it far harder for hackers to access admin accounts.
Wordfence and iThemes support this.
Limit login attempts
This blocks brute-force password guessing.
Disable file editing in WordPress
Hackers often inject code via the theme editor.
Add this to wp-config.php:
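The snippet itself is missing from this copy of the post. As an added example (not the post's own), the following script writes WordPress's real DISALLOW_FILE_EDIT constant into wp-config.php in an idempotent way; the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Defines DISALLOW_FILE_EDIT in
# wp-config.php, which removes the theme and plugin code editors from the
# dashboard. The path is an assumption. An equivalent one-liner with WP-CLI
# is: wp config set DISALLOW_FILE_EDIT true --raw

# Insert the define before the "stop editing" marker WordPress ships in
# wp-config.php, or append it when the marker is absent. Safe to re-run:
# an existing definition is left untouched.
harden_wp_config() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
        echo "already set: $cfg"
        return 0
    fi
    line="define( 'DISALLOW_FILE_EDIT', true );"
    if grep -q "stop editing" "$cfg"; then
        # awk emits the define immediately before the marker line.
        awk -v l="$line" '/stop editing/ { print l } { print }' "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    else
        printf '%s\n' "$line" >> "$cfg"
    fi
    echo "hardened: $cfg"
}

# Returns 0 when the constant is defined as true in the file, 1 otherwise.
file_edit_disabled() {
    grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\)" "$1"
}

# Usage: sh harden.sh /var/www/html/wp-config.php   (path is an assumption)
if [ $# -ge 1 ]; then
    harden_wp_config "$1"
fi
```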
Keep everything updated weekly
Updates should include:
- WordPress core
- Plugins
- Themes
Set a schedule or use managed updates.
Remove unused plugins and themes
Even inactive plugins can be exploited.
Delete anything you don’t use.
Install a Web Application Firewall (WAF)
A WAF blocks malicious traffic before it reaches your site.
Wordfence and Sucuri both provide firewall features.
When to get professional help
If your site has been hacked more than once, or malware keeps returning, the issue may be deeper — such as:
- Hidden backdoors
- Compromised hosting
- Database-level injections
A professional clean-up ensures everything is removed properly and hardened for the future.
At Webphoria, we help businesses:
- Clean hacked WordPress websites
- Secure hosting environments
- Install proper firewall protection
- Set up backups and monitoring
- Prevent repeat attacks
If your WordPress website has been hacked and you want peace of mind, get in touch with our team at:
Final thoughts
A hacked WordPress website is frustrating, but it’s also fixable.
The key is not just cleaning the site — but putting the right protections in place so it doesn’t happen again.
With strong passwords, trusted plugins, secure hosting, and regular updates, WordPress can be extremely safe.