How to fix a hacked WordPress website

  1. Rename the directory of the current hacked WordPress website so it is no longer active.
    • E.g. I would rename public_html to old_public_html
  2. Install a fresh copy of WordPress as you would with a brand new site.
  3. Copy the following from old_public_html to your new site:
    • /wp-content/uploads (check if any files look out of the ordinary)
    • wp-config.php (check that the file contains nothing extra compared to the fresh install's version)
  4. Install fresh copies of the plugins & themes used in the old_public_html. There is a good chance that your website got hacked from an outdated plugin or theme.
  5. Change your passwords, and try not to use the following usernames:
    • admin
    • administrator
    • your business name
  6. If any plugin or theme can’t be updated, I would look at replacing it with a new one. Otherwise it may be only a matter of time before your website gets hacked again.
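The two checks in step 3 (files that do not belong under wp-content/uploads, and lines in the old wp-config.php that the fresh one lacks) as a POSIX shell script. This is an added example, not code from the original post: the directory names old_public_html and public_html follow the example above, the sample tree it builds in a temporary directory is constructed, and the list of flagged extensions is my assumption about what should never sit in an uploads directory.

```shell
#!/bin/sh
# Added example (not from the original post): the two checks from step 3 of
# the recovery procedure, run against the hacked copy (old_public_html) and
# the fresh install (public_html). Directory names are assumptions.
set -eu

# 1. Files under wp-content/uploads that should not be there: anything the
#    web server could execute (*.php, *.php5, *.phtml, *.phar), a stray
#    .htaccess, or a file of any extension that contains a PHP open tag.
#    Paths are printed relative to the uploads directory.
suspicious_uploads() {
    uploads="$1/wp-content/uploads"
    [ -d "$uploads" ] || { echo "no uploads directory at $uploads" >&2; return 1; }
    (
        cd "$uploads"
        {
            find . -type f \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' \
                              -o -name '*.phar' -o -name '.htaccess' \)
            grep -rIl '<?php' . || true
        } | sort -u
    )
}

# 2. Non-blank lines in the old wp-config.php that the fresh wp-config.php
#    does not have. DB credentials and salts will legitimately differ;
#    anything else (an include of an unknown file, eval/base64 calls) needs
#    a close look before it is carried over.
extra_config_lines() {
    old_cfg="$1/wp-config.php"
    new_cfg="$2/wp-config.php"
    pattern_file=$(mktemp)
    grep -v '^[[:space:]]*$' "$new_cfg" > "$pattern_file" || true
    grep -vxFf "$pattern_file" "$old_cfg" | grep -v '^[[:space:]]*$' || true
    rm -f "$pattern_file"
}

# ---- constructed sample tree so the script runs offline ------------------
demo=$(mktemp -d)
hacked_site="$demo/old_public_html"
fresh_site="$demo/public_html"
mkdir -p "$hacked_site/wp-content/uploads/2024/05" "$fresh_site"
printf 'GIF89a' > "$hacked_site/wp-content/uploads/2024/05/photo.gif"   # ordinary upload
printf '<?php // constructed marker\n' > "$hacked_site/wp-content/uploads/2024/05/dropper.php"
printf 'JFIF<?php // constructed: PHP hidden in an image\n' > "$hacked_site/wp-content/uploads/2024/05/fake.jpg"
printf '# constructed stray .htaccess\n' > "$hacked_site/wp-content/uploads/2024/05/.htaccess"
cat > "$fresh_site/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'fresh_db');
define('DB_PASSWORD', 'fresh-placeholder');
require_once ABSPATH . 'wp-settings.php';
EOF
cat > "$hacked_site/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'old_db');
define('DB_PASSWORD', 'old-placeholder');
@include_once '/tmp/.cache.php';
require_once ABSPATH . 'wp-settings.php';
EOF

echo "== suspicious files under uploads =="
suspicious_uploads "$hacked_site"
echo "== lines in old wp-config.php missing from the fresh one =="
extra_config_lines "$hacked_site" "$fresh_site"
```

On a real host, point hacked_site and fresh_site at the renamed and freshly installed directories and drop the sample-tree section; only copy uploads across once the first list is empty, and only carry over config lines from the second list that you recognise.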

What are the causes of a hacked WordPress website?

  1. Insecure web hosting. Most reputable web hosts have good security. I would avoid the cheap web hosts.
  2. Weak Passwords
  3. Outdated WordPress
  4. Outdated plugins
  5. Outdated themes
  6. Incorrect file permissions

Additional steps to secure WordPress

1. Protect the .htaccess file

Most reputable hosts protect this file by default. However, if you want to be extra safe, you can add this code to your .htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

2. Secure the wp-config.php file

To protect your wp-config.php file from unauthorized access, add this code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

3. Block author scans in WordPress

Another way a WordPress website gets hacked is through its author names: an attacker looks up the author of your posts (which often reveals the login username) and then runs a brute-force login attack against that username.

Add this code to your .htaccess file to prevent scanning for author usernames:

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

4. Disable Access to XML-RPC

For most WordPress websites xmlrpc.php is not used. It lets you access your website from custom admin software and mobile applications rather than through a browser, so if you do not use those, block it:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
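A way to confirm that the rules in sections 3 and 4 are actually in effect, as an added example that is not part of the original post: it reads an Apache access log, picks out author scans (author= followed by digits in the query string, the same pattern as the RewriteCond above) and xmlrpc.php calls, and reports whether each was refused with a 403 or served. A non-zero count of served requests means the rules are not being honoured; one common reason is that the order/deny directives are Apache 2.2 syntax, and Apache 2.4 only accepts them with mod_access_compat loaded (the 2.4 equivalent is Require all denied). The log lines and IP addresses below are constructed; the log format assumed is Apache's combined format.

```shell
#!/bin/sh
# Added example (not from the original post): checks an Apache access log for
# the two request types sections 3 and 4 block, author scans and xmlrpc.php
# calls, and reports whether each one was refused (403) or served.
# The log lines below are constructed; IPs are from documentation ranges.
set -eu

sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2024:10:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.4 - - [10/May/2024:10:03:00 +0000] "GET /2024/05/hello-world/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
192.0.2.4 - - [10/May/2024:10:03:05 +0000] "GET /?s=author HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF

# One line per matching request: client, kind, status, verdict. In a
# combined-format line field $7 is the request target and $9 the status
# code. The author pattern mirrors the RewriteCond above (author=\d+
# anywhere in the query string); a search for the word "author" does not match.
recon_requests() {
    awk '{
        n = split($7, part, "?")
        path = part[1]
        query = (n > 1) ? part[2] : ""
        kind = ""
        if (query ~ /author=[0-9]+/)       kind = "author-scan"
        else if (path ~ /\/xmlrpc\.php$/)  kind = "xmlrpc"
        if (kind == "") next
        verdict = ($9 == 403) ? "BLOCKED" : "SERVED"
        print $1, kind, $9, verdict
    }' "$1"
}

# Number of matching requests that got through. Anything above zero means
# the .htaccess rules are not in effect for this site.
unblocked_count() {
    recon_requests "$1" | grep -c SERVED || true
}

recon_requests "$sample_log"
echo "unblocked: $(unblocked_count "$sample_log")"
```

Run it against the real log with recon_requests /var/log/apache2/access.log (path depends on the host); the constructed sample shows both outcomes, two author scans refused and one xmlrpc.php call served because the section 4 rule was not yet in place.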