{"id":5122,"date":"2026-04-15T12:14:47","date_gmt":"2026-04-15T12:14:47","guid":{"rendered":"https:\/\/www.codecaste.com\/blog\/?p=5122"},"modified":"2026-04-23T08:25:44","modified_gmt":"2026-04-23T08:25:44","slug":"wordpress-hacked-how-hackers-got-in","status":"publish","type":"post","link":"https:\/\/www.codecaste.com\/blog\/wordpress-hacked-how-hackers-got-in\/","title":{"rendered":"WordPress Hacked? Fix It Fast + How Hackers Got In (2026 Guide)"},"content":{"rendered":"\n<p>You log in to your wordpress site one morning, and something feels off. Your website homepage is showing a pharmaceutical ad. Or a visitor texted you saying your site redirected them to a casino site. <\/p>\n\n\n\n<p>If any of that sounds familiar, you have already lived through a <strong>wordpress hacked<\/strong> situation, and it is not a fun place to be. A WordPress-hacked site can lead to data loss and SEO damage.<\/p>\n\n\n\n<p>The frustrating part is that most site owners had no idea the attack was coming, or that their site was even vulnerable. And that is by design. Attackers do not announce themselves. They move quietly, plant code, and either cause immediate visible damage or sit dormant for weeks, waiting. Many wordpress hacked cases happen due to outdated plugins.<\/p>\n\n\n\n<p>Here is a stat worth sitting with: WordPress powers roughly <strong>43% <\/strong>of all websites on the internet. That scale makes it an extraordinarily attractive target. <\/p>\n\n\n\n<p>Automated bots scan millions of WordPress sites every day, looking for specific <strong>wordpress vulnerabilities<\/strong> to exploit. Most attacks are not personal. 
They are industrial.<\/p>\n\n\n\n<p>In this article, we break down the actual <strong><a href=\"https:\/\/www.codecaste.com\/blog\/wordpress-hacked-fix-guide-2026\/\">wordpress hacking methods<\/a><\/strong> attackers use, the warning signs you should not ignore, and the concrete steps you can take to lock your site down.<\/p>\n\n\n\n<p>Whether you run a blog or a business-critical eCommerce store, this is worth reading before something goes wrong.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-attack-vectors-diagram-1024x683.png\" alt=\"wordpress-hacked-attack-vectors-\" class=\"wp-image-5136\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-attack-vectors-diagram-1024x683.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-attack-vectors-diagram-300x200.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-attack-vectors-diagram-768x512.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-attack-vectors-diagram-600x400.png 600w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-attack-vectors-diagram-900x600.png 900w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-attack-vectors-diagram.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How Your WordPress Sites Actually Get Compromised<\/strong><\/h2>\n\n\n\n<p>Before we get into the specifics, it helps to understand why <strong>wordpress security<\/strong> is such a challenge in the first place.<\/p>\n\n\n\n<p>WordPress itself, when kept updated and properly configured, is reasonably secure. The problem is the ecosystem around it. 
<\/p>\n\n\n\n<p>The average WordPress site runs <strong>20+ plugins<\/strong>, a premium theme, and a hosting environment that may or may not be hardened. Each one of those layers is a potential door.<\/p>\n\n\n\n<p>Attackers also do not manually probe your site while sipping coffee. They run automated tools that scan thousands of sites per hour, testing known exploits against known software versions. <\/p>\n\n\n\n<p>If your site is running a vulnerable plugin from three months ago, a bot will find it before you remember to update it.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>QUICK CHECK<\/strong>: Head over to your WordPress admin dashboard right now. If you see update notifications for plugins or themes that you have been ignoring, those are open invitations. Go update them.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>WordPress Vulnerabilities: The Main Entry Points<\/strong><\/h2>\n\n\n\n<p>Not all attack vectors are created equal. Here are the main ways attackers find their way in:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>1. Outdated or Poorly Coded Plugins<\/strong><\/h3>\n\n\n\n<p>Plugins are responsible for the majority of <strong>wordpress vulnerabilities<\/strong> found in the wild. The WordPress plugin repository alone has over 60,000 plugins. Some are brilliantly maintained. Others were last updated in 2019 and have known security holes documented publicly on sites like <a href=\"https:\/\/wpscan.com\/\" target=\"_blank\" rel=\"noopener\">WPScan.org<\/a>.<\/p>\n\n\n\n<p>A vulnerable plugin does not need to be popular to be exploited. Bots specifically look for installations of plugins with known CVEs (Common Vulnerabilities and Exposures). 
If you have it installed and not updated, you are exposed.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Examples of plugin vulnerabilities:<\/strong> unauthenticated SQL injection, stored cross-site scripting (XSS), arbitrary file upload, and privilege escalation.<\/li>\n\n\n\n<li>A single plugin with a critical severity rating can give an attacker full admin access to your site.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>2. Vulnerable or Nulled Themes<\/strong><\/h3>\n\n\n\n<p>Premium themes obtained from unofficial sources (commonly called &#8220;nulled&#8221; themes) are a major <strong>wordpress security<\/strong> risk. These pirated copies frequently come pre-loaded with malicious code. You think you are getting a $60 theme for free. You are actually giving a free backdoor entry to the hackers. <\/p>\n\n\n\n<p>Even legitimate themes that are not kept updated can contain vulnerabilities, though this is less common than with plugins.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>3. Weak or Reused Passwords<\/strong><\/h3>\n\n\n\n<p>Brute force attacks are exactly what they sound like. Attackers hammer your login page with username and password combinations until something works. Default usernames like &#8220;admin&#8221; combined with weak passwords make this trivially easy.<\/p>\n\n\n\n<p>Credential stuffing is a related attack where attackers use username\/password combos leaked from other data breaches. If you reused your email password on your WordPress admin account, and that email was in a data breach, attackers already have your credentials.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>4. Insecure Hosting Environments<\/strong><\/h3>\n\n\n\n<p>Shared hosting comes with a trade-off. If a neighbouring site on the same server gets compromised and the hosting environment is not properly isolated, attackers can sometimes pivot across accounts. 
<\/p>\n\n\n\n<p>This is less common on quality-managed WordPress hosting providers, but it happens on budget shared hosts.<\/p>\n\n\n\n<p>Outdated PHP versions on the server side, misconfigured file permissions (files set to 777, for example), and exposed wp-config.php files all fall under hosting-level <strong>wordpress vulnerabilities<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>5. Exposed wp-admin and xmlrpc.php<\/strong><\/h3>\n\n\n\n<p>By default, your WordPress login page lives at yoursite.com\/wp-admin and yoursite.com\/wp-login.php. Every attacker knows this. Leaving these publicly accessible without any additional protection means they are a constant target for brute force attempts.<\/p>\n\n\n\n<p>The xmlrpc.php file is a legacy API endpoint that is frequently exploited for brute force attacks and DDoS amplification. Unless you specifically need it, it should be disabled.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>6. Third-Party Scripts and Supply Chain Attacks<\/strong><\/h3>\n\n\n\n<p>Modern websites pull in a lot of external code: analytics scripts, chat widgets, ad networks, and social media embeds. If any of those third-party services gets compromised, their script can deliver malware directly to your visitors without anything on your own server being touched.<\/p>\n\n\n\n<p>This is called a supply chain attack, and it is increasingly common. 
You can have a perfectly hardened WordPress site and still be serving malware through a compromised third-party tag.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"516\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-wpscan-database-1-1024x516.png\" alt=\"\" class=\"wp-image-5158\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-wpscan-database-1-1024x516.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-wpscan-database-1-300x151.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-wpscan-database-1-768x387.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-wpscan-database-1-600x303.png 600w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-wpscan-database-1.png 1190w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Common <strong>WordPress Hacking<\/strong> Methods Explained<\/strong><\/h2>\n\n\n\n<p>Understanding <a href=\"https:\/\/www.codecaste.com\/blog\/wordpress-hacked-fix-guide-2026\/\"><strong>wordpress hacking methods<\/strong> <\/a>is not about becoming a hacker yourself. It is about knowing where to look and what to harden. Here are the attack types you are most likely to encounter:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>SQL Injection (SQLi)<\/strong><\/h3>\n\n\n\n<p>SQL injection happens when an attacker inserts malicious database commands into a form field or URL parameter that your site passes to the database without properly sanitising. 
<\/p>\n\n\n\n<p>If the code does not clean the input first, the attacker can read data, modify records, create admin accounts, or even wipe your database entirely.<\/p>\n\n\n\n<p>This is usually exploited through poorly coded plugins or themes that handle user input carelessly. Well-maintained plugins use WordPress&#8217;s built-in database functions that handle sanitisation automatically.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Cross-Site Scripting (XSS)<\/strong><\/h3>\n\n\n\n<p>XSS attacks inject malicious JavaScript into pages that other visitors then load. There are two main types:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Stored XSS:<\/strong> the malicious script is saved to your database (e.g., in a comment or user profile field) and runs every time someone views that content.<\/li>\n\n\n\n<li><strong>Reflected XSS:<\/strong> the script is embedded in a link and only runs when a victim clicks it.<\/li>\n<\/ul>\n\n\n\n<p>XSS can be used to steal session cookies, redirect users, deface your site, or deliver drive-by malware downloads to your visitors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Brute Force and Credential Stuffing<\/strong><\/h3>\n\n\n\n<p>As mentioned earlier, brute force attacks repeatedly guess passwords. Credential stuffing is more sophisticated: attackers use actual leaked credentials from other breaches. The tools they use can test thousands of combinations per minute against unprotected login pages.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>File Upload Exploits<\/strong><\/h3>\n\n\n\n<p>If your site allows file uploads (portfolio submissions, contact form attachments, user avatars), a poorly configured uploader can accept PHP files disguised as images. 
The attacker uploads a malicious PHP file, then accesses it directly through the browser, giving them code execution on your server.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Remote Code Execution (RCE)<\/strong><\/h3>\n\n\n\n<p>Some plugin or theme vulnerabilities allow attackers to run arbitrary code directly on your server. This is about as bad as it gets. RCE typically gives attackers the ability to install backdoors, modify files, steal data, and use your server to attack other sites.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>DEVELOPER TIP<\/strong><br>If you are a developer reviewing your own code, always use $wpdb-&gt;prepare() for database queries, sanitize_text_field() for input sanitization, and wp_kses() for HTML output. These are your first line of defence.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Signs Your WordPress Site Has Been Hacked: WordPress Malware Signs<\/strong><\/h2>\n\n\n\n<p>Spotting the <strong>wordpress malware signs<\/strong> early can limit the damage significantly. Some are obvious. 
Others are subtle enough that site owners miss them for weeks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Visible Signs<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Defacement:<\/strong> your homepage or other pages have been replaced with content from attackers (often political messages or hacking group callouts).<\/li>\n\n\n\n<li><strong>Spam content:<\/strong> pages selling pharmaceuticals, counterfeit goods, or gambling services have been injected into your site.<\/li>\n\n\n\n<li><strong>Unexpected redirects:<\/strong> visitors are being sent to completely different websites when they land on your pages.<\/li>\n\n\n\n<li><strong>Google warnings:<\/strong> <a href=\"https:\/\/search.google.com\/search-console\/about\" target=\"_blank\" rel=\"noopener\">Google Search Console<\/a> is flagging your site for malware, and browsers show red warning screens to visitors.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Subtle Signs<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>New admin accounts:<\/strong> accounts you did not create have appeared in your Users list.<\/li>\n\n\n\n<li><strong>Modified core files:<\/strong> WordPress core files like wp-login.php, index.php, or files in wp-includes\/ have been altered.<\/li>\n\n\n\n<li><strong>Strange outbound requests:<\/strong> server logs show your site making requests to unfamiliar external domains.<\/li>\n\n\n\n<li><strong>Performance drops:<\/strong> your site has suddenly become very slow without any changes on your part (often caused by crypto-mining scripts or outbound spam being sent from your server).<\/li>\n\n\n\n<li><strong>Hosting suspension:<\/strong> your host has suspended your account due to sending spam email or malicious traffic.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Backdoors<\/strong><\/h3>\n\n\n\n<p>Backdoors are hidden access points left by attackers after the initial breach. 
They can look like legitimate PHP files in your uploads folder, obfuscated code added to functions.php, or modified plugin files. Even after cleaning visible infections, backdoors allow attackers to re-enter at will.<\/p>\n\n\n\n<p>Common locations to check: \/wp-content\/uploads\/ (should never contain PHP files), \/wp-content\/plugins\/ (look for files with random names or recent modification timestamps), and your theme&#8217;s functions.php and header.php files.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-site-defaced-homepage-1024x683.png\" alt=\"wordpress-hacked-site-defaced-homepage\" class=\"wp-image-5138\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-site-defaced-homepage-1024x683.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-site-defaced-homepage-300x200.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-site-defaced-homepage-768x512.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-site-defaced-homepage-600x400.png 600w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-site-defaced-homepage-900x600.png 900w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-site-defaced-homepage.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>WordPress Security Audit Checklist: A Step-by-Step Review<\/strong><\/h2>\n\n\n\n<p>Running a <strong>wordpress security audit checklist<\/strong> does not need to be overwhelming. 
Here is a structured approach you can follow even without deep technical knowledge:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Check your WordPress version.<\/strong> Go to Dashboard &gt; Updates. If you are not on the latest version, update now. WordPress core updates frequently patch critical vulnerabilities.<\/li>\n\n\n\n<li><strong>Audit your plugins.<\/strong> Go to Plugins &gt; Installed Plugins. Deactivate and delete any you are not actively using. Update all remaining plugins. Check each one on WPScan.org for known vulnerabilities.<\/li>\n\n\n\n<li><strong>Audit your themes.<\/strong> Keep only your active theme and its parent theme (if applicable). Delete everything else. Update your active theme.<\/li>\n\n\n\n<li><strong>Review user accounts.<\/strong> Go to Users &gt; All Users. Remove any accounts you do not recognise. Change the role of any accounts that have admin access but do not need it.<\/li>\n\n\n\n<li><strong>Check file permissions.<\/strong> Key permission targets: wp-config.php should be 440 or 400. The wp-content directory should be 755. Individual files should be 644.<\/li>\n\n\n\n<li><strong>Look for PHP files in the uploads folder.<\/strong> This folder should only contain media files. Any .php file in \/wp-content\/uploads\/ is a red flag.<\/li>\n\n\n\n<li><strong>Scan with a security plugin.<\/strong> Run a full malware scan using <a href=\"https:\/\/www.wordfence.com\/\" target=\"_blank\" rel=\"noopener\">Wordfence<\/a>, <a href=\"https:\/\/www.malcare.com\/\" target=\"_blank\" rel=\"noopener\">MalCare<\/a>, or <a href=\"https:\/\/sitecheck.sucuri.net\/\" target=\"_blank\" rel=\"noopener\">Sucuri<\/a>. 
Review every flagged file carefully.<\/li>\n\n\n\n<li><strong>Check your .htaccess file.<\/strong> Open this file (in your site root) and look for code that was not there before, particularly redirect rules pointing to external domains.<\/li>\n\n\n\n<li><strong>Review wp-config.php.<\/strong> This file contains your database credentials. Make sure it has not been modified and is not publicly accessible.<\/li>\n\n\n\n<li><strong>Check<a href=\"https:\/\/search.google.com\/search-console\/about\" target=\"_blank\" rel=\"noopener\"> Google Search Console<\/a>.<\/strong> If you have not set this up, do it now. Google will notify you of manual actions, malware detection, and crawl issues.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Essential WordPress Security Tools<\/strong><\/h2>\n\n\n\n<p>Good <strong>wordpress security tools<\/strong> do not replace sound practices, but they make implementing and monitoring those practices a lot more manageable. Here are the ones worth knowing:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><a href=\"https:\/\/wordpress.org\/\" target=\"_blank\" rel=\"noopener\">Wordfence Security<\/a><\/strong><\/h3>\n\n\n\n<p>Wordfence is one of the most popular <strong>wordpress security tools<\/strong> available. It includes a web application firewall (WAF), malware scanner, login security features, and real-time threat intelligence. The free version is solid. The premium version adds real-time rule updates and country blocking.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><a href=\"https:\/\/sucuri.net\/\" target=\"_blank\" rel=\"noopener\">Sucuri Security<\/a><\/strong><\/h3>\n\n\n\n<p>Sucuri offers both a free plugin for monitoring and a paid platform that includes a cloud-based WAF and CDN. 
Their malware removal service is particularly well-regarded for post-hack cleanup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><a href=\"https:\/\/wordpress.org\/plugins\/malcare-security\/\" target=\"_blank\" rel=\"noopener\">MalCare Security<\/a><\/strong><\/h3>\n\n\n\n<p>MalCare is known for its one-click malware removal feature and its focus on scanning without impacting server performance. It runs scans on its own servers rather than yours.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><a href=\"https:\/\/wpscan.com\/\" target=\"_blank\" rel=\"noopener\">WPScan<\/a><\/strong><\/h3>\n\n\n\n<p>WPScan is a command-line vulnerability scanner built specifically for WordPress. It is commonly used by developers and security professionals to test their own sites. There is also a free API and a web-based version available at wpscan.com.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><a href=\"https:\/\/instawp.com\/plugin\/better-wp-security\/\" target=\"_blank\" rel=\"noopener\">iThemes Security (now Solid Security)<\/a><\/strong><\/h3>\n\n\n\n<p>Formerly iThemes Security, Solid Security focuses on hardening common WordPress attack surfaces: brute force protection, file change detection, two-factor authentication, and database backups.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong><a href=\"https:\/\/wordpress.org\/plugins\/updraftplus\/\" target=\"_blank\" rel=\"noopener\">UpdraftPlus (Backups)<\/a><\/strong><\/h3>\n\n\n\n<p>Not a security scanner, but arguably the most important tool on this list. UpdraftPlus automates backups to remote storage (Google Drive, Dropbox, Amazon S3, etc.). A clean, recent backup is the fastest path out of a major compromise.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>IMPORTANT<\/strong><br>Do not store your backups on the same server as your website. If an attacker gains access to your server, they can delete your backups. 
Always send backups to an off-site location.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>How to Prevent WordPress Website Hacking: Core Hardening Steps<\/strong><\/h2>\n\n\n\n<p>Knowing <strong>how to prevent WordPress website hacking<\/strong> comes down to layered defences. No single measure makes you bulletproof, but combining several significantly raises the cost of attacking your site to the point where automated bots move on.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Keep Everything Updated<\/strong><\/h3>\n\n\n\n<p>WordPress core, plugins, and themes should be updated as soon as updates are available. Enable automatic background updates for minor WordPress core releases. For major releases, test on a staging environment first. <a href=\"https:\/\/www.codecaste.com\/blog\/are-wordpress-maintenance-services-worth-it\/\">Check our WordPress Maintenance Service<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Use Strong, Unique Passwords and Two-Factor Authentication<\/strong><\/h3>\n\n\n\n<p>Every admin account should have a strong, unique password (not reused from any other service). Add two-factor authentication using a plugin like <a href=\"https:\/\/wordpress.org\/plugins\/wp-2fa\/\" target=\"_blank\" rel=\"noopener\">WP 2FA<\/a> or<a href=\"https:\/\/wordpress.org\/plugins\/tags\/google-authenticator\/\" target=\"_blank\" rel=\"noopener\"> Google Authenticator<\/a>. This alone stops the vast majority of credential-based attacks.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Limit Login Attempts<\/strong><\/h3>\n\n\n\n<p>Plugins like<a href=\"https:\/\/wordpress.org\/plugins\/limit-login-attempts-reloaded\/\" target=\"_blank\" rel=\"noopener\"> Limit Login Attempts Reloaded<\/a> or <a href=\"https:\/\/wpcerber.com\/features\/\" target=\"_blank\" rel=\"noopener\">WP Cerber<\/a> add rate limiting to your login page. 
After a set number of failed attempts, the IP gets temporarily blocked.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Change the Default Admin Username<\/strong><\/h3>\n\n\n\n<p>If your WordPress username is still &#8220;admin&#8221;, change it. Create a new admin account with a different username, log out, log in with the new account, and delete the old &#8220;admin&#8221; user (assigning its content to the new account).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Disable XML-RPC Unless You Need It<\/strong><\/h3>\n\n\n\n<p>Add the following to your .htaccess file to block access to xmlrpc.php:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Deny every request for xmlrpc.php (Apache mod_access_compat syntax)\n&lt;Files xmlrpc.php&gt;\n    Order deny,allow\n    Deny from all\n&lt;\/Files&gt;<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Move wp-config.php Up One Directory<\/strong><\/h3>\n\n\n\n<p>WordPress will look for wp-config.php in the directory above your web root. Moving it there makes it inaccessible directly from the browser, removing one attack surface.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Use a Web Application Firewall (WAF)<\/strong><\/h3>\n\n\n\n<p>A WAF filters malicious traffic before it even reaches your WordPress application. <a href=\"https:\/\/www.wordfence.com\/\" target=\"_blank\" rel=\"noopener\">Wordfence<\/a> and <a href=\"https:\/\/sucuri.net\/\" target=\"_blank\" rel=\"noopener\">Sucuri<\/a> both offer WAF solutions. <a href=\"https:\/\/www.cloudflare.com\/waf\/\" target=\"_blank\" rel=\"noopener\">Cloudflare also offers WAF<\/a> capabilities at both free and paid tiers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Run Regular Backups<\/strong><\/h3>\n\n\n\n<p>Set up automated daily backups stored off-site. If you are ever compromised, a clean backup from before the infection is the fastest and cleanest recovery path. 
<a href=\"https:\/\/wordpress.org\/plugins\/updraftplus\/\" target=\"_blank\" rel=\"noopener\">UpdraftPlus<\/a> and <a href=\"https:\/\/blogvault.net\/\" target=\"_blank\" rel=\"noopener\">BlogVault<\/a> are both solid options.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-infographic-1024x683.png\" alt=\"wordpress-hacked-security-infographic\" class=\"wp-image-5141\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-infographic-1024x683.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-infographic-300x200.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-infographic-768x512.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-infographic-600x400.png 600w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-infographic-900x600.png 900w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-infographic.png 1536w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>When to Call in the Experts<\/strong><\/h2>\n\n\n\n<p>There are situations where the DIY approach is not the right call. 
If your site is actively compromised and you are not comfortable working with PHP files, server logs, and database queries, attempting a manual cleanup can make things worse.<\/p>\n\n\n\n<p>Signs it is time to bring in professional help:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your security plugin found malware but the removal keeps failing or the infection returns.<\/li>\n\n\n\n<li>Your hosting provider has suspended your account due to malicious activity.<\/li>\n\n\n\n<li>You have cleaned the site but it is still being flagged by Google or antivirus tools.<\/li>\n\n\n\n<li>You found a backdoor but are not confident you have found all of them.<\/li>\n\n\n\n<li>Your site handles sensitive customer data and the stakes are too high to experiment.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Need Professional Help With a Hacked Site?<\/strong><br>The team at <strong><a href=\"https:\/\/www.codecaste.com\/home\">CodeCaste<\/a><\/strong> handles WordPress security cleanups, hardening, and ongoing maintenance. 
If your site has been compromised or you want to make sure it never is, we are happy to help.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><td>Get in touch: <a href=\"https:\/\/www.codecaste.com\/contact-us\">https:\/\/www.codecaste.com\/contact-us<\/a><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"768\" src=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-scan-dashboard-1024x768.png\" alt=\"wordpress-hacked-security-scan-dashboard\" class=\"wp-image-5142\" srcset=\"https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-scan-dashboard-1024x768.png 1024w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-scan-dashboard-300x225.png 300w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-scan-dashboard-768x576.png 768w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-scan-dashboard-600x450.png 600w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-scan-dashboard-800x600.png 800w, https:\/\/www.codecaste.com\/blog\/wp-content\/uploads\/2026\/04\/wordpress-hacked-security-scan-dashboard.png 1200w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Think your WordPress site is safe? 
Learn the real attack vectors behind wordpress hacked incidents and how to stop them cold.<\/p>\n","protected":false},"author":2,"featured_media":5160,"comment_status":"closed","ping_status":"closed","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47],"tags":[],"class_list":["post-5122","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts\/5122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/comments?post=5122"}],"version-history":[{"count":34,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts\/5122\/revisions"}],"predecessor-version":[{"id":5169,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/posts\/5122\/revisions\/5169"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/media\/5160"}],"wp:attachment":[{"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/media?parent=5122"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/categories?post=5122"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.codecaste.com\/blog\/wp-json\/wp\/v2\/tags?post=5122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}