How to recover a hacked WordPress site (and prevent it from being hacked again)

A co-blogger contacted me to say that his site had been hacked. Here are some tips on how to recover and how to prevent this from happening in the future.


Change the default admin account and password
By default WordPress creates an administrator account, on many installs still named admin, with the password you chose at install time; attackers know that username and only have to guess the password. My advice is to create a second administrator account with a different name, give it the Administrator role, log in as that user, and then disable or delete the default admin account (reassigning its posts to the new user when WordPress asks).

Use the latest versions
Of course, always run the latest versions of WordPress, your theme and your plugins; an outdated plugin with a known hole is the most common way in. My advice is to wait a couple of days before moving to a new major WordPress version, since newly introduced versions sometimes ship with bugs of their own, but apply the minor security releases straight away: the vulnerability they fix is public from the moment the release is announced.

Don’t use a plug-in? Disable or uninstall it!
Make sure that any plug-in you do not use is deactivated (if you plan to use it again) or, better, deleted. A deactivated plug-in’s files are still on disk and can still be requested directly, so a vulnerability in it may still be exploitable; removing it takes that code off the server entirely. This is also better for performance.

Use a firewall!
Whether the site is hosted on-premise or not, put it behind a good firewall: a network firewall that exposes only the ports you actually serve, and ideally also a web application firewall that inspects the HTTP requests themselves, since ports 80 and 443 have to stay open and that is where the attacks arrive.

Remove the WordPress version
Attackers scan for the WordPress version to pick an exploit that matches it, so it is advisable to stop the version from being printed in the generator meta tag in the page head (it also appears in the RSS feed and in the ?ver= query strings on scripts and stylesheets). This only removes the cheapest fingerprint; the real protection is staying updated.

Disable PHP execution and directory browsing for the uploads directory
WordPress never needs to execute PHP from wp-content/uploads, and nobody needs a directory listing of it. If an attacker manages to get a PHP file in there (through a vulnerable upload form or plugin), blocking execution means the file just sits there instead of becoming a web shell, so it is a good idea to disable both.

Restrict direct access to the PHP files inside the wp-includes directory
The files in wp-includes are loaded by WordPress itself and are not meant to be requested directly from a browser, so security experts advise blocking direct HTTP requests to them. (This is about web requests for those files; PHP itself still has to be able to read them.)
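As an added example for the two tips above (this is my script, not code from the post or from WordPress), the following POSIX shell script writes both sets of rules: an .htaccess for wp-content/uploads that turns off directory listings and refuses to serve PHP files, and the include-blocking rewrite rules published in the WordPress hardening guide. The path argument and the file name htaccess-includes-rules.txt are assumptions; the include rules go to a separate file on purpose, so you can paste them into the root .htaccess above the # BEGIN WordPress marker instead of overwriting the block WordPress manages.

```shell
#!/bin/sh
# harden_htaccess.sh - added example, not part of the original post or of WordPress.
# Usage: sh harden_htaccess.sh /var/www/html   (the path is an assumption)
set -eu

# .htaccess for wp-content/uploads: no listings, and no PHP served from here.
# Apache 2.4 syntax; on 2.2 replace "Require all denied" with
# "Order deny,allow" followed by "Deny from all".
write_uploads_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Added by harden_htaccess.sh
Options -Indexes
<FilesMatch "\.(php|phtml|php[3-7]|phps)$">
    Require all denied
</FilesMatch>
EOF
}

# Include-only files (rules from the WordPress hardening guide). Written to a
# separate file: paste it into the root .htaccess ABOVE "# BEGIN WordPress",
# because WordPress rewrites everything between BEGIN and END whenever the
# permalink settings are saved. On multisite drop the "wp-includes/[^/]+\.php$"
# line, it would block ms-files.php.
write_includes_rules() {
    cat > "$1" <<'EOF'
# Block direct requests to include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
EOF
}

# has_rule FILE 'literal line' -> 0 if that exact text is present, 1 otherwise.
has_rule() {
    grep -qF -- "$2" "$1"
}

if [ "$#" -ge 1 ]; then
    WP_ROOT="$1"
    mkdir -p "$WP_ROOT/wp-content/uploads"
    write_uploads_htaccess "$WP_ROOT/wp-content/uploads"
    write_includes_rules "$WP_ROOT/htaccess-includes-rules.txt"
    echo "uploads protected; now merge $WP_ROOT/htaccess-includes-rules.txt into $WP_ROOT/.htaccess"
fi
```

These directives only take effect if the server’s AllowOverride for the directory permits the Options, AuthConfig and FileInfo groups (or All); nginx ignores .htaccess altogether, so there the equivalent goes into the server configuration as location blocks. Verify the result by requesting a harmless test .php file inside uploads and checking that you get a 403 rather than the script’s output.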

Delete the default readme.html file
It is a good idea to remove the default readme.html file from the web root, because it states the WordPress version and hackers request it to identify the version. Note that core updates put the file back, so repeat this after every update.

Disable the plug-in and theme editor
You may want to disable the built-in plug-in and theme editor to prevent overzealous users from editing sensitive files and potentially taking the site down. Disabling it also adds a layer of security if a hacker gets hold of a well-privileged account: without the editor, an administrator login alone no longer lets them write PHP onto the server from the dashboard. The switch is the DISALLOW_FILE_EDIT constant in wp-config.php.
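As an added example (my script, not code from the post or from WordPress), here is a POSIX shell script that makes the wp-config.php change idempotently, inserting the define() above the “stop editing” comment WordPress ships in that file, and, because the earlier “Remove the WordPress version” tip needs a PHP hook, drops a small must-use plugin that strips the generator tag. The paths, the mu-plugin file name no-generator.php and the function names are assumptions.

```shell
#!/bin/sh
# wpconfig_harden.sh - added example, not part of the original post or of WordPress.
# Usage: sh wpconfig_harden.sh /var/www/html   (the path is an assumption)
set -eu

# is_defined CONFIG NAME -> 0 if define('NAME', ...) already exists in CONFIG.
is_defined() {
    grep -qE "define\( *'$2'" "$1"
}

# add_define CONFIG NAME VALUE: insert define('NAME', VALUE); above the
# "That's all, stop editing!" comment (or, failing that, above the line that
# loads wp-settings.php, because constants set after it are ignored). Idempotent,
# so it is safe to run from a deployment script.
add_define() {
    cfg="$1"; name="$2"; value="$3"
    if is_defined "$cfg" "$name"; then
        echo "$name already defined in $cfg"
        return 0
    fi
    line="define('$name', $value);"
    if grep -qE "stop editing|wp-settings\.php" "$cfg"; then
        awk -v ins="$line" \
            '(/stop editing/ || /wp-settings\.php/) && !done { print ins; done = 1 } { print }' \
            "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        echo "warning: no marker found in $cfg, appending" >&2
        printf '%s\n' "$line" >> "$cfg"
    fi
}

# Must-use plugin that hides the WordPress version. mu-plugins load
# automatically and cannot be switched off from the dashboard, which is the
# point: an attacker who gets an admin login cannot simply deactivate it.
write_no_generator_mu_plugin() {
    mkdir -p "$1/wp-content/mu-plugins"
    cat > "$1/wp-content/mu-plugins/no-generator.php" <<'EOF'
<?php
// Added example: remove the generator meta tag from <head> and from feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
EOF
}

if [ "$#" -ge 1 ]; then
    add_define "$1/wp-config.php" DISALLOW_FILE_EDIT true
    write_no_generator_mu_plugin "$1"
fi
```

DISALLOW_FILE_MODS goes one step further and also blocks plug-in and theme installs and updates from the dashboard; only set it where updates are done from the command line or a deployment pipeline, otherwise it works against the “Use the latest versions” advice above.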

Check your error logs
PHP writes the errors it finds in the code to files named error_log (the name comes from the error_log directive, and on shared hosting they often land inside the web root, where anyone can fetch them). These files can leak sensitive information about your site, such as file paths and failing queries, that helps an attacker find vulnerabilities in the code. Use them to fix bugs in a development environment, and make sure they are removed from, or not web-readable in, production. Keep display_errors off in production for the same reason.

Update: install a CAPTCHA on the login form

It is advisable to install a CAPTCHA on the login form to slow down automated password guessing (brute force) against wp-login.php. Combine it with strong passwords and a limit on failed login attempts, and keep in mind that XML-RPC (xmlrpc.php) offers a second login path that a CAPTCHA on the form does not cover; disable it if you do not use it.

 

As mentioned earlier, someone I know had their WordPress site hacked. It took some time before he noticed that his site was hacked. The problem was that when browsing to his blog from a notebook everything was fine, but when using a tablet or PDA/mobile phone the user was immediately forwarded to several XXX sites.

After some investigation I found out that the .htaccess file had been rewritten (judging by the last modified date/time), and after viewing the contents of this file I noticed the XXX URLs. I copied the original .htaccess file to .htcaccessold and edited the .htaccess file with the following content:

 

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

 


Now you have to reset the permalinks. In the WordPress dashboard go to Settings and then Permalinks. Most blog owners will have set up a custom link structure that reflects the organisation of their site. The good news is that whenever you save this page, WordPress regenerates the rules between the # BEGIN WordPress and # END WordPress markers in .htaccess (provided the file is writable by the web server). So just select another option and hit Save Changes; once the page refreshes, switch back to your preferred structure and save again. The Permalinks option is in the Settings menu of the admin sidebar. Finally, remember that the rewritten .htaccess is the symptom, not the cause: something had write access to your web root, so change the admin, FTP and database passwords, update everything, and look for other files that changed around the same time (a dropped PHP file is common), or the redirect will simply come back.
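The recovery walked through above, as an added example (my script, not the author’s): a POSIX shell script that flags the kind of rules the attacker injected (a RewriteCond on the User-Agent header followed by a RewriteRule to an external URL), quarantines the modified .htaccess under a timestamped name instead of deleting it, writes the stock WordPress block shown above, and lists recently changed PHP files so you can find what else was touched. The .htaccess produced by make_sample is constructed for the demonstration, with a made-up redirect host, and the file and function names are assumptions.

```shell
#!/bin/sh
# htaccess_audit.sh - added example, not part of the original post or of WordPress.
# Usage: sh htaccess_audit.sh /var/www/html   (the path is an assumption)
set -eu

# Print numbered lines that (a) condition on the User-Agent header, or
# (b) rewrite/redirect to an absolute http(s) URL. The stock WordPress block
# does neither, so on an otherwise plain site every hit deserves a look.
# Mobile-redirect plugins can legitimately trip (a): treat hits as a worklist.
suspicious_rules() {
    grep -nEi \
        '^[[:space:]]*(RewriteCond[[:space:]]+%\{HTTP_USER_AGENT\}|RewriteRule[[:space:]]+[^[:space:]]+[[:space:]]+https?://|Redirect(Match|Permanent|Temp)?[[:space:]].*https?://)' \
        "$1" || true
}

# audit_htaccess FILE -> 0 when clean, 1 when suspicious rules were found.
audit_htaccess() {
    hits=$(suspicious_rules "$1")
    if [ -n "$hits" ]; then
        printf 'Suspicious rules in %s:\n%s\n' "$1" "$hits"
        return 1
    fi
    return 0
}

# Quarantine the current file under a timestamped name (keep it as evidence;
# Apache's default config refuses to serve any file whose name starts with
# ".ht") and write the stock block, the same text Settings > Permalinks regenerates.
restore_wp_htaccess() {
    f="$1"
    if [ -f "$f" ]; then
        mv "$f" "$f.compromised.$(date +%Y%m%d%H%M%S)"
    fi
    cat > "$f" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

# Whoever could rewrite .htaccess could write other files too: list every PHP
# file and .htaccess in the tree modified within the last N days (dropped web
# shells and backdoored plugin files show up here). Compare against a clean copy.
recently_modified() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) -mtime "-$2"
}

# Constructed sample (not a real capture) of the injected block described above:
# a User-Agent condition for mobile devices followed by a redirect to an
# external host, placed in front of WordPress's own rules. The host is made up.
make_sample() {
    cat > "$1" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipad|ipod|blackberry|symbian|windows\ ce) [NC]
RewriteRule ^(.*)$ http://redirect.invalid/go.php?s=$1 [R=302,L]
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF
}

if [ "$#" -ge 1 ]; then
    audit_htaccess "$1/.htaccess" || echo "Review the rules above; run restore_wp_htaccess $1/.htaccess when ready."
    echo "PHP files and .htaccess changed in the last 7 days:"
    recently_modified "$1" 7
fi
```

The grep is a heuristic, not a verdict: it catches the user-agent keyed redirect from this incident and the common variants that redirect to an absolute URL, but an attacker can also hide the redirect in a PHP file that the rewritten .htaccess merely points at, which is why the recently_modified listing matters as much as the rule scan. After restoring, still do the Settings > Permalinks save, so WordPress confirms it can write the file, and any custom rules you kept outside the BEGIN/END markers survive.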
