How To Prevent WordPress Hacks and How to Fix Them

by Corey Philip
December 20, 2019

At the same rate that technology becomes more advanced, hackers become more capable of attacks and viruses get more sophisticated. We’re more susceptible to security attacks now because not enough people are well-versed in protecting themselves from these threats.

Most of us are not knowledgeable enough, nor are we giving it more attention and priority. The more space we take up on the Internet, the more are we exposed to the dangers of online security attacks. A website is one of the ways we can be targeted. If you’re on WordPress, you’ve come to the right article. I’ve written up ways that you could prevent hacks to your WordPress site and the steps to take if you’re past the point of no return.

11 Ways to Prevent WordPress Hacks

The importance of preventing hacks to your WordPress site should hopefully be self-explanatory. No one likes to get their website hacked. However, not everyone sees this at the highest level of importance when owning a website.

Prevention is better than having to hassle yourself with fixes. Refer to this list of prevention practices to ensure the safety of your WordPress website. It’s easy, don’t put it on the backburner.


Create a strong password

One of the first things you set up for your account is your password. Some people never consider that this is a major step in ensuring their website’s security, they just want to create their account right away.

To be extremely safe, don’t make it a coherent string of actual words related to your life or any information that other people know. Make it a long, random set of letters and characters that don’t make sense.

Tip: Use a password protector to generate and store all your passwords. Bonus if it also syncs on all your devices. I personally use LastPass.


Constantly update your theme and plugins

Don’t wait long until you update your theme and plugin to the latest version. Some hacks are done almost as soon as new updates are rolled out and outdated websites are prone to being exploited.

Tip: Before you use a plugin or theme, check the last time it was updated and if it offers support. This indicates that they’re maintained to keep up with WordPress updates as well and continue to work seamlessly.


Use a WordPress security plugin

Some themes and hosting servers include security in their services and support. However, that may not encompass your entire WordPress site. Even hosting servers can miss out on some important aspects. Using a security plugin will make sure you have a tool that solely focuses on keeping your entire website clean and safe. There are also security plugins that are dedicated to preventing hacks.


Use a firewall to protect your home network

We’ve never been more connected to each other than now. With that comes the risk of being hacked. You never know how clever and resourceful hackers can be nowadays. They may only need to hack into your home network to access every account you’re logged into, including your WordPress website. Use a firewall so that you can browse websites without catching a virus on your computer.

Tip: As much as possible, don’t use unsecure public networks.


Scan your computer for viruses regularly

I know these tips may sound like they’re not related to protecting your WordPress account at all, but trust me, they may make a difference. You have to prevent all possible entry points for hackers, and protecting your computer is one of them. Use a good and reliable anti-virus.


Update your browser and and OS regularly

Update your browser and OS to make sure your software and browsing tool are both secure with the latest security updates. This would make you less susceptible to viruses and hackers that may be trying to get access to your information and system.


Use a Secure Web Hosting Server

Many websites use shared hosting servers, which open a lot of chances to be hacked. Since a lot of websites share the same server, they might be accessed even without the owners’ permission or knowledge.

As much as possible, managed hosting is recommended. It provides premium support for every aspect of running a WordPress website, which includes security. For beginners, this may not be so necessary. If you’re opting for regular WordPress hosting, make sure to check the security support and maintenance.


Update WordPress as soon as the updates are available

Along with the release of WordPress updates are the list of vulnerabilities with the previous update. That’s why hackers are almost always on the edge of their seat during new updates because they can know for sure where websites’ weaknesses are. Websites that aren’t updated immediately are subject of their work.

Tip: Don’t keep old versions of WordPress on the server. These can still be manipulated even when it’s not currently in use.

Tip: As much as possible, don’t use unsecure public networks.


Keep your database secure

It’s best to keep a separate database for each of your websites if you own more than one. This keeps them isolated so one hacked WordPress website won’t affect the others, and also keep the users with access to a minimum. Restrict database access to just a few people and restrict their access even more to data read and write only if they don’t have to make drastic changes to the database.

Tip: Rename your database so it will not have the default “wp” prefix. This will make it more difficult for attackers to access your database.


Install SSL to your site

SSL provides encryption abilities for your website for when sensitive personal information has to be input. This is familiar for e-commerce websites where customers submit their credit card details and other personal information like home address.

For better security on your WordPress site, please note my tip below. HTTPS is HTTP that is secured with SSL encryption. When you force it upon the login and admin pages, you ensure encryption for any sensitive data from those pages. In the wp-config.php file, define the two by placing these codes…

For login page:

define('FORCE_SSL_LOGIN', true);

For admin page:

>define('FORCE_SSL_ADMIN', true);

Tip: Enable HTTPS on login and admin pages.


Always backup your site

My last tip is to always backup your site. Don’t take this out of your priority. In general, I’ve seen way too many people having to learn this the hard way. In terms of running your WordPress website, a backup will allow you to access that last version of your website that runs properly without any hacks. It will also help you determine what area or aspect of your website has been infiltrated by hackers or viruses.

How to Fix WordPress Hacks

In the instance that your WordPress site was hacked, don’t panic! Actually some of you may be calmer than you should be because you don’t know for sure if you’ve been hacked. From identifying the problem to solving it, this is how you resolve and recover from a WordPress hack.

Identify the hack.

Some really good hackers have a way of getting into your site without being detected. If you’re not so knowledgeable or wary of signs of a hack, it may take you a while to figure out that you’ve been hacked.

For starters, notice if these things have been happening. For safe measure, even if you’re sure you were hacked, take note of these things so you can be armed with better knowledge about what you need to do about your website to fix it.

  • Can you access the admin panel? (Alternative question: Can you login?)
  • Are you redirected to another website when you go to your site address?
  • Does your website contain illegal links?
  • Does Google recognize some malicious content on your site?

Change your password

As a safety precaution, change your password immediately to prevent any other future hacks. We’re going to change passwords again at the end of this process, but it’s important that you do this immediately before doing anything. Also, make it a point to do this regularly after you’ve resolved the hack.

Ask support from your host

Hosting companies are available and prepared for this kind of situation. That’s why it’s important that you choose one with the most efficient support. Sometimes getting hacked is not your own doing or lack of security.

Sometimes you get hacked because you’re on a shared server, which may mean that other websites may be hacked to. Consulting with your hosting company will alert them and also allow them to help you out.

Scan and clean your website

Access your FTP and search for the hack. The easiest way is to check for modifications done within the last few days. If some activity isn’t your own doing or of any user with permitted access, that must be a hacking attempt. Start from there and try to spot other modifications that weren’t your own activity.

Delete old data and files from plugins and themes

Outdated files of plugins and themes that you don’t use anymore but haven’t deleted are places where hackers upload their backdoor. A backdoor allows hackers to access your site more easily the next time by allowing them to skip the normal authentication process. They usually upload this as soon as they gain access.

Look for codes that seem malicious. There are some signature codes that are used when hacking, so spot those and delete them. Though a warning, some codes are used in actual plugins, so beware of deleting codes that could be essential for a plugin to work.

Remove malware with a security software

If you don’t want to mess with the codes, plugins, or search for the hack yourself, consider getting help and support from the professionals. Use a security software. Sucuri is a popular one. They provide “complete website security, protection and monitoring.”

Download WordPress again and compare

Download a new WordPress install from It should be the same version as what is currently installed on your WordPress site. Anything that seems different that you’re not familiar with is probably a hacker’s fault. That’s where you should start cleaning your site.

Restore your latest backup

If all else fails and nothing major will be lost, just restore from your previous backup. This will return the settings to the old one before the hack. From here on out, double up on your security and make sure you stay consistent with the prevention practices I’ve enumerated above.


This list of WordPress hacks prevention and fixes is a perfect illustration of the phrase, “better to be safe than sorry.” If you think those prevention practices are too much, you’re lucky because you’ve probably never been a victim of hacks. You’ve never experienced the hassle of trying to fix it. Yet. No one’s too safe against hackers and viruses.

Hopefully the steps to take to fix hacked WordPress sites are enough to either cover the problem you’re experiencing with your site and help you resolve it, or drive you to take prevention more seriously.

About the author

Corey Philip

Corey Philip is a small business owner / investor with a focus on home service businesses.

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}