My WordPress Website Has Been Hacked

WordPress websites can be some of the most vulnerable to getting hacked because of the platform’s popularity. Most of the time, when people reach out for help, it’s because their site was hacked once; they fixed it–and then it was hacked again.

“Why did my WordPress website get hacked again after I fixed it?”

When your WordPress site gets hacked for a second time, it’s usually due to a backdoor created by the hacker. This backdoor allows hackers to bypass the normal procedures for getting into your site, getting authentication without you realizing it. This article will explain how to find, fix, and fix and fix the back door on your WordPress website.


So, what’s a backdoor?

A “backdoor” refers to bypassing normal authentication to get into your site, thereby accessing your site remotely without you even realizing it. If a hacker is smart, this is the first thing to upload when your site is attacked. This allows the hacker to access again, even after finding and removing the malware. Unfortunately, backdoors usually survive site upgrades, so the site is vulnerable until you clean it completely.


Backdoors may be simple, allowing a user only to create a hidden admin user account. Others are more complex, allowing the hacker to execute codes sent from a browser. Others have an entire user interface (a “UI”) that will enable them to send emails from your server, create SQL queries, etc.

Where is the backdoor located?

For WordPress websites, backdoors are commonly located in the following places:

1. Plugins – Plugins, especially outdated ones, are an excellent place for hackers to hide code. Why? Firstly, people often don’t think to log into their site to check updates. Two, even if they do, people don’t like upgrading plugins because it takes time. It can also sometimes break functionality on a site. Thirdly, because there are tens of thousands of free plugins, some of them are easy to hack into to begin with. So Learn how to secure your WordPress Site from Sujoy Dhar’s Blog.

2. Themes – It’s not so much the active theme you’re using but the other ones stored in your Themes folder that can open your site to vulnerabilities. Hackers can plant a backdoor in one of the themes in your directory.

3. Media Uploads Directories – Most people have their media files set to the default to create directories for image files based on months and years. This makes many different folders for images to be uploaded to–and many opportunities for hackers to plant something within those folders. Because you’d rarely ever check through all of those folders, you wouldn’t find the suspicious malware.

4. wp-config.php File – this is one of the default files installed with WordPress. It’s one of the first places to look when you’ve had an attack because it’s one of the most common files to be hit by hackers.

5. The Includes folder – Yet another common directory because it’s automatically installed with WordPress, but who checks this folder regularly?

Hackers also sometimes plant backups to their backdoors. So while you may clean out one backdoor… Others may live on your server, nested away safely in a directory you never see. Smart hackers also disguise the backdoor to look like a regular WordPress file.

What can you do to clean up a hacked WordPress site?

After reading this, you might guess that WordPress is the most insecure website you can have. The latest version of WordPress has no known vulnerabilities. WordPress constantly updates its software, largely due to fixing vulnerabilities when a hacker finds a way in. So, by keeping your WordPress version up to date, you can help prevent it from being hacked.

Next, you can try these steps:

1. You can install malware scanner WordPress plugins, either free or paid plugins. You can search for “malware scanner WordPress plugin” for several options. Some free ones can scan and generate false positives, so it can be hard to know what’s suspicious unless you’re the plugin developer.

2. Delete inactive themes. Get rid of static pieces you’re not using for the above reasons.

3. Delete all plugins and reinstall them. This can be time-consuming, but it wipes out any vulnerabilities in the plugin’s folders. First, it’s a good idea to create a backup of your site (there are free and paid backup plugins for WordPress) before you start deleting and reinstalling.

4. Create a fresh—htaccess file. Sometimes a hacker will plant redirect codes in the .htaccess File. You can delete the File, and it will recreate itself. If it doesn’t play itself, you can manually do that by going to the WordPress admin panel and clicking Settings >> Permalinks. When you save the permalink settings, it will recreate the .htaccess File.

5. Download a fresh copy of WordPress and compare the wp-config.php file from the new version to the one in your directory. If there’s anything suspicious in your current version, delete it.

6. Lastly, to ensure your site has no hack (outside of using paid monitoring services), you can delete it and restore it to a date that the hack wasn’t there from your hosting control panel. This will delete any updates you’ve made to your site after that date, so it’s not a great option for everyone. But at least it cleans you out and provides peace of mind.

In the future, you can:

1. Update your admin username and password. Create a new user with Administrator capabilities, then delete the old one you used.

2. Install a plugin to limit login attempts. This will keep someone locked out after a certain amount of attempts to get in.

3. Password protect the WP-admin directory. This would be done through your website hosting control panel. If your hosting company uses cPanel, this is easily done with a few clicks. Contact your host to figure out how to password-protect a directory or do a search for it on your hosting company’s website.

4. Create regular backups. By backing up your site regularly, you know you’ll have a copy to restore the area if it gets hacked. Free and paid plugins are available to help with this, or you may be able to create a backup of the entire account from your hosting control panel. Or, though slower is still an option, you can download the whole site via FTP software.

When it comes to security, it helps to take it seriously. Backing up your site is one of the best things because your hosting company may not do this for you. Some may offer backups/restore features if you activate them, and some may create random backups every few weeks. But you don’t want to rely on the host because this is not in their scope of services. To be more certain, you can use paid malware monitoring services and plugins to watch your site, so you don’t have to worry about it.

About author

I work for WideInfo and I love writing on my blog every day with huge new information to help my readers. Fashion is my hobby and eating food is my life. Social Media is my blood to connect my family and friends.
    Related posts

    Templates Tips and Ideas for Your Website Design


    Upgrade WordPress - Should You Click the Button?


    Five of the Best Ways to Promote Your New WordPress Blog


    Essential WordPress Tips for Beginners

    Sign up for our newsletter and stay informed !