Over the holidays, Mark received a series of alarming emails from Google Search Console: hacked content detected on his websites. Not one site, not two — seventeen WordPress sites on a single server had been completely compromised. In this episode, Mark walks through exactly what happened, how he recovered, and the straightforward security steps every WordPress site owner should implement immediately to prevent this from happening to them.
What You'll Learn in This Episode
- What a WordPress hack looks like and how Mark discovered 17 compromised sites
- How server backups saved his sites and why your backup strategy matters
- Nine specific, low-tech steps to harden your WordPress site against hackers
- Why 90 percent of WordPress hacks come from outdated software or hosting vulnerabilities
- Which security plugins to consider and what they actually do
Episode Summary
Mark describes receiving Google Search Console notifications during his holiday break alerting him that multiple sites had been hacked. Hackers had compromised his server and injected a massive amount of content, using his sites as bots and driving the CPU and disk usage through the roof. His wife's blog was also affected, showing “This site has been hacked” warnings in Google search results.
Because the sites were hosted on SiteGround, Mark was able to submit a support ticket and have the entire server restored from a backup taken before the hack occurred. SiteGround handled this quickly, even in the middle of the night. Mark notes this approach does not always work — sophisticated hackers sometimes plant dormant code and wait for weeks so that all available backups are already compromised.
After restoring the server, Mark needed to harden all 17 sites to prevent re-infection. He presents a checklist of nine straightforward security measures that require no advanced technical knowledge.
First, ensure you have reliable recurring backups. Server-level backups from your hosting provider are the most reliable and easiest to restore. Second, keep WordPress core updated to the latest version, as every release patches known security vulnerabilities. Third, keep all themes and plugins updated and consider enabling automatic updates. Fourth, delete unused themes and plugins — inactive code that is not being updated provides attack vectors. Fifth, minimize plugin usage overall, because every line of third-party code is a potential point of entry.
Sixth, never use “admin” as a username. This is the default WordPress username and gives hackers half the login puzzle. Create a new admin account with a unique name and demote the original admin to subscriber. Seventh, use strong passwords and consider two-factor authentication. Eighth, choose reputable WordPress-managed hosting where the provider actively monitors for security threats. Ninth, register your site with Google Search Console so Google can alert you to hacks and malware. As a bonus, Mark recommends installing a security plugin like Wordfence, which provides firewall protection, malware scanning, and alerts when software is out of date.
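As an added example (not from the episode, and not Mark's own setup), the following POSIX shell script applies steps two through six of the checklist to one site with WP-CLI, the command-line tool for WordPress. The site path, the replacement administrator login and e-mail, and the name of the theme kept as a fallback are placeholders; the final `DISALLOW_FILE_EDIT` line goes beyond the nine steps by switching off the dashboard file editor, which injected code is often written through once a login is stolen.

```shell
#!/bin/sh
# harden-wp.sh: added example, not from the episode. Applies steps 2-6 of the
# checklist with WP-CLI (the `wp` command) on a single WordPress install.
# Assumptions of this example: WP-CLI is installed, and the path, replacement
# admin login/e-mail and fallback theme below are placeholders to be changed.
set -eu

WP_PATH="${WP_PATH:-/var/www/example-site}"            # placeholder: WordPress root
NEW_ADMIN="${NEW_ADMIN:-site_owner_7x}"                 # placeholder: anything but "admin"
NEW_ADMIN_EMAIL="${NEW_ADMIN_EMAIL:-owner@example.com}" # placeholder
FALLBACK_THEME="${FALLBACK_THEME:-twentytwentyfour}"    # one default theme kept as a fallback

# Step 6 guard: refuse the default login and a few common variants (case-insensitive).
is_weak_login() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    admin|administrator|root|wpadmin|wp-admin|test|user) return 0 ;;
    *) return 1 ;;
  esac
}

# Wrapper so every WP-CLI call targets the same install.
wp_() { wp --path="$WP_PATH" "$@"; }

harden_site() {
  # Step 2: core to the latest release, then run any pending database upgrade.
  wp_ core update
  wp_ core update-db

  # Step 3: update everything now and switch on WordPress's built-in auto-updates
  # (WordPress 5.5+, WP-CLI 2.5+) so this does not have to be done by hand again.
  wp_ plugin update --all
  wp_ theme update --all
  wp_ plugin auto-updates enable --all
  wp_ theme auto-updates enable --all

  # Step 4: inactive plugins and themes are unpatched code sitting on disk; delete them.
  # `wp theme list` reports a child theme's parent as "parent", not "inactive", so it is kept.
  for p in $(wp_ plugin list --status=inactive --field=name); do
    wp_ plugin delete "$p"
  done
  for t in $(wp_ theme list --status=inactive --field=name); do
    [ "$t" = "$FALLBACK_THEME" ] || wp_ theme delete "$t"
  done

  # Step 6: if the default "admin" account exists, create a replacement administrator
  # (WP-CLI generates and prints a random password when none is given), then demote "admin".
  if wp_ user get admin --field=ID >/dev/null 2>&1; then
    if is_weak_login "$NEW_ADMIN"; then
      echo "NEW_ADMIN='$NEW_ADMIN' is a default-style login; choose another" >&2
      return 1
    fi
    wp_ user create "$NEW_ADMIN" "$NEW_ADMIN_EMAIL" --role=administrator
    wp_ user update admin --role=subscriber
  fi

  # Beyond the checklist: disable the dashboard theme/plugin file editor, a common
  # place for injected code to be written after an account is compromised.
  wp_ config set DISALLOW_FILE_EDIT true --raw
}

# Only change anything when explicitly asked, so sourcing the file is harmless.
if [ "${1:-}" = "--apply" ]; then
  harden_site
fi
```

Run it as `sh harden-wp.sh --apply` on the server, once per site (with seventeen sites, a loop over `WP_PATH` values does the rest). It deliberately leaves the steps that cannot be scripted from inside one install: the backup strategy (step one), the password and two-factor choice for the new account (step seven, the generated password printed by `wp user create` should be replaced with one from a password manager), the hosting choice (step eight) and Google Search Console registration (step nine).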
Key Takeaways
- Over 90 percent of WordPress hacks come through hosting vulnerabilities or outdated WordPress, themes, and plugins
- Server-level backups from your hosting provider are your most reliable recovery option
- Update WordPress core, themes, and plugins immediately and enable automatic updates where possible
- Delete all unused themes and plugins — inactive code is a security risk
- Never use “admin” as your WordPress username and always use strong, unique passwords
- Register every site with Google Search Console for hack detection alerts
- Install a security plugin like Wordfence for firewall protection and malware scanning
What's Changed Since This Episode
Mark recorded this episode in January 2017, and WordPress security has evolved significantly in the years since.
WordPress auto-updates are now built in. Since WordPress 5.6 (December 2020), WordPress core includes the option to enable automatic updates for plugins and themes directly from the dashboard. This addresses one of Mark's key recommendations without requiring any additional configuration or plugins.
Managed WordPress hosting has become the standard. In 2017, managed WordPress hosting was a premium option. Today, providers like SiteGround, Cloudways, WP Engine, and Kinsta offer WordPress-specific security hardening, automatic backups, staging environments, and server-level firewalls as standard features. The hosting landscape has shifted heavily toward managed solutions that handle much of the security Mark describes manually.
Two-factor authentication is now widely available. In 2017, 2FA required a separate plugin. Today, many hosting dashboards and WordPress security plugins include 2FA as a built-in feature. Passwordless login options using hardware keys or authenticator apps have also become more common.
Application-level firewalls from services like Cloudflare (which offers a free tier) can now block many common attacks before they reach your server. Cloudflare's Web Application Firewall and bot management tools provide a layer of protection that did not exist as a free option in 2017.
The threat landscape has intensified. Automated attacks on WordPress sites have increased dramatically. Bot networks now scan the entire internet for vulnerable WordPress installations within hours of a vulnerability being disclosed. This makes the urgency of Mark's advice even greater — the window between a vulnerability being discovered and being exploited has shrunk from weeks to hours.
Resources Mentioned
- Wordfence Security Plugin — firewall and malware scanning for WordPress
- iThemes Security Plugin (formerly Better WP Security)
- Sucuri Security Plugin
- Google Search Console — site health and hack detection
Related Episodes
If you found this episode helpful, you might also enjoy:
- LNIM121 Show Notes — WordPress Website Hacked: Prevention and Cure
- LNIM109 — 14 Critical SEO Tips for Bloggers
Listen and Subscribe
Listen to Late Night Internet Marketing on Apple Podcasts or subscribe at latenightim.com/internet-marketing-podcast/. Have a question for Mark? Call the digital recorder at 214-444-8655 or drop a comment below.



