Ever had your WordPress website hacked? Mark spent his holiday break recovering 17 compromised WordPress sites on a single server. In this episode, he shares the full story of what happened, how he used server backups to recover, and a practical checklist of security measures every WordPress site owner should implement to prevent a hack from happening in the first place.
What You'll Learn in This Episode
- How Mark discovered 17 of his WordPress sites had been hacked during the holidays
- How server-level backups from SiteGround enabled a fast recovery
- Seven actionable security hardening steps you can take today with no technical expertise
- Why most WordPress hacks come from outdated plugins, themes, or hosting vulnerabilities
- Which security plugins to install for ongoing protection
Episode Summary
Mark received email alerts from Google Search Console during his holiday break indicating hacked content on multiple websites. Hackers had compromised his server and injected massive amounts of content, using his sites as bots. The CPU load spiked, the disk filled up, and Google began displaying “This site has been hacked” warnings in search results for his wife's blog and several affiliate sites.
Because the sites were hosted on SiteGround, Mark submitted a support ticket and had the server restored from a backup taken before the hack. SiteGround handled the restoration quickly, but the restored sites still had the same vulnerabilities that allowed the hack. Mark then went through a systematic hardening process across all 17 sites.
Data from WP White Security shows that 41 percent of WordPress hacks come through hosting vulnerabilities and over 50 percent come through outdated WordPress core or plugins. Based on this, Mark's hardening checklist focuses on practical steps: maintain reliable backups, keep WordPress and all plugins updated, delete unused themes and plugins, never use “admin” as a username, use strong passwords with two-factor authentication, choose reputable managed WordPress hosting, register with Google Search Console for monitoring, and install a security plugin like Wordfence for firewall protection and malware scanning.
Key Takeaways
- Server-level backups from your hosting provider are the fastest and most reliable recovery method
- Over 90 percent of WordPress hacks exploit outdated software or hosting vulnerabilities
- Update everything — WordPress core, themes, and plugins — and enable automatic updates
- Delete unused themes and plugins to reduce your attack surface
- Never use “admin” as your username and enforce strong passwords with two-factor authentication
- Register every site with Google Search Console for early hack detection
- Install Wordfence or a similar security plugin for ongoing monitoring
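As an added illustration (not from the episode or from Mark's own tooling), here is one way to check several of these items across many sites at once: the script reads the JSON that WP-CLI prints for `wp plugin list`, `wp theme list` and `wp user list` with `--format=json`, and flags outdated or unused plugins and themes, active plugins with auto-updates off, and an "admin" login. The sample data and the `audit_site` function name are constructed for this example.

```python
import json

# Constructed sample of WP-CLI JSON output for one site (not real data), as from:
#   wp plugin list --format=json
#   wp theme list --format=json
#   wp user list --fields=user_login,roles --format=json
SAMPLE = {
    "plugins": '[{"name":"contact-form","status":"active","update":"available","auto_update":"off"},'
               '{"name":"old-slider","status":"inactive","update":"none","auto_update":"off"},'
               '{"name":"wordfence","status":"active","update":"none","auto_update":"on"}]',
    "themes": '[{"name":"blog-theme","status":"active","update":"none"},'
              '{"name":"unused-theme","status":"inactive","update":"available"}]',
    "users": '[{"user_login":"admin","roles":"administrator"},'
             '{"user_login":"mark-editor","roles":"editor"}]',
}

def audit_site(plugins_json, themes_json, users_json):
    """Return a sorted list of (check, item) findings for one site."""
    findings = []
    for kind, raw in (("plugin", plugins_json), ("theme", themes_json)):
        for item in json.loads(raw):
            name = item["name"]
            if item.get("update") == "available":
                findings.append((f"outdated-{kind}", name))
            # A parent theme of the active child theme reports status
            # "parent", not "inactive", so it is not flagged as unused.
            if item.get("status") == "inactive":
                findings.append((f"unused-{kind}", name))
            # auto_update is checked for plugins only, and only when the
            # installed WP-CLI version reports that field.
            if (kind == "plugin" and item.get("status") == "active"
                    and item.get("auto_update") == "off"):
                findings.append(("auto-update-off", name))
    for user in json.loads(users_json):
        if user["user_login"].lower() == "admin":
            findings.append(("admin-username", user["user_login"]))
    return sorted(findings)

if __name__ == "__main__":
    for check, item in audit_site(SAMPLE["plugins"], SAMPLE["themes"], SAMPLE["users"]):
        print(f"{check:18} {item}")
```

On a server with many sites, run the three WP-CLI commands once per site directory and pass each site's output to `audit_site`.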
What's Changed Since This Episode
Mark recorded this episode in January 2017, and WordPress security practices have advanced considerably.
WordPress now supports automatic updates natively. Since WordPress 5.6, you can enable auto-updates for plugins and themes directly from the dashboard without any additional plugins. This eliminates the most common attack vector Mark describes.
Managed WordPress hosting is now mainstream. Providers like SiteGround, WP Engine, Kinsta, and Cloudways offer built-in security hardening, automatic daily backups, server-level firewalls, and malware scanning as standard features. The security gap between budget hosting and premium hosting has narrowed significantly.
Cloudflare's free tier now provides a Web Application Firewall and DDoS protection that blocks many common WordPress attacks before they reach your server. This layer of protection was not widely available as a free option in 2017.
Passwordless authentication and passkeys are emerging as alternatives to traditional passwords. Hardware security keys and biometric authentication are increasingly supported by WordPress plugins, making the password-hardening advice less relevant as the industry moves toward eliminating passwords entirely.
Resources Mentioned
- Wordfence Security Plugin
- iThemes Security Plugin
- Sucuri Security Plugin
- Jetpack Plugin
- Google Search Console
Related Episodes
If you found this episode helpful, you might also enjoy:
- LNIM121 Transcript — Full Hacked WordPress Recovery Walkthrough
- LNIM109 — 14 Critical SEO Tips for Bloggers
Listen and Subscribe
Listen to Late Night Internet Marketing on Apple Podcasts or subscribe at latenightim.com/internet-marketing-podcast/. Have a question for Mark? Call the digital recorder at 214-444-8655 or drop a comment below.



