Has your WordPress site been hacked? While there is no way to guarantee security, there are several steps you can take to reduce hacking attempts and make it easier to roll back to safe versions.
- Remove permissions for the default admin user or remove it entirely, instead granting admin permissions to particular individual users.
- Require strong passwords.
- Require two-factor authentication (2FA) with tools like Wordfence. (This is not an endorsement.)
- No shared logins. Each user should have their own account with appropriate permissions.
- Use a firewall plugin such as Wordfence Security or AIOS. (This is not an endorsement.)
- Schedule regular, frequent full backups with plugins like Backup Guard or BackWPup. Make sure some backups are made to entirely different servers or to unrelated file storage such as Dropbox.
- Move your login page away from wp-login to something unusual. Plugins such as WPS Hide Login make this simple.
- Update WordPress, plugins, and themes frequently. Updates usually include security patches for vulnerabilities that may be exploited if the updates aren’t applied.
- Disable or remove unused plugins.
- Remove unused themes.
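
Several items on this list (the default admin user, pending updates, unused plugins and themes) can be checked from the command line. The script below is an added example, not part of the original checklist; it assumes WP-CLI is installed as `wp`, and `WP_ROOT` is a variable name chosen here for the site path.

```shell
#!/bin/sh
# Added example: read-only WordPress checklist audit via WP-CLI.
# Assumptions: WP-CLI is installed as `wp`; WP_ROOT is a variable name chosen here.

# Print one "FINDING: <label>: <item>" line per non-empty line of WP-CLI output.
report() {  # $1 = label, remaining arguments = WP-CLI subcommand and flags
  label=$1; shift
  wp --path="$SITE" "$@" 2>/dev/null | while IFS= read -r item; do
    if [ -n "$item" ]; then printf 'FINDING: %s: %s\n' "$label" "$item"; fi
  done
}

# Flag an account literally named "admin" that still holds the administrator role.
check_admin_user() {
  if wp --path="$SITE" user list --role=administrator --field=user_login 2>/dev/null |
      grep -qx 'admin'; then
    printf 'FINDING: default "admin" account still has the administrator role\n'
  fi
}

# Core prints a status message when current, so keep only version-like lines.
check_core() {
  wp --path="$SITE" core check-update --field=version 2>/dev/null |
    grep -E '^[0-9]+\.[0-9]+' | while IFS= read -r v; do
      printf 'FINDING: core update pending: %s\n' "$v"
    done
}

audit_wp() {  # $1 = WordPress root directory
  SITE=$1
  check_admin_user
  report 'inactive plugin (disable or remove)' plugin list --status=inactive --field=name
  report 'inactive theme (remove)' theme list --status=inactive --field=name
  report 'plugin update pending' plugin list --update=available --field=name
  report 'theme update pending' theme list --update=available --field=name
  check_core
}

# Runs only when a site path is supplied, e.g. WP_ROOT=/var/www/html sh audit.sh
if [ -n "${WP_ROOT:-}" ]; then audit_wp "$WP_ROOT"; fi
```

The script changes nothing on the site; an empty result means none of these four checks found anything, not that the rest of the list is covered.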