How My WordPress Websites Were Hacked & What I Did About It

How My WordPress Websites Were Hacked & What I Did About It

Sep 09

By David Sunfellow
NHNE Pulse
First Published September 9, 2010
Updated September 10, 2010

Last month was a good month for hackers — and a bad month for me and many other WordPress users.

I currently manage 15 WordPress websites — 5 for myself and 10 for family members, friends, and like-minded associates.

The trouble began when I received an ominous message from MediaTemple, the company that hosts all my WordPress websites. The message read:

“As a courtesy, and in an effort to help you overcome these recent application attacks, (mt) Engineers have identified and removed malicious code from your WordPress database tables. Please continue with your efforts to update your applications to the latest version. Simply having an outdated application on your service might render this malicious code purge ineffective.”

The notice went on to indicate that every site I managed had been infected — and cleaned.

I called in, had the MediaTemple tech support people (who are some of the best on the planet) send me a list of concrete things I could do to prevent future attacks. Then I did the basics: changed and hardened passwords, updated plugins and templates, and checked to be sure all my sites were using the current version of WordPress.

Once I completed these tasks, life returned to normal.

Two weeks later, I visited one of my main websites and instead of the website loading as it usually does, a Google generated page loaded. Painted on a bright red background, the ominous page shouted: “WARNING: VISITING THIS WEBSITE MAY HARM YOUR COMPUTER!”

I had been hit again. But this time MediaTemple didn’t catch and purge the malicious code before Google found it. And Google, taking net security very seriously, began warning the entire planet to stay away.

OK, that’s an exaggeration. The entire planet didn’t actually see Google’s warning — but people who use Google Search, Google Chrome, Firefox, Safari, and other web applications could have, if they had visited. What would have happened if the entire planet had visited my infected website (or the infected websites of thousands upon thousands of other websites who probably don’t even know they are infected)?

Bad things. Here’s where you can go to find out more.

But I digress.

Whereas the first time I got hacked I didn’t pay much attention; this time, thanks mostly to Google warning others that one of my websites was an instrument of evil doers, I got serious. My first step was to contact ace WordPress programmer Shawn Hesketh of LeftLane Designs. After emailing Shawn about what had happened, and asking for suggestions about what I could do to protect the sites I administer, Shawn responded with a list of very helpful suggestions. Shawn’s suggestions, in turn, led to other steps and resources — and a desire to save other fledgling WordPress webmasters from the trials and tribulations I was experiencing.

So for all you WordPress webmasters out there who have enough technical skills to set up WordPress websites, but aren’t sure how to effectively protect them, this post is for you.



I set up an account on Google Webmasters for all the websites I manage. Along with providing bare bone diagnostics, this service also provides a direct way to reach Google in the event another site is blacklisted like Pulse was due to malware or other security issues.

Google Webmasters

The Malware Warning Review Process

Practical Guide To Dealing With Google’s Malware Warnings


I changed and hardened passwords. Since I’m a Mac guy, I used 1Password (which I love) to generate super-strong passwords. Here’s a quick list of password-related resources:

1Password (for Mac users)

Password Management Software (for PC users)

Secure Password Generator

Strong Password Generator

Free Password Generator


I subscribed to Sucuri and had all my WordPress websites scanned. Those that were infected, were cleaned. I have Sucuri configured to scan all these sites at 2 or 4 hour intervals and I will be notified immediately if any additional security issues are detected. Significantly, Sucuri located and removed malicious code from all my WordPress websites that my website provider not only missed but failed to identify when they ran their own scans.


Sucuri Security Scanner (free scan to detect malware, spam, security issues)


I subscribed NHNE Pulse, which is my largest, most content rich WordPress site, to VaultPress. They are making complete backups of the site every hour. Along with backing up the site, VaultPress also allows me to push a button and revert the entire site to a previous version. While you have to get on a waiting list to use VaultPress (because they are still in beta), they plan to offer a wide variety of security features down the road — and give their early adopters special treatment. VaultPress is also the brainchild of WordPress insiders.



I set up an account with Amazon S3 and created special areas to backup all the content from my WordPress websites. I also installed the Automatic WordPress Backup plugin. The plugin automatically backs up everything to Amazon and also provides a one-button restore function. Along with being exceedingly inexpensive, Amazon S3 can also be used to store all kinds of other data. While many host sites have systems that create backups of the websites they host, it is still a good idea to have an offsite backup of your website(s) — just in case the unthinkable happens and your primary host experiences a catastrophic failure.

Amazon S3

Amazon S3 FAQ

Automatic WordPress Backup


I installed and ran three security plugins:

A. Automatic WordPress Backup (to automate the Amazon S3 backup/restore process)

B. Secure WordPress (to run a series of security tweaks on the sites)

C. WP-Optimize (to delete the tons of archived modified pages and other content that was accumulating on my websites so they would be easier to backup. This plugin also allows provides an easy way to change the “admin” username if you made the mistake of not changing this when you first logged in to your WordPress site.)


Until all my WordPress websites were hacked, I had dreams of setting up a small WordPress empire. The idea was to setup WordPress based websites for family, friends, and associates who were doing work that I wanted to support. I would set up their sites, teach them how to use them, and then host them at competitive rates. After being hacked, twice, I realize that “securely” managing a bunch of sites requires more time, expertise, and money than I had to spend. So I’ve changed course. Now I plan to continue helping like-mined folks get set up with their own WordPress sites, but instead of hosting them myself (and watching my life get eaten up dealing with security issues), I will set them up with a company that specializes in hosting and securing WordPress websites:


Finally, I’ve created a page on NHNE Pulse to keep track of the best WordPress security resources I come across. It includes links to all resources listed above, and more:

If you have any additional resources and suggestions, please email them to me — or add a comment to the Pulse WordPress Resource Page. I want to be sure this list is as comprehensive — and practical — as possible. I also want to be sure it is something average WordPress webmasters can use.

If you find this article helpful, I encourage you to share it with your WordPress friends. The more communication and cross pollination there is among people trying to run clean, healthy websites, the less opportunity there is for bad guys to cause mayhem and destruction!


Here are a few additional suggestions for protecting your WordPress website/blog…


September 10, 2010 Update

9. BOGUS ADMINISTRATORS (This should actually be Number 1. on the list)

Check to see if there are any unknown Users listed as administrators. If there are, delete them, and reset your WordPress username and password.


(Thanks to Gil Taylor for these plugin suggestions. While neither of these plugins claim to work with WordPress 3, both plugins are working fine for me on 3.0.1. The developer of Login LockDown also told me his plugin is compatible with WordPress 3 and that he plans to upgrade the public notes on the plugin shortly.)

A. Login LockDown

Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lock out of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked out IP ranges manually from the panel.

B. WordPress Firewall

Detect, intercept, and log suspicious-looking parameters — and prevent them compromising WordPress. Also protect most WordPress plugins from the same attacks. Optionally configure as the first plugin to load for maximum security. Respond with an innocuous-looking 404, or a home page redirect. Optionally send an email to you with a useful dump of information upon blocking a potential attack. Turn on or off directory traversal attack detection. Turn on or off SQL injection attack detection. Turn on or off WordPress-specific SQL injection attack detection. Turn on or off blocking executable file uploads. Turn on or off remote arbitrary code injection detection. Add whitelisted IPs. Add additional whitelisted pages and/or fields within such pages to allow above to get through when desirable.



  1. Ok. Why didn’t I see that?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.