Monday 8 February 2016

WordPress Security Tips

I recently wrote a post about cleaning up your hacked WordPress site and wanted to follow up with a quick post on how to actually prevent your site from getting hacked.
The order I chose for releasing the posts seems a bit silly. Of course you would want to prevent hackers first, however, most people don’t even think about hack-proofing their site until it actually happens.
I am keeping this post short and sweet since no one wants to read too much about this boring and scary subject. I will not go into detail for each of the security tips. Maybe later I will create a post to talk about each of these…
So check out my WordPress Security Tips below and be safe!

WordPress Security Tips

  1. Upgrade WordPress
  2. Do not use the admin account
  3. Delete the admin account
  4. Change default passwords
  5. Use “strong” passwords
  6. Move your wp-config.php file
  7. Use secret keys in your wp-config.php file
  8. Change the WordPress table prefix
  9. Use your .htaccess file to allow only certain IPs access to sensitive areas
  10. Use shell access as opposed to FTP
  11. Create a blank index.php (or index.html) in your plugins directory (newer WP versions already ship one)
  12. Block access to the wp-admin folder using your .htaccess file
  13. Remove the WordPress version string from your header.php file
  14. Block your wp folders from search engines
  15. Do not allow people to register as administrators by default
  16. Keep spam comments out
  17. Backup your database and server-side files regularly
  18. Use proper file permission settings on all files on your server
  19. Use secured connections to access your WP admin pages
  20. Scan for vulnerabilities

.htaccess Snippets to Improve WordPress Security

WordPress security is one of the most neglected areas among novice bloggers. An unsupervised WordPress installation leaves quite a few potential weaknesses unattended. Most WordPress installation tutorials explain a quick and easy way to deploy WordPress in minutes, but they leave out a few important security points. For example, directory browsing and using the ‘admin’ username are serious security holes. Today we’re going to take a look at 10 .htaccess code snippets which will help improve your WordPress blog’s security. Before we get started, let’s take a quick look at what the .htaccess file is.

What is the .htaccess file?

An .htaccess file is an optional per-directory configuration file that the Apache web server reads and applies on every request (it has no effect on other servers such as Nginx). You can store various settings in it: password-protect a directory, block IPs, block a file or folder from public access, etc. Traditionally, the .htaccess file is present in the base WordPress installation directory, where WordPress itself writes the rewrite rules for your permalink structure between its # BEGIN WordPress and # END WordPress markers; put your own rules outside those markers, or WordPress may overwrite them. Your host must also allow overrides (AllowOverride) for the directives you use: a directive the server doesn’t permit or recognize takes the whole site down with a 500 Internal Server Error.
TIP: Before you start with the tutorial, back up the current .htaccess file (if present) somewhere safe, such as a cloud storage service like Dropbox. That lets you roll back to the last known working .htaccess file if a certain code snippet breaks your site. Let’s begin.

1. Block Bad Bots 

One of the best uses of the .htaccess file is its ability to deny multiple IP addresses from accessing your site. This is useful when blocking known spammers and other origins of suspicious or malicious access. The code is:

# Block one or more IP addresses. Replace IP_ADDRESS_* with the IPs you
# want to block (a CIDR range such as 203.0.113.0/24 also works)

<Limit GET POST>
order allow,deny
deny from IP_ADDRESS_1
deny from IP_ADDRESS_2
allow from all
</Limit>
Where IP_ADDRESS_1 is the first IP you want to prevent from accessing your site. You can add as many IPs as you want. No matter what user agent (browser) these IP addresses use, Apache refuses the request before WordPress even runs. Two caveats: <Limit GET POST> restricts only those methods (Apache treats HEAD together with GET), so drop the <Limit> wrapper if you want every method covered; and order/allow/deny is the Apache 2.2 dialect, which Apache 2.4 only accepts when the mod_access_compat module is loaded (without it, the file produces a 500 error).

2. Disable Directory Browsing

This is one of the most overlooked security flaws in a WordPress site. Many default Apache configurations enable directory browsing (the Indexes option). This means that every file and folder inside a directory without an index file can be listed and browsed by a visitor. You do not want that, because you don’t want people browsing through your media uploads or your theme or plugin files.
If at random I pick 10 personal or business websites running WordPress, 6-8 of them won’t have directory browsing disabled. This allows anyone to easily sniff around the wp-content/uploads folder or any other directory which doesn’t have the default index.php file. In fact, the screenshot you see is from one of my clients’ sites, before I recommended the fix. Code snippet to disable directory browsing:
# Disable directory browsing. Use a bare "-Indexes", not "Options All -Indexes":
# "All" would also switch on ExecCGI and Includes, which you don't want in a web root
Options -Indexes

3. Allow Only Selected Files from wp-content

As you know, the wp-content folder contains most of your themes and plugins and all media uploads. You certainly don’t want people to access it without restrictions. In addition to disabling directory browsing, you can also deny access to all file types save a few. In essence, you selectively unblock files like JPG, PDF, DOCX, CSS, JS, etc. and deny the rest. To do this, paste this code snippet in a .htaccess file:

# Disable access to all file types except the following
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>
You must create a new .htaccess file with this code and put it in the wp-content folder. Don’t place it in the base installation directory, or it will block WordPress’s own index.php and nobody will reach the site at all. You can add any file type to the list by appending a ‘|’ and the extension after ‘rar’. The above list covers XML, CSS and JavaScript, common image and document formats and the most-used archive formats. Check your site afterwards: web fonts (woff, woff2, ttf, svg) and video (mp4, webm) are not on the list and will come back as 403 until you add them, and any plugin that expects one of its own .php files to be requested directly will stop working. That last part is the intended trade-off, because the same rule stops an attacker from running a PHP web shell uploaded into wp-content/uploads.
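A narrower variant of the wp-content rule, added here as an example rather than one of the post’s ten snippets: a .htaccess file for wp-content/uploads that refuses anything with a PHP-like extension while every other file type is served as before. It is the rule to keep if a theme needs more extensions than the allow-list above permits. The regex also catches double extensions such as shell.php.jpg, which Apache’s mod_mime can otherwise hand to the PHP handler. Both the Apache 2.4 (mod_authz_core) and the 2.2 forms are included so the same file works on either version; the upload path is the WordPress default and is assumed.

```apache
# wp-content/uploads/.htaccess (added example, not from the original post)
# Refuse to serve, and therefore to execute, any PHP-like file under uploads,
# no matter how it got there. "(\.|$)" matches the extension either at the end
# of the name or followed by another dot, so shell.php.jpg is caught as well.
<FilesMatch "\.(php|phtml|php[0-9]|phar)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving it, request a harmless test file such as /wp-content/uploads/test.php and confirm the answer is 403, then load an image from the same folder to confirm normal uploads still work.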

4. Restrict All Access to wp-includes

The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress, one without any plugins or themes. Remember, the default theme still resides in the wp-content/themes directory. No visitor (including you) should ever need to request a PHP file inside wp-includes directly; browsers do fetch scripts and stylesheets from wp-includes/js and wp-includes/css, which the rules below leave alone. You can block direct PHP access with the following code snippet:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request that is not under wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Put this in the base .htaccess above the # BEGIN WordPress marker (not between the markers, which WordPress rewrites) and keep the three rules after the skip together, because [S=3] counts them.

5. Allow only Selected IP Addresses to Access wp-admin

The wp-admin folder contains the files required to run the WordPress dashboard. In most cases, your visitors don’t need access to the WordPress dashboard, unless they have registered an account. A good security measure is to let only a few selected IP addresses reach the wp-admin folder: the IPs of the people who need the dashboard, i.e. editors, contributors and other admins. This code snippet allows only fixed IPs to access the wp-admin folder and denies access to the rest of the world.

# Limit logins and admin by IP (applies to every HTTP method; wrapping this in
# <Limit GET POST PUT> would leave other methods unrestricted)
order deny,allow
deny from all
allow from IP_ADDRESS_1
allow from IP_ADDRESS_2
Make sure that you create a new .htaccess file and put it in the wp-admin folder, not the base installation directory. If it’s the latter, no one except you will be able to browse your site, not even search engines! You certainly do not want that. Two things this does not cover: wp-login.php sits in the base directory, not in wp-admin, so the login form itself is still reachable by everyone, and wp-admin/admin-ajax.php is called by many themes and plugins on the public front end, so front-end features that depend on it will break for anyone not on the list unless you add an exception for that file. A couple of downsides of this measure are as follows:
  • If your site allows or promotes new user registration, it would be nearly impossible to keep track of the number of users. For example at WPExplorer, if you want to download our awesome free themes, then you have to register.
  • People with dynamic IP addresses (mostly ADSL broadband users using the PPP or PPPoE protocols) get a new IP every time they reconnect to their ISP. It would be impractical to keep track of all these IPs and add them to the .htaccess file.
  • Mobile broadband: Whether you’re on 3G or 4G, your IP address depends on the cell tower you’re currently connected to. Say you’re travelling: your IP will keep changing every couple of miles you move from the origin. Again, keeping track for the .htaccess file is nearly impossible.
  • Public Wi-Fi hotspots: Logging in over a public Wi-Fi hotspot without HTTPS is a big no-no, since anyone on the same network with a packet sniffer can read every character you type over plain HTTP; a secured connection (tip 19 in the list above) is what protects you there. Not to mention, each Wi-Fi hotspot hands you a different IP address.
Thankfully, all these disadvantages (save the first one) can be rectified by using a VPN. If your VPN gives you a single fixed exit IP address, you can just add that one to your .htaccess file and all the other problems go away.

6. Protect wp-config.php and .htaccess from everyone

The wp-config.php file contains the most sensitive access credentials of your WordPress site. It contains the database name and access credentials and various other critical data, amongst other settings. Under no circumstances do you want other people looking into this file. And of course, you want to disable public access to the source of all this security – the .htaccess file itself. You can disable access to wp-config.php with this following code:

# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
To deny access to all .htaccess files (remember some may reside in the wp-admin and other folders), use this code snippet. Apache’s stock configuration already refuses any file whose name starts with .ht, so this is a second line of defence for hosts that changed that default:
# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
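The three access-control snippets above (1, 5 and 6) are written in the Apache 2.2 order/allow/deny dialect. Apache 2.4 replaced those directives with Require and only accepts the old ones when mod_access_compat is loaded; on a 2.4 host without it every one of them is an unknown directive and the whole site answers 500. The following is an added example (not one of the post’s own snippets) that restates all three in 2.4 syntax and adds the one exception the wp-admin lock needs: admin-ajax.php, which themes and plugins call from the public front end for anonymous visitors too. The IP addresses are placeholders from the documentation ranges and are assumed.

```apache
# ---- base directory .htaccess (Apache 2.4 form of snippets 1 and 6) ----
# Added example, not from the original post.

# Snippet 1: deny the listed addresses/ranges, allow everyone else.
# Inside <RequireAll>, a single matching "Require not ip" refuses the request.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.77
    Require not ip 198.51.100.0/24
</RequireAll>

# Snippet 6: nobody may fetch wp-config.php or any .ht* file over HTTP
<Files "wp-config.php">
    Require all denied
</Files>
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# ---- wp-admin/.htaccess (Apache 2.4 form of snippet 5) ----
# Only the listed addresses may reach the dashboard, for every HTTP method.
Require ip 203.0.113.10 198.51.100.0/24

# Exception: admin-ajax.php is used by the public front end, so keep it open.
# <Files> sections are merged after the per-directory directives above, and
# with the default AuthMerging Off this Require replaces the inherited one.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After saving, check three things from an address that is not on the list: the dashboard must answer 403, a front-end feature that posts to /wp-admin/admin-ajax.php must still work, and a request for /wp-config.php or /.htaccess must answer 403 rather than serving the file.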

7. Deny Image Hotlinking

One of the coolest .htaccess file hacks, this one sends content scrapers running with their tail between their legs. When someone embeds your site’s images on their own pages, your bandwidth is being consumed and most of the time you’re not even credited for it. This code snippet checks the Referer header of each image request and, when the page embedding the image is not one of your own sites, serves the replacement image below instead. Keep in mind that the Referer is sent by the visitor’s browser: it may be blank (privacy settings, direct links, some RSS readers), which is why the first condition lets blank referers through rather than breaking those visitors, and it can be faked, so this deters casual hotlinking rather than a determined scraper.

# Prevent image hotlinking script. Replace the last URL with any image
# link you want (it must live on another host, or the replacement image
# would itself be redirected in a loop). To answer 403 instead of an
# image, use "- [F,NC,L]" as the substitution.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourotherwebsite\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]

8. Enable Browser Caching

Also known as client-side caching, this .htaccess hack enables the recommended browser caching options for your WordPress site. Strictly speaking it is a performance measure rather than a security one, but it is a staple of every .htaccess file. You could also use it in other projects, HTML sites, etc.

# Setup browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
# Apache's mime.types maps .js to application/javascript, so cover that type too
ExpiresByType application/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>
ExpiresDefault also applies to text/html, so an anonymous visitor’s browser may hold on to a page for two days; lower it if you publish often.

9. Redirect to a Maintenance page

When you’re migrating web hosts or performing some maintenance task, it is always recommended to create a static “down for maintenance” HTML file to inform your visitors that the website is undergoing an upgrade or maintenance operation. Simply create a maintenance.html file (or any other filename) and upload it to the base WordPress installation directory. Paste the following snippet in your .htaccess file. Once the operation is over, make sure to delete or comment out these lines to go back to normal operation. You can comment out a line by putting a ‘#’ at the beginning of it.

# Redirect all traffic to the maintenance.html file, except your own IP
# (replace 123.123.123.123 with your address)
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance\.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^ /maintenance.html [R=302,L]
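A variant of the maintenance switch, added as an example rather than one of the post’s snippets: instead of a 302 redirect it answers every request with 503 Service Unavailable and shows maintenance.html as the error document, together with a Retry-After header. A 503 tells search engines the outage is temporary, so they neither index the maintenance page nor drop your real URLs, which a site-wide 302 can cause if it stays up for long. The admin address 203.0.113.10 and the maintenance-assets/ folder for the page’s images are assumptions; replace them with your own.

```apache
# Added example, not one of the post's snippets: maintenance mode as a 503.
# Put this in the base .htaccess while the work is going on and remove it after.
<IfModule mod_rewrite.c>
RewriteEngine on
# Let your own address through (203.0.113.10 is an assumed placeholder)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# Never intercept the maintenance page itself or the assets it uses,
# otherwise the page could not render (the assets folder name is assumed)
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteCond %{REQUEST_URI} !^/maintenance-assets/
# With a status code outside 300-399, mod_rewrite sends that status and no
# Location header, so this is a 503 answer rather than a redirect
RewriteRule ^ - [R=503,L]
</IfModule>
# Body of the 503 answer: the static maintenance page (no PHP, no database)
ErrorDocument 503 /maintenance.html
<IfModule mod_headers.c>
# Ask crawlers to retry in an hour; set on every response while this file is
# active, which is harmless for your own admin requests
Header always set Retry-After "3600"
</IfModule>
```

Verify it from a second address: the response status for any URL should be 503 with the maintenance page as the body, while your own address still reaches the dashboard.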

10. Custom Error Pages

You can also use the .htaccess file to configure user-friendly custom error pages for errors such as 403, 404 and 500. Once you have prepared your error page, let’s say error.html, upload it to your base WordPress installation directory. Then add the following code snippet to your .htaccess file to enable the custom error page (keep it a plain static file: if the 500 page itself depended on PHP or the database, it could fail for the same reason the original request did):

# Custom error page for errors 403, 404 and 500 (no space after the slash:
# ErrorDocument takes exactly two arguments)
ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 500 /error.html

Conclusion:

Today we’ve learnt some of the coolest .htaccess hacks to strengthen your WordPress site. I would suggest you try out each snippet one by one, taking a backup of the .htaccess file before and after testing each one. This is because the .htaccess file is very critical: a missing ‘#’ character or a misplaced ‘</IfModule>’ takes your whole site down with a 500 error. If you access your WordPress dashboard frequently on the go, it’s better not to restrict your wp-admin folder to selected IPs.

How to Recover a Hacked WordPress Site

A couple of days ago, I did something I normally try to avoid; I took to social media to rant. This was after I received a disheartening message via email, which prompted me to contact my web host, but the tech support did everything but help matters, hence the need to air dirty linen on Twitter.
Being who I am, I would have chosen to let this matter slide, but the kind of support I received from my web host when I needed help the most sucked big time. It was both a shocker and an eye opener. Now I’m a dissatisfied customer shopping for a new web host.
I mean, what did they expect after such poor customer support? One of the reps had the audacity to ask me to move my site elsewhere if I was dissatisfied. The nerve. Please recommend a great host in the comments, and put a smile on my face :) But apart from the shoddy customer service, what was the cause of my woes? Here’s the story behind this disheartening email.
 Recently, I fell victim to a really determined hacker who gained access to my WordPress site, eventually taking over my entire public_html directory. Or vice versa – I really don’t know how I was hacked as my web host failed to provide this info even after I inquired a couple of times.
Now, I had six WordPress sites living on this account. As a result of the hack, all of them were taken down as a security measure, which is totally understandable. But as the situation went completely out of control, traffic dwindled and I never received a single inquiry in the 72+ hours I was locked out of my businesses.
So I went to Twitter and made a lot of noise, after which a seemingly nice fellow named Matthew (thank you if you’re reading) came to my rescue. After Matt intervened I was able to recover my main site although it had suffered major blows in terms of core functionality. The other five websites weren’t as lucky, they had to bite the dust, leaving me with a bad taste in the mouth.
It was a frustrating and stressful experience, especially with the little help I was getting from the support reps at Bluehost. Yes, I just snitched on you, Bluehost. Suffice it to say, this is the second time I have been hacked on their shared hosting package. I should start learning.
Disclaimer: My experience doesn’t discount the fact that you might be having a great time with the host; this is just my isolated experience.
What did Matt do differently? He made me a malware.txt file containing details of the corrupted files. Cleaning most of these files was easy, but it meant deleting important plugins and replacing core files that left my main site with serious incapacity. It was up though in no time, which was better than nothing.
I deleted the other five completely because they were corrupted and the backups – according to the support reps – were also corrupted. You know, like beyond repair. It’s a shame. Now I have to start work on five different websites, which is really disappointing for a big company such as Bluehost. Either way, I gave Matt a great review, but the other reps weren’t as lucky. But I’m still worried I might be hacked again, and it’s not the kind of mindset you need when running a business.
Ranting aside, getting hacked isn’t something you should ever wish on anyone, even your worst enemy. Even if you end up recovering your site, it will cause you undue stress and cost you precious time and money. If your web host sucks like mine, you risk being hacked a second time. You will lose traffic and sales, and the bitter memory will take long to die. Your credibility lies on the line too, so yeah, getting hacked is no fun.
So what are you to do when some jerk somewhere hijacks your WordPress site, and destroys all the efforts; time, money and ambition, you’ve put in your project? Is there a number you can call? The internet police maybe? Is there a quick fix-it-all button you can click, and recover your site in minutes, rather than days?
Do you have to go through a harrowing experience like I did, or will your host of choice understand you’re already under stress for losing your digital assets? What is a WordPress user to do? Are hackers to be feared or can you protect yourself? Here are some tips that you can employ to hopefully never have an experience like I did.

WordPress Security

They say prevention is better than cure, and I agree. WordPress security is key. At the same time, no matter how hard you try, the bad guys always seem to know exactly where to hit and break into your fortified website. This I say because I was using top-of-the-class security plugins on my websites, but I was still hacked.
Whether you’re a WordPress neophyte or a seasoned webmaster, you should always look into bolstering your WordPress security as opposed to trying to recover your site when it’s already lying in pieces. Before we discuss how you can restore your hacked WordPress website, let’s see what’s available out there in terms of preventative measures. How can you better your chances of remaining unshaken even if/when hackers throw everything they got at your WP-based online business? Here’s the juice.

Invest in a Great Web Host

What makes a great WordPress host? We’ve discussed how to choose the best WordPress host in the past, so I won’t go into the finer details. However, let’s mention a few important considerations to keep in mind when selecting the perfect web host.

Price vs. Value

First of all, you shouldn’t look into “pinching pennies” with your hosting solution. Low cost of hosting is primarily why I chose and stuck with Bluehost. I had no idea this would turn around and bite me in the a**.
I have a simple question for you, mi amigo. Would you rather pay $4 per month and risk getting hacked (+ poor service) , or $29 a month and get stellar and personalized service that’s tailored for your business? How much is your peace of mind worth?
In the recent past, I was so sure I was saving money by paying $4 per month for hosting. Now I know better, and I am contemplating moving to managed WordPress hosting. Unless of course Bluehost is willing to massage my ego with a huge birthday cake, or something. I’m kidding of course, but they should look into their customer care. You should consider managed WordPress hosting as well, if you don’t want to lose your business later on.
The problem with the $4 a month shared hosting plans is your site lives with a million other sites on the same server, which means if one of the other sites is compromised, you’d be lucky to escape the onslaught. If you collect/store customer data on your site, you don’t want this kind of info falling into the wrong hands. If you’ve invested time and money in creating great content, you don’t need some hacker to reduce it all to a Viagra-peddling homepage, or worse, nothingness.
We need to relocate to managed WordPress hosting people. Many of the more affordable hosts are already offering managed hosting plans, and if we ramp up the demand perhaps the prices will come down as a result. Sounds like a plan, right? Moving on…

Quality Support

Do we even need to talk about why your web host should provide great support? Being available at a moment’s notice is great, but I have had to wait more than 20 minutes to have a live chat session with a Bluehost support rep. And when they do show up, they aptly tell you they’re on multiple chats at the same time, as if you’re supposed to make up for their under staffing. Not cool guys, not cool.
So you end up wasting even more time on trivialities, since they are carrying over issues from other chats. Could this be the reason why they have terrible attitudes at times? But instead of pointing fingers, am I expecting too much out of $4 a month? Perhaps I am. Choose your web host carefully, or you could pay with the loss of traffic (or potentially your business).
That aside, do they have secure servers? What other security measures do they have in place? Will you be able to restore your WordPress site in case it’s hacked, or will they tell you your backups are corrupted too? Will they notice the intrusion long before the attacker causes serious damage, or will they shut down your site and notify you when it’s already too late?
Do you really have to stay on that shared hosting package? Is your web host secure, or do they leave you vulnerable to all manner of attacks? The only way to find the answers to these questions and any others you might have is to read reviews (and this post counts as one) and do the necessary research. I mean it, just do it, and you’ll be surprised just how much you can learn about a company on the big WWW.

Get Clean WordPress Themes + Plugins

The hacker’s favorite playing field, themes and plugins (especially poorly coded ones) provide easy access to your site admin. Right this minute, some hacker is probably trying to gain access to your WordPress site/blog using a poorly-coded theme or plugin. If a hacker uses a backdoor (hidden in a theme or plugin) to access the admin area, you’re roast goose. They can wreak havoc however they wish.
As such, it’s important to download themes and plugins from trustworthy sites. Are you looking for a clean theme? We recommend  Themeforest. Need clean plugins? Check out the WordPress Repo . Know of any other trustworthy sites where we can get themes and plugins? Please share in the comments.

Update Themes + Plugins + WordPress

At times, a great theme or plugin might come with a security flaw. Usually, developers release updates to seal these security holes. However, if you don’t update your theme or plugins, you become an easy target for hackers who -in most cases – are aware of the security flaw. After all, info about the security flaw is available in the public domain, so yeah, hit that update button already.
Keep them themes and plugins up to date. Remember to upgrade your WordPress installation as well, or you’ll cry foul when hell breaks loose.

Backup Your WordPress Site

Don’t be the one to rebuild your WordPress site(s) from scratch like yours truly. With full and regular backups, you can restore your WordPress site with ease even if the hacker person tore it from the hinges and flung it all the way across Atlantic Ocean.
And please don’t make the mistake of assuming your web host keeps secure backups of your site, even if they proudly proclaim it in their marketing brochures. The only (and best) way to protect yourself is investing in a professional and reputable backup solution such as VaultPress (some hosts even offer their own backup options with various plans).
If you know your way around your web server, you can even create manual backups at regular intervals (and for added security we recommend taking your own manual backups in addition to one of the plugins mentioned above). Bi-weekly is a great schedule to start with. Just compress your WordPress website, and download it to your local machine. Download also the WordPress database, and save both on a secure folder on your computer. Ensure your computer is clean.
There are many WordPress backup plugins too to do your bidding, so worry not if you can’t find your way around a web server. You can read more about securing your WordPress website, and share your tips as well. Let’s move on, and see how we can recover your hacked WordPress site.

How to Recover a Hacked WordPress Site

You just woke up, and your site isn’t there. Poof, gone with the wind just like that. You probably just got an email or text message letting you know the proverbial rainy day is here you’ve lost the reins of control to some masked mongrel out there. What to do?
Your first reaction would be panic, which is alright since it means you’re still alive, and can do something about the hack – or if you’re really lucky – the hacker. But you shouldn’t worry yourself to the point of mental meltdown, we still need you. After all, the damage is often recoverable in no time.

You Can Still Login

With some hacks, you might still have access to your WordPress admin area. If this is you, you can recover your site easily by eliminating the damaged files and sealing the point of entry. Usually, Google and your web host will let you know when you’ve been hacked. They might even show you the hacked files and URLs.
All you have to do is log in to your WordPress site, remove the affected files, change your login details and update your entire WordPress installation. Just reinstall WordPress from your admin area (Dashboard > Updates > Re-install). Bear in mind that this only replaces the core files: it does not touch wp-content, wp-config.php or .htaccess, so inspect those separately. You might need to replace infected themes and plugins with fresh copies as well.

Uh-oh, You’re Locked Out

Other times, a hacker may completely lock you out or have you locked out of your WordPress site(s). This happened in my case – I couldn’t login into any of my sites. How did I recover my site? I would love to tell you it’s easy, but I would be lying through the teeth.
First, contact your web host, and even if they aren’t forthcoming with the info, pressure them to provide details of the hack, including a list of the infected files. If the live support guys give you a hard time, give them a ring, and if that isn’t enough, just take the battle to them on social media. Many companies, not just web hosting companies, will think twice about tarnishing brand reputation on social media on the account of one disgruntled customer. Be polite however; don’t go hurling unprintable expletives. This is what I did, and sure enough, Matthew saved a malware.txt file in my server.
With such a file in place, cleaning and eventually recovering your WordPress site is a matter of eliminating and replacing affected files. Nevertheless, it can be a long process, especially if the damage is extensive, since you have to find each affected file one by one.
However, with a file showing you where the infected files are, all you have to do is log in to your cPanel -> File Manager and delete/replace the victimized files. Note, this might force you to delete entire plugins, and even themes. If you don’t use a child theme, and your parent theme happens to be infected, you’ll lose your custom design, but hey, at least your site is up! You can always replace plugins, so this shouldn’t be a problem.
Deleting core WordPress files will incapacitate your site in ways you definitely don’t want. The best course of action if this is the case is to replace affected files with clean ones from the official release archive of the exact same version of WordPress you’re running (a mismatched version will break your site). Comparing your installation against that archive, or running WP-CLI’s wp core verify-checksums, also shows which core files were altered or added, which is how you find the infected files when nobody hands you a list. See why it’s important to keep your WordPress installation updated all the time?
If you have a reliable backup solution in place, your chances of recovering your hacked WordPress site increase tenfold. All you have to do is roll back to a version of the site taken before the intrusion (a backup made after it simply restores the backdoor along with everything else) and relax.
Note that after recovering your site, it might need some rebuilding. After you’ve reinstated your WordPress site (which means you can login to the admin area), check to ensure all core functions are working. Things to look for include widgets, contact forms, social media and anything else tied to any affected plugin or theme.
For instance, after restoring my site, none of my forms were working since I had to delete Contact Form 7, the plugin that drives all my forms. I had to delete Jetpack as well so I lost social sharing, comments and RSS feeds among other features. I deleted All in One Favicon as well, and lost my custom favicon. I recovered all these features simply by reinstalling the affected plugins.
Note, the plugins in their own weren’t the problem, but since the hacker had access to my server, and admin access to my WordPress sites, they could add malicious code wherever they willed. I deleted WordPress SEO by Yoast as well, which means my SEO efforts tanked. I took the hit like a man is supposed to, and I’m still recovering.
Luckily the hacker didn’t seem bothered with my content. They/she/he/it didn’t add fluff and links to some phony sites like it happened in the past. I’m still rebuilding my site, and considering a site/content redesign. See? Getting hacked wasn’t all that bad after all. It opened my eyes to the things I was doing wrong, and gave me the impetus I needed to take action for the better. In fact, if Bluehost support reps hadn’t wasted so much of my time, I would have restored my site in no time, and spared them this detailed review.
Back to hacking: once you’ve cleaned your site, contact your web host to remove you from the blacklist. At the same time, recovering your hacked WordPress site won’t mean jack if you get hacked a second time. If the security holes are left unsealed, all your recovery work is in vain. Contact your web host, and let them advise you on how to seal the breach. At times, the problem could be another site on your shared hosting plan. While this might give you some peace of mind, you should upgrade to a more secure plan or invest in the security options aforementioned.
The most fundamental thing to do after restoring your site is to change all login credentials, admin email included. This will ensure the hacker doesn’t regain access to your website, or even your other online accounts. A word of caution: Even if you change your login details, the hacker might still be logged in to your site, which defeats the whole purpose of obtaining new login details. What to do? Firstly, if you have several users on your site, ensure none of them was the point of entry, and look for accounts you did not create. You can create new ones for your various users: writers, web designers, editors etc.
Secondly, change the security keys (salts) in your wp-config.php file, which invalidates every existing login cookie, the hacker’s included. Generating new security keys is easy: open the WordPress.org secret-key generator at https://api.wordpress.org/secret-key/1.1/salt/, copy the eight define() lines it returns, log in to your server and replace the matching lines in wp-config.php. The process is straightforward and we don’t expect you’ll run into any trouble. Do it as the last step of the cleanup, because new keys do nothing about a backdoor file or a rogue administrator account that is still in place.

Recapping

What else am I forgetting? Let me see; in a nutshell this how to protect yourself, and recover your WordPress site should the unthinkable happen:
  • First, get a better web host preferably managed WordPress hosting 
  • Invest in WordPress security solutions – Firewalls, backups – the works
  • Create strong login details, and keep them private
  • Clean your computer, and keep the software on it updated
  • Update WordPress, themes and plugins
  • Get themes and plugins from reputable sources
And should the worst happen:
  • Don’t lose your mind, there’s always a solution. Rebuilding from scratch too is an opportunity to improve
  • Contact your web host, and drive them insane
  • Fix the problem or hire a professional (they are readily available)
  • Rise from the ashes and soar up in the sky once more
  • Be awesome, and perhaps document your experience to help another

Resources

Perhaps I left out some areas innocently, or you simply couldn’t recover your site with the tips shared here. Perhaps you just want to learn more. Who am I to stand in your way? After all, we really want you to recover your hacked WordPress site. So here’s a great list of resources to make your work easier: