I’ve been Hacked! Using Better WP Security and BackWPup.


When you run a lot of blogs sooner or later you’re going to be hacked. It happens to the White House, the FBI and yes it can even happen to you.

In fact, it’s not really a matter of can, it’s more like WILL happen to you. So given that it has happened to me and my clients at different times, here’s the steps I have taken to ensure that it happens as little as possible. Also I’m including what I do to help ensure I can recover when the worst happens.

The first thing you want to do is get your site clean. With all the different ways that a site might be vulnerable, and all the places malicious code can be injected into a site, I recommend using a service like, Sucuri.net.

Sucuri will scan your site and clean it upon request. They also monitor your site so you catch an infection or hack quickly. Cleaning the site is usually pretty fast and the team at Sucuri is always super helpful, I really can’t say enough good things about them. If your site is Blacklisted for having malware from an infection, Sucuri will also submit your site for reconsideration to Google on your behalf.

Once clean your goal should be to get your wordpress install hardeden against future attacks.

I have two plugins that I like for protecting my site, I don’t use them together, it’s more of an either or thing.

Wordfence – Wordfence is easy really easy to use, simple to install, it has one click hardening for the site. It will also scan the site, report any infections, and then compare files against the orginal wordpress.org install files, orginal theme files and original plugin files. Then if something is changed it will notify you of the change. So if your site is hacked again you’ll be able to find the hole and fix it quickly. Wordfence should protect you against reinfection but new tools and techniques, new holes and vunerabilities are found all the time. So having a way to track problems quickly is important.

Better WordPress Security – This plugin can lock your site down tight. And it will report on file changes, but not compare them to the WP originals. I find this plug does a better job securing the site but is more difficult and complicated to use. It’s a great choice it just has a learning curve to it.

So that leaves us with a restore problem after an infection occurs. You want to find the fastest, easiest way to restore your site or replace the infected files. Wordfence makes this easy if it’s a wordpress, theme or plugin core file. Wordfence will pull the file from wordpress and replace the infected one for you on a file by file basis. Really fast and easy.

But what do you do if the file has been modify by you, and it no longer matches the original theme file? Well your first step is to make sure you have a backup plan. You can’t restore what you don’t have backed up. So here’s the two plugins I use for backing up my wordpress sites.

BackWPup – great easy to use plug in. It will back the database and the files of your site. It can store them locally or it can store them in Dropbox, Amazon S3, email them you and several other options.

Updraft – another great plugin, not as many options but what I have found is the BackWPup is not friendly with all hosts, and that’s when I switch to Updraft, it seem to work fine with all hosts. If it uploaded correctly to my Amazon account I might even make it my default. There is another issue with Updraft, it appears that it may be an abadoned project, no updates have been made to the plugin in about two years.

Once your site is backed up, anytime you have an issue you just replace the infected files and you’re back on your way. Having a backup also makes it easier to switch hosts if needed.

Here’s a couple house keeping things to keep in mind for your site’s security.

Change the admin username, it should not be “Admin”. Better WordPress Security will do this with one click for you.

Use a better password. I like to use a formula for making my passwords. Pick a base word like “texas”.

Add the first three letters of the site. Say Paypal.com, so now I have “paytexas”.

Add your birth year to the end. “paytexas1973”

Change “e” to “3”, “i” to “1” and “o” to “0” for “payt3xas1973”

Captialize the first letter “Payt3xas1973”

So gmail would be “Gmat3xas1973”

It’s easy to remember, it’s always unique and very hard to crack with brute force.

I hope you found this article helpful, let me know in the comments what you do to make sure your site is protected.


We would love to hear your thoughts.