I don’t claim to be an expert on this subject, however–though preventative information was everywhere–I found it difficult to find specific information on what to do after you’ve been hacked (just telling me to update WordPress and look for ‘suspicious code’ doesn’t cut it).

So I wanted to share what I learned, in case it helps someone out there who finds themselves in the same boat I once was.

A few things first:

1. My site is self-hosted, running the software from WordPress.org.
2. WordPress is installed in a subfolder off of my root directory (/blog).
3. I run CPanel Accelerated 2 as the back-end for my main site.

Yes, this site was hacked. At the time, I honestly couldn’t tell; It looked and behaved exactly as it always had. In fact, the only way I knew was because some of my friends pointed out that Google had flagged it as an ‘attack site’. Google Analytics also sent me an Email informing me of the detection, urging me to clean my site and resubmit it to the search engine once I was done.

Here’s what I did:

1. I called my web host.
   They sent me a couple of Emails with general information on how to change my passwords, how to restore old backups (something they really encouraged), and it even came with a link to Google Analytics. Basically, it was no help at all.
2. I logged into CPanel, my main page’s back-end.
   This allowed me to put my site into Maintenance Mode, to prevent visitors from coming and to minimize damage.
3. I changed my password to something temporary.
   This was so I could change it again once the site was cleaned.
4. I checked the users.
   There was an extra one I did not create. I deleted it immediately and also deleted an extra account I no longer use.
5. I logged into wp-admin, the WordPress back-end.
   I made sure I had the latest version of WordPress installed.
6. Like in CPanel, I changed my password to a temporary password.
7. Once again, I checked for rogue users.
   I found one here, just like I did in CPanel, and deleted it. It was named with random characters, something like ‘2x34jh25’.
8. Any outdated WordPress plug-ins are security risks.
   I updated all plug-ins, and deleted the plug-ins I never use.

Whew! That’s round one. Exhausted yet? I was. But worse, I wasn’t sure what to do next. Thanks to a lot of help from forums, though, I found out how to snuff out malicious code, which we’ll do in the next round. Hope you’ll join me!