Question

Someone hacked my WordPress site and I cannot access FTP, cPanel and admin. I contacted the hosting company and they sent me the new password in order to access via FTP, but I cannot access via admin and via cPanel. How can I solve this problem? And how can I prevent this in the future? I saw that there are some plugins like "Better WP Security". Is it enough to prevent future attacks? Thanks for your help.

Solution 2

That depends a lot on how your hosting manages its security for WordPress or other CMSs in PHP. The common way to hack admin and cPanel is a SYMLINK attack. First, check all the permissions on the host, like for change and modify, and second, use a strong .htaccess in your main index dir. And check all the dirs on your account; if any PHP shell exists there, delete it immediately.
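A read-only triage pass for the checks listed in the answer above (permissions, symlinks, stray PHP files), as an added example that is not part of the original answer. The finding names, the extension list and the rule that PHP under `wp-content/uploads` is suspicious are assumptions of this sketch, and the sample tree is constructed.

```python
import os
import stat
import tempfile

PHP_EXT = (".php", ".phtml", ".php5", ".phar")

def audit_site(root):
    """Return sorted (finding, relative_path) pairs for a WordPress document root."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                # Symlink attack indicator: the link resolves outside this account's root.
                if os.path.commonpath([root, os.path.realpath(path)]) != root:
                    findings.append(("symlink-outside-root", rel))
                continue
            if mode & stat.S_IWOTH:
                findings.append(("world-writable", rel))
            if not stat.S_ISREG(mode):
                continue
            if rel.startswith("wp-content/uploads/") and name.lower().endswith(PHP_EXT):
                findings.append(("php-in-uploads", rel))  # heuristic: uploads should hold media
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append(("wp-config-world-readable", rel))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "site")
        os.makedirs(os.path.join(site, "wp-content", "uploads", "2014"))
        samples = {"wp-config.php": 0o644, "index.php": 0o644,
                   "wp-content/uploads/2014/photo.jpg": 0o644,
                   "wp-content/uploads/2014/img.php": 0o666}
        for rel, mode in samples.items():
            path = os.path.join(site, rel)
            open(path, "w").close()
            os.chmod(path, mode)
        open(os.path.join(tmp, "outside.txt"), "w").close()
        os.symlink(os.path.join(tmp, "outside.txt"), os.path.join(site, "leak.txt"))
        os.symlink("index.php", os.path.join(site, "home.php"))  # stays inside the root
        return audit_site(site)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run it on the server itself (POSIX assumed), since file modes and symlinks do not survive an FTP download. Findings are leads to inspect by hand, not proof of compromise.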

OTHER TIPS

Using Better WP Security is an option, yes, but most of all try to use strong passwords, and always keep your plugins and WordPress itself up to date.

Do not store your password on the computer as (text) files (try to remember them, I know, it sounds hard to do, but this is the only way).

Also check all computers from which you log in to the Administration area for viruses and/or Trojan horses/key-loggers.

This was for prevention.

Now, how to deal with the current situation - it depends; the best way is to disable (and remove) all plugins, and start with a clean WordPress installation. The posts and pages are inside the database, so you should not lose any information, but you can make a backup of all of your files (and custom page templates, if any).

There are certain key points that you can use to make your website more secure.

First, check your site on sucuri.net to get more info on malware, spam, etc.

1. Use a security plugin

I recommend using Wordfence, which has lots of features and is able to do the following:

  • Scans over 44k+ malware definitions
  • Detects phishing attempts
  • Removes Sh3lls
  • Backdoors
  • Trojans
  • Monitors
  • DNS security and many more...

Better WP Security (aka iThemes Security) is also a good plugin to secure your WP, and it also has great features.

(Both plugins work together, no doubt.)

Comparison of Better WP Security and WordFence

2. Secure your .htaccess

Secure wp-config.php

# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied"
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

Disable directory browsing

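# Directory browsing: use only the signed form, since Apache 2.4 rejects
# mixing signed and unsigned options such as "All -Indexes"
Options -Indexes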

Protect .htaccess itself

<Files .htaccess>
    order allow,deny
    deny from all
</Files>

Disable hot linking

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

3. Protect yourself

4. Get yourself updated.

  • Use updated versions of WordPress, plugins and themes.
Licensed under: CC-BY-SA with attribution