Your Site Was Just Cleaned — Now What?
Step 1: Change Every Single Password
This is the very first thing you should do. Hackers often leave themselves a "back door" by saving your old passwords. If you don't change them, cleaning the malware doesn't fully lock them out. Change the passwords for:
- Your WordPress admin account(s)
- Your web hosting control panel (e.g., cPanel, Kinsta, SiteGround)
- Your FTP, SFTP, or SSH account
- Your database (your host can help with this)
- Any centralized WordPress management platforms you use — such as ManageWP, WP Umbrella, or MainWP. These platforms have access to all your sites, so a compromised account there can be just as dangerous as a compromised WordPress admin.
Step 2: Turn On Two-Factor Authentication (2FA) & CAPTCHA
A password alone is no longer enough to keep bad actors out. Two-Factor Authentication (2FA) adds a second layer — like a second deadbolt on your front door. After entering your password, you'll also need to enter a short code from your phone. Even if someone steals your password, they still can't get in without your phone.
Setting this up is easier than it sounds. Install a free plugin like WP 2FA from the WordPress plugin directory — it walks you through a simple setup wizard in minutes.
Alongside 2FA, you should also add a CAPTCHA to your site. You've seen CAPTCHAs before — those "I'm not a robot" checkboxes or image puzzles. They exist because automated bots constantly try to abuse login forms, registration pages, checkout pages, and contact forms. A CAPTCHA forces the visitor to prove they're human before the form will submit, stopping the vast majority of automated attacks.
Make sure CAPTCHA is enabled on all of these: your WordPress login page, any user registration page, your WooCommerce checkout, and all contact/inquiry forms. Free plugins like Advanced Google reCAPTCHA or Cloudflare Turnstile make this straightforward to add without any coding.
Step 3: Update WordPress, Themes & Plugins — All of Them
Outdated software is the #1 reason WordPress sites get hacked. Developers release updates regularly to patch known security holes. If you don't update, those holes stay open — and hackers know exactly where to look.
From your WordPress dashboard, go to Dashboard → Updates. You'll see everything that needs updating. Click "Update All" and you're done. This takes less than 2 minutes and is one of the most powerful things you can do.
Step 4: Delete Plugins & Themes You Don't Use
Many people deactivate plugins or themes they no longer need — but leave them installed "just in case." This is risky. Even a deactivated plugin can contain vulnerabilities that hackers exploit. If you're not using it, delete it completely.
Go to Plugins → Installed Plugins, and remove anything you haven't used in months. Do the same under Appearance → Themes — WordPress only needs one active theme plus one backup.
Step 5: Review All User Accounts
Attackers sometimes create hidden admin accounts on your site as a backdoor for future access. After a cleanup, take a few minutes to review who has access to your WordPress dashboard.
Go to Users → All Users. Look for any accounts you don't recognize and delete them immediately. Make sure only people who genuinely need admin access have it — everyone else should have a lower role (like Editor or Author).
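The same review can be scripted when a site has many users. This is an added example, not code from the original guide or from Monarx: it takes rows exported from wp_users joined to wp_usermeta (the constructed sample below) and flags administrator accounts that are not on your own allowlist or were created recently, which is how attacker-added admin accounts usually stand out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample rows, as you would get by exporting wp_users joined to wp_usermeta
# on meta_key = 'wp_capabilities'. WordPress stores roles as a PHP-serialized array.
SAMPLE_ROWS = [
    ("alice",        "2021-03-02 10:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    ("bob",          "2022-07-19 08:00:00", 'a:1:{s:6:"editor";b:1;}'),
    ("wp-admin-sys", "2024-05-28 03:41:12", 'a:1:{s:13:"administrator";b:1;}'),
    ("carol",        "2024-05-30 14:02:00", 'a:2:{s:6:"author";b:1;s:13:"administrator";b:1;}'),
]
KNOWN_ADMINS = {"alice"}  # accounts the site owner expects to hold admin rights (assumed)

ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def roles_from_capabilities(serialized):
    """Return the role names enabled (b:1) in a serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))

def audit_users(rows, known_admins, today, recent_days=30):
    """List administrator accounts worth a second look: not in the allowlist, or
    created within the last recent_days (a common sign of an attacker-added backdoor)."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for login, registered, caps in rows:
        roles = roles_from_capabilities(caps)
        if "administrator" not in roles:
            continue
        reasons = []
        if login not in known_admins:
            reasons.append("unexpected administrator")
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if now - created <= timedelta(days=recent_days):
            reasons.append("registered in the last %d days" % recent_days)
        if reasons:
            findings.append((login, sorted(roles), reasons))
    return findings

if __name__ == "__main__":
    for login, roles, reasons in audit_users(SAMPLE_ROWS, KNOWN_ADMINS, "2024-06-01"):
        print(f"{login}: roles={roles} -> {', '.join(reasons)}")
```

Any account the script lists should be verified with a person who can vouch for it before it is deleted; a legitimate new admin and a backdoor look identical in the database.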
Step 6: Add a Firewall or Runtime Application Self-Protection (RASP)
There are two powerful technologies that can shield your WordPress site from attacks, and it's worth understanding the difference.
A Web Application Firewall (WAF) acts like a security guard at the entrance to your site. It inspects incoming traffic and blocks requests that look suspicious before they even reach your website — known bad bots, exploit attempts, malicious scripts, and so on.
Runtime Application Self-Protection (RASP) goes a step further. Instead of only guarding the entrance, RASP works from inside the application itself — monitoring what's actually happening in real time and stopping attacks even if they somehow make it past the front door.
For WordPress sites that have recently been compromised, combining both approaches provides the strongest defense. Monarx's ThreatShield delivers exactly this — server-level protection that works at runtime, catching and blocking threats that traditional firewalls miss entirely.
Step 7: Lock Down Your Login Page
One of the most common attacks against WordPress sites is a brute force attack — automated bots that try thousands of username and password combinations until they find one that works. By default, WordPress puts no limit on login attempts, making this attack trivially easy to run.
Here are three things you can do to make your login page much harder to attack:
- Limit login attempts: Install a free plugin like Limit Login Attempts Reloaded. After a set number of failed tries (like 5), it temporarily locks out that visitor.
- Add CAPTCHA to your login page: As covered in Step 2, CAPTCHA stops bots from attempting automated logins in bulk.
- Change your login URL: By default every WordPress site uses /wp-login.php or /wp-admin. A plugin like WPS Hide Login lets you change the login URL to something only you know. Bots scanning for the default login page will come up empty.
Step 8: Install an Activity Log Plugin
Do you know who logged into your WordPress site yesterday? What files were changed last week? Which admin deleted that page? If you can't answer these questions, you're flying blind — and after a security incident, that's a serious problem.
An activity log plugin keeps a detailed record of everything that happens on your site: who logged in (and when), what content was changed, which plugins were activated or deleted, any failed login attempts, and much more. This log becomes invaluable if something goes wrong — it helps you pinpoint exactly what happened, when it happened, and where the attack came from.
Two excellent free options to get started:
- WP Activity Log — the most comprehensive activity logging plugin for WordPress, with real-time alerts and detailed audit trails
- Simple History — a lightweight, easy-to-read log of all admin actions, great for smaller sites
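Step 7 describes the brute force pattern and Step 8 explains why a record of failed logins matters; the added example below (not code from the original guide or from either plugin) shows what that detection looks like when run over a web server's access log. It relies on one WordPress behaviour: a failed login re-renders the form (HTTP 200), while a successful one redirects (HTTP 302). The log lines are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample web-server log lines in the common "combined" format (not from a real site).
# WordPress re-renders the form (HTTP 200) on a failed login and redirects (HTTP 302) on success.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jun/2024:03:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jun/2024:03:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jun/2024:03:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jun/2024:03:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jun/2024:03:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [01/Jun/2024:03:10:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [01/Jun/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Jun/2024:09:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def parse_login_posts(text):
    """Yield (ip, timestamp, status) for every POST to /wp-login.php."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method == "POST" and path.split("?")[0] == "/wp-login.php":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def detect_brute_force(text, threshold=5, window_minutes=10):
    """Return {ip: {...}} for IPs with >= threshold failed logins inside the window.
    followed_by_success marks a 302 after the burst: that is the case that needs an
    immediate password reset and a user-account review, not just a lockout."""
    by_ip = defaultdict(list)
    for ip, ts, status in parse_login_posts(text):
        by_ip[ip].append((ts, status))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [t for t, s in events if s == 200]
        for i in range(len(failures)):          # sliding window over failure times
            j = i
            while j + 1 < len(failures) and failures[j + 1] - failures[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                success = any(s == 302 and t > failures[j] for t, s in events)
                alerts[ip] = {"failures": j - i + 1, "followed_by_success": success}
                break
    return alerts
```

In the sample, the second address is a normal user who mistyped once; only the first address trips the threshold, and because a 302 follows the burst it is reported as a likely successful guess.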
Step 9: Set Up Automatic Backups — Stored Offsite
Backups are your ultimate safety net. If something goes wrong — another hack, a bad plugin update, or an accidental deletion — a backup lets you restore your site to exactly how it was. Without one, you could lose everything: your content, your customer data, your entire business presence online.
Use a plugin like UpdraftPlus (free) to automatically save a copy of your site on a schedule — daily or weekly depending on how often your content changes.
Step 10: Keep Your Site Continuously Scanned for Malware
Security threats evolve every day. New malware, new attack techniques, and new vulnerabilities appear constantly — which means a scan you ran last week may not catch something that showed up yesterday. One-time or infrequent scans leave dangerous gaps in your protection.
The best approach is continuous, automated scanning — where your site is monitored around the clock, not just when you remember to run a check. And when something is found, you want it fixed immediately, not sitting in a report waiting for someone to read it.
Step 11: Make Sure Your Site Uses HTTPS (SSL)
If your website address starts with http:// (without the "s"), the connection between your site and your visitors is not encrypted. This means that anyone spying on that connection can read the data — including passwords and personal information.
Check that your site uses https:// (with an "s" and a padlock icon in the browser). Most modern hosts provide a free SSL certificate — contact your hosting provider to enable it if it's not already active.
Your Post-Cleanup Checklist
- Changed all passwords
- Checked email on haveibeenpwned.com
- Enabled 2FA on all admin accounts
- Added CAPTCHA to login, checkout & forms
- Updated WordPress core, plugins & themes
- Confirmed auto-updates are enabled
- Deleted unused plugins & themes
- Reviewed all user accounts
- Added WAF or RASP protection
- Limited logins & changed login URL
- Installed an activity log plugin
- Set up offsite automatic backups
- Enabled continuous malware scanning
- Verified HTTPS is active
- Enabled real-time protection (Monarx)
This guide is for educational purposes. Always consult a security professional for site-specific advice.