Massive WordPress Security Alert – My WordPress Website Was HACKED! Must Watch Video!!

I thought it could never happen to me. I was wrong, my website was hacked. Find out what happened and why it was not that big of a deal for me.

Make a backup now. Here is a vintage WPCrafter video that will show you exactly how I backup offsite using a free tool

Get better hosting

All of my opinions in this video are my own, I was not paid to make this video. Whenever there is a link in any of my videos, if there is an affiliate program available, it’s safe to assume that you are clicking on an affiliate link. Please check my website for any associated bonus I may be offering, for supporting me, or ask in the comments below.

36 Responses

  1. Blog Tech Support

    Hi Adam, I've installed the Social Warfare Pro plugin. My website wasn't hacked, but Warfare plugins emailed me right when I've heard about it to let me know that there's a security update.

    So even though they should have been on top of this, they are doing everything they can to fix it.
    Now, I'm just getting started with my blog, so no harm is done and even so, it's already fixed, I can understand if you're having multiple hacked websites that it will hurt.

    Keep coming with these videos.

  2. Miguel Ruiz

    In regards to these plugin vulnerabilities, should this be something we should be concerned with on local wordpress installations? Also, once the plugins are deleted, do any of these leave remnants in the database? Such as extra tables?

  3. Giuliano Cavallo

    Hello Adam, there is another hack via the register to site e-commerce, someone will register as a customer to buy or download for example, but somehow the user made himself administrator. I deleted them since administrators can delete content or edit links i suppose. I deactivate register option for now.

  4. Raunak Hajela

    My teammate mentioned about this vulnerability a long time back and also about WebArx. Luckily he manages web security for me and our clients so I don't have to worry about this. He patched this vulnerability for our websites. I didn't know it was this serious, from now on I will share these reports on my profile and keep everyone posted 🙂

  5. North Texas Turf Pros

    Just a brief clarification. In my formal life in the banking industry I was an Enterprise Risk Analyst and a control tester for JPMC and a very large corporate credit union. Your suggestion, which is over all great by the way, is technically a “loss mitigation” control – rather a way to “prevent” the risk from occurring; which is how you described it. (Not trying to be nit-picky, but to just add value to your suggestions and explication). Backups won’t prevent a hack from occurring; they will just help with what’s called “business continuity” I.e, processes and procedures that assist with a businesses ability to get back up and running after an incident causes down-time. Firewalls and dedicated IPs and things of the like help with preventing hacks. Thanks for the update Adam!

  6. fjuraa

    Hi Adam, I was creating a backup with updraft and uploading it to google drive, but I noticed that it cut my "uploads" folder into more pieces, did you ever experience that? Not sure how I would then import it, if it has many parts…

  7. K Hell

    Social Warfare doesn’t seem to be GDPR compliant either – so go for Shariff. It’s free and the only social sharing plugin for WordPress that can deal with the gdpr compliance.

  8. Bhalesh Patel

    I'm curious to know why you didn't add WPXHosting on your site under managed WordPress hosting. If you don't know much about it then I'd suggest you to take a look. Not only is it similar Kinsta (If not faster) and cheaper, their support time in mind blowing.

  9. Jonathan Blair

    Hey Adam, I’ve had a clean history of not being hacked until I used WebArx…It is a startup and so I think my website may have been hacked through their plugin. If you think about it, they offer a service of cleaning up websites as a extra service, so if your site goes down while using their service, maybe you’ll pay them to clean it up. I am curious if only the websites with WebArx were hacked. I have switched hosts, as they were not helpful either and started using Malcare which has a one click scan and clean up. After a long fight and many cleanups, I haven’t been hacked using Malcare and would highly recommend! As well as using ManageWP for backups as it is so cheap and very reliable and easy to restore a website if something goes wrong.

  10. Alexander Bjerkvik

    Been receiving more emails from iThemes lately about people trying to log-into some websites. Keep trying, since I have the usernames and passwords from hell 🙂

  11. Site Studio

    I actually just wrote a post about my site being hacked as well, there was a whole other site (viagra pills) attached to my site in a subdirectory. It was a very tricky hack because It was even in all my backups going back over a month back. I had to export my content and blow up the site, and started over.

  12. Cary Huff

    Thanks for not only looking after us Adam, but giving us timely solutions. G'day from Australia mate. 🇦🇺😎

  13. Okba Cherboub

    1. Backup your website
    2. Hide your wp-admin url
    3. Install itheme security plugin
    4. Don't use admin for username
    5. Keep your plugins updated
    6. Never download free plugin from Google
    7. Check any file before use it with virustotal
    8. Use password generator to generate secure pass
    9. Check any link with https before open it.
    10. Keep your mind updated with all WordPress news.
    11. Good luck 👍

  14. WP Eagle

    Great video! Lot of hacking going on right now. I did a video on this just the other day!

  15. Sacred Walk Home

    Thank You, Adam for keeping us updated. Your're the best. I viewed your backup video. I use Updraft for backing up my site and those I manage.

  16. Colin James Web Design

    Hi Adam, I too have WebArx installed and also Malcare (both on your recommendation) and have them installed on various clients as well as my own websites. The bottom line is Malcare catches and stops things that WebArx doesn't, plus using their software you can clean up the problem really quickly. On the odd occassion, I've been unable to clean the hack myself an email to their excellent support team will have one of their techies clean the affected site for you, all at no extra cost. Plus you can update all your plugins via the dash as well.My backups via Updraft Plus – guess who recommended it.
    I'm going to show my clients who don't want to pay for pro-security/back ups this video.
    All the best.

  17. ilmadii janaat

    hi. i have problem with my wordpress website and my hosting company send me this ticked- I have reviewed the account and did not see any caching setup on your WordPress site. The site is still generating a large amount of CPU usage and the restrictions are still in place. so please can you help me to fixed or can you send me Link if you already upload video that you talking about this problem

  18. Kevin Roberts

    Best Protection: regular backups
    Second-best Protection: paying attention to Adam Preiser

    Thanks for this post Adam.

  19. Byron Tabor

    Never say never,
    Do sites that only publish once every few days need to be backed up every 4 hours, or even daily? How important is it to backup a site for the sake of saving comments that are received between updates? How do tell exactly when the hack occurred, so you don't upload a backup that is hacked?

    I have an exact duplicate of each of my sites, running on a WAMP server, that's blocked from connecting to internet. A little more work but all plugins, themes, etc updates, I install manually. I also back these up to online backup sites. Although I may have a vulnerability, it can't be acted upon while on my computer. It much easier to delete the plugin (or fix the problem), and just upload this version.

    Backing up regularly is fine, but if you don't know which backup is clean, and you have backups from every 4 hours, how many will you have to try before you find a good one? The reason I say this, I had someone contact me to fix their site one time, I went through 2 weeks worth of 6 hour backups before I found a clean one. I've had clients who didn't know their sites had been hacked for months.

    What's the easiest way to tell which backup is clean? Is trail and error the only way?

  20. Vegard Bell

    Paid plugins with frequent updates, and not too many plugins…and also daily backups. That's my plan.

  21. Steven Serfes

    Social Warfare plugin regarding a zero-day vulnerability affecting their sites. At this time, the plugin’s developers have issued a patch for the flaw. All users are urged to update to version 3.5.3 immediately

  22. digwillhachi

    Thank god i don’t use this plugin. I was sweating for a min. My thoughts go to those who were hacked. Such a pain in the butt.

  23. Manash Malakar

    Tomorrow i am working on my website and my itheme security detects some suspicious activity to my website who doing something wrong to my website… I am sharing that ip addresses 1., 2. They are lockedout by the security pligins… Can you tell me that is that good or bad?

  24. Jayjay F

    Wpeagle is another YouTubed who also got hacked he uses wordfence and I recommend ithemes to him after watching your video, in the WordPress community we should help each other