- First step, remove any users named “admin” (create a new admin-level user with a totally different name, log out, log in as that new user, delete the user named “admin” and attribute all their posts/pages to another user);
- Then remove any users with the ID of “1” even if their name isn’t “admin.”
- Then make sure all the passwords are “strong,” random 12+ character strings of numbers, upper- and lower-case letters, and symbols. (I use 1Password to manage mine.)
- Make sure everything is up to date: core, themes, plugins. (Of course, make sure you already have backups first, before you update.)
- Save a few backups, going back a month or more, to your computer or at least to a location other than just your server. Attacks can spread from one installation to others in the same web host account, even if there is a vulnerability in just one. And the attack could have breached one of your lesser-maintained installations a couple of weeks ago and been working its way from there, hence the back-copies, just in case.
- If you know what to look for, check your wp-config.php file for anything funny or out of place…or even just missing. If you don’t, ask someone else to do it for you. It’s worth looking at anyway if you have an old site, or you’ve taken over a site you didn’t create. I was surprised to find no AUTH keys in one, plus some extra lines of code just before the closing. Even if the site wasn’t victimized, that wp-config.php file was so old, pre-2008, it really needed fixing.
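
One way to automate the wp-config.php check from the last step, as an added example that is not part of the original post: a Python script that flags missing, placeholder or short AUTH keys and salts, plus any code after the wp-settings.php line. The 32-character minimum and the sample file are assumptions made for this example.

```python
import re

# The eight secret keys and salts WordPress expects in wp-config.php.
REQUIRED = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
            "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
SETTINGS_RE = re.compile(r"require(_once)?\b.*wp-settings\.php")

# Constructed sample: one good key, one placeholder, one short, five missing, one stray line.
SAMPLE = """<?php
define('DB_NAME', 'wp');
define('AUTH_KEY', 'x9#Lq2!vR7@pZ4^mT8&wK1*eB6(yN3)u');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'short');
require_once(ABSPATH . 'wp-settings.php');
include 'cache-helper.php';
?>
"""

def audit_wp_config(text, min_len=32):  # min_len is this example's own threshold
    """Return a list of human-readable findings for one wp-config.php."""
    findings, values, settings_line = [], {}, None
    lines = text.splitlines()
    for no, line in enumerate(lines, 1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):
            continue  # skip commented-out lines
        for name, _, value in DEFINE_RE.findall(code):
            values[name] = value
        if SETTINGS_RE.search(code):
            settings_line = no
    for name in REQUIRED:
        if name not in values:
            findings.append(f"{name}: missing")
        elif values[name] == PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(values[name]) < min_len:
            findings.append(f"{name}: shorter than {min_len} characters")
    if settings_line is None:
        findings.append("no require of wp-settings.php found")
    else:  # anything after that require, other than a closing tag, deserves a look
        for no, line in enumerate(lines[settings_line:], settings_line + 1):
            if line.strip() not in ("", "?>"):
                findings.append(f"line {no}: code after wp-settings.php: {line.strip()[:60]}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_wp_config(SAMPLE)))
```

Run it against a copy of the file pulled from a backup rather than the live one; an empty result only means these specific checks passed, so still read the file yourself.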