WordCamp Brisbane Presentation: Oh Sh!t I’ve Been Hacked! Help!
At this year’s WordCamp Brisbane, I was fortunate enough to present on a WordPress-related topic that I consider myself well-versed in: Unhacking websites, repairing websites and protecting them from future hacking attempts.
If your website has been hacked and you need it fixed immediately, please use our ‘Fix a Hacked WordPress Website‘ service to get your website back up and running.
If you were lucky enough to have attended, these slides will help guide you through all the resources from the presentation, along with additional resources collated from conversations during the question time.
Links and Resources
Have I Been Pwned
Website to see if you’re username, password, email, and other credentials have been compromised.
PatchStack Vulnerability Database
Database of all known vulnerabilities in the WordPress ecosystem, from themes to plugins.
HT Password block for Admin URL
Tutorial on how to lock down your admin login with an htpasswd restriction to help prevent brute force login attempts.
Logging Activity on Your Websites
Activity Logger
Activity audit logs for WordPress
Logify WP Logger
Recommended and built by attendees at WordCamp for logging and tracking why things have been added, modified or changed in WordPress.
Backups
DNS Security
Cloudflare
DNS management tool that allows for security on the DNS level and Web Application Firewall
Managed & Specialised WordPress Hosting
Kinsta
Specialised WordPress hosting
Staq
Specialised WordPress hosting with a focus on security and an inbuilt malware scanning tool.
Security Monitoring Tools
BitNinja
AI-powered server-level security. Protects your entire server.
Patchstack
Managed security and monitoring for your WordPress website.
Sucuri https://sucuri.net/
Website security monitoring
Wordfence
WordPress-level security tool for monitoring changes on your websites and helping secure your website.
Password Managers
1Password
Excellent password manager
Bitwarden
Open source password manager with a random email generator.
Dashlane
It’s the only password manager that hasn’t been compromised.
Email Logins
SAML Login SSO
https://plugins.miniorange.com/wordpress-single-sign-on-sso
Single sign-on login plugin to allow you to use a centralised tool, such as Google login, to manage passwords as opposed to relying on stored usernames and passwords.
Addy
Anonymising emails. Creates an email alias so you don’t need to worry about having your email compromised.
Two-Factor Authentication Methods
Two Factor Authentication
I highly recommend enabling two-factor authentication (2FA) via the available plugin or service.
WP 2FA
A plugin that you can use to enable 2FA on WordPress logins
YubiKey
2FA device that can be used for passwordless login and as a 2FA device. It’s a physical device that requires physical interaction to authenticate and log in to websites.
CardanoPress Web3 Wallet Login
Instead of a regular username and password, use a web3 wallet that allows you to connect a crypto wallet and sign in using your private key locally rather than interacting online with a database of stored credentials.
Go Static
Simply Static
Create a static version of your website that can’t be hacked: no database, no login, no hacking.

Need Help Unhacking or Dehacking Your WordPress Website?
If you find yourself stuck or don’t have the time or skills to fix or repair your hacked WordPress website, give us a call. Send us a message via the contact form, and we’ll gather all the details from you to get started in cleaning up your website.
You can find additional resources and guides to repairing a hacked website in one of our latest posts, or look into our managed hosting and WordPress maintenance plans to help avoid the situation in the first place.
Also, check out our adventures at WordCamp Asia 2025.
Ready to build a project?
Let's create something amazing together.