You know I've been on a mission to help rid ourselves of all the problems we see with sites being defaced, hack'd, crack'd, and pillaged. Frankly, if you have a WordPress blog that hasn't been upgraded to the latest version (currently 2.5.1), it's not a matter of IF but a matter of WHEN you can expect to see it attacked.

Luckily, I'm not the only one who has been noticing the ever-increasing problem, and lucky for all of us, there are now some steps you can take to help defend your sites from these kinds of attacks. Below I'll list the various actions you can take (or point to resources) - some are preventive measures, and some are after-the-fact cleanup steps. Either way, you need to have as much information at hand as possible to effectively deal with this problem. (Note that although some of these steps are specifically for WordPress, some can be used elsewhere. I'll note that as we go along).

Preventive Steps

  • Install the Login Lockdown WordPress plugin. This will prevent brute force attempts at grabbing your admin password. (WordPress only)
  • Install the WordPress Database Backup plugin. You can set this plugin to automatically backup your blog's database every night and email it to you, so you never have to remember to backup. This is essential for being able to revert back to a known-good state. Once installed, test it, and make sure you get a good backup right now. (WordPress only)
  • Backup your site's files now while you know they are clean. You can grab a backup from CPanel if your host uses that, or you can just FTP all the files down. In the comments below, Paige points to a nice post showing how to automate the CPanel backup here.
  • Install the WordPress Automatic Upgrade plugin. It makes upgrading WordPress blindingly easy, and the easier that step is, the more likely it is that you will actually DO it. (more info on the plugin here). Once installed, use it! (if you aren't already running the latest version, that is) (WordPress only)

After The Fact

  • Even though this tool detects problems after the fact, you need to sign up for SERPGuard NOW. This is a brand new tool that Nick Wilsdon has graciously created for us all, and it's an essential tool in this fight. (more info on the service here, here, here, and here). Basically, what SERPGuard does, is monitor Google's malware and phishing blacklists, and alerts you if your sites are on them. This happens frequently when your site is attacked, and the sooner you find out about it, the better. Google does list this information in the Webmaster Tools, but if you aren't using WMT, or you just don't regularly visit it, you won't know that you've been hit. (Google claims to email webmasters, but I've seen people get hit and never get an email). SERPGuard definnitely lets you know, and there are various ways to be informed (email and RSS). This won't prevent an attack, but it will warn you QUICKLY if you've been attacked. (For all sites, not just WordPress).
  • Once you know you've been attacked, it's time for the cleanup process. Smackdown has a comprehensive post about cleaning your hacked WordPress blog, so I'll just link to it here. Obviously, I hope you never have to use that post, but if you need it, it will be a lifesaver for you. (WordPress only)
  • Finally, if Google has kicked you out of the SERPs (and they probably have), you can request reinclusion and explain what happened, and that you've cleaned everything up. You'll need to do this via the Webmaster Central, however, so you'll have to sign up there if you haven't already. (ADDED LATER FROM COMMENTS BELOW: You can also get your site reviewed through . This can be useful if you do not want to create a GWC account for the site. However this will likely be a slower process than Google, who is looking to get a 24hr turnaround on requests.) (For all sites, not just WordPress)

Google has also blogged about this subject, so if you want to see their advice, you can get that here and here. (For all sites, not just WordPress)

If you take the proactive steps to protect your blog, you may never need the "after the fact" steps, but keep them handy - just in case. They'll help prevent your blood pressure from exploding when you're trying to figure what the heck to do.

Final note: The first person who complains about the inappropriate use of the term "hacker" instead of the more appropriate term "cracker" gets a virtual SLAP from me. Even Google uses the term "hacker" in their posts above, so I figure it's ok for me to do so as well.