WordPress

Checklist: rotate all passwords and keys after a WordPress hack

Change only the admin password and you leave doors open. Here's the full list of what must be rotated after a WordPress hack — and in what order.

A common mistake after a hack is changing the admin password and thinking you’re done. But an attacker may have obtained much more — database credentials, FTP, API keys, session cookies — and every unchanged key is a potential way back. Here’s the full checklist.

Rotate all of this

  • All WordPress users — especially administrators. Remove accounts you don’t recognize and force a password reset for the rest.
  • The database password — set a new one and update it in wp-config.php.
  • Secret keys and salts in wp-config.php — generate new ones from WordPress’s official key generator; it logs out all existing sessions.
  • FTP/SFTP and hosting passwords, including any extra accounts.
  • API keys and tokens for payment, email (SMTP) and integrations — anything an attacker could have read from wp-config or the database.

Do it in the right order

Rotate keys and passwords after the site is cleaned — otherwise the attacker can just read the new ones via a backdoor that’s still there. Turn on two-factor authentication on all admin accounts at the same time, so a leaked password isn’t enough to get in next time. And check roles: an attacker may have elevated a normal account to administrator.

Don’t forget beyond WordPress

The hack may have spread beyond the site itself. If the same password was used on email, the domain registrar or a CRM, those should be changed too. And if sensitive customer data may have leaked, you might have an obligation to inform those affected — take it seriously before it becomes a bigger issue.

Don’t let one forgotten key undo the cleanup

A WordPress cleanup includes rotating keys and salts as part of the process, so nothing is forgotten. And with Managed WordPress hosting, SSL, PHP and access are managed centrally — fewer keys scattered around means fewer things that can leak, and a clear place to rotate them when needed.

Bygg på ett moln du faktiskt äger.

Ingen bindningstid. En körande VM innan du betalar en krona.