A common mistake after a hack is changing the admin password and thinking you’re done. But an attacker may have obtained much more — database credentials, FTP, API keys, session cookies — and every unchanged key is a potential way back. Here’s the full checklist.
Rotate all of this
- All WordPress users — especially administrators. Remove accounts you don’t recognize and force a password reset for the rest.
- The database password — set a new one and update it in wp-config.php.
- Secret keys and salts in wp-config.php — generate new ones from WordPress’s official key generator; it logs out all existing sessions.
- FTP/SFTP and hosting passwords, including any extra accounts.
- API keys and tokens for payment, email (SMTP) and integrations — anything an attacker could have read from wp-config or the database.
Do it in the right order
Rotate keys and passwords after the site is cleaned — otherwise the attacker can just read the new ones via a backdoor that’s still there. Turn on two-factor authentication on all admin accounts at the same time, so a leaked password isn’t enough to get in next time. And check roles: an attacker may have elevated a normal account to administrator.
Don’t forget beyond WordPress
The hack may have spread beyond the site itself. If the same password was used on email, the domain registrar or a CRM, those should be changed too. And if sensitive customer data may have leaked, you might have an obligation to inform those affected — take it seriously before it becomes a bigger issue.
Don’t let one forgotten key undo the cleanup
A WordPress cleanup includes rotating keys and salts as part of the process, so nothing is forgotten. And with Managed WordPress hosting, SSL, PHP and access are managed centrally — fewer keys scattered around means fewer things that can leak, and a clear place to rotate them when needed.