Free WordPress security guides
Plain-English guides for stressed site owners
Everything here is written the way I’d explain it to you directly — no fear-mongering, no jargon. Start wherever your worry is.
Start here
The foundations
01
Identifying Website Hacks
The calm first step: how to tell whether your site is actually hacked.
Read guide →02
Hack Detection & Indicators
The tell-tale signs of a compromised site, in plain English.
Read guide →03
Types of Hacks & Their Specifics
The common ways WordPress sites get hit — and what each one means.
Read guide →04
Security Best Practices
Practical habits that keep your site out of trouble in the first place.
Read guide →05
User Access and Permissions
Who can do what on your site — and why it matters more than you think.
Read guide →06
Backup and Recovery Strategies
How to make sure a hack is a bad day, not a disaster.
Read guide →07
Monitoring and Long‑Term Protection
Catching problems early so they never become emergencies.
Read guide →08
Website Monitoring Services
What monitoring actually does for you, and when it's worth it.
Read guide →09
Website Security Packages
What ongoing protection looks like, and how to choose sensibly.
Read guide →10
Why WordFence
Why I lean on Wordfence for WordPress security, and how to use it well.
Read guide →11
Preventing Future Hacks & Hardening
Closing the doors before anyone rattles them: hardening that actually matters.
Read guide →Rather not do it yourself? That’s what I’m here for.
It just happened
Emergency playbooks
What to do right now, in the right order, without making anything worse.
Hosting Suspensions
That 'Account Suspended' page isn't the end. What hosts want, and how fast you can be back.
Read article →How Sites Get Hacked
The honest answer to the question every hacked-site owner asks me first.
Read article →Hacked Site First Steps
The first hour after you discover a hack. What to do, and what not to touch.
Read article →Warnings & blacklists
Google warnings, blacklists & the fallout
What each red screen, search label and disapproval means, and how it gets cleared.
Deceptive Site Warnings
The red Chrome screen, decoded: what each variant means and how to get it taken down.
Read article →Google Ads Compromised Site
Ads disapproved for a compromised site? Why Ads is stricter than search, and the way out.
Read article →Search Console Security Issues
Every detection type in the report, and how to write a review request that passes.
Read article →Hacks and Your Rankings
What a hack really does to your rankings, and how fast they come back after a proper cleanup.
Read article →This Site May Be Hacked
That little warning under your Google listing, what triggered it, and how to make it go away.
Read article →Know the hack
Field guides to specific hacks
What your site is infected with, how it behaves, and how I clean it.
Defaced Websites
The 'Hacked by' page is the loud part. Recovery means finding the quiet parts too.
Read article →Site Sending Spam Email
Bounce floods, an angry host, blacklisted mail. Finding the mailer script and shutting it down.
Read article →Hidden Admin Users
That admin account you didn't create — and the ones that never show on the Users screen.
Read article →Hacked .htaccess Files
Redirect rules that only fire for Google visitors — and the ten copies you didn't clean.
Read article →Japanese Keyword Hack
Japanese spam pages ranking under your domain, on a site you never touched. Very fixable.
Read article →Malware and Site Speed
When 'my site is slow' really means 'my site is infected', and how to tell the difference.
Read article →Nulled Themes & Fake Plugins
Why the free copy of a $60 theme is never free — you're the payload.
Read article →Phishing Pages
A fake bank login in a folder you never made, and scary emails about it. Here's what to do.
Read article →Reinfection Loops
You cleaned it. It came back. Something survived, and here's how to find it.
Read article →WordPress Backdoors
Why cleanups fail: the hidden doors hackers leave behind, and how I hunt them down.
Read article →Pharma Hack
Google sees Viagra spam on your site. You see nothing. One of the oldest hacks still running.
Read article →WordPress Redirect Hack
Visitors land on casino or pharmacy pages, but the site looks fine to you. Here's why.
Read article →wp-config.php After a Hack
The one file that holds your database keys — what to inspect and rotate once you've been hit.
Read article →Costs & choices
Costs, timelines & decisions
Straight answers about money, time, and whether to DIY or hand it off.
Backups vs. Cleanups
Why rolling back to last week's backup usually brings the hack right back with it.
Read article →Hacked Website Repair Costs
Honest numbers for cleanup work, and what makes some hacked sites cost more than others.
Read article →Hack Recovery Timelines
The honest clock on a recovery: hours for the cleanup, days for Google, longer if you wait.
Read article →Choosing a Cleanup Path
Plugin, service, or a person? Where each one shines and where each one leaves you stuck.
Read article →Recommended reading order
Detect, recover, then prevent
01
Confirm and preserve
Start with the owner checklist. Record symptoms and take a backup before making destructive changes.
Owner checklist →02
Investigate the indicators
Use the technical IOC checklist to examine files, users, tasks, database content and logs.
Technical checklist →03
Recover and harden
Remove the payload and persistence, close the entry point, rotate access and monitor for recurrence.
Prevention guide →