Sorry to hear about this mate, it’s a PITA.
Unfortunately the horse has bolted.
But, once you get the site up again, I’d suggest doing the following:
- Always update your WP to the latest version, including plugins.
- Add a cronjob to do daily DB back-ups (there are a few plugins for this).
- Chmod you .htaccess to 400 or 440.
- There are WP plugins which will limit the number of failed login attempts. These can also be set-up to send you an email in such cases.
You’ll find some good stuff here about hardening your wp files, directories and .htacess file.
Hardening WordPress
You may also find this plugin helpful:
WordPress › BulletProof Security
If your using a static IP you can add a deny all (accept your IP) to a .htaccess file within the wp-admin folder. However this can play havoc with plugins. 9 times out of 10 hackers will use some type malicious injection string or gain access to your .htaccess file or use brute force to try to gain access to wp-login. The later is why it’s good to use at min a 11 character password: Alpha + Numerical + Special Character.
It’s also advisable to change the DB prefix from the generic wp_ to something else (always keep the trailing underscore “_“. If this is a New install do this via wp-config. If your changing an installed WP, make changes to both your wp-config and also your database to reflect the new prefix name.
Change the generic User-Name (used to log into wp-login.php from admin to something else. This can be done via your Database. Browse the SB entry users and look for the admin (will be first entry). Edit this entry and look for the following:
- user_login (change from admin to something else)
- user_nicename (change from admin to say your site name)
- display_name (change from admin to say your site name)
At the end of the day, if someone wants to gain access they will. However, it’s your job to make it a PITA. To the point where most will give up and move onto something easier.