Check the access logs to find how the one got in and from where , ask your host to blacklist that IP . Follow up some of these steps to be sure that you are safe .
1 . Update your Wordpress to the latest version .
2 . Update your all plugins as well .
3 . Keep backup for your site , maybe you may try some plugins for the database backup ; which keeps the site backup going as some separate remote space or to your email .
4 . Once hacked , try changing your login password for wordpress , cPanel and even database that you are using . Or i prefer you to create a new user for the same database and use it and delete the old once's .
5 . Use the WordPress Key Generator to generate keys (
https://api.wordpress.org/secret-key/1.1/) . I didn’t know much about wordpress keys but it is another important security measure. These keys work as salts for WordPress cookies thus, ensuring better encryption of user data.
6 . Install
WP Security Scan Plugin , This plugin is the real deal. It’s simple and automates stuff. It will scan your wordpress blog for vulnerabilities and inform you if it finds any malicious codes etc. If the texts are in green in the admin panel then you should be good.
7 . Block search engine spiders from indexing the admin section .
To do so , create a robots.txt file in your root directory. Then place the following code in the file:
PHP:
#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
8. Secure your WP-CONFIG . it contains all the sensitive data and configuration of your blog and therefore we must secure it through .htaccess. Simply adding the code below to the .htaccess file in the root directory can do the trick .
PHP:
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
There are many , but maybe the above may help you to secure your site and keep it stable for longer .