Question: In the last two weeks, all of my WordPress websites that are under my HostGator hosting account have been hacked. HostGator is currently doing a scan for malware – but since that is what they did last week, I need some suggestions for better security. Thanks for any type of “best practices” or links to white papers, etc. where I can get suggestions for protecting these sites more effectively.

Answer: WordPress can be an incredibly secure platform, but it’s important to have a security plan in place to avoid the issues you’re seeing. Since you are in this situation now, here is what we would suggest:
Buy a Sucuri plan with enough slots to cover all your sites. Then submit cleanup requests and set up server-side scans for each individual site. After that is done, install the (free) Sucuri scanner plugin and complete all the hardening steps for each site. Then, from inside the plugin, run a malware scan.
The next step is installing WordFence and BruteProtect on each site. In WordFence, enable the options that compare plugins and themes against the repository versions, and run a WordFence scan. Make sure WordPress and all plugins are updated to their latest versions. Do a plugin/theme audit and remove inactive/unused plugins.
After all this, don’t forget to change your passwords (admin, FTP, and database). Then reset your salts and keys in the WordPress config. They are the secret strings WordPress uses to sign login cookies, nonces, etc. If an attacker knows those, they can forge nonces and cookies, which may give them access again in the future even after the malware is removed. The Sucuri plugin has a one-click “reset salts + keys” option, which should work if your wp-config.php is writable by PHP.
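The salt reset deserves a closer look, because it is the step that actually invalidates anything an attacker signed with the stolen secrets. The script below is an added example, not code from the original answer, Sucuri, or WordPress: it rotates the eight secret constants in a wp-config.php file and then shows that a cookie signature produced under the old AUTH_KEY/AUTH_SALT no longer verifies under the new ones. The `wp_style_hash` helper mirrors the shape of WordPress’s own hashing (HMAC-MD5 keyed with key concatenated to salt) for illustration and is not a drop-in reimplementation; the character set used for new secrets and the sample wp-config.php contents are constructed assumptions.

```python
import hashlib
import hmac
import re
import secrets

# The eight constants WordPress reads from wp-config.php to sign cookies and nonces.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Assumption: a printable alphabet that needs no escaping inside a PHP
# single-quoted string (no quote, no backslash), so the rewritten file stays valid PHP.
_ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
             "!@#$%^&*()-_[]{}<>~`+=,.;:/?|")

# Matches define('NAME', 'value'); with either quote style and flexible spacing.
_DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)\s*;""")


def generate_secret(length=64):
    """Return a fresh secret drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def rotate_wp_config(config_text):
    """Replace the value of every WordPress secret constant found in config_text.

    Returns (new_text, new_values). Constants that are not present are left
    untouched, so callers should confirm all eight were rewritten: when a
    constant is undefined, WordPress falls back to a salt stored in the
    options table, which an attacker with database access may also have read.
    """
    new_values = {}

    def _sub(match):
        name = match.group("name")
        if name not in WP_SECRET_CONSTANTS:
            return match.group(0)          # leave DB_NAME etc. exactly as they were
        new_values[name] = generate_secret()
        return "define('%s', '%s');" % (name, new_values[name])

    return _DEFINE_RE.sub(_sub, config_text), new_values


def wp_style_hash(data, key, salt):
    """HMAC-MD5 keyed with key+salt: the shape WordPress uses when signing
    cookies and nonces (illustrative, not an exact reimplementation)."""
    return hmac.new((key + salt).encode(), data.encode(), hashlib.md5).hexdigest()


def signature_valid(signature, data, key, salt):
    """Constant-time check of a presented signature against the current secrets."""
    return hmac.compare_digest(signature, wp_style_hash(data, key, salt))


# Constructed wp-config.php fragment with deliberately weak placeholder secrets.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'old-auth-key-constructed-for-this-example');
define('SECURE_AUTH_KEY',  'old-secure-auth-key');
define('LOGGED_IN_KEY',    'old-logged-in-key');
define('NONCE_KEY',        'old-nonce-key');
define('AUTH_SALT',        'old-auth-salt');
define('SECURE_AUTH_SALT', 'old-secure-auth-salt');
define('LOGGED_IN_SALT',   'old-logged-in-salt');
define('NONCE_SALT',       'old-nonce-salt');
$table_prefix = 'wp_';
"""


def demo():
    """Rotate the sample config and test an old-key cookie against the new keys."""
    new_text, new_values = rotate_wp_config(SAMPLE_WP_CONFIG)
    missing = [c for c in WP_SECRET_CONSTANTS if c not in new_values]

    # A login-cookie payload signed while the old secrets were in force.
    payload = "admin|1700000000"
    old_sig = wp_style_hash(payload, "old-auth-key-constructed-for-this-example", "old-auth-salt")

    # After rotation the same signature must fail against the new AUTH_KEY/AUTH_SALT.
    still_valid = signature_valid(old_sig, payload, new_values["AUTH_KEY"], new_values["AUTH_SALT"])
    return new_text, new_values, missing, still_valid


if __name__ == "__main__":
    text, values, missing, still_valid = demo()
    print(text)
    print("constants not found:", missing or "none")
    print("old cookie still valid after rotation:", still_valid)
```

In practice, back up wp-config.php first, run the rotation over the real file, and confirm the `missing` list is empty; any constant that is absent should be added rather than left to the database fallback. Rotating the secrets logs every user out, which is exactly the point: sessions and nonces an attacker minted with the old values stop verifying immediately.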
Finally, consider looking for a new hosting service.
In summary:
  1. Buy a Sucuri plan, submit cleanup requests, and set up server-side scans.
  2. Get the (free) Sucuri scanner plugin.
  3. Run a Sucuri malware scan.
  4. Install WordFence and BruteProtect.
  5. In WordFence, compare plugins and themes against repo versions.
  6. Run a WordFence scan.
  7. Update WordPress and all plugins.
  8. Remove unused plugins.
  9. Change passwords.
  10. Reset salts+keys.
  11. Optional: start looking for new hosting.
See the following references for additional info:
There are a decent number of steps there, but they should set up a strong defense for the future. If you’d like us to assist, we can take care of this for you; just submit a WordPress project request.
Nick Ciske

Nick Ciske – CTO / CISO

Nick has a degree in Multimedia Design and over 20 years of experience working in web development and digital media. In his career he’s built or rebuilt just about every kind of website, including many content management systems (before WordPress), several custom e-commerce systems, and hundreds of websites.