Some key steps:
- Update plugins, themes, and WordPress core to the most recent versions.
- Remove extraneous logins from WordPress and hosting (old developers, past employees, etc.).
- Reset all passwords in WordPress and the hosting account. This means forcing a password reset request for all users.
- Make sure all accounts in WordPress and hosting still have your emails or emails you recognize associated with them. Delete ones that don’t.
- Install security scan plugins one at a time, then deactivate and delete them, one at a time. Make a note of any issues uncovered.
- Talk to a good dev resource about cleaning up any other issues. For example, free contact form plugins can have
- Create additional layers of authentication for CMS access to prevent brute-force break-ins.
- Remove any pages you find through a Google search or internal site search, and ask Google not to count them in GSC.
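
For the account-review steps above, an added example (not part of the original checklist): a shell function that reads the CSV produced by `wp user list --fields=ID,user_login,user_email,roles --format=csv` and flags accounts whose e-mail domain is not on your allowlist, marking administrators as the highest priority. The allowlist `example.com` and the sample rows are constructed for illustration.

```shell
# Added example: flag WordPress accounts whose e-mail domain you do not recognize.
# Input on stdin: CSV from
#   wp user list --fields=ID,user_login,user_email,roles --format=csv
# $1: space-separated allowlist of domains (an assumption; supply your own).
audit_wp_users() {
  awk -F',' -v allowed="$1" '
    BEGIN {
      n = split(tolower(allowed), d, " ")
      for (i = 1; i <= n; i++) ok[d[i]] = 1
    }
    NR == 1 || NF < 3 { next }            # skip the header row and blank lines
    {
      id = $1; login = $2; email = tolower($3)
      # Roles are the rest of the line; several roles arrive quoted,
      # e.g. "administrator,editor", so rejoin the split pieces.
      roles = $4
      for (i = 5; i <= NF; i++) roles = roles "," $i
      gsub(/"/, "", roles)
      at = index(email, "@")
      domain = (at > 0) ? substr(email, at + 1) : ""
      if (domain in ok) next              # exact match only; subdomains are flagged
      sev = (roles ~ /(^|,)administrator(,|$)/) ? "HIGH" : "REVIEW"
      printf "%s id=%s login=%s email=%s roles=%s\n", sev, id, login, email, roles
    }
  '
}

# Constructed sample rows (not real accounts) in the same CSV layout.
sample_csv() {
  cat <<'EOF'
ID,user_login,user_email,roles
1,siteowner,owner@example.com,administrator
7,olddev,dev@agency.example,"administrator,editor"
12,jsmith,jsmith@example.com,editor
31,wpsupport,support@mailbox.invalid,subscriber
EOF
}

sample_csv | audit_wp_users "example.com"
```

On a live site, replace `sample_csv` with the `wp user list` command and review every flagged line by hand before deleting an account.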