Today when I went to one of my web sites I noticed that someone had posted a new photo right on the front page, but I’m the only user. To my surprise they also left a message that says "Hacked by bla bla bla". I went and logged in to WP, and it looks like the password was deleted (they left it without a password), so I had no problems logging in. I checked all the pages and it looks like the only one they played around with was the main page. I edited this page and was able to restore my previous page content by going to the history of changes. I was so happy learning WP, creating themes and actually recommending it to one of my clients, but now what do I tell him, that someday the site may disappear or be hacked? I’m a little scared since I don’t know much about security.
I was reading about security for WP (Digging into WP) and it looks like there are a lot of options to secure your site.
1- Any suggestions on what to do after your site has been hacked?
2- What are the first steps you go through to make WordPress more secure when you create a site for a client and be confident that it is secured?
3- What do you tell the client, do you let him know about the risks?