How Do I Know If My WordPress Site Has Been Hacked? This is a question that does come up and with around 20,000 websites getting hacked per day then with this issue the medicine is better than the cure.
When you use WordPress for a website it is generally secure if you take a few basic security measures, but it’s always possible that your WordPress site will get hacked and malicious code injected – simply because of its popularity, there are hackers and bots that scan for vulnerabilities and weaknesses. Hackers exploit security vulnerabilities in the content management system (CMS), out-of-date plugins and themes, or WordPress Core files and gain access through them. Once in they can perform a variety of tasks and actions that can cause chaos on hacked websites.
WordPress security plugins can help to solve this problem by scanning website files every day for any changes which are not authorized. If any are found they can be automatically fixed or you can quickly look into what has happened to your website. Prevention is definitely better than cure and this should be taken seriously.
How do I know if your WordPress site has been hacked? Even the most attentive site owners WordPress site can be hacked, whether through a lapse in attention, incorrect permission for the htaccess file, or a password that is breached elsewhere and then found to work on this site, you need to pay attention to your WordPress website for any error messages or telltale signs.
Table of Contents
Definition: What is Malicious Code?
Malicious code is website code that performs tasks or actions for the website owner without their knowledge and will often result in unwanted or dangerous behavior.
There are a few telltale signs that may help you figure out if your WordPress site is hacked or compromised. In this article, we will share 12 common signs that your WordPress website is hacked.
1. Sudden Drop in Website Visitors
If you’re seeing a sudden drop in website traffic, this could be a sign that your WordPress site has been hacked and infected with malicious code, you may spot this through the Google Search Console or through a drop in messages and inquiries but once web traffic drops it is hard to get back. Hacked WordPress websites are often infected with malware and trojans that hijack your website traffic and redirect it to spammy websites. Another reason for the sudden drop in traffic might be Google’s safe browsing tool, which might be showing warnings to users regarding your website. You can check your website using Google’s safe browsing tool to see your safety report.
Each week Google blacklists around 20,000 hacked websites for malware and around another 50,000 for phishing, you need to avoid being one of these statistics at all costs otherwise your traffic will plummet. Hacked WordPress sites will take a long time to gain the rankings and the confidence of Google again.
2. Bad Links Added to Your Website
One of the most common signs that your website has been hacked is when bad links are added to the website. Hackers will often add links to spammy websites, and these links can be difficult to remove and can sometimes be embedded in the website code. These will often lead you and the visitors to phishing pages and other nefarious websites created by malicious hackers.
On hacked WordPress websites you will need to find and fix the backdoor used to inject this data into your website, you may need the services of a specialist or input from security researchers.
Your Website’s Homepage is Defaced - The Site is Hacked
A defaced homepage gives a clear indication that your site is hacked. The most dangerous part of this attack is the hacker could have inserted links to spam or a malware infection on your website, even replacing your login pages with their own, allowing them to gain your information and complete access to your WordPress site. Sometimes new files are added that will block existing pages and the hacked WordPress website may even demand a ransom for it to be restored. Even after they have released and restored your WordPress site or WordPress sites, what is to stop them using the same exploit or vulnerability to do it again and demand the ransom again?
You will find that many web browsers will now give the user a warning if the website or WordPress site is considered unsafe and be presented with the “Red Screen of Death” on Google Chrome.
If you have linked your website to your Google Search Console then you may get a warning message from them which notifies you of the hack, this is not so useful when it is right in your face and the hacker is gloating about it, but it can be when you have no idea!
You are unable to Login to my WordPress Site
If you are having trouble logging into your WordPress site, it’s possible that you have a hacked site and your account has been deleted by a hacker.
Since the account doesn’t exist, you won’t be able to reset your password from the login page. However, there are other ways to add an admin account using phpMyAdmin or via FTP.
Even if you can’t log in, your site is still at risk until you figure out how the hacker got access as they will have another way.
Suspicious User Accounts in my WordPress Site
If your website has open user registration and you are not using a form of spam user registration protection, then you should remove the spam users added to your site.
If you didn’t allow user registration and your website is being filled with weird and spammy users then your website is most likely hacked!
If that is the case then they will likely have administrator privileges and you’ll be unable to remove them.
Unknown Files and Scripts on Your Server
Unknown files and scripts on your server can be a sign that your website has been hacked. If you’re using a site scanner plugin like WordFence, it will compare your existing files to those of a standard website and alert you when it finds an unknown file or script on your server that is out of place or has had malicious code added. Making sure your WordPress website has the correct file permissions for the folders and files will help to avoid this issue, the htaccess file is a common file for hackers to access.
You will need to connect to your WordPress site using one of your FTP users and a client such as Filezilla. The most common place where you will find malicious WordPress files and scripts is in the /wp-content/ folder. Deleting these files immediately will not guarantee that these files will not return after a short period of time as the entry point still remains. You will need to complete an audit of the security of your website, especially the file and directory structure, a malware scanner can help with this.
Your Website is Often Slow or Unresponsive
Any website or item that is online can become subject to a random denial of service attack. This type of attack will attempt to gain access to the WordPress website using brute force attacks, if you are using one of the many available security plugins then you should be able to block the incoming traffic. Sometimes hosting providers offer this service or CDNs such as Cloudflare offer protection. They will be able to block all the IP addresses that are being used in the attack, if not you can check the server logs for the offending IPs and the error logs for any other issues.
Unusual Activity in Server Logs
Generally, the server logs are accessible and you can find them on your web server. The server log file contains a record of all the activity and errors happening along with the internet traffic. You can check the Error Logs should you need to see the errors.
The server logs are useful as they enable you to see and understand what is going on, if you cannot understand then you can contact your hosting provider and they will be able to check them for you. If you are subject to brute force attacks you should be able to see that information here.
Failure to Send or Receive WordPress Emails
When a website is hacked it will often use the same server to send spam emails. The majority of WordPress hosting companies will allow you to have a free email account and this uses the host’s resources, if (or the hacked website) starts to send out mass emails the host will notice the increase in resources through their spam detection and block your activity which will result in various error messages. The spam emails will generally be blocked shortly after and the hosting provider may issue you a warning or suspend your account until it is fixed.
Suspicious Scheduled Tasks
Cron jobs are standard on a web server, they allow tasks to be automated such as publishing new blog posts, deleting old comments, and removing trash from the website. Malicious hackers can exploit the cron feature and run tasks from your web server. They will sometimes use your server to reschedule the infection so that the site becomes infected again even after it is cleaned.
Hijacked Search Results for Your WordPress Site
You may see your website in the Google search results with an incorrect title and/ or meta description, this is a clear sign that things are not as they should be and you have a hacked WordPress website. The hacker will have changed, edited, inserted malicious files, and malware infections into your WordPress files.
The hacked sites show incorrect meta titles and descriptions only to search engines as they have exploited a backdoor to inject malicious website code.
Pop-ups or Pop-Under Ads on Your WordPress Site
The injected malicious code may cause your WordPress site to display advertisements in the form of pop-ups, pop-under ads, and in-text links. The hacker is injecting this with the recent vulnerabilities that have been found when using outdated plugins. They are not usually obvious at first to the site owners but can be found in certain areas and on particular pages as they are embedded in the PHP files and website code.
Securing and Fixing Your Hacked WordPress Site
If you notice that your site has any of the above issues you will need to install a plugin such as WordFence and perform an in-depth scan of all the website files. If you have any website malware or suspicious files detected you will need to have those repaired or deleted and clean your website up. The security plugins can normally take care of the malware code and this aspect of your website security. You will then need to adopt the best practices and ensure your website is kept updated and you have automated security tools to maintain the best level of cyber security.
Your hosting company will likely take action and ban your hosting account if the website is hacked as the server resources may peak and the infected files may affect other websites on the server.
How to Prevent the Hacked Website Issue Reoccuring
Getting hacked can be a pain but if you’ve got the right tools and know what you’re doing then it’s generally easy enough to fix and you will probably sleep better knowing that your website is back to its regular safe self, but prevention is often easier than cure.
You should make sure that you keep the site regularly updated by yourself or by using a third-party service to do it for you. A weak password, out-of-date plugins, and themes are usually the culprits of the hack and allow the hacker to bypass any security measures.
Keeping on top of your updates is key and allowing only authorized users is even more so! Security issues need to be addressed ASAP as there are always people and bots on the lookout to exploit them. As website owners you may not get any error messages telling you the website is hacked, there are spam emails being blocked, or there is detected malware until it is too late and your Google Analytics drops, your Google webmaster tools plummet, and your hosting company blocks you and you can no longer access the WordPress Dashboard.
Making sure that you have a strong and unique password is key to your WordPress website security. Without this nothing else matters. Another tip is not to use the username “Admin”.
Update Plugins and Themes
Making sure your WordPress plugins and themes are up to date will help to reduce the possible entry points into the website. These are updated for various reasons.
- Security – An exploit may have been found in the plugin and the latest release may patch this. Keeping on top of these is important, an out-of-date plugin will leave your website vulnerable to attack.
- Compatibility – A plugin or theme update may add compatibility with other parts of the website. If the updates are ignored then it is likely that they will soon become incompatible with other parts of the site.
- Features – New features and functionality are introduced and released, these can sometimes cause compatibility issues.
- Performance – Increasing the performance of a plugin or theme, removing code, making it less buggy, are also things that are done in plugin and theme updates.
There are automated systems to update your site but these are not recommended unless you intend to not visit your site for months at a time.
Run Regular malware scans
You can often run regular malware scans from your hosting platform in the Cpanel, if not you can also use a plugin such as WordFence, this will allow you to check your files and make sure they are all as they should be.
Monitor Files for Changes
Using a security plugin, such as iThemes Pro, will allow you to monitor your WordPress files for changes, you will be able to see the changes that have been done. If you are changing and updating the website regularly then it is not always the easiest thing to differentiate between yours and those of someone else, if you are active you will likely be updating the plugins regularly. This feature is best used if you are not active on the site.
Monitor Your Website Traffic
If your website has been hacked, you might notice a sudden drop in website traffic, bad links added to your website, your website’s homepage is defaced, you’re unable to login to WordPress, suspicious user accounts in WordPress, unknown files and scripts on your server, your website is often slow or unresponsive, unusual activity in server logs, failure to send or receive WordPress emails, or popup ads on your website.
You can watch closely your website traffic and ranking activity by using tools such as Google Analytics and Google Search Console.
Use Google Search Console and Browser for Notifications
If you’re not sure if your website has been hacked, you can use Google Search Console to monitor your website for malware and other infections. If Google finds a malware infection on your website, it will send you an email notification. You may also see a warning sign displayed to website visitors directly in the browser. If you have a hacked WordPress site you need to know.