DEV Community

BitofWP
BitofWP

Posted on • Originally published at bitofwp.com on

Did your WordPress site get hacked? Find out what to do next!

WordPress Hacked Issues?

If you’re using WordPress, you should know that it gets hacked more often than any other CMS or platform. That’s because of its enormous popularity. In fact, WordPress now powers over 33% of the web accounting for nearly 75,000,000 sites.

As such, WordPress is often targeted by hackers for profit. Hacking has become a very lucrative (though illegal) business, earning hackers trillions of dollars each year. That’s right. Trillions. According to some sources, cybercrime generates at least $1.5 trillion annually, costing companies of all sizes a lot more money than they’d like to lose.

These statistics show that hacking is a real threat and that it can happen to anybody. In fact, it may have already happened to you.

If your WordPress website has been hacked (or you want to know what to do if it is), keep reading. We’ve outlined the consequences of a hacked WordPress site, how to tell if your site has been compromised, and what to do in case your site is overtaken by cybercriminals.

The Consequences of a Hacked WordPress Site

First and foremost, when your site gets hacked, know that you’ve lost all control over it. Someone else has broken in and can access it, change it, deface it, or even delete it if they want to. Keep in mind, however, that deleting your site is not likely to happen. That’s because hacks are typically initiated for the purpose of accessing protected information or for use as a legitimate site to redirect users to a hacker’s website. The WordPress Pharma Hack is an example of such malware infection.

Sites with good SEO rankings are an obvious target – hackers will use the hard-earned reputation of highly trafficked websites that rank well in search results and redirect that traffic on their own site. This simultaneously increases their traffic numbers and search rankings, while in turn reducing the organic traffic on the hacked site. If you’re running an online business, this means that you will start to lose money and customers very soon.

On top of that, Google and other major search engines have developed algorithms to recognize sites infected with malware automatically. Website hacks are bad enough by themselves, but your problems can get even bigger if Google notices your website is hacked.

Now let’s take a look at how people can tell if your WordPress site has been hacked.

How People Can Tell If Your WordPress Site Has Been Hacked

It can be tough to know when your site has been hacked because cybercriminals are stealthy when they overtake a website and use it for their own gain. That said, if someone runs a Google search and your hacked WordPress site pops up in the search results, they may notice a message like this:

This message might appear under your site if the Google algorithm detects one (or more) of the following issues:

  • Your site has been altered by a third-party.
  • Suspicious links or pages on your site which are not malware related in a way that would infect your users, but still shouldn’t be there. (e.g., hidden and cloaked spam pages selling things like Viagra products).
  • Malware Redirects that take site visitors to another website once clicking on your Google search results

A warning like this can reduce site traffic by as much as 95%. And the worst part is, Google still hasn’t detected any malware on your site. It is only issuing a warning to potential visitors but has the power to convince people not to visit your site.

In the case Google does find malware on your site, your site will get quarantined and blacklisted.

Next, Google will remove your website pages and posts from its search results. Then, when someone tries to access your site directly, they will see a warning saying that “The site ahead contains malware.” The message might vary depending on the browser, but will look similar to this:

So, apart from having to clean malware from your site, you will also have to remove your site from the Google blacklist(and any other search engines blacklists).

Every day your site spends in quarantine will cost you money, your reputation, and your SEO rankings. If you rely on your website to generate revenue, this can be devastating.

While you can clean your site and delist it from Google’s Blacklist yourself, it might be a good idea to hire a professional WordPress Security company to do it for you. They will have the tools and experience to Fix your WordPress Hacked Site better and faster, resulting in less downtime for your site.

Now let’s look at how you can tell whether your site has been hacked.

5 Signs Your WordPress Site Has Been Hacked

Let’s say your site hasn’t been blacklisted yet, but you think that it might be compromised.

Here’s a list of 5 things that should cause you concern.

1. Your Homepage has been defaced

There once was a time when Vogue’s UK site was defaced with a bunch of velociraptors.



While this may seem humorous, this is just one example out of many where hackers break into a website and leave special messages for site visitors to see. And no matter how silly they may seem on the surface, the truth is, defacement of a website can have a negative impact on your business.

That said, most hackers are not breaking into sites to play around; they are looking to profit off your hard work without anyone noticing. If hackers have changed your homepage to include something that they thought was funny, like a troll message or ‘hacked by’ calling card, they are usually doing it to gain notoriety. It’s also a pretty obvious sign that your site has been compromised.

2. Your WordPress site performance has dropped



When the site is under a ‘Brute Force Attack’ or there is a malicious script using your server’s resources, you’re likely to notice that your site takes longer to respond to clicks or even returns 503 server errors. It may even crash because the strain is too much for your servers to handle at once.

That said, a slow loading website might not necessarily be hacked because many things affect site speed and performance. For example, your site may take longer to load because of things like:

  • A strain on the server resources in a shared hosting environment
  • Major WordPress core updates and compatibility issues
  • A bloated plugin inflating your database
  • Image files that are too large
  • Caching issues

However, if none of this applies to your site, then a drop in performance might indicate that the site is infected or under a DDoS attack.

3. Files with weird names and content are listed in your site directory



PHP files with names such as file25.php’, or what looks like gibberish code, is a major sign that your site has been compromised. Although hackers are more diligent nowadays and try to name the malicious files so they can pass as a plugin or theme file, it is not uncommon to find PHP files with weird names. Another red flag is seeing all these files having the same modification date which differs from one of your WordPress core files.

4. Your Email list grew huge overnight



Some website owners don’t secure their WordPress registration forms. This allows spam bots to register as subscribers and post spam contents right on their sites.

Spam is bad enough on its own, but excess spam indicates an attempt by someone to create an admin user by exploiting plugin vulnerabilities. A 0-day vulnerability has recently been uncovered in the Easy WP SMTP plugin that allowed hackers to register as subscribers but grant themselves admin privileges. And once someone has admin privileges on your site, they can do whatever they like.

5. Admin login details have been changed

If you try to log into your WordPress site and can’t, you should be worried.



When this happens, it usually means a hacker has already gained access to your site and has locked you out by removing your admin user so that they can have total control over the site.

How to Fix a Hacked WordPress Site

In order for any hack to work, malicious files must be placed in your WordPress directory. It can be anywhere: WordPress core, plugin and theme files and the “wp-content/uploads” directory. Depending on the hack, malware code might be hidden in the database as well.

In order to properly remove malware from your site you have to follow these 5 steps:

1. Scan for File Content Differences

There are a lot of WordPress security plugins and online services which will search all WordPress core files, 3rd party themes and plugins, and the posts and comments tables of your database for suspicious entries and unusual filenames. This will help you isolate the rogue hacked and malware files and delete them.

2. Delete the Rogue Hacked and Malware Files

After you have isolated the malware files using a security plugin (or by searching manually) you should delete them. If the files are residing in a directory of a free plugin (like Akismet), then it’s best to delete the entire plugin directory and just download and upload a fresh install. All plugin settings are saved separately in the database, therefore, all of your settings will be preserved.

3. Check the .htaccess File (and Regenerate If Needed)

The .htaccess file can contain redirects to malicious sites, therefore this is a good place to check. If you are seeing any suspicious code, you can just delete it and regenerate it by going to Settings > Permalinks in the WordPress dashboard and clicking Save. You must regenerate the .htaccess file because all pages (except the home page) will return a 404 error if you don’t. This is how the default WordPress .htaccess file looks like.

4. Remove Malicious Code from the WordPress Database

This step will involve using SQL queries and the phpMyAdmin Search tab to find suspicious database entries and delete them. You can find the phpMyAdmin database tool inside your hosting panel, if you’re having trouble locating it then we suggest to ask your hosting provider support for help.

5. Utilize Google Search Console

Google Search Console (previously Google Webmaster Tools) is a great asset. It can be used to diagnose suspicious activity and lift penalties imposed by Google after you’ve been hacked and blacklisted.



Google Search Console will notify you when your site is hacked. This will help you initiate a timely response and clean your site as soon as possible. It will also help you with re-indexing your site after it is cleaned to get it back in Google search results. In time, this will help you restore your SEO rankings.

How to Protect Your WordPress Site from Hackers

Now that you have read (or even worse, experienced) how malware affects your site and SEO rankings, and you want to prevent it from happening to you, here are five steps to fortify your WordPress site:

1. Protect the Login Page



One of the first steps in preventing unauthorized access to your site is limiting the number of login attempts. Changing your WordPress login URL is a good idea as well.

2. Secure Your Files and Database



Next, set the appropriate permissions for files and directories on your server, disallow file editing, and change the database prefix. You can do all of this by using a proper WordPress security plugin.

3. Regularly Update Your Themes, Plugins, and WordPress Core Files



It’s important you always keep software updated. Outdated software is the leading cause of security breaches for WordPress sites.

4. Apply Restrictions for Bots, Certain IPs, and Countries

Blocking bots can help maintain your site performance and prevent spam-bots from hitting your site. Unless you are running a big enterprise site, you don’t need to block them all. You can block some IPs and countries.

5. Monitor Your Site



Always monitor your website for suspicious activity, or use an audit and scanner plugin to help. Many reliable plugins will notify you when there are any changes to your files and database.

Congratulations! You made it this far. So…now what?

WordPress Malware Infections can be tricky. Hackers don’t want people knowing that their sites have been hacked and are being used to profit someone else so they make sure to hide their malware really deep so you can’t notice them.

Unless you are experienced in WordPress file and database management, it’s possible that you’ll overlook some malicious files. If these backdoors remain on your site, hackers will easily hack it again and again. They will also hack all other sites hosted under the same hosting account. Then you’re back to square one or worst.

That’s why it may be a good idea to properly maintain your WordPress website by keeping daily backups and run any pending updates, especially the ones which were published in order to fix WordPress exploits and vulnerabilities. If you don’t have the time or the expertise to run those tasks then we strongly suggest seeking help from a WordPress Support and Maintenance service which can maintain and secure your WordPress site and for a small monthly fee.

The post Did your WordPress site get hacked? Find out what to do next! appeared first on WordPress Support Services by BitofWP.

Top comments (0)