Preventive security measures are great for securing data on your WordPress website. But what if your site has already been hacked? Fortunately, sometimes the fix may be as simple as removing or cleaning the malicious file. Other times, you might need to clean your database or remove hidden backdoors to prevent future hacks.
This post will discuss some of the main signs indicating that your website has been hacked. Then we’ll show you how to clean a hacked WordPress website and provide some tips for tightening security. Let’s get started!
8 Signs That Your Website May Have Been Hacked
Here are eight of the most common signs that your WordPress site has been compromised.
1. You Can’t Log in to Your Site
When you can’t log in to your website, it’s understandable to worry. After all, someone may have stolen your credentials and changed your password.
However, being unable to log in isn’t always a cause for concern. You may have simply mistyped your password or forgotten it.
That’s why it’s always a good idea to try resetting your password first. If this doesn’t work, then your site may have been the victim of an attack, since hackers sometimes remove user accounts or change passwords to block access.
2. Your Website Has Undergone Changes You Didn’t Make
One of the most popular hacking methods involves replacing your homepage with a static page. Therefore, if your website isn’t using your chosen theme, this can indicate that your site has been the target of an attack.
However, there are other, more subtle changes to look out for. For example, new content may have been added, new plugins installed, or discreet links placed in your footer.
Before assuming the worst, we recommend verifying that other people with access to your WordPress website, such as administrators and editors, haven’t made these changes.
3. Your Website Redirects to Another Site
It isn’t always obvious when a hacker has been rooting around in the depths of your website. There are plenty of sneaky tactics attackers can employ to get in and out of your site without leaving behind a trace.
One of these tactics involves using backdoors to access your site, such as scripts or hidden files. Once these have been exploited, hackers can place their malicious redirects on your site, and you’d be none the wiser about this activity. However, if someone tries to visit your site, they’ll be taken to another page (often filled with spam).
This attack can be caused by vulnerabilities on your server. That’s why it’s essential to opt for a quality web host that offers security features such as Web Application Firewalls (WAFs) and Distributed Denial of Service (DDoS) protection. Later in this article, we’ll explain other ways to boost your WordPress website’s security.
4. Browsers Warn Users About Visiting Your Site
If browsers are warning visitors away from your website, this can signal that your site has been compromised.
However, there are other causes of this error that you should check before fearing the worst. These can include problems with code in your plugins and themes, or issues with your SSL certificate.
If you switched themes recently or installed a new plugin, try changing back to an existing theme and deactivating any new plugins. Then, verify that your website is up and running again.
If you’re facing an SSL issue, you can use SSL Checker to verify that your certificate is correctly installed and compatible with browsers. However, if neither method solves the issue, it might be time to explore it a little deeper.
5. Google Warns People About Visiting Your Site
Browsers aren’t the only platforms that can warn visitors away from your website. If you search for your site on Google and find a warning, it has probably been hacked.
This warning is problematic both from a security and Search Engine Optimization (SEO) perspective. If Google considers your site a threat, it may not crawl, index, and rank it favorably within its search results.
6. You Receive Other Warnings About an Unexpected Change
Other platforms, authorities, or tools can also warn you about vulnerabilities and security threats on your WordPress website. For instance, if you have a security plugin installed on your site, you may receive an email or dashboard message alerting you to a protection breach.
Alternatively, your hosting provider may report unusual activity on your account. That’s why it’s worth checking your email inbox frequently and keeping an eye out for any security warnings.
7. You See a Sudden Drop in Traffic
A sudden drop in traffic often has a suspicious cause. This is because hackers often redirect visitors away from your site and towards malicious sources. Therefore, you won’t receive as many users on your actual website.
However, your WordPress site may also have found its way onto Google’s blocklist. In this scenario, Google considers your website suspicious or dangerous, so it will take preventative measures to stop users from visiting it.
8. Your Site Has Become Slow or Unresponsive
If you notice your website becoming frequently unresponsive or suffering much slower loading speeds, this can be worth investigating. For example, DDoS attacks overwhelm your server with fake traffic in an attempt to crash your WordPress website.
Typically, your site will go offline during a DDoS attack. It will also be more susceptible to other threats, such as malware, that can slow down your WordPress site.
The Main Causes of Hacked WordPress Websites
If you want to clean a hacked WordPress website, one of the best places to start is to find the cause of the hack. That way, you’re in a better position to apply the right solution.
Here are a few leading causes of hacked WordPress websites!
1. Weak Passwords
Weak passwords are some of the easiest ways for hackers to gain control of your website. You might not give it too much thought when creating a new account, but a “guessable” password can have severe consequences.
For instance, in 2020, the most common passwords found in leaks were “123456” and “password”. Since these credentials are easy to guess, hackers may be able to get into your site more easily.
Repeating passwords can also make your site more vulnerable to hackers. In fact, only 12 percent of people use new credentials when creating an online account.
Creating unique passwords is especially important, since sticking with the default “admin” username for WordPress already provides half of your login details to attackers. Therefore, it’s worth creating both a unique username and password for your website.
When creating new passwords, consider opting for original, complex keys consisting of special characters, numbers, and letters. It can also be helpful to use a password manager such as LastPass to generate strong passwords and store them securely.
On top of that, you can make sure that access to your website is as strict as possible. Only people who need to be administrators or editors should have the associated user permissions.
2. Outdated Plugins and Themes
Any outdated software can make your WordPress site more vulnerable to hacks. One of the easiest ways for attackers to exploit this weakness is cross-site scripting (XSS). This attack involves hackers injecting scripts into your pages, which then deliver malicious code to your visitors’ browsers.
Additionally, running outdated versions of WordPress can lead to pharma hacks. This is a popular hacking method where hackers insert rogue code into old versions of WordPress.
Moreover, there are other reasons to frequently update the software on your site. For example, many updates for plugins and themes come with important security updates and bug fixes for common WordPress errors.
You can update plugins, themes, and WordPress core by heading to Dashboard > Updates. You’ll then see a list of any available software versions, along with a confirmation if you’re using the latest version of WordPress.
With this in mind, it’s a good idea to delete unused plugins and update those you’d like to keep. You can enable automatic updates for all WordPress core versions from this page. Alternatively, some web hosts will automatically upgrade all software on your website.
Additionally, when installing new software in the future, it’s always best to check out customer reviews. They can indicate whether a developer is trustworthy.
Another way you can verify the safety of plugins or themes is by looking at the support offered by their developers. Furthermore, you might scan through the documentation to help keep your site secure.
How to Clean a Hacked WordPress Website (In 7 Steps)
Now that you know some of the main causes of WordPress hacks, here are seven easy steps to clean a hacked WordPress site.
Step 1: Review New or Recently Modified Files
The first step to cleaning a hacked WordPress site is to look for any new files that weren’t there before the hack. You can use a security plugin such as Wordfence, which will scan your website for you.
Wordfence is a useful security tool that also provides two-factor authentication and a firewall to strengthen protection for your site.
It’s important to verify that there aren’t any new or modified files in your wp-admin, wp-includes, or root folders. You can do this by accessing your File Manager or using Secure File Transfer Protocol (SFTP).
Find your public_html folder and open it.
Now, look at the Last modified date column on each of your files/folders to quickly determine whether anything has recently been changed. If something new has been added since the hack, we recommend investigating and deleting it.
Step 2: Check Diagnostic Pages
If your site has been hacked, Google will generally blocklist it to prevent it from appearing in search engine rankings. You can check to see whether Google has issued a warning for your site using the Safe Browsing Status Tool.
This tool will give you information about your site related to malicious redirects, spam, and harmful downloads.
Google Search Console is also a useful tool in this scenario. It’s completely free to create an account, and you can use it to view data and reports about your site’s security and performance. If Search Console detects any problems, you will find them in your Security Issues report.
Step 3: Remove or Clean Hacked Files
If there is malicious code in your core WordPress files or plugins, you can find and clean malware in WordPress manually. However, be careful not to overwrite the wp-config.php file or your wp-content folder, since this can break your site.
If you have a saved version of your clean site, you can replace the infected files and folders with those from your backup. Backing up your website is essential for this very situation.
Furthermore, your website can become unresponsive or break completely, even when running typical updates or installing a new plugin. Therefore, backups make recovery quick and easy.
It’s also a good idea to store your backups on a different web server from your website. That way, your backup will remain safe even if the server is attacked.
If you don’t have a backup, you can replace your infected files and folders with fresh copies from a new WordPress installation. For custom files (that aren’t in the official WordPress repository), open them with a text editor like Sublime or Notepad++. Then, remove any suspicious code that you find there.
Suspicious code can be difficult to spot. Hackers will try to hide what a script does by obfuscating it until it is unreadable. Another way to keep the code hidden is by turning off any error reporting.
You’ll want to look out for snippets that look like this:
error_reporting(0);
error_reporting(E_ERROR | E_WARNING | E_PARSE);
ini_set('display_errors', "0");
Once you remove lines of malicious code like these, test your website to see if it’s still functional and if there are still signs of a hack.
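As an added example (not part of the original article), here is one way to combine the checks from Steps 1 and 3: compare your live core files against a fresh copy of the same WordPress version, and list what was added, changed, or recently touched. The names `review_core` and `SKIP` and the small demo tree are assumptions made up for this illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Site-specific paths the article says not to overwrite. A fresh download has
# no counterpart for them, so they are left out of the comparison.
SKIP = {"wp-config.php", "wp-content"}


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def core_files(root):
    """Relative paths of every file under root, minus the SKIP entries."""
    return {p.relative_to(root) for p in root.rglob("*")
            if p.is_file() and p.relative_to(root).parts[0] not in SKIP}


def review_core(site_root, clean_root, since=None):
    """Compare a live install with a fresh copy of the same WordPress version."""
    site, clean = Path(site_root), Path(clean_root)
    live, ref = core_files(site), core_files(clean)
    report = {
        "added": sorted(p.as_posix() for p in live - ref),
        "missing": sorted(p.as_posix() for p in ref - live),
        "modified": sorted(p.as_posix() for p in live & ref
                           if sha256(site / p) != sha256(clean / p)),
        "recent": [],
    }
    if since is not None:  # Step 1: files changed on or after this moment
        report["recent"] = sorted(p.as_posix() for p in live
                                  if (site / p).stat().st_mtime >= since.timestamp())
    return report


def demo():
    """Compare two small constructed trees (stand-ins, not real WordPress files)."""
    tmp = Path(tempfile.mkdtemp())
    files = {"index.php": "<?php // front", "wp-includes/version.php": "<?php // v",
             "wp-admin/admin.php": "<?php // admin"}
    for tree in ("clean", "site"):
        for rel, body in files.items():
            (tmp / tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tmp / tree / rel).write_text(body)
    site = tmp / "site"
    (site / "wp-config.php").write_text("<?php // site settings")    # skipped
    (site / "wp-includes/wp-extra.php").write_text("<?php // new")   # not in clean copy
    (site / "wp-admin/admin.php").write_text("<?php // admin, plus an injected line")
    month_ago = (datetime.now() - timedelta(days=30)).timestamp()
    for rel in ("index.php", "wp-includes/version.php"):
        os.utime(site / rel, (month_ago, month_ago))  # untouched since before the hack
    return review_core(site, tmp / "clean", since=datetime.now() - timedelta(days=7))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Files reported as added or modified are the ones to open and investigate before you replace or delete them. Anything outside WordPress core that lives in your root folder will also appear as added and needs the same look.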
Step 4: Clean Hacked Database Tables
If your database has been hacked, it will also need cleaning. You should already know if your database has been compromised if you use a WordPress security plugin or service like Sucuri. Usually, the plugin will notify you about the hacked site via email.
Otherwise, you can use specialized plugins like NinjaScanner to scan your entire database and check for malicious files, links or content.
However, if you’d prefer to carry out these checks yourself, you can clean hacked database tables by searching for suspicious content in your database. It may come in the form of spammy keywords or unfamiliar links.
Once you’ve identified possible sources, open the table that contains the content and manually remove it. Then, test your site to see if it’s working correctly.
Step 5: Secure User Accounts
If your website has been hacked, you won’t know which passwords have been compromised. Therefore, it’s a good idea to change all of your passwords and ask all users with access to your site to change their login credentials too.
It’s important to cover all bases, so consider changing your WordPress password, SFTP credentials, database password, and the details you use to access your hosting account. Additionally, it’s useful to remove any WordPress admin account that you don’t recognize on your site.
You can do this by heading to Users > All Users and switching to the Administrators tab.
To keep your site as secure as possible, we recommend only having one administrator. If you ever need to grant administrator access to other users, it’s best to revoke this privilege once the task(s) is complete.
You can revise user roles by heading to Users > All Users. Then, click on the user account and scroll down to the Role dropdown box.
Here, you can determine how much control you want WordPress users to have over your website. For instance, Administrators and Editors have more privileges in your WordPress dashboard than Contributors do.
Step 6: Remove Hidden Backdoors
Backdoors are malware left behind by hackers that enable them to gain access to your site without using the standard login procedure. These backdoors are often embedded in files with similar names to WordPress core files, but are in the wrong directories. They can also be injected into files such as wp-config.php.
Some of the suspicious PHP functions (backdoors) to look out for include:
- preg_replace (with /e/)
However, these functions may be used legitimately by some official WordPress plugins. Therefore, it’s a good idea to make a fresh backup of your site and check to ensure that it works properly after removing potential backdoors.
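The following added example (not from the original article) turns the hints from Steps 3 and 6 into a scan that lists PHP files worth opening: files that change error reporting, call preg_replace with the /e modifier, or carry a name close to a root-level core file while sitting in another directory. The pattern set, the similarity cutoff, `ROOT_CORE_FILES`, and the sample files are assumptions chosen for this illustration.

```python
import difflib
import re
import tempfile
from pathlib import Path

# Patterns from Steps 3 and 6. A hit is a reason to read the file, not a verdict.
PATTERNS = {
    "error_reporting() call": re.compile(r"\berror_reporting\s*\("),
    "display_errors turned off": re.compile(
        r"""\bini_set\s*\(\s*['"]display_errors['"]\s*,\s*['"]?(?:0|off|false)\b""", re.I),
    # Pattern literal whose trailing modifiers include "e", such as '/x/e'.
    "preg_replace with /e": re.compile(
        r"""\bpreg_replace\s*\(\s*(['"])([^\w\s\\]).*?\2[a-zA-Z]*e[a-zA-Z]*\1"""),
}
ROOT_CORE_FILES = ["wp-config.php", "wp-login.php", "wp-load.php", "wp-settings.php"]


def scan_file(path):
    """Return (line_number, label) for every pattern hit in one PHP file."""
    lines = path.read_text(errors="replace").splitlines()
    return [(number, label) for number, line in enumerate(lines, 1)
            for label, rx in PATTERNS.items() if rx.search(line)]


def misplaced_lookalike(rel):
    """Name the entry of ROOT_CORE_FILES that rel imitates from a subdirectory."""
    names = ROOT_CORE_FILES if len(rel.parts) > 1 else []  # the root itself is fine
    close = difflib.get_close_matches(rel.name, names, n=1, cutoff=0.85)
    return close[0] if close else None


def scan_tree(site_root):
    """Scan every .php file under site_root; returns {relative_path: [findings]}."""
    root, report = Path(site_root), {}
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root)
        findings = [f"line {n}: {label}" for n, label in scan_file(path)]
        imitated = misplaced_lookalike(rel)
        if imitated:
            findings.append(f"named like {imitated} but outside the site root")
        if findings:
            report[rel.as_posix()] = findings
    return report


def demo():
    """Scan a small tree of sample files constructed for this example."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "wp-load.php": "<?php\nrequire __DIR__ . '/wp-settings.php';\n",
        "wp-content/plugins/g/g.php": "<?php\n$t = preg_replace('/\\s+/', ' ', $t);\n",
        "wp-content/themes/demo/functions.php":
            "<?php\nerror_reporting(0);\nini_set('display_errors', \"0\");\n"
            "$out = preg_replace('/.*/e', $data, '');\n",
        "wp-includes/wp-logln.php": "<?php // placeholder body\n",
    }
    for rel, body in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return scan_tree(root)


if __name__ == "__main__":
    print(demo())
```

To use it on your own files, call `scan_tree()` on a downloaded copy of your public_html folder and review each listed file by hand.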
Step 7: Remove Malware Warnings
If Google has blocked your site due to a hack, you’ll need to request a review once you’ve cleaned the malware in WordPress. You can register your website with Google by creating a Google Search Console account.
The method for requesting a review differs based on the type of attack that your site suffered, such as phishing or hacking. We recommend following the steps in this article to find tailored advice for your solution. You might also need to request similar reviews for other search engines if your site was blocklisted elsewhere.
How to Increase WordPress Security Following a Hack (6 Tips)
Website security has probably never felt more important following a hack. That’s why it’s important to put protective measures in place to prevent an attack from happening again. Here are six tips to help you safeguard your WordPress website.
1. Strengthen Your Login Procedures
The best place to start is with a fresh password. As we mentioned earlier, it’s a good idea to cover all the bases, including your hosting account, SFTP credentials, and WordPress login credentials.
You can also prevent unauthorized access to your website by using two-factor authentication. WP 2FA is an excellent tool that enables this functionality.
Users must enter two keys to access your WordPress site. The first key is usually a password. Then, the second key is generated in real-time and sent to an email account, app, or mobile device. Since bots and hackers cannot access the second key, two-factor authentication is a great way to enhance web security.
2. Update and Reset Configuration Settings
A hacker may have changed your WordPress configuration settings during an attack. Therefore, it’s worth resetting your configuration settings to the WordPress defaults.
Fortunately, this process is easy with a WordPress reset plugin. For instance, WP Reset can return your WordPress database to its original settings by deleting customizations and added content.
Once you’ve installed and activated the WordPress plugin, it’s simply a matter of navigating to Tools > WP Reset > Reset. You’ll be prompted to decide which software you’d like to reactivate after the process completes. Then, you’ll need to confirm the procedure by typing “reset” into the box and clicking on Reset WordPress.
It’s also worth updating your website to prevent vulnerabilities in the WordPress software. You can do this by heading to Dashboard > Updates.
Here, you can enable auto-updates and view a list of WordPress plugins or themes that have updates available. For extra peace of mind, we’d recommend removing and replacing potentially suspicious themes and plugins with ones from official sources.
It’s important to create a fresh backup of your website before running any updates. Additionally, it’s helpful to test updates in a staging environment first. That way, if anything goes wrong, your live site will remain unaffected.
To be on the safe side, you might even remove wp-admin and wp-includes using your File Manager or SFTP. Then, you can replace them with new copies from the WordPress repository.
3. Generate New WordPress Keys
If a hacker has a session cookie, they can retain access to your hacked website even when you change your passwords. Therefore, it’s best to reset secret keys. Doing so will force all active users to log out of your site.
You can get new values for your WordPress keys and salts using a secret key generator. Then, update your keys by accessing your wp-config.php file and scrolling down to the section where the keys and salts are defined.
Simply replace the WordPress keys and salts with your new values. Remember to save and re-upload the file to complete the changes.
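If you’d rather script this step, the added example below (not part of the original article) rewrites the eight key and salt lines of a downloaded wp-config.php. It generates the values locally with Python’s `secrets` module instead of an online generator. `rotate_keys`, `read_keys`, and `SAMPLE_CONFIG` are names made up for this illustration.

```python
import re
import secrets
import string

# The eight constants in the keys-and-salts section of wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

# Printable ASCII that is safe inside a single-quoted PHP string:
# everything except the single quote and the backslash.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                   if c not in "'\\")

# Constructed sample input: a cut-down wp-config.php with placeholder values.
SAMPLE_CONFIG = (
    "<?php\n"
    "define( 'DB_NAME', 'example_db' );\n"
    + "".join("define( '%s', 'put your unique phrase here' );\n" % n for n in KEY_NAMES)
    + "$table_prefix = 'wp_';\n"
)


def new_secret(length=64):
    """Random value drawn from ALPHABET with a cryptographically secure RNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Return (new_text, missing): every key/salt define() gets a fresh value."""
    missing = []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"""define\(\s*(['"])%s\1\s*,\s*(['"]).*?\2\s*\)\s*;""" % name)
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A callable replacement is inserted literally, whatever the value holds.
        config_text, count = pattern.subn(lambda _m, line=line: line, config_text, count=1)
        if count == 0:
            missing.append(name)  # not defined in this file: nothing was rotated
    return config_text, missing


def read_keys(config_text):
    """Map each key/salt name to the value currently defined for it."""
    found = re.findall(r"""define\(\s*['"](\w+)['"]\s*,\s*'([^']*)'\s*\)\s*;""", config_text)
    return {name: value for name, value in found if name in KEY_NAMES}


if __name__ == "__main__":
    rotated, missing = rotate_keys(SAMPLE_CONFIG)
    print(rotated)
    print("not found:", missing)
```

Any name returned in `missing` was not defined in the file, so add that line by hand before you re-upload it.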
4. Create Backups of Your Website
Backups are extremely handy following an attack on your site, because you can directly swap website files or folders to recover your content more quickly. Plenty of great backup plugins like UpdraftPlus take care of this process for you.
As we discussed earlier, it’s better to store your backups in a different location than your server, since that hardware is also vulnerable to hacks. In fact, using an off-site location is usually the best way to ensure that your backup is stored securely.
It’s also a good idea to test the restoration process to ensure that it works properly. Additionally, if you’re using a plugin to automate backups, make sure you can create backups as frequently as you need them, whether that’s weekly or daily.
5. Scan Your Computer
Since a hacker only needs to infect one of your users’ computers to access your site, it’s important to ask all team members to run scans on their operating systems. We recommend using a reputable anti-virus program such as Malwarebytes or Avast.
Malwarebytes offers a full threat detection service and excels in malware removal. Meanwhile, Avast detects viruses and picks up on other common threats like phishing and ransomware. Plus, many antivirus programs offer free trials to try out the premium features before you commit.
6. Install a Web Application Firewall (WAF)
A web application firewall provides an extra barrier when hackers try to access your site. Additionally, it strengthens your pages against DDoS attacks. It monitors all HTTP traffic to and from your website, automatically filtering and blocking suspicious requests.
Cloudflare and Sucuri are high-quality plugins that enable you to set up a WAF quickly. A WAF is a great preventative measure, since it stops malicious traffic from ever reaching your pages. Meanwhile, it blocks access to your wp-admin folder and your login page. Moreover, some WAF providers also offer caching to help speed up your site.
It’s normal to panic when your website has been hacked. However, you’ll need to stay calm so you can troubleshoot and fix the problem before it causes more damage. Fortunately, this is easy when you know what to look for.
To recap, here are seven steps to fix hacked WordPress sites:
- Review new or recently modified files.
- Check diagnostic pages.
- Remove or clean hacked files.
- Clean hacked database tables.
- Secure user accounts.
- Remove hidden backdoors.
- Remove malware warnings.