A hacked WordPress site causes panic. It’s one of the most frustrating experiences a site owner can face. In this post, I will help you with how to detect whether a WordPress site is hacked or not along with steps to clean your site.
There will be a few tips, in the end, to prevent your WordPress site from being hacked in the future.
How to identify if your WordPress site is hacked?
When your site is hacked it will start behaving as it should not. Generally, a WordPress site can behave strangely without getting hacked. These issues are mainly related to internal settings and plugins causing errors.
For example, your caching plugin can break your site’s layout, misconfiguration of the SEO plugin can result in 403 errors, a white screen because of code conflicts, and many more. But these are not necessarily the signs that a site got hacked.
Let’s take a look at some signs you should be careful with that could be indicating your site is hacked.
- First and foremost, you can’t log in to your site.
- You haven’t done anything to your site recently but you can identify some changes. (It can be your homepage is replaced by a new page or added new content)
- The browser gives you a warning when you try to visit your site.
- Google gives a warning that this site might be hacked.
- Your site is redirecting visitors to other sites.
- Your hosting provider has informed you about unusual activity.
- If you are using a security plugin then you might receive a warning from it as well.
Now let’s look at these events in brief:
1. You can’t log in
Sometimes you can’t log in to your WordPress admin dashboard because of a wrong password or because you have changed your login URL previously. While this is a potential warning of your site is hacked you should not be too quick to consider it. Rather try to reset the password and see if that will resolve your login problem.
If you can’t reset your password that can be a warning sign. Although, being able to reset the admin password doesn’t prove that your site is safe or not hacked. You will have to examine more to identify such potential threats.
The reason why you may not be able to log in once your site is hacked is the hacker either changed your password or removed the user from WordPress. Sometimes they can replace the default login address i.e /wp-admin with something else. If so the site will give a 404 error when you try to visit this address.
2. Your site is changed
If you notice that your site looks different whether it’s the homepage or your website theme without your acknowledgment then it can be a huge sign that someone has accessed your site without permission.
These kinds of changes don’t have to be something that can be spotted easily. Little changes like adding suspicious content, links to spammy or bad sites, and hidden links mean your site could have been hacked.
However, changes like theme or frontpage layout can be caused accidentally when you are updating your theme, activating a pre-built design for your site. I would rather recommend using themes from trustworthy & reputable sources.
3. Browser warns the visitors the site may not be secure
Check your site on visitor’s mode and if you get a warning that the site is not safe it could be a likely warning that your site has been hacked. This can also happen due to a plugin or themes issue with SSL.
In this case, try removing/deactivating the plugins to check whether that resolves the issue as well as check your domain SSL status. If that doesn’t help you should be careful and follow the advice given with the browser warning to diagnose the issue.
4. Search engine’s site hacked warning
Another way to know your site is hacked is through the warning on Google’s search result. Google will display a warning message “the site may be hacked” on SERP under your site or page URL. If you are getting this kind of result lately, then there is a possibility that your sitemap is hacked.
A hacked sitemap or 403 error can prevent Google from crawling the website or at least it will affect the way Google crawled a site. It can be more than just a sitemap hack. You will need to diagnose and find out the origin of this problem.
5. The site is redirecting to external pages
If your site is redirecting to pages or sites that are not related to your contents, contain spammy or adult ads that could be a sign your site has been hacked.
Hackers will probably add scripts or redirect rules which will take the visitors to other sites as soon as they visit yours. This can raise a serious caution in visitors’ minds while they are being taken to the pages they are not keen to visit.
Such behavior not only harms your site reputation but also you will notice a significant downfall in every positive thing on your site, whether that be your daily visits, user engagement, revenue, etc.
6. Warning from your security plugin
Security plugins like Wordfence constantly track the activity on your site. You should have a robust security plugin that protects your site and keeps you informed of all kinds of suspicious activities so that you know what is going on in the backend.
If you have a security plugin then it should notify you about recent unusual activities or if someone is trying to access your site. Once you get informed about such threats regardless if the site is hacked or someone is trying to do so, you can take necessary precautions to protect your site.
Nevertheless, a warning email from your security plugin means bad activities are going on behind and might be a crucial sign of your site being hacked.
7. Warning on your hosting panel
A reputed hosting service has inbuilt tools to monitor your website activities and report if illegal actions are recorded. You will also find a virus scanner to scan your website files for infected files providing backdoor access to the hackers.
Make sure you use a reputed hosting service and keep a close eye on the hosting’s site activity log. If you find any warning in there it could be a sign that someone is hiddenly working on your site.
Now you know the behaviors that warn about a site that has been potentially hacked, let’s find out what you need to do to fix your hacked site and get it back to the ideal state.
WordPress site hacked: What should I do next?
Once you confirm your site is hacked, you will need to take the following steps to clean your site and get it back to its ideal state. You might not have to follow all the steps mentioned below as you might be able to fix your site at any stage of the following.
Step 1: Don’t panic
As I mentioned above a hacked site is the worst thing a webmaster can face, but the first key to progressing towards a solution is to stay calm. You do not need to be frightened in such a situation, instead maintain a clear mind to help yourself to proceed into the diagnosis part.
Since the site is still visible to the audience, to reduce the damage and bad impact consider putting the site into maintenance mode and relax a little bit. You can simply use a WordPress maintenance mode plugin to do that, or if you use Cloudflare then activate the under attack/development mode.
Steps to active maintenance mode in WordPress:
- Log in to your WordPress dashboard (if the site is accessible)
- Go to plugins > add a new plugin.
- Install a maintenance mode plugin.
- Activate the plugin and set the maintenance mode to at least 24 hours.
Once the visitors can’t see what’s going on behind your site, you can take your steps one by one carefully. If you can’t access your site then browse it as a visitor mode to see whether the contents such as posts and images are appearing properly or not. If yes, you need to do a backup job from your cPanel or hosting dashboard. We will go to this step later in this article.
Step 2: Reset the password
Again this step requires the ability to access your site after being hacked. If you can access then it’s important to change the password of all user accounts since you don’t know which account is being used to access your site. If you have multiple users working on your site ask all of them to reset their passwords.
Once the user passwords are modified, next change your hosting password, database password as well as SFTP password.
Step 3: Remove users
If you find any user account on your WordPress site that you do not acknowledge it’s important to remove such accounts. Such accounts could be used by hackers to access your site and perform illegal activities.
You can either remove them right away or confirm with your co-administrators whether they have recently changed their account details or not before finally deleting suspicious accounts.
To remove a user from your WordPress site:
- On the WordPress dashboard expand users.
- Then click on all users.
- Check if you can find any user account under admin access that is out of your acknowledgment.
- To remove a user hover on the user row and click on the delete option.
Step 4: Update plugins and themes
After removing suspicious users next you need to make sure that all the themes and plugins are up to date. Themes and plugins updates are frequently released by the developers to fix security issues and improve protection.
If you are using any plugin that is outdated or not compatible with your WordPress version try to get rid of such plugins if alternative and updated plugins are available.
This step is really important because in case your site is misbehaving because of an outdated plugin or theme then you will be able to resolve your issue by installing the latest updates or an alternative.
Updating a plugin in WordPress is pretty simple. All you have to open the installed plugins page and update the plugins in bulk or one by one. As for themes, go to Appearance > themes and update your currently installed themes.
Another recommendation, do not to keep hold of unnecessary themes unless you are planning to use them in the future. Although, the necessity of doing so is low in priority and entirely depends on your consideration.
Step 5: Reinstall plugins and themes
Apart from updating the plugins & themes, you can check your site status by uninstalling the active plugins and themes. Updating a theme or plugin still can hold bad codes into it that didn’t catch the developer’s attention.
If you are unsure about whether a plugin & theme is causing this problem or being the backdoor access provider then you should debug them at this point. Make sure to uninstall the plugins first and then see the site’s status. If deactivating/uninstalling the plugins bring your site back to an idle state then activate or reinstall the plugins one by one. Check your site’s status after every plugin activation. This way you can find out which plugin might act as a threat to your site. The same procedure applies to the theme diagnosis too.
Step 6: Remove unwanted files
To find out if there’s any file in your WordPress installation that shouldn’t be present install a security plugin like WordFence or use your hosting site scanner. This kind of tool will scan all the files in your hosting directory and inform you about any potentially infected files.
Run a scan and if you notice any such files in the scan result remove that file from your directory. It makes more sense to have a backup of your site before removing the file as well as analyze the file which you are about to remove to replace it with a fresher copy later.
Step 7: Clean out the database
Doesn’t necessarily a way for the hacker to access the site but consider cleaning the database to remove unwanted or bloat entries. This will not only make your database take lesser space but also remove unnecessary rows and related data making your site load faster.
Step 8: Reinstall WordPress
This step is necessary when you can’t access your site to make the changes we have discussed earlier. Make sure your site has the contents and no prior damage has been made to the structure of the site before processing these steps.
First, you need to take a backup of your database and wp-content folder using your cPanel or FTP client. Once you do that, go ahead and reinstall WordPress using the inbuilt installer.
When WordPress installation is complete, now upload the backup contents into your new WordPress installation and configure or import the database backup into the new WP installation.
After that load your site and try accessing your site. In case the issue occurred because of a damaged WordPress installation then it should be solved now. Instead, use the database editor tool to find and fix your user account access. Once you do that you should be able to access your site in the usual way.
Wrapping it up:
Having your website hacked means your site is losing user attraction as well as control over it. This could bring a severe impact on your business. So getting it fixed as soon as possible is important.
I believe the above steps will help you to head in the right direction during such a bad situation. Let us know if you find this article helpful and do not forget to mention any steps you think should be mentioned so that it becomes more resourceful for the readers.
Looking forward to the next… cheers.