WordPress sites are notorious for getting hacked. There’s a popular misconception that WordPress is faulty and easy to hack. The truth is, WordPress is the most popular CMS powering close to 40% of all sites on the web. As such, we can expect that hackers will target it most often, statistically.
Regardless of the fact that naysayers are wrong, the threat is real. You might be experiencing some issues or noticing weird things on your site and suspect that it has been compromised. While a hacked WordPress site is sometimes easy to spot, the malware is not always that obvious.
Here’s a list of signs that may mean your WordPress site has been hacked.
This is one of the most obvious signs showing that someone has hacked your site. This is what hackers do to make a name for themselves. In most cases, boasting is not the hacker’s main intention. What they want to do is make a profit off of your traffic. But in some cases, they’ll just do it for fun and notoriety.
Regardless of the intention, this still means that someone has control over your site. Defacement will have a negative impact on your reputation, resulting in a drop in traffic and, naturally, the loss of revenue.
Malicious redirects can come in many forms. Sometimes hackers will insert links on the pages; other times they will insert scripts that redirect your visitors as soon as they try to load the site. Depending on the script, redirects might happen only to those who use mobile devices and not to others.
Although a redirect can be difficult to spot, in most cases it is really simple to replicate. Just visit your site while logged out and see if it redirects you somewhere else. If you land on a different page, it is likely that you’ll see a popup stating that your computer is infected with malware. The popup will also offer an option to download malware-removal software which is actually malware itself, in disguise.
Depending on how experienced with the web your visitors are, some might fall prey to a hacker if they download any software from the page they are redirected to. This is why it is important to deal with this promptly.
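The logged-out check described above can be scripted. The following is an added example, not part of the original article: it requests a page once with a desktop and once with a mobile User-Agent, does not follow redirects, and reports any target on a different site. The User-Agent strings and function names are assumptions made for illustration, and heavily obfuscated JavaScript redirects will not match these simple patterns.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed User-Agent strings: one desktop browser, one phone.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) Mobile/15E148",
}
META_REFRESH = re.compile(rb"<meta[^>]+http-equiv=[\"']?refresh[^>]+url=([^\"'>\s]+)", re.I)
JS_LOCATION = re.compile(rb"location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I)


class NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx then surfaces as HTTPError


def _site(host):
    """Lower-case a hostname and drop a leading 'www.' so both forms compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def offsite_target(page_url, status, location, body):
    """Return the first redirect target that points at another site, or None."""
    targets = [location] if 300 <= status < 400 and location else []
    for rx in (META_REFRESH, JS_LOCATION):
        targets += [m.decode("latin-1") for m in rx.findall(body)]
    home = _site(urlsplit(page_url).hostname)
    for target in targets:
        absolute = urljoin(page_url, target)
        host = _site(urlsplit(absolute).hostname)
        if host and host != home and not host.endswith("." + home):
            return absolute
    return None


def probe(page_url):
    """Fetch page_url once per User-Agent, logged out (no cookies are sent)."""
    opener, results = urllib.request.build_opener(NoFollow), {}
    for label, agent in USER_AGENTS.items():
        request = urllib.request.Request(page_url, headers={"User-Agent": agent})
        try:
            with opener.open(request, timeout=10) as resp:
                status, location, body = resp.status, None, resp.read(200_000)
        except urllib.error.HTTPError as err:
            status, location, body = err.code, err.headers.get("Location"), b""
        results[label] = offsite_target(page_url, status, location, body)
    return results
```

Calling `probe()` with your own home page URL returns one entry per User-Agent; a result that is `None` for desktop but a foreign URL for mobile matches the device-specific redirect the article describes.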
If you are using Google Analytics, you might notice a sudden drop in traffic stats. This is a result of malware redirecting your visitors to spammy sites. Furthermore, if your site is marked as not safe on Google or even blacklisted, then it should be clear why people are avoiding your site.
This is a tricky symptom. Sometimes we are absolutely sure what the password was and start thinking that someone has changed it. I’ve been there. I forgot I’d put an upper-case letter here and a dot there, a special character at the end and so on.
However, if you are absolutely certain what your password should be, you haven’t changed it, and no one else had access to change your password, this might mean that someone has hijacked your admin account. This also means that hackers will be able to create additional admin users, change the layout of the site and do a lot more damage if this isn’t dealt with properly and promptly.
If you notice that there’s an admin user that you cannot recall adding, this is a big warning sign. Again, it can happen that we forgot that we granted admin privileges to a new team member, but if you are certain that’s not the case, you are looking at a hacker’s admin user.
But suspicious admin users are not the only ones you should be concerned with. If you are using an outdated plugin that has a vulnerability, the hacker’s admin can create countless subscribers and grant them admin privileges. Such a user is then equal to the super-admin and can do whatever they please.
This is one of those uncertain signs. People tend to pack their sites with dozens of plugins, some of which are notorious for straining the server resources, so this might not be a reliable sign that someone hacked your site.
However, if you didn’t make any changes and your site becomes slow and unresponsive overnight, you might be a victim of a so-called DDoS attack. DDoS stands for ‘Distributed Denial of Service’. Basically, this type of attack uses a network of computers with fake IPs that make countless requests to your server. Once the attackers have flooded the server with enough requests, it will start glitching and eventually become unresponsive.
Many WordPress admins use contact forms to interact with their visitors. Often, forms will send email notifications from the site using the default mail server. Hackers often hack the sites with the intent to use mail servers for spam. If you notice that you are not receiving emails generated on your site, call your hosting provider. If they tell you that they’ve blocked you because of spam and you are sure you didn’t violate daily email limits, this is a cause for concern.
Sometimes hosting providers run daily or weekly malware scans so, in this case, they will contact you right away and let you know that your WordPress site has been hacked and suspended from their service.
If you haven’t already done this after reading the steps above, now is a good time. Access your server using FTP (or File Manager if available) and check your WordPress root directory.
Depending on how sophisticated the hack is, you might not see anything strange if you don’t dig deep enough. You should start by checking the following files:
If you see some code that looks like a cipher or something similar, that means that someone has altered these files. Sometimes, hackers will try to mask files by giving them names similar to ones that are normally found in a WordPress installation or a WordPress plugin or theme.
Often, files that have generic names like admin.class.php or admin.old.php might be malware files. These files need to be removed in order to remove the hack. Removing them is often not enough, though, because their presence means there’s a backdoor which hackers use to upload or alter files on your site. They can simply re-add the files after you remove them and continue where they left off.
This is actually one of the strongest signs of a hacked WordPress site so you need to start the cleanup procedure asap.
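As a way to carry out the file check described above on a local copy of the site, here is an added example that is not part of the original article. It flags PHP files whose content looks encoded, files with the generic names quoted above, and files whose names are near-misses of stock WordPress root files. The patterns, thresholds and function names are assumptions chosen for illustration, so a hit means "review this file", not "this is malware".

```python
import difflib
import re
from pathlib import Path

# Heuristic patterns for "code that looks like a cipher" (assumed, not exhaustive).
OBFUSCATION = {
    "eval of decoded data": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "long encoded blob": re.compile(rb"[A-Za-z0-9+/=]{300,}"),
    "hex-escaped string": re.compile(rb"(?:\\x[0-9a-fA-F]{2}){16,}"),
}
# Generic names quoted in the article.
GENERIC_NAMES = {"admin.class.php", "admin.old.php"}
# Files found in a stock WordPress root, used to spot near-miss names.
CORE_NAMES = ["index.php", "wp-config.php", "wp-login.php", "wp-load.php",
              "wp-settings.php", "wp-cron.php", "wp-blog-header.php", "xmlrpc.php"]


def reasons_for(path: Path) -> list:
    """Return the heuristics a single PHP file trips (empty list: nothing flagged)."""
    name, found = path.name.lower(), []
    if name in GENERIC_NAMES:
        found.append("generic name")
    elif name not in CORE_NAMES and difflib.get_close_matches(
            name, CORE_NAMES, n=1, cutoff=0.85):
        found.append("lookalike of a core file name")
    data = path.read_bytes()
    found += [label for label, rx in OBFUSCATION.items() if rx.search(data)]
    return found


def scan_tree(root: str) -> dict:
    """Walk a local copy of the site and map relative path -> reasons to review."""
    base, report = Path(root), {}
    for path in sorted(base.rglob("*.php")):
        hits = reasons_for(path)
        if hits:
            report[path.relative_to(base).as_posix()] = hits
    return report


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, hits in scan_tree(target).items():
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a downloaded copy of the WordPress directory rather than the live server, and compare anything it flags with a fresh copy of the same WordPress, plugin or theme version.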
One of the most sophisticated hacks is hijacking search results. What does this mean? This is a type of hack that targets search engines. When someone types your domain name on Google or other search engines, they will get search results containing your home page and all other indexed pages.
This is a so-called SEO hack. This hack will insert a link to a spammy site, online pharmacy or another undesirable page among the list of legitimate pages on your site. Some of the most common WordPress Spam Hacks are the Japanese Keyword Hack and the Pharma Hack.
It is quite easy to check what your search results look like regardless of how good your Google ranking is. Go to Google and type ‘site:yourdomain.com’ in the search bar. It goes without saying that you should replace ‘yourdomain.com’ with your actual domain name.
The search results should only display pages from your site. If you notice that there are some pages that offer pharmaceutical products or anything else that has nothing to do with your site, this means that you are a victim of the SEO hack.
The biggest issue here is that this hack is generally invisible to you or your visitors. It can take months before you or someone else discovers it. It can be very difficult to remove permanently because most often it will be cleverly concealed inside your files and database.
This might be something that a Professional Malware Removal Service should handle for you.
I’ve saved this one for last because this is not always a sign that someone hacked your site. Often, a white screen of death will be the result of a failed plugin, theme or core update, plugin/theme conflicts or something similar.
However, if you are seeing a white screen of death when trying to access wp-admin, then it may well mean that there’s malware on the site. Malware scripts can contain code that prevents error display, so instead of seeing a list of errors, you will just see a blank page.