How to know your Wordpress site is hacked and how to fix it

by Remy Pereira on 10th October 2019

Wordpress is one of the most user-friendly content management systems. In 2019, at the time of writing this, it is powering over 30% of all websites in the world. One of the main things that make Wordpress dear to its users is that there is a vast amount of free as well as premium plugins available (over 50,000) for this platform. A person with no coding knowledge can still customize their websites using free themes, visual builders and plugins. There is virtually a plugin for any small feature that you want to add. But with this versatility comes huge security concerns. Many of these plugins are maintained by third-party developers. Some of these plugins may have vulnerabilities or security loopholes. There are also cases when plugins have been sold by original developers and these were bought by hackers who deliberately put backdoors in them.

You could prevent your site from being hacked by installing a security plugin such as Wordfence. You should also ensure that your hosting company has taken proper security measures such as hardening the server using a web application firewall (WAF).

If you are hosting it yourself using a cloud service provider, then you should do the hardening yourself. You could use containerization technologies such as docker to enhance security. However, if the code that you have written on your website has vulnerabilities such as a faulty theme or plugin, then all the above security measures could still be futile.

Symptoms of a hack

How do you recognize that your website is hacked? The answer is to look for the following symptoms.

  1. Links, posts, articles, users or meta data that you did not add to the website.

    Presence of malicious or spam posts are a sure indication of hack. You might also see malicious users that you did not create. Some of these are hard to detect, eg: meta information such as title, meta description. You might see those when listing your pages on Google and they badly affect your SEO.

  2. Malicious redirects.

    The main page or any other internal page could redirect to another website either on load or few seconds after load.

  3. Malware or spam popups.

    You see any malicious pop up that you did not add.

  4. Encoded on encrypted text anywhere on the website.

    These could be visible in the front end or hidden. You may be able to see these when viewing souce code only.

  5. Unknown files in the Wordpress core.

    If you are familiar with the wordpress directory structure and the names of wordpess core files, you may be able to spot them just by browsing through the folders. Or else you can use a scanner such as Wordfence, which will report presence of malicious files in the core. You can also check timestamps of files to see which ones were recently created.

  6. Unusual spike in traffic or bandwidth usage.

    You may see that your webserver access logs are unusually big within a short period.

  7. Google Webmaster tools email alert.

    Google is pretty good at detecting malicious activity, so if you have received an alert you should take it seriously even if everything seems fine on the surface. You may need to dig deep to find the source of the hack.

  8. Your domain name or IP address is blacklisted by McAfee, Bullguard or ISP.

  9. Security scanners such a Succuri, detect a malware.

  10. Unusual JavaScript in source code (such as a crypto coin miner).

  11. Cleverly hidden content in the database (Pharma Hack).

    This one is hard to detect. The malicious content is not visible on the website or backend because it is hidden in plugins and database.

    One example is the notorious pharma hack, where your website has posts about banned or illegal drugs. Basically, your website is used to promote those banned pharma items such viagra, cialis, levitra. Your website shows up on search for these items, however clicking on the links will take the users to the illegal website. This type of hack is only visible to search engines such as google and bing. You may see malicious get requests in your webserver logs (Eg: Apache access logs)

How to fix

So, your site was hacked, now what?

My first advice would be to calm down, because it makes you think better. If possible, take the website down and check the files offline until you clean up.

  • Step 1: Take the website offline temporarily until you identify the source of hack. You can use an IP based restriction to allow you to access the website while displaying a maintenance message for everyone else.

  • Step 2: Scan the website files for malicious code. You can use a security plugin to do an automatic scan. These plugins can detect malicious patterns in code. If you are tech savvy you can manually scan for certain indications of a hack. Keywords such as keywords such as eval() and base64_decode() can indicate hack.

  • Step 3: Remove any files reported as infected from an automated scan or those that you think are suspicious.

  • Step 4: Remove any suspicious users. Change passwords for all legit users and remember to use strong passwords and hard to guess usernames.

  • Step 5: Remove any malicious posts, pages or metadata.

  • Step 6: Check the database (Eg: wp_posts table) for malicious words in post content such as illegal drug names (if you know them from access logs or google listing) and what offensive links or keywords are hidden in your posts. You may use SQL queries on the database if you can identify the words related to those hidden contents.

  • Step 7: Remove any suspicious plugins. Usually the ones with good reputation are maintained regularly with security updates. If a plugin seems to be abandoned or the number of installs is very low, then it could be a suspect.

  • Step 8: Restore the wordpress core files from a fresh copy of Wordpress, ie, contents of directories wp-admin, wp-includes and the wp-* files in the root directory.

  • Step 9: Change your database username and password. Make sure the passwords are strong.

  • Step 10: If you already haven't done so, install a wordpress security plugin such as Wordfence.

  • Step 11: Tighten file and folder permissions. If you have the ownership of your server then you can run commands to change directory permission to 755 and file permissions to 644. You can check this via CPanel or FTP.

  • Step 12: Change passwords of FTP/SFTP users. Make sure passwords are strong.

  • Step 13: If you are hosting with a hosting company, enquire with them what options are available to tighten security. If you are self hosting, check your firewall rules, implement server hardening techniques, use a web application firewall (WAF).

  • Step 14: Make your site live again, but continue to monitor your website in the following weeks with regular security scans and check your Google listings for anything unusual.

  • Step 15: If you are sure you have cleaned your website, you can ask your website to be removed from blacklists. You will have to contact the blacklisting companies and explain to them that you have cleaned up the website. They will review your website and if all is fine, your reputation will be restored.

It is a traumatising experience when your website gets hacked, because it causes blacklisting and is detrimental to SEO. However, with proper measures you can bounceback from an attack. Even if you had a temporary drop in your rankings, you would be able to recover within few weeks and the bad experience will soon be a distant memory.

Post a comment


Nothing the first to share wisdom.