How to know your WordPress site is hacked and how to fix it | Date Published: 2019-10-10 11:01:48

WordPress is one of the most user-friendly content management systems. In 2019, at the time of writing, it powers over 30% of all websites in the world. One of the main things that makes WordPress dear to its users is the vast number of free and premium plugins (over 50,000) available for the platform. A person with no coding knowledge can still customize their website using free themes, visual builders and plugins. There is a plugin for virtually any small feature that you want to add. But with this versatility come huge security concerns. Many of these plugins are maintained by third-party developers, and some of them may have vulnerabilities or security loopholes. There have also been cases where plugins were sold by their original developers and bought by hackers who deliberately put backdoors in them.

You can help prevent your site from being hacked by installing a security plugin such as Wordfence. You should also ensure that your hosting company has taken proper security measures, such as hardening the server and using a web application firewall (WAF).

If you are hosting the site yourself with a cloud service provider, then you should do the hardening yourself. You could use containerization technologies such as Docker to enhance security. However, if the code on your website has vulnerabilities, for example in a faulty theme or plugin, then all of the above security measures could still be futile.

Symptoms of a hack

How do you recognize that your website is hacked? The answer is to look for the following symptoms.

  1. Links, posts, articles, users or meta data that you did not add to the website.

    The presence of malicious or spam posts is a sure indication of a hack. You might also see malicious users that you did not create. Some of these changes are hard to detect, e.g. meta information such as the title and meta description. You might see those when your pages are listed on Google, and they badly affect your SEO.

  2. Malicious redirects.

    The main page or any other internal page could redirect to another website, either on load or a few seconds after load.

  3. Malware or spam popups.

    You see a malicious pop-up that you did not add.

  4. Encoded or encrypted text anywhere on the website.

    This could be visible in the front end or hidden. You may only be able to see it when viewing the page source.

  5. Unknown files in the WordPress core.

    If you are familiar with the WordPress directory structure and the names of the WordPress core files, you may be able to spot unknown files just by browsing through the folders. Otherwise, you can use a scanner such as Wordfence, which will report the presence of malicious files in the core. You can also check the timestamps of files to see which ones were recently created.

  6. Unusual spike in traffic or bandwidth usage.

    You may see that your web server access logs grow unusually large within a short period.

  7. Google Webmaster tools email alert.

    Google is pretty good at detecting malicious activity, so if you have received an alert you should take it seriously even if everything seems fine on the surface. You may need to dig deep to find the source of the hack.

  8. Your domain name or IP address is blacklisted by McAfee, Bullguard or your ISP.

  9. Security scanners, such as Sucuri, detect malware.

  10. Unusual JavaScript in source code (such as a crypto coin miner).

  11. Cleverly hidden content in the database (Pharma Hack).

    This one is hard to detect. The malicious content is not visible on the website or in the backend because it is hidden in plugins and the database.

    One example is the notorious pharma hack, where your website has posts about banned or illegal drugs. Basically, your website is used to promote banned pharma items such as viagra, cialis and levitra. Your website shows up in searches for these items, but clicking on the links takes users to the illegal website. This type of hack is only visible to search engines such as Google and Bing. You may see malicious GET requests in your web server logs (e.g. Apache access logs).
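
Symptoms 4 and 5 can be checked together on an offline copy of the site files. The script below is an added example, not part of the original article: it lists PHP, JavaScript and .htaccess files that were modified recently or that contain encoded content, and the function name, thresholds and patterns are assumptions chosen for illustration.

```python
import os
import re
import sys
import time

# Heuristics chosen for this example (assumptions, not a complete signature set).
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")  # long unbroken encoded run
DECODE_EXEC = re.compile(                               # PHP decoding then executing
    rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
SCAN_SUFFIXES = (".php", ".js", ".htaccess")
MAX_READ = 2_000_000  # bytes inspected per file


def triage(root, days=7, now=None):
    """Return sorted (relative_path, reasons) pairs for files worth a manual look."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    data = fh.read(MAX_READ)
            except OSError:
                continue  # unreadable file or broken symlink
            reasons = []
            # mtime can be reset by an intruder, so a quiet timestamp proves nothing.
            if mtime >= cutoff:
                reasons.append("modified in last %d days" % days)
            if DECODE_EXEC.search(data):
                reasons.append("decode-and-execute call")
            if BASE64_RUN.search(data):
                reasons.append("long encoded string")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python triage.py /path/to/offline/copy/of/site
    for rel, reasons in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rel, "->", ", ".join(reasons))
```

Every hit is a lead for manual review rather than a verdict: legitimate files with inline fonts or images also trigger the long-string rule, and a freshly updated plugin triggers the timestamp rule.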

How to fix

So, your site was hacked, now what?

My first advice would be to calm down, because it makes you think better. If possible, take the website down and check the files offline until you clean up.

It is a traumatising experience when your website gets hacked, because it causes blacklisting and is detrimental to SEO. However, with proper measures you can bounce back from an attack. Even if you had a temporary drop in your rankings, you would be able to recover within a few weeks, and the bad experience will soon be a distant memory.

Open Tech Guides