A hacked WordPress site causes panic. It’s one of the most frustrating experiences a site owner can face. This post will help you detect whether a WordPress site is hacked or not, along with steps to clean your site.
There will be a few tips, in the end, to prevent your WordPress site from being hacked in the future.
How To Identify if Your WordPress Website Is Hacked?
When your website is hacked, it will start behaving as it should not. Generally, a WordPress site can behave strangely without getting hacked. These issues are mainly related to internal settings and plugins causing errors.
For example, your caching plugins can break your site’s layout, misconfiguration of SEO plugins can result in a 403 error, a white screen because of code conflicts, and many more.
But these are not necessarily the signs that a site got hacked.
Let’s take a look at some signs you should be careful with indicating your website is hacked.
- First and foremost, you can’t log in to your site.
- You haven’t done anything to your site recently, but you can identify some changes. (It can be your homepage is replaced by a new page or added new content)
- The browser gives you a warning when you try to visit your site.
- Google gives a warning that this site might be hacked.
- Your site is redirecting visitors to other sites.
- Your hosting provider has informed you about unusual activity.
- If you are using a security plugin, then you might receive a warning from it as well.
Now let’s look at these events in brief:
You Can’t Log In
Sometimes you can’t log in to your WordPress admin dashboard because of a wrong password, or you have changed your login URL previously.
While this is a potential warning that your website is hacked, you should not be too quick to consider it. Instead, try to reset the password and see if that will resolve your login problem.
If you can’t reset your password, that can be a warning sign. However, resetting the admin password doesn’t prove that your site is safe or not hacked. You will have to examine more to identify such potential threats.
You may not be able to log in once your website is hacked because the hacker either changed your password or removed the user from WordPress. Sometimes they can replace the default login address, i.e.,/wp-admin, with something else. If so, the site will give a 404 error when you try to visit this address.
Your Site Is Changed
If you notice that your site looks different, whether it’s the homepage or your website theme, without your acknowledgment, it can be a huge sign that someone has accessed your site without permission.
These kinds of changes don’t have to be something that can be spotted easily. Minor changes like adding suspicious content, links to spammy or bad sites, and hidden links mean your website is hacked.
However, changes like theme or frontpage layout can be caused accidentally when updating your theme or activating a pre-built design for your site. So I would instead recommend using themes from trustworthy sources such as the WordPress theme repository.
Browser Warn the Visitors the Site May Not Be Secure
Check your site on visitor’s mode, and if you get a warning that the site is not safe, it could be a likely warning that your website is hacked. It can also happen due to a plugin or theme issue with SSL.
In this case, try removing/deactivating the plugins to check whether that resolves the issue, as well as check your domain SSL status. If that doesn’t help, you should be careful and follow the browser warning’s advice to diagnose the issue.
Search Engine’s Site Hacked Warning
Another way to know your website is hacked is through the warning on Google’s search results. Google will display a warning message “the site may be hacked” on SERP under your site or page URL. If you are getting this kind of result lately, then there is a possibility that your sitemap is hacked.
A hacked sitemap or 403 error can prevent Google from crawling the website, or at least it will affect the way Google crawled a site. It can be more than just a sitemap hack. You will need to diagnose and find out the origin of this problem.
The Site Is Redirecting to External Pages
If your site redirects to pages or sites unrelated to your content containing spammy or adult ads, that could be a sign your website is hacked.
Hackers can add scripts or redirect rules which will take the visitors to other sites as soon as they visit yours. It can raise severe caution in visitors’ minds while being taken to the pages they are not keen to visit.
Such behavior harms your site reputation, and you will notice a significant downfall about every positive thing on your site, whether that be your daily visits, user engagement, revenue, etc.
Warning From Your Security Plugin
Security plugins like Wordfence constantly track the activity on your site. Therefore, you should have a robust security plugin that protects your site and keeps you informed of all kinds of suspicious activities to know what is going on in the backend.
If you have a security plugin, it should notify you about recent unusual activities or if someone is trying to access your site. Once you get informed about such threats, regardless of whether the website is hacked or someone is trying to do so, you can take the necessary precautions to protect your site.
Nevertheless, a warning email from your security plugin means bad activities are going on behind you and might be a crucial sign of your site being hacked.
Warning on Your Hosting Panel
A reputed hosting service has inbuilt tools to monitor your website activities and report if illegal actions are recorded. You will also find a virus scanner to scan your website files for infected files providing backdoor access to hackers.
Ensure you use a reputed hosting service and keep a close eye on the hosting site activity log. If you find any warning in there, it could be a sign that someone is hiddenly working on your site.
Now you know the behaviors that warn about a site that has been potentially hacked, let’s find out what you need to do to fix your hacked site and get it back to the ideal state.
WordPress Site Hacked: What Should I Do Next?
Once you confirm your website is hacked, you will need to take the following steps to clean your site and get it back to its ideal state. You might not have to follow all the steps mentioned below, as you might be able to fix your site at any stage of the following.
Step 1: Don’t Panic
As I mentioned above, a hacked site is the worst thing a webmaster can face, but the first key to progressing toward a solution is to stay calm. You do not need to be frightened in such a situation; instead, maintain a clear mind to help yourself to proceed into the diagnosis part.
Since the site is still visible to the audience, consider putting the site into maintenance mode and relaxing a little bit to reduce the damage and bad impact. You can use a WordPress maintenance mode plugin to do that or use Cloudflare to activate the under-attack/development mode.
Steps to active maintenance mode in WordPress:
- Log in to your WordPress dashboard (if the site is accessible)
- Go to Plugins > Add a new plugin.
- Install a maintenance mode plugin.
- Activate the plugin and set the maintenance mode to at least 24 hours.
Once the visitors can’t see what’s going on behind your site, you can take your steps one by one carefully.
If you can’t access your site, then browse it as a visitor mode to see whether the contents, such as posts and images are appearing correctly or not. If yes, you need to do a backup job from your cPanel or hosting dashboard. We will go to this step later in this article.
Step 2: Reset Your Password
Again this step requires the ability to access your site after the website is hacked. If you can access it, it’s important to change all user accounts’ passwords since you don’t know which account is being used to access your site.
You can use the free plugin – Emergency Password Reset to do that.
Also, if you have multiple users working on your site, ask all of them to reset their passwords.
Once the user passwords are modified, change your hosting password, database password, and SFTP password.
Step 3: Remove Users
If you find any user account on your WordPress site, you do not acknowledge it’s essential to remove such accounts. It is because hackers could use such accounts to access your site and perform illegal activities.
You can either remove them right away or confirm with your co-administrators whether they have recently changed their account details or not before finally deleting suspicious accounts.
How to remove a user from your WordPress site:
- On the WordPress dashboard, expand users.
- Then click on all users.
- Check if you can find any user account under admin access that is out of your acknowledgment.
- To remove a user, hover on the user row and click on the delete option.
Step 4: Update Plugins and Themes
After removing suspicious users, you need to make sure that all the themes and plugins are up to date. The developers frequently release themes and plugin updates to fix security issues and improve protection.
If you are using an outdated plugin or not compatible with your WordPress version, try to eliminate such plugins if alternative and updated plugins are available.
This step is essential because if your site is misbehaving because of an outdated plugin or theme, you will resolve your issue by installing the latest updates or an alternative.
Updating a plugin in WordPress is pretty simple. All you have to do is open the installed plugins page and update the plugins in bulk or one by one. As for themes, go to Appearance > Themes and update your currently installed themes.
Another recommendation is not to keep hold of unnecessary themes unless you plan to use them in the future. Although, the necessity of doing so is low in priority and entirely depends on your consideration.
Step 5: Reinstall Plugins and Themes
Besides updating the plugins and themes, you can check your site status by uninstalling the active plugins and themes. Unfortunately, updating a theme or plugin still can hold bad codes into it that didn’t catch the developer’s attention.
If you are unsure whether a plugin or theme is causing this problem or being the backdoor access provider, you should debug them. Make sure to uninstall the plugins first and then see the site’s status.
If deactivating/uninstalling the plugins bring your site back to an idle state, then activate or reinstall the plugins one by one. Check your site’s status after every plugin activation.
This way, you can find out which plugin might act as a threat to your site. But, of course, the same procedure applies to the theme diagnosis too.
Step 6: Remove Unwanted Files
To find out if there’s any file in your WordPress installation that shouldn’t be present, install a security plugin like All In One WP Security & Firewall or use your hosting site scanner. This kind of tool will scan all the files in your hosting directory and inform you about any potentially infected files.
Run a scan, and if you notice any such files in the scan result, remove that file from your directory. It makes more sense to have a backup of your site before removing the file and analyzing the file you are about to remove to replace it with a fresher copy later.
Step 7: Clean Out the Database
It doesn’t necessarily mean the hacker can access the site but consider cleaning the database to remove unwanted or bloat entries. It will make your database take less space and remove unnecessary rows and related data, making your site load faster.
Step 8: Reinstall WordPress
This step is necessary when you can’t access your site to make the changes we discussed earlier. Ensure your site has the contents and no prior damage has been done to the site’s structure before processing these steps.
First, you need to backup your database and wp-content folder using your cPanel or FTP client. Once you do that, go ahead and reinstall WordPress using the inbuilt installer.
When the WordPress installation is complete, upload the backup contents into your new WordPress installation and configure or import the database backup into the new WP installation.
After that, load your site and try accessing your site. In case the issue occurred because of a damaged WordPress installation, then it should be solved now.
If not, use the database editor tool to find and fix your user account access. Once you do that, you should be able to access your site in the usual way.
Having your website hacked means your site is losing user attraction as well as control over it. It could bring a severe impact on your business. So getting it fixed as soon as possible is essential.
I believe the above steps will help you head in the right direction during such a bad situation.
Let us know if you find this article helpful, and do not forget to mention any steps you think should be mentioned so that it becomes more resourceful for the readers.