WordPress Hacked? Here’s What to Do


If you’re a WordPress site owner, then you know that security is always a top concern. Unfortunately, WordPress sites are often targeted by hackers, and it’s important to know what to do if your site is hacked. In this post, we’ll walk you through the steps to take if your WordPress site has been compromised. We’ll help you determine if your website has been hacked, troubleshoot the problem, and make your WordPress site more secure.

Don’t wait until it’s too late – follow these steps today!

When your WordPress website suddenly stops working properly, it’s easy to panic. In this post, I’ll help you find out if your website has been hacked, guide you through troubleshooting steps, and help you make it more secure.

Finally, I’ll give you some tips to prevent your WordPress site from being hacked again in the future.

Ready? Take a deep breath and let’s get started 😉

WordPress Hacked: Signs your WordPress site is compromised or under attack

Your WordPress site is not behaving as it should. But how do you know that the problem is due to a hack? Let’s take a look at some of the signs that your site has been hacked:

  • You can’t log in.
  • Your website has changed without you doing anything (e.g. the homepage has been replaced with a static page or new content has been added).
  • Your page redirects to another page.
  • You or other users receive a warning in the browser when trying to access your website.
  • When you search for your website, Google will warn you that it may have been hacked.
  • You received a notification of a breach or an unexpected change from your security plugin.
  • Your hosting provider has warned you about unusual activity on your account.

Let’s take a look at each of these points.

You can’t log in

If you are unable to log into your website, it may be a sign that your website has been hacked. However, it’s more likely that you just forgot your password. So before you assume you’ve been hacked, try resetting your password. If you can’t, that’s a warning. Even if you can, you might still have been hacked and need to investigate this a little more.


Hackers sometimes remove users or change user passwords to prevent access. If you can’t reset your password, your user account may have been removed, which is a sign of hacking.

You can also check if other users can log in. If you are the only one who can’t log into your WordPress site, it may mean that your user account has been specifically targeted. But if other users can’t log in either, it’s likely that the hackers have changed the WordPress password, which we’ll talk about next.

Your website has changed

One form of hacking is to replace the home page with a static page. If your website looks completely different and doesn’t use your template, it has probably been hacked.

The changes can be more subtle, such as adding unwanted content or links to unwanted websites. If your footer is full of links that you didn’t add, and especially if those links are hidden or in tiny font size, you might have been hacked as well.

Before assuming you’ve been hacked, ask other site admins or editors to make sure they didn’t accidentally make the changes.

If your theme isn’t from a reputable source and you recently updated it, it could be the source of the hack. WordPress themes and plugins can contain malicious code that gives the hacker access to your WordPress site. If you’re not sure whether your theme or plugin is safe, check with the developer or remove it from your WordPress site.

Your website redirects

Sometimes hackers add a script that redirects people to another website when they visit yours. This will likely be a website that you don’t want your users to be redirected to.

This happened to me when I was managing a school’s website and I was redirected to a dating site. As you can imagine, my client wasn’t happy, and I had to drop everything else I was doing and fix it right away. It turned out to be an insecurity on the server and not on my site, which is a reason to only use quality hosting. I switched hosting providers asap and fixed the hack almost immediately.

If you’re being redirected to another website, it’s a sign that your WordPress site has been hacked.

Browser Warnings

If your browser warns that your website is compromised, it could be a sign that your website has been hacked. It could also be code in a theme or plugin that you need to remove or an issue with domains or SSL.


If you see a warning in your browser, it’s worth investigating to see if your WordPress site has been hacked.

Follow the instructions in your browser to help you diagnose the problem.

Search Engine Warnings

If you search for your website and it’s been hacked, Google may display a warning. This could mean that the sitemap has been hacked, which would affect the way Google crawls your site. Or it may be a bigger problem: you’ll need to work through the diagnosis below to find out exactly what happened.


Why do WordPress sites get hacked?

There are many reasons why WordPress sites get hacked, but here is an overview of the most common causes.

Insecure passwords

This is one of the most common causes of hacking. The most used password in the world is “password”. Strong passwords are required not only for your WordPress admin account but for all your users and all aspects of your site, including FTP and hosting.

WordPress sites are popular targets for hackers because they are easy to find and attack. WordPress is used by millions of websites and is the most popular content management system (CMS) in the world.

WordPress is open-source, which means that anyone can contribute code to WordPress and make it better. But it also means that anyone can find vulnerabilities in WordPress and exploit them.

Outdated software

Plugins and themes, as well as WordPress itself, are subject to security updates that need to be applied to your site. If you don’t keep your templates, plugins, and versions of WordPress up to date, you’re making your site vulnerable.

WordPress sites that are not updated are an easy target for hackers.

Unsafe code

Plugins and themes that are not from reputable sources can cause vulnerabilities on your website. If you are using free WordPress themes or plugins, install them from the official theme directory.

When purchasing premium themes and plugins, be sure to check the provider’s reputation and seek recommendations from people and sources you trust. Never install nulled plugins, i.e. pirated copies of premium plugins offered on free websites, which are designed to cause harm or gather information.

How is WordPress Hacked?

If you want to learn more about how WordPress sites get hacked (and don’t need to jump straight to the steps for fixing your own site), here are the most common ways hackers get into a site:

  • Backdoors – these bypass the usual methods of accessing your website, e.g. via scripts or hidden files. An example was the TimThumb vulnerability in 2013.
  • Pharma Hacks – an exploit used to inject rogue code into outdated versions of WordPress.
  • Brute force login attempts – when hackers use automation to exploit weak passwords and gain access to your website.
  • Malicious redirects – when backdoors are used to add malicious redirects to your website.
  • Cross-Site Scripting (XSS) – the most common vulnerability in WordPress plugins, these inject scripts that allow a hacker to send malicious code to the user’s browser.
  • Denial of Service (DoS) – when errors or bugs in a website’s code are used to overwhelm a website so that it no longer works.

If you run an eCommerce site, be sure to check out our in-depth guide to e-commerce fraud prevention.

These all sound pretty scary, but there are steps you can take to protect your WordPress site from them. First, let’s go through the steps you need to take if your website gets hacked.

WordPress Site Hacked: What To Do (Step-by-Step Guide)

Step 1: Don’t Panic

I know the worst thing to say to someone who is panicking is “don’t panic”. But you need a clear head if you want to be able to diagnose and solve the problem.

If you can’t think straight, just put your site on maintenance mode and leave it for a few hours until you feel calmer. Again, that sounds easier said than done, but it’s crucial here.

Step 2: Put your website into maintenance mode

You don’t want visitors to find your site in its compromised state, nor do you want them to see what your site will look like while you fix it.

So put it into maintenance mode if you can.

If you can’t log in to your WordPress site right now, you won’t be able to, but come back and do it as soon as you can.

A plugin like Coming Soon Page & Maintenance Mode allows you to put your website into maintenance mode, making it look like it’s under scheduled maintenance instead of being fixed after a hack.

Once you’ve done that, you can relax a little knowing that people can’t see what’s going on.

You can configure the plugin to add a logo and customize the colors, or you can just enter a short explanatory text and leave it at that.

Now you can see your broken site, but other people can’t.

Step 3: Use a malware removal service

To save you the trouble of all the steps below, you can purchase a Malware Removal Service for a one-time fee of $350-$550.

You can always contact the Datacrypt team and book your malware removal service. Datacrypt’s team of experts will then take care of removing unwanted code and programs from your website.

If you don’t want to or can’t do this, read on to learn more about how to fix your hacked website.

Did you know that Datacrypt has its own malware and virus removal service? Check it out and get your website fixed today!

Step 4: Reset Passwords

Since you don’t know what password was used to gain access to your website, it’s important to change them all to prevent the hacker from using them again. This isn’t just limited to your WordPress password: reset your SFTP password, database password, and password with your hosting provider as well.

You must ensure that other admin users reset their passwords as well.

Step 5: Update Plugins and Themes

The next step is to make sure all your plugins and themes are up to date. Go to Dashboard > Updates on your site and update anything that is out of date.

You should do this before attempting other fixes because if a plugin or theme makes your site vulnerable, further fixes you make can be undone by the vulnerability. So make sure everything is up to date before proceeding.

Step 6: Remove unknown users

If admin accounts have been added to your WordPress site that you don’t recognize, it’s time to remove them. Before you do this, check with any authorized admins to make sure they haven’t changed your account details.

Go to the Users screen in your WordPress admin and click the Admin link above the list of users. If there are users there who shouldn’t be present, check the box next to each of them and then select Delete from the Bulk Actions drop-down list.

Step 7: Remove unwanted files

To find out whether there are files in your WordPress installation that shouldn’t be there, install a security plugin like WordFence, which will scan your website and flag files that don’t belong, or use a security service like Sucuri.

Step 8: Clean up your sitemap and resubmit it to Google

One cause of a website being flagged by search engines may be that your sitemap.xml file has been hacked. In one case we identified at Kinsta, a sitemap had been infected with broken links and extraneous characters.

You can regenerate your sitemap with your SEO plugin, but you also need to tell Google that the site has been cleaned. Add your site to Google Search Console and submit your sitemap so Google knows it needs to re-crawl the site. This does not guarantee that your site will be crawled immediately; it can take up to two weeks. There’s nothing you can do to speed this up, so you’ll need to be patient.

Step 9: Reinstall plugins and themes

If your site is still having issues, you’ll need to reinstall any plugins and themes that you haven’t updated yet. Disable and delete them from your themes (here’s how to safely delete a WordPress theme) and plugins pages and reinstall them. If you haven’t already put your site on maintenance mode, do that first!

If you’ve purchased a plugin or theme from a plugin or theme provider and you’re not sure how secure it is, now is the time to consider whether you should continue using it. If you downloaded a free theme/plugin from somewhere other than the WordPress plugin or theme directories, do not reinstall it. Install it from the theme or plugins directory instead, or buy the legitimate version. If you can’t afford it, replace it with a free theme/plugin from the theme or plugin directory that does the same or a similar job.

If that doesn’t fix the issue, check the support pages for all of your themes and plugins. Other users may be reporting the same problem, in which case you should uninstall that theme or plugin until the vulnerability is fixed.

Step 10: Reinstall the WordPress core

If all else fails, you’ll need to reinstall WordPress yourself. If the files in the WordPress core have been compromised, you will need to replace them with a clean WordPress installation.

Upload a clean set of WordPress files to your site via SFTP, making sure to overwrite the old ones. It’s a good idea to backup your wp-config.php and .htaccess files first in case they get overwritten (although they shouldn’t be).

If you used an auto-installer to install WordPress, do not use that again as it would overwrite your database and you will lose your content. Use SFTP instead to just upload the files.
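Steps 7 and 10 both come down to one question: which files differ from a clean copy of the same WordPress version? WP-CLI answers it for core files with `wp core verify-checksums`; the script below is an added example (not code from the original post) that does the same comparison against a manifest you generate yourself from a clean download, and additionally lists PHP files under the uploads directory, which should never contain any. It assumes a Linux host with sha256sum, find and comm, and leaves wp-config.php and wp-content/ out of the manifest because they differ per site.

```shell
#!/bin/sh
# Added example (not from the original post): compare a WordPress tree against a
# checksum manifest generated from a clean copy of the same version. Anything the
# manifest does not list is reported as EXTRA, which is how dropped files surface.
# wp-config.php and wp-content/ are excluded because they differ per site; the
# uploads directory gets its own check below. Requires sha256sum, find, comm.

make_manifest() {   # make_manifest <clean_root>  > manifest.txt
    ( cd "$1" && find . -type f ! -path './wp-content/*' ! -name wp-config.php \
        -exec sha256sum {} + ) | sed 's#  \./#  #' | LC_ALL=C sort -k 2
}

check_tree() {      # check_tree <manifest> <site_root>  -> MISSING/MODIFIED/EXTRA lines
    manifest=$1; root=$2
    # every file the manifest lists must exist with an unchanged hash
    while read -r sum path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
        elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
    # files present on disk but unknown to the manifest
    listed=$(mktemp); present=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$root" && find . -type f ! -path './wp-content/*' ! -name wp-config.php ) \
        | sed 's#^\./##' | LC_ALL=C sort > "$present"
    LC_ALL=C comm -13 "$listed" "$present" | sed 's/^/EXTRA    /'
    rm -f "$listed" "$present"
}

# The media library holds images and documents, never executable PHP, so any
# PHP file under wp-content/uploads is a strong indicator of a dropped web shell.
php_in_uploads() {  # php_in_uploads <site_root>
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Typical use: make_manifest /tmp/clean-wp > manifest.txt, then
# check_tree manifest.txt /var/www/html && php_in_uploads /var/www/html
```

Generate the manifest from a fresh download of the exact version the site reports under Dashboard > Updates, never from the suspect tree itself.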

Step 11: Clean up your database

If your database has been hacked, you must clean it up as well. It’s a good idea to clean your database anyway, as a clean database has less stale data and takes up less space, making your site faster.

How do you know if your database has been hacked? If you’re using a security plugin or service, a scan (or a notification it has already sent you) will tell you whether the database has been compromised. Alternatively, you can use a plugin like NinjaScanner that scans your database. With the WP-Optimize plugin, you can clean up your database and optimize it for the future.
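To show what a database check actually looks for, here is an added example (not code from the original post). It runs over a SQL dump, a constructed sample here, and flags the three stored injections that most often sit behind the redirect symptom described earlier: a rewritten siteurl/home option, script or iframe tags saved in post content, and obfuscated code. It assumes the default wp_ table prefix and a dump with one row per line (mysqldump --skip-extended-insert).

```shell
#!/bin/sh
# Added example (not from the original post): triage a SQL dump of the WordPress
# database for the stored injections that usually sit behind the "my site redirects
# somewhere else" symptom. Assumes the default wp_ table prefix and one row per
# line (mysqldump --skip-extended-insert).

scan_dump() {   # scan_dump <dump.sql> <expected_site_url>  -> "TAG:line:snippet"
    dump=$1; expected=$2
    # 1. siteurl/home rewritten to another host: WordPress then sends every
    #    visitor to that host, a whole-site redirect stored in a single row
    grep -n -E "'(siteurl|home)'" "$dump" | grep -v -F "$expected" \
        | cut -c1-120 | sed 's/^/OPTION_REWRITTEN:/'
    # 2. script or iframe tags stored in post content or options
    grep -n -i -E '<script[^>]*src=|<iframe' "$dump" \
        | cut -c1-120 | sed 's/^/INJECTED_MARKUP:/'
    # 3. obfuscated code (PHP or JS) persisted in the database
    grep -n -i -E 'eval\(|base64_decode\(|String\.fromCharCode|unescape\(' "$dump" \
        | cut -c1-120 | sed 's/^/OBFUSCATED:/'
    return 0   # an empty report is a result, not an error
}

# Constructed sample dump (not from a real site) so the function can be run as-is;
# redirect.invalid is a placeholder host, example.com is the site's real URL.
sample_dump() {
    cat <<'EOF'
INSERT INTO `wp_options` VALUES (1,'siteurl','https://redirect.invalid/go','yes');
INSERT INTO `wp_options` VALUES (2,'home','https://example.com','yes');
INSERT INTO `wp_options` VALUES (3,'blogname','My Site','yes');
INSERT INTO `wp_posts` VALUES (10,'Hello','<p>Welcome</p><script src="https://redirect.invalid/r.js"></script>');
INSERT INTO `wp_posts` VALUES (11,'About','<p>Nothing unusual here</p>');
INSERT INTO `wp_postmeta` VALUES (5,10,'_x','eval(base64_decode("aGVsbG8="))');
EOF
}

# Typical use: sample_dump > dump.sql; scan_dump dump.sql 'https://example.com'
```

Every hit gives a line number you can open in the dump; a clean site produces no output at all.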

How to prevent your WordPress site from being hacked

So you’ve cleaned up your site and reset your passwords, making it a little more secure than before.

But there’s more you can do to prevent future hacks and prevent the same thing from happening again.

Make sure all passwords are secure

If you haven’t already, make sure to reset all passwords for your site, not just your WordPress admin password, and that you’re using strong passwords.

You can force users to use strong passwords with a security plugin.

You can also add two-factor authentication to your website to make it harder for hackers to create an account.

Keep your website up to date

It is important to keep your website up to date. Anytime your theme, plugins, or WordPress itself is updated, you should run that update as it often includes security patches.

You can enable automatic updates either by editing your wp-config.php file or by installing a plugin that will do this for you. If you’d rather not do that because you want to test updates first, a security plugin will notify you when you need to update.

When you update your website, do it properly: back up first and test updates on a staging server if you have one. Many hosting providers such as Bluehost offer automatic updates of your website. Check your hosting provider’s settings to see if the setting is already enabled or if you need to enable this option manually.

Do not install unsafe plugins or themes

If you install WordPress plugins in the future, make sure they have been tested with your version of WordPress and that you are downloading them from a reputable source.

Always install free plugins and templates from the theme and plugin directory: don’t be fooled into getting them from third parties. If you buy premium themes or plugins, check the plugin provider’s reputation and ask for recommendations.

Clean up your WordPress installation

If you have any templates or plugins installed but not activated, delete them. If you have any files or old WordPress installations in your hosting environment that you are not using, it’s time to remove them. Also, delete any databases you are not using.

If you have old, unused WordPress installations on your server, they are particularly vulnerable as you probably won’t keep them up to date.

Install SSL on your website

SSL adds a layer of security to your website and is free. If your hosting provider doesn’t offer free SSL, you can use the SSL Zen plugin to add free Let’s Encrypt SSL.

Avoid cheap hosting

Cheap hosting means you’ll be sharing server space with hundreds of other clients. Not only will this slow down your site, but it will also increase the chances that one of these other sites will bring insecurity to the server.

Cheap hosting providers are likely to not reliably monitor server security or help you if your website has been hacked. A quality hosting provider will give you a hack-free guarantee and work hard to keep your site secure.

We recommend using the hosting company Bluehost. Bluehost’s prices won’t break the bank, and its hosting is still secure.

Set up a firewall

You can configure a firewall for your website using a security plugin or a service like Cloudflare or Sucuri. This will add an extra barrier for hackers and reduce the chances of hacks and DDoS attacks on your website.

Install a security plugin

If you install a security plugin on your website, it will notify you of any suspicious activity. This can include unauthorized logins or adding files that shouldn’t exist. We have had very good experiences with the WordPress plugin WordFence. This plugin offers a very high level of protection against hackers, malware, and viruses.

Again, refer to the plugin’s warning to find out what the problem is.

Install a backup tool

It can always happen that your website or database gets damaged. It can also happen that your website is attacked by hackers.

Therefore, you should take appropriate measures beforehand to have a backup in the event of an attack or damage so that your website or database can be easily restored.

A very good plugin is UpdraftPlus. This tool is free, offers very good protection, and automatically creates backups of your website and database. (The free version of UpdraftPlus is sufficient for most WordPress websites.)

A backup tool for WordPress is a must for every website operator!

Summary

Having your website hacked is an unpleasant experience. It means your website is unavailable to users, which could impact your business. It also means you have to act quickly, which pulls you away from your other work.

Here is a summary of the steps to take if your website is hacked:

  • Reset passwords.
  • Update plugins and themes.
  • Remove users that shouldn’t exist.
  • Remove unwanted files.
  • Clean up your sitemap.
  • Reinstall plugins and themes as well as the WordPress core.
  • Clean up your database if necessary.

And remember, if you follow the steps above to avoid hacks, you won’t have to do any of that again in the future: it pays to keep your site as secure as possible.

Do you still need help from us to restore your website? No problem, Datacrypt offers a professional malware and virus removal service for WordPress websites.