Every year, hundreds and thousands of WordPress blogs and websites are hacked or attacked. Once hackers gain access, they can use your website for all kinds of malicious activities, including illegal ones. Such activities can cause your hosting provider to shut down the site, or cause Google to flag the site for hosting malware, SEO spam, phishing, or other attacks. Therefore, once you know you have been hacked, you need to fix it immediately. This raises the question: how do I know if my WordPress site has been attacked?
- Signs that your WordPress Site is hacked
- 1. Unable to Login
- 2. Defaced Homepage
- 3. Presence of harmful links
- 4. Unknown files and scripts on the server
- 5. Doubtful User accounts
- 6. A decline in website traffic
- 7. Failure to send or receive WordPress emails
- 8. Slow or Unresponsive site
- 9. Hijacked search result
- 10. Pop-ups under the ads
- How to find if the Website is hacked?
- 1. Run Malware scans regularly
- 2. Keep an audit trail to monitor users
- 3. Monitor website traffic
- 4. Check the web server and website control panel
- 5. Check the WordPress files for changes
There are many reasons a site can get attacked. Insecure hosting and outdated themes and plugins are a few of them. At times it is easy to tell when a site has been attacked, especially if the website is defaced. But most often these hackers do a very good job of concealing their activity. In many cases, it takes weeks for owners to recognize that their website has been hacked. In this article, we’ll share the common signs that may help you figure out if your WordPress site is hacked, and the ways to check it. The faster you identify a hack, the easier it is to recover from it and the less damage is done.
Signs that your WordPress Site is hacked
1. Unable to Login
If you are not able to sign in to your WordPress site, then there is a chance that hackers may have removed your admin account from WordPress. Since the account does not exist, you wouldn’t be able to reset your password from the login page.
2. Defaced Homepage
Some hackers may deface your website to declare that it has been hacked. Such hackers usually replace your homepage with their own message.
3. Presence of harmful links
Hackers create a backdoor to your site which gives them access to alter your WordPress files and database without your knowledge. Some of these hacks add links to unsafe websites. Generally, these links are added to the footer of your website, but they really could be anywhere.
4. Unknown files and scripts on the server
Usually, these files are named like WordPress files so that they hide in plain sight. Deleting these files immediately does not guarantee that they will not return. It is better to use a site scanner plugin like Sucuri, which will alert you when it finds an unknown file on your server.
5. Doubtful User accounts
If your site allows user registration and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete. However, if you have not deleted them properly and you notice new user accounts in WordPress, then your site has probably been attacked.
6. A decline in website traffic
Many kinds of malware and trojans can hijack your website’s traffic and redirect it to spammy websites. Another reason for a fall in traffic is Google’s Safe Browsing tool, which might be showing warnings to users about your website.
7. Failure to send or receive WordPress emails
Most WordPress hosting companies offer free email accounts with your hosting. Many website owners use their host’s mail servers to send WordPress emails. If you fail to send or receive WordPress emails, then there is a chance that your mail server has been hacked to send spam emails.
8. Slow or Unresponsive site
All websites on the internet can become victims of irregular denial-of-service attacks at some point. These attacks use many hacked computers and servers from all over the world, with fake IPs. Sometimes they are just sending too many requests to your server; other times they are seriously trying to break into your website. Any such activity will make your website slow, unresponsive, and unavailable.
9. Hijacked search result
If the search results for your website show an incorrect title or meta description, then this is a sign that your WordPress site is hacked.
10. Pop-ups under the ads
These kinds of hacks aim to make money by hijacking your website’s traffic and showing them their own spam ads for illicit websites. These pop-ups do not appear for logged-in visitors or visitors accessing a website directly. They only appear to the users visiting from search engines.
How to find if the Website is hacked?
Now let’s identify the various technical ways you can detect or discover that your site has been hacked.
1. Run Malware scans regularly
Malware scanners like Malcare WordPress Security and Sucuri Website Security Platform scan your website when you use their premium services. They will give you an alert if you are infected. This is the preferred method of discovering a hack because it usually takes very little time between getting infected and discovery.
However, if you do not have a premium malware and WordPress security service, you can begin by scanning your website with free scanners such as Sucuri SiteCheck. This free scanner checks your website for a number of familiar problems such as malware infections, irregular redirects, spam, and various other issues mostly found on hacked websites. In most cases, these free scanners will do the job, although they only scan a defined number of pages.
2. Keep an audit trail to monitor users
The most common indicator of a hacked WordPress website is unusual user activity, such as the creation of new users, current users’ password changes, user role changes, unauthorized new content, and alteration of existing content. It is impractical to keep a record of such undercover activity, especially on a multi-user blog, unless you use a WordPress activity log plugin. A plugin such as WP Activity Log is very easy to use: just install it and it keeps track of all the changes that happen on your WordPress website.
3. Monitor website traffic
Your website’s traffic is another good indicator of a hack. Watch for unusual activity in website traffic, such as sharp increases or decreases. For instance, if an old blog post or page that never ranked well quickly becomes very popular for no real reason, there is a chance that it is infected.
You can watch your WordPress site traffic and ranking activity by using tools such as Google Analytics and Google Search Console. If you own a website, you should set up Google Search Console right away if you have not already. It will warn you of problems Google may face when listing your site and will provide you with stats showing your site visits via search.
4. Check the web server and website control panel
Some hack attacks are very complex, and some of them affect the web server itself. For example, attackers create users on the server’s operating system if they manage to escalate their privileges. Another prevalent server-level trick is a mechanism that automatically re-infects the website after it has been cleaned. Sometimes they store illegal torrent downloads or large files outside the webroot. So it is always better to scan the whole operating system.
If you control your own web server, run routine security checks regularly. Record all the operating system users, scheduled tasks (cron jobs), and files, so that when something gets modified you are aware of it. There are many commercial and non-commercial tools that can assist you in monitoring the web server. If you have a managed hosting provider, use your provider’s control panel (such as cPanel) to monitor the scheduled tasks (cron jobs), FTP users, and files.
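The following Python sketch is an added example, not part of the original article: it compares a saved copy of the operating system accounts and cron entries against the current state and lists what changed. The sample snapshots, account names and cron lines are constructed for illustration.

```python
def parse_passwd(text):
    """Return {username: (uid, shell)} from /etc/passwd-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            users[fields[0]] = (int(fields[2]), fields[6])
    return users


def parse_cron(text):
    """Return the set of active crontab lines, whitespace-normalised."""
    return {" ".join(line.split()) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}


def compare(base_passwd, cur_passwd, base_cron, cur_cron):
    """List (kind, detail) findings for accounts and cron entries that changed."""
    before, after = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    findings = []
    for name, (uid, shell) in sorted(after.items()):
        if name not in before:
            findings.append(("new_user", name))
        elif before[name] != (uid, shell):
            findings.append(("changed_user", name))
        if uid == 0 and name != "root":
            findings.append(("extra_uid0", name))  # second superuser account
    findings += [("removed_user", n) for n in sorted(before.keys() - after.keys())]
    findings += [("new_cron", e)
                 for e in sorted(parse_cron(cur_cron) - parse_cron(base_cron))]
    return findings


# Constructed sample snapshots. On a real server, save the contents of
# /etc/passwd and the output of `crontab -l` at a known-good point in time.
BASE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
               "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")
CUR_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "www-data:x:33:33:www-data:/var/www:/bin/bash\n"
              "support:x:0:0::/home/support:/bin/bash\n")
BASE_CRON = "# m h dom mon dow command\n0 3 * * * /usr/local/bin/backup.sh\n"
CUR_CRON = BASE_CRON + "*/10 * * * *   /tmp/restore.sh\n"

if __name__ == "__main__":
    for kind, detail in compare(BASE_PASSWD, CUR_PASSWD, BASE_CRON, CUR_CRON):
        print(f"{kind:13} {detail}")
```

Keep the baseline copies somewhere the web server account cannot write to, otherwise the baseline itself can be altered.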
5. Check the WordPress files for changes
Hackers implant malware on a WordPress website or insert a backdoor by changing the WordPress source code. So another good way to recognize a malicious hack is to scan your WordPress installation for file changes. The method of scanning your website for new, modified, or deleted files is known as file integrity monitoring.
When you scan your site for file changes, look for new files in the webroot, modified index.php and functions.php files, new redirect rules or changes in the .htaccess files that point to infected domains, and similar. If you can, search your entire file structure for strings such as “base64” to check for encoded code.
Hackers have a multitude of ways to enter your WordPress site, and they come up with new ones every so often. So, you need to take your own security measures to protect your website and ensure it’s safe against hack attacks. In this article, we have shared the common ways to check whether your site has been attacked or not. Now, if you want to fix a hacked site, please go through our guide on fixing a hacked WordPress website.
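A minimal file integrity check in Python, added here as an example and not taken from the original article or from any plugin it names: it hashes every file under the webroot, compares the result with a saved baseline, and searches the new and modified files for the “base64” string. The file names and contents in `demo()` are constructed, and `example.invalid` is a placeholder domain.

```python
import hashlib
import os
import re
import tempfile

ENCODED = re.compile(rb"base64", re.I)  # the marker the text suggests searching for


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current):
    """Return the new, deleted and modified paths between two snapshots."""
    shared = baseline.keys() & current.keys()
    return {"new": sorted(current.keys() - baseline.keys()),
            "deleted": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in shared if baseline[p] != current[p])}


def flag_encoded(root, paths):
    """Return the given relative paths whose content matches ENCODED."""
    hits = []
    for rel in paths:
        with open(os.path.join(root, rel), "rb") as fh:
            if ENCODED.search(fh.read()):
                hits.append(rel)
    return hits


def demo():
    """Build a constructed webroot, change it, and report what the check finds."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(data)
        write("index.php", "<?php require 'wp-blog-header.php';\n")
        write(".htaccess", "RewriteEngine On\n")
        write("readme.html", "<html></html>\n")
        baseline = snapshot(root)  # taken while the site is known to be clean
        # Constructed changes standing in for a compromise:
        write("index.php", "<?php $c = base64_decode('PLACEHOLDER'); require 'wp-blog-header.php';\n")
        write(".htaccess", "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R=302,L]\n")
        write("wp-cache-old.php", "<?php // unknown file\n")
        os.remove(os.path.join(root, "readme.html"))
        changes = compare(baseline, snapshot(root))
        return changes, flag_encoded(root, changes["new"] + changes["modified"])
```

Legitimate plugins also use base64, so a hit is a file to review, not proof of infection.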