Let’s look at the indicators that might suggest we have a hacked WordPress website.
There are many sure signs that will tell you your site has been hacked and tampered with, but there are also some more subtle ones that can cause the hack to go undetected for longer.
Here I will explain in detail some of the indicators to look out for that show your WordPress website either is, or may have been, hacked.
1. A defaced or obviously compromised homepage
The most obvious and visible sign that your site has been hacked is the homepage of the site being defaced. While most hackers will want their activities to remain unknown for as long a time as possible, some will make the hack obvious.
So, if the intention is usually to go undetected, you might wonder why some hackers want to make their message known. They can sometimes be what are known as Hacktivists or Grey Hat hackers. The hacktivist is motivated to spread religious, social, political messages etc, while the Grey Hat hacker may want you to know that you are hacked and will be happy to inform you that to have the hack reversed you need to pay them.
Plus, they could also just be practicing on your site at random. Usually, though, the hacker’s motivation is money, exposure or the use of your server’s resources to continue their work.
2. Bad/spammy links on your website
Spam link injection remains one of the prevalent signs that suggest a hacked site. The hackers may have found a way of gaining access to your website (a back door) in order to alter your WordPress database and files.
Once inside they can create links to spammy sites, as that’s usually the intention. These links can be anywhere on your site and can be hard to find. And even if you do find and delete the links, it’s not necessarily the end of the problem.
The back door is the real issue here and you need to find it or go back to a time before the hack and restore your files and database to that date. This is why it’s crucial to have your site backed up on a regular basis, and preferably off site on a different server.
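Because injected links can sit anywhere in a page, one way to find them is to scan the rendered HTML for links that leave the hosts you expect. The following is an added example, not code from this article: `SITE_HOST`, `ALLOWED_HOSTS`, the list of hiding styles and the sample markup are all constructed assumptions, and checking for hidden styling goes a step beyond what the text describes.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"          # assumption: the site's own domain
ALLOWED_HOSTS = {"wordpress.org"}  # hypothetical: hosts you link to on purpose
HIDING = ("display:none", "visibility:hidden", "font-size:0")
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no end tag

def expected(host):
    """True for the site itself, its subdomains, and allowlisted hosts."""
    own = host == SITE_HOST or host.endswith("." + SITE_HOST)
    return own or host in ALLOWED_HOSTS

class LinkAudit(HTMLParser):
    """Collect unexpected off-site links and whether a parent tag hides them."""

    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, hides_content) for each open element
        self.findings = []  # (host, hidden) for each unexpected link

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if tag not in VOID:
            self.stack.append((tag, any(h in style for h in HIDING)))
        host = (urlparse(attrs.get("href") or "").hostname or "").lower()
        if tag == "a" and host and not expected(host):
            self.findings.append((host, any(h for _, h in self.stack)))

    def handle_endtag(self, tag):
        # Close back to the nearest matching open tag; ignore stray end tags.
        names = [name for name, _ in self.stack]
        if tag in names:
            del self.stack[len(names) - 1 - names[::-1].index(tag):]

def audit(html):
    """Return (host, hidden) for every link that leaves the expected hosts."""
    parser = LinkAudit()
    parser.feed(html)
    return parser.findings

# Constructed post body: an allowed link, a relative link, a visible off-site
# link, and an off-site link inside a hidden <div>.
SAMPLE = """<p>Read the <a href="https://wordpress.org/documentation/">docs</a> or
<a href="/contact/">contact us</a>. <a href="http://pills.example.net/buy">deal</a></p>
<div style="display: none"><a href="http://casino.example.org/">x</a><br></div>"""
```

Calling `audit(SAMPLE)` reports the two off-site hosts and marks the one inside the hidden `<div>`; run it over saved copies of your pages fetched while logged out.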
3. Presence of unknown files and scripts on your server
If you know what you are looking for (and not many do), or you are using a security plugin (which you should be), you may be aware of modified or suspicious new files. If you are using a good security plugin such as Wordfence or Sucuri for WordPress, you will receive a notification of the presence of these kinds of files, or of scripts contained within new files on your server. Most likely, these suspicious files are named to look like WordPress files in order to conceal their identity.
Prevention is always better than cure and picking up the existence of these offenders early is always better than leaving your site unprotected. That is why it is crucial to have security monitoring in place at all times.
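The check behind this kind of notification can be illustrated by comparing the live install against a clean copy of the same WordPress release. This is an added example, not code from this article or from the plugins it names: the file names and contents are constructed, and the rule that only scripts are suspicious under `wp-content/uploads/` is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_EXT = (".php", ".phtml")  # assumption: extensions the server executes

def manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(clean: Path, live: Path) -> dict:
    """Diff a live install against a clean copy of the same release."""
    good, seen = manifest(clean), manifest(live)
    report = {"modified": [], "missing": [], "unknown": []}
    for rel, digest in good.items():
        if rel not in seen:
            report["missing"].append(rel)
        elif seen[rel] != digest:
            report["modified"].append(rel)
    for rel in seen:
        if rel in good:
            continue
        # Media uploads are expected extras; a script in uploads is not.
        if rel.startswith("wp-content/uploads/") and not rel.lower().endswith(SCRIPT_EXT):
            continue
        report["unknown"].append(rel)
    return report

def demo() -> dict:
    """Build a constructed clean tree and a tampered copy, then compare them."""
    base = {"index.php": "<?php // front controller",
            "wp-login.php": "<?php // login form",
            "wp-includes/version.php": "<?php // version info"}
    tampered = {**base,
                "wp-login.php": "<?php // login form plus an injected line",
                "wp-includes/wp-cache.php": "<?php // look-alike name, not in clean copy",
                "wp-content/uploads/photo.jpg": "constructed image bytes",
                "wp-content/uploads/thumb.php": "<?php // script where only media belongs"}
    del tampered["wp-includes/version.php"]
    with tempfile.TemporaryDirectory() as tmp:
        for name, tree in (("clean", base), ("live", tampered)):
            for rel, body in tree.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return compare(Path(tmp, "clean"), Path(tmp, "live"))
```

On a real site, point `compare()` at an unpacked download of the same release and at a copy of the live files; themes and plugins not present in the clean copy will appear under `unknown` and need checking against their own originals.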
I have seen it before, where I was asked to retrieve a hacked site where the owner was unable to log in to WordPress and was seeing errors displayed on the front end that showed some files were missing and some corrupt. (See sign No. 4 below.)
There was no security plugin installed and this ended up being how the website owner discovered there was something awry. I was able to get in via FTP and upload the files that should have been part of a WordPress installation as well as replace the corrupt files with a correct version of the file and it got me back into WordPress.
This can be helpful to allow me to investigate the situation and we can have some success here, but it never beats prevention and backups. The solution here was a complete new install of WordPress on a different server. The hacked site was on a shared server (usually cheaper hosting), and we needed to take back some control.
OK, let’s jump out and explain how unsafe a shared server is. To do this I will compare it to a row of old terraced houses without firewalls between the houses to stop fire spreading from one attic to the next. This absence would also allow a thief to move freely between houses, should he have access to any single one of the houses in the terrace.
Think about it, no matter how secure your doors and windows are, your house would only be as safe as the least safe house in the row. And you would have no control over how safe it was.
4. Inability to log in to your site
If you have suddenly become unable to log in to WordPress, you may be looking at a malfunction within WordPress, which can be triggered by events such as incompatibility between plugins after an update, corrupt files, etc. But it could also mean that a hacker has deleted your administrator account on your WordPress install.
If this happens you won’t be able to do a password reset, because the account you are trying to reset the password on no longer exists. You could create a user account again via cPanel and phpMyAdmin to let you back into WordPress, but it would only be a band-aid and not the full fix.
The full fix is to have the site completely cleaned or restored to a date prior to the attack.
5. Drastic drop in website traffic
Your WordPress site might have been hacked if the reports from your Google Analytics account show a sharp decline in traffic. Trojans, malware and redirect scripts can be used to divert your site’s traffic to websites renowned for spamming. Sometimes these redirects go undetected because they do not redirect logged-in users: you may be logged into the website when you are on it and not be redirected, even though your visitors will be.
You may also be experiencing a drastic decline in traffic because Google’s Safe Browsing tool may be sending danger signals to your website visitors and scaring them away. Google identifies over 10,000 phishing and malware sites every day and you don’t want to be one of them.
This is the major reason why all bloggers and entrepreneur website owners should be proactive about their WordPress security. Use Google’s Safe Browsing tool to check the safety report of your website.
6. Dodgy looking user accounts turning up out of the blue
If you see user accounts that you did not create and did not give permission for anyone else to create, and in particular if they are accounts with an administrator role, then you need to act immediately.
Sometimes a website that allows subscribers to register on the site can see lots of added accounts with subscriber rights. These subscriber type accounts would not create the same cause for alarm and the website owner just needs to tighten up on spam to stop this.
If you are seeing new unknown administrator accounts present, it’s a different story, and you have been hacked.
7. Emails are bouncing
If you find that your emails are not sending or people report to you that they cannot send you an email then this may be a sign that your website has been hacked.
The free mail server that comes with most web hosting can be very tempting, mainly because it is free, but we always advise against it. We recommend using Office 365 or Google Mail to send from your website domain name. Apart from the drawbacks of lesser functionality and no synchronization between devices using the same email account, we also tell site owners of the danger of their site being hacked and the web server used to send spam emails that can get their domain name blacklisted.
I remember a few years back I bought an extra IP address for a VPS (virtual private server) I was renting to host approx. 60 websites. A few days later a colleague told me that a domain name on my server was bouncing emails. When I ran a spam check for the new IP address I discovered it had been blacklisted.
I had actually inherited the problem. Whatever activity had caused the IP address to be blacklisted had occurred when someone else owned it. I immediately rang up the hosting company that I was hiring the VPS from and reported the situation. They apologized and moved all my web accounts to another VPS with a different IP address straight away. If you are blacklisted you can contact the spam listing services and explain, but it can take a while and in the meantime every website on the blacklisted server is in the same boat.
8. Your website shows up in a search for undesirable keywords
You will definitely be the last to know about this one. Sometimes when we search for a website, we see in the results what are known as sitelinks below the main listing, showing some of the other pages on our website as well as our homepage. This can be very good for brand reputation, as it has us taking up more of the search result page than a typical single listing. This is fine when it is what we want visitors to see, but if the results have been hijacked it’s a whole different story.
And what’s even worse is that when we know about it and want to take corrective action, it can be a month or more for Google to pick up on the changes as their spider usually comes crawling about every 30 days to our website to check for changes.