7 Signs Your WordPress Site Has Been Hacked
One of the most frustrating and stressful situations you could ever run into as a WordPress site owner is finding out that your site has been hacked. One minute your site is humming along, bringing in traffic and, hopefully, revenue. And then, next thing you know, you discover something is very wrong with your WordPress site.
Unfortunately, the possibility that your WordPress site could be hacked is real, and it needs to be dealt with as efficiently and effectively as possible to make sure it never happens. If you do find yourself facing a hacked website, you’ll probably be asking yourself why your site, in particular, was the target of a malicious attack and how to get it back as quickly as possible.
WordPress hacks come in many forms, shapes, and sizes. This means, as WordPress site owners, it’s important to know all of the common reasons why WordPress sites can be successfully hacked. In this guide, we’ll discuss the common reasons WordPress sites get hacked along with simple steps you can take to secure your site.
7 Signs Your WordPress Site Has Been Hacked
Not all hacks have the same goal, so the signs of a website compromise will depend on the attacker’s motive. Here are 7 different symptoms you need to look out for when you are monitoring the health of your site.
1. Your Homepage is Different
Changes to your homepage seem like an obvious sign. But how many times do you actually run a thorough check on your homepage? I know I typically go straight to my login URL and not my home URL. From there, I log in, update my site or edit a post. After I finish what I came to do, I often leave without looking at my website’s home page.
The primary goal of some hacks is to troll a website or gain notoriety. So they only change your homepage to something they find funny or to leave a “hacked by” calling card.
If you do notice a change to your homepage, you can restore your website quickly and easily using a backup file made with a trusted WordPress backup plugin such as BackupBuddy.
2. Your Website Performance Has Dropped
Your site may feel sluggish when it has an infection. You can experience slowdowns on your website if you are experiencing brute force attacks or if there is a malicious script using your server resources for cryptocurrency mining. Similarly, a DDoS (distributed denial of service) attack happens when a network of IPs simultaneously sends requests to your website in an attempt to cause it to crash.
If your site is running slowly, check the server access logs for an unexpected number of requests. You can also use a web application firewall like the one provided by Sucuri to help protect your website against a DDoS attack.
Just note that a drop in performance doesn’t necessarily mean someone hacked your site. You may just need some tips on how to speed up a WordPress site. The iThemes Security plugin’s WordPress Malware Scan feature will help to identify suspicious scripts.
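One way to check the server access logs for an unexpected number of requests, as described above. This is an added example, not code from the original article; it assumes the log is in Combined Log Format, the thresholds are illustrative, and the log lines are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined Log Format, the default access-log layout for Apache and nginx.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# WordPress endpoints that accept credentials.
AUTH_PATHS = ("/wp-login.php", "/xmlrpc.php")


def analyze(lines, per_minute_limit=5, auth_post_limit=5):
    """Return (busy, guessing): peak requests per minute for IPs over
    per_minute_limit, and login POST totals for IPs over auth_post_limit."""
    per_minute = defaultdict(Counter)   # minute -> ip -> requests
    auth_posts = Counter()              # ip -> POSTs to AUTH_PATHS
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # not Combined Log Format, skip
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        per_minute[ts.replace(second=0)][m["ip"]] += 1
        if m["method"] == "POST" and m["path"].split("?")[0] in AUTH_PATHS:
            auth_posts[m["ip"]] += 1
    busy = {}
    for counts in per_minute.values():
        for ip, n in counts.items():
            if n > per_minute_limit:
                busy[ip] = max(n, busy.get(ip, 0))
    guessing = {ip: n for ip, n in auth_posts.items() if n > auth_post_limit}
    return busy, guessing


def sample_log():
    """Constructed sample: a login burst, one visitor, one malformed line."""
    burst = [
        f'203.0.113.7 - - [12/Mar/2024:10:15:{s:02d} +0000] '
        '"POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"'
        for s in range(0, 40, 5)
    ]
    visitor = ('198.51.100.23 - - [12/Mar/2024:10:15:02 +0000] '
               '"GET / HTTP/1.1" 200 18231 "-" "Mozilla/5.0"')
    return burst + [visitor, "not a log line"]


if __name__ == "__main__":
    print(analyze(sample_log()))
```

An address that appears in both results is generating a burst of login attempts, which points at brute forcing rather than ordinary slowness.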
3. Your Website Contains Malicious or Spam Popup Ads
There is a good chance a hacker has compromised your website if your visitors see popups that redirect them to a malicious website. The goal of this type of attack is to drive traffic away from your site to the attacker’s site so they can target users with spam or click fraud for Pay Per Click advertising.
The most frustrating thing about this type of hack is you may not be able to see the popups. A popup hack can be designed to not show for logged-in users, which decreases the odds of website owners seeing them. So even when the site owner logs out, the popups will never display.
Your view of the popups can also be limited if you use an adblocker extension in your browser. For example, a customer reported a popup hack and shared screenshots and a video of the popups. After I spent hours running through their website, I was not able to recreate anything they were reporting. I was convinced that their personal computer had been hacked and not the website. Finally, it dawned on me why I wasn’t able to see the popups. I had installed an adblocker extension on my browser. As soon as I disabled the ad blocker extension, I was able to see popups everywhere. I share this embarrassing story to hopefully save you from running into the same mistake.
A WordPress security plugin such as the iThemes Security plugin allows you to keep an eye on your website’s security logs for file changes, logins, and changes made by users.
4. You Notice a Decrease in Website Traffic
If you log into your Google Analytics account and you notice a steep decline in website traffic, your WordPress site could be hacked. A drop in site traffic deserves an investigation. There could be a malicious script on your site that is redirecting visitors away from your site, or Google could already be blacklisting your website as a malicious site.
The first thing you want to look for is your website’s outbound traffic. To do this with Google Analytics, you will need to configure your site to track the traffic leaving your site. The easiest way to monitor outbound traffic on your WordPress site is to use a WordPress Google Analytics plugin. A good Google Analytics plugin will allow you to track specific activity with a click of a button. If you find your website has already been blacklisted by Google, follow these steps for how to remove the Google blacklist warning.
5. Unexpected File Changes
If files on your website have been changed, added, or removed, it could be a sign that your site has been compromised. That’s why it is essential to have a notification system in place to alert you of website file changes. You can investigate any unexpected changes by comparing the changed file to a version in a recent backup. The iThemes Security Pro File Change Scan feature will notify you of any changes made to your site.
Using a WordPress security plugin like iThemes Security can help you track file changes. Because of the number of notifications this setting can generate, you can exclude files and directories in the File Change Detection settings. It is okay to exclude directories that you know are going to be regularly updated. Backup and cache files are a perfect example of this and excluding them will reduce the number of notifications you will receive.
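The idea behind file change detection with excluded directories, as an added sketch that is not the iThemes Security implementation or code from the original article. The excluded paths and the script's two command-line arguments are assumptions.

```python
import hashlib
import json
import os
import sys

# Constantly changing directories to skip, relative to the WordPress root.
# These two paths are assumptions; match them to the site's own layout.
EXCLUDE_DIRS = {"wp-content/cache", "wp-content/backups"}


def snapshot(root, exclude_dirs=EXCLUDE_DIRS):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune in place so os.walk never descends into excluded directories.
        dirnames[:] = [d for d in dirnames if os.path.normpath(
            os.path.join(rel_dir, d)).replace(os.sep, "/") not in exclude_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest.hexdigest()
    return manifest


def compare(baseline, current):
    """Return the added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


if __name__ == "__main__":
    # Usage: script.py <wordpress_root> <baseline.json>
    root, baseline_file = sys.argv[1], sys.argv[2]
    current = snapshot(root)
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            print(json.dumps(compare(json.load(fh), current), indent=2))
    else:
        with open(baseline_file, "w") as fh:   # first run: record the baseline
            json.dump(current, fh)
```

Keep the baseline file outside the web root, ideally on another machine, so that whoever changes the site files cannot also rewrite the baseline.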
6. Unexpected New Users
If your website has any unexpected registrations of new admin users, that’s another sign your WordPress site has been hacked. Through an exploit of a compromised user, an attacker can create a new admin user. With their new admin privileges, the hacker is ready to cause some major damage to your site.
In November of 2018, we had several reports of new admin users being created on customer websites. Hackers used a vulnerability in the WP GDPR Compliance plugin (vulnerability patched in version 1.4.3) to create new admin users on WordPress sites running the plugin. The plugin exploit allowed unauthorized users to modify the user registration to change the default new-user role from a subscriber to an admin. Unfortunately, this wasn’t the only vulnerability and you can’t just remove the new users the attacker created and patch the plugin.
If you had WP GDPR Compliance and WooCommerce installed, your site might have been injected with malicious code. The attackers were able to use the WooCommerce plugin background installer to insert a backdoor installer in the database. If your site has a backdoor installed, you should contact a hack repair specialist. Another option is to use a backup file to roll back to a copy of your website from before the breach.
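A check for the two symptoms described in this section, a privileged default new-user role and administrator accounts nobody recognises. This is an added example, not code from the original article; the allowlist, the review date and the sample account names are constructed, and the inputs are assumed to come from the WP-CLI commands named in the comments.

```python
import csv
import io
from datetime import datetime

# Roles that should never be handed to a newly registered user.
PRIVILEGED_ROLES = {"administrator", "editor"}

# Constructed sample of the CSV produced by:
#   wp user list --role=administrator \
#       --fields=user_login,user_email,user_registered --format=csv
SAMPLE_ADMINS = """user_login,user_email,user_registered
alice,alice@example.com,2016-04-02 09:14:00
svc_update,svc@example.net,2018-11-08 03:12:45
"""


def audit(admin_csv, known_admins, default_role, users_can_register, last_review):
    """Return findings as strings.

    default_role and users_can_register are the values printed by
    `wp option get default_role` and `wp option get users_can_register`.
    known_admins is the set of logins the site owner expects to be admins.
    """
    findings = []
    if default_role in PRIVILEGED_ROLES:
        state = "open" if users_can_register == "1" else "closed"
        findings.append(f"default_role={default_role} (registration {state})")
    for row in csv.DictReader(io.StringIO(admin_csv)):
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if row["user_login"] not in known_admins:
            reasons.append("not on allowlist")
        if registered > last_review:
            reasons.append("created after last review")
        if reasons:
            findings.append(f"admin {row['user_login']}: {', '.join(reasons)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ADMINS, {"alice"}, "administrator", "1",
                         datetime(2018, 11, 1)):
        print(finding)
```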
7. Admin Users Removed
If you are unable to log into your WordPress site, even after a password reset, it may be a serious sign of infection.
When the Gentoo GitHub repo got hacked, the first thing the attacker did was delete all admin users. So how did this hacker even get into their GitHub account? A Gentoo admin user’s password was discovered on a different site. I am guessing that the username and password were discovered either through scraping or a database dump. Even though the admin’s password for their Gentoo GitHub account was different than the one used on the compromised account, it was very similar. So this would be like me using iAmAwesome2017 as a password on one account and iAmAwesome2019 on another site. So the hackers were able to figure out the password with a little effort. As we can see, you should use a unique password for every account. A simple variation in your passwords isn’t enough. Using LastPass, you can generate and securely store strong, unique passwords for every site.
You can also enable the Trusted Devices feature in iThemes Security Pro to restrict admin capabilities for logins from untrusted devices. If an attacker successfully logs in to your site as an existing admin user–either by a brute force attack or if the user’s credentials were part of a database dump–they will not have full admin capabilities.