Did you know that 34% of all websites on the web are WordPress sites? Because of this, WP accounts for the majority of hacked websites.
WordPress-related hacking incidents have been increasing with each passing year, mostly because hackers have easy access to faster, cheaper and better technological facilities.
What’s worse? The damage from hacking is costing businesses around $400 billion per year.
However, WP also possesses the technological prowess to prevent nearly all of these hacks. That’s why it’s crucial to invest in cyber security to save your business from a breach. At the end of the day, a successful hack has the potential to cost millions of dollars.
In this guide, we will talk about:
- How to detect if your WordPress website has been hacked.
- Step by step guide to re-establishing your website after a hack (jump to this section if you know your site has already been hacked).
- Security tips on how to safeguard your WordPress website from future hacks.
Signs That Show Your WordPress Instance Has Been Hacked
It’s crucial to discover quickly if your WordPress website has been hacked. Knowing what to look for will be essential to detection. The most common indicators are:
Sudden Drop in Website Traffic
The biggest indicator that your site may be hacked is a sudden drop in traffic. In many cases, hackers use the .htaccess file to redirect your site to another one.
Keep an eye on Google Analytics and Google Search Console. Of the two, Google Search Console shows more accurate results during hacking attempts, mainly because Google Analytics can be manipulated using different tools.
Unusual Activities in Server Logs
Server logs maintain the history of activities a server performs. They are often helpful during an investigation.
If you’re using cPanel, you can find the server logs in the Visitors section of your cPanel.

Different operating systems store access logs at different locations, for example:
- Red Hat / CentOS Linux: /var/log/httpd/access_log
- Debian / Ubuntu Linux: /var/log/apache2/access.log
- FreeBSD Apache: /var/log/httpd-access.log
Security Alerts
Browser security alerts are often a result of three reasons:

- A website promoting malware injected by hacking.

- Google notifying you through Google Search Console when it detects your website has been hacked.

If you get any of these alerts, you may lose your traffic from Google, and hurt your brand reputation.
Google Search Console’s Alert
Google Search Console immediately notifies you if your website gets hacked. It shows which pages have been affected.

Cloud-Based Malware Scanners
Potential vulnerabilities can be found using a variety of tools that thoroughly scan your website, helping you to identify malware. For a quick scan, use Sucuri (as seen below):

That being said, committing to deeper automated scans of your website is critical to early detection of a hack.
Many plugins and tools can be used for this purpose.
For example:
Quttera Web Malware Scanner

After activating this plugin, scan your website internally as well as externally. Here, I scanned my client’s website with an External Scanner, and it showed one suspicious file. We were able to go in there and remove that file without issue.

I did an internal scan as well which yielded no issues or malicious files.

Anti-Malware Security and Brute-Force Firewall

This one is different from Quttera in that it shows you detailed reports like these:

Wordfence

Wordfence goes through and scans each component of your website systematically.

Sucuri Plugin

The Sucuri plugin is a next-level scanner. It checks your site against many well-known blacklist databases and highlights infected files as well.

Apart from these, there are many online tools if you want to run a quick check on your website.
VirusTotal

It scans your website using more than a hundred antivirus programs.
Sitecheck by Sucuri

Cloaked Link Checker by WebConf

WebConfs’ scanner is a very useful tool that looks for cloaking on your website. Hackers often show one webpage to real users and another to search engine crawlers (this is called cloaking).
Blacklists
Whenever a website gets hacked, various platform security algorithms blacklist the site in an attempt to quarantine it to save innocent users.
Check your site using Google’s Transparency Report. If your site makes it to that list it’s surefire proof that your site has been hacked (and you will stop receiving traffic from Google almost immediately).

Another platform (called SiteGuarding) checks your site on more than a hundred blacklists.

Searching Google’s Index
Search your site on Google using the “site:” search operator, for example site:example.com.

If you see any titles in a language other than your website’s native language it means your site has been hacked.

Scanning PHP Functions
Viruses typically attack scripts using the following PHP functions:
- base64_decode
- str_rot13
- eval
- strrev
- gzinflate
The injected code may look similar to this:
$O_O0O_O0_0=urldecode(“%6E1%7A%62%2F%6D%615%5C%76%740%6928%2D%70 %78%75%71%79%2A6%6C%72%6B%64%679%5F%65%68%63%73%77%6F4%2B%6637%6A”); $OO0_0OO0__=$O_O0O_O0_026.$O_O0O_O0_06.$O_O0O_O0_010.$O_O0O_O0_030
To find the infected PHP functions, you need PHP knowledge. If you don’t have that, you can still find signs of the infection by searching your website’s sitemap for unknown URLs. Hackers typically optimize the sitemap so that hacked pages get indexed faster (and can infect more users through search engines). So if you find unknown URLs, you can be sure your site has been hacked.
Spider Your Website
Now you need to crawl your website using software that crawls like Googlebot, to detect any harmful pages that the hacker might have created.
Such tools will scrutinize your sitemap, and any additional pages that your site has generated. You can delete the infected pages immediately.
I’d recommend you use Deepcrawl and Screaming Frog.

Deepcrawl provides a 14-day free trial without having to put in credit card details, enough time to look for potential threats on your site.
Once the crawl is completed, go to the HTTP & HTTPS section and click Pages. It’ll show all the pages.
You need to look for the title and URL. If you see anything that’s off, you can be sure it’s a hack.
Steps to Fix a Hacked WordPress Blog
If your WP website has been hacked, do not panic! You may end up making hasty decisions which could put your site in an even worse position than before.
Activate Maintenance Mode
Take a deep breath, and put your site in active maintenance mode. This will save your brand reputation and prevent the deindexing of your site from Google.
It’ll show your visitors a friendly message instead of a hacked page. Moreover, your search engine ranking will not be affected.
Use a plugin to show your visitors a maintenance page. I recommend Maintenance Mode by SeedProd; it is trusted by a million users.
Simply install the plugin and go to Settings. Upload your logo, write headlines and the message you want your visitors to see.

It will show a message similar to the one below.

If you’re unable to log into WordPress, simply create the maintenance message using cPanel. Go to File Manager and find the .htaccess file. If you have only one domain in your hosting account, then it’s probably in the public_html folder.

Click the file, and edit it.

Copy the whole text written inside .htaccess, and save it somewhere safe. Once that is done, delete the text written there, and replace it with this:
# Maintenance redirect. 123.456.789.123 is a placeholder for your own IP address,
# which is exempted so you can still reach the site while you clean it up.
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.123$
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^(.*)$ https://example.com/maintenance.html [R=307,L]
Note: Make sure you replace example.com with your domain name. This .htaccess will redirect all your blog’s pages to maintenance.html.
But wait, you don’t have the maintenance.html file, right?
You can search different maintenance HTML templates online. Just make sure the file name is maintenance.html, otherwise it won’t work.
Once downloaded, upload the file to the root directory of your website using the cPanel File Manager.

Once that is done it will automatically redirect your website to the maintenance.html page just like this:

Want to edit the template? Go to W3Schools to edit this template. Don’t forget to click Run.

After you’ve edited it, save it in the maintenance.html file.
Note: Most hackers also infect the .htaccess file to redirect your site to another page.
Regular Backups
This is more of a preventative measure, but regularly backing up your website can save you all the headache that comes with a hack as you can simply roll the site back to an earlier date before the hack occurred. Additionally, backups can save your site in case something else goes wrong, like rogue plugins or any other misconfiguration or overload.
Backups can be created in two ways, via the cPanel or plugins.
Here’s how you can do it using cPanel.
Go to cPanel. Find WordPress under 1 Click App Installer. It may be located in a different location depending on your hosting.

Click the Backup Icon; it will create a backup of your entire site.

Want to retrieve it? Click the Download icon, and then press the Upload icon.

Additionally, you can use different plugins to create, update and store backups regularly, such as the All in One Migration and Updraft.

Here is how Updraft’s plugin works.
Install the plugin and select the Backup Now option.
It will then ask which files should be included in the backup.

When you’re done, you can Restore it easily.

Reset Your Passwords
It seems quite obvious, but so many people rarely change their passwords. In the case of a hack event you must change the passwords for the following accounts:
- Hosting.
- Domain registry.
- All WordPress users.
- All associated email accounts.
If the same password is being used for any other service, don’t forget to change it there too.
Use the Pwned Passwords tool to see if your password has been compromised. For example, if you enter “123456”, it shows this password has been used more than 23 million times.

I recommend using LastPass, or any other password manager that can create a strong password. I’ve been using this tool for 4 years, and have saved passwords of more than 900 sites.
You can use LastPass to generate powerful passwords that a supercomputer would take years to decode through a brute-force attack.

Remove Suspicious Users
Hackers create users to make changes on your website. Look at your Users section for any suspicious users.

Remove Unknown Files
This is one of the least talked about hacks on the web. Hackers change the scripts on your site and no antivirus has the feature to compare the modified files with the original ones.
Scooter Software’s Beyond Compare program can identify those changes that hackers have made to your files. This is done by comparing the modified versions of the files with the versions that existed when your website was working.
It shows all the changes applied to scripts (line by line), and in a folder.

But first you need to download the original plugins, themes, and core files of WordPress in order to do the compare.
Download the latest WordPress, and unzip it.

Then download the WordPress folder of your website from cPanel or FTP.
After that, you can compare the files. They might show up color-coded. Red means it has been modified.

In addition to that, you can compare your files in a folder.

Files shown in purple are the new files. Have your dev delete the purple files.
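The same folder comparison can be scripted. The following is an added example, not part of the original article or of Beyond Compare: it hashes a clean reference copy and the downloaded site copy and reports modified, new and missing files. The directory layout and file contents are constructed samples.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def compare_trees(clean_root, site_root):
    """Compare the downloaded site copy against a clean reference copy.

    modified: same path, different content (the red files in the article)
    added:    only on the site (the purple files); uploads and wp-config.php
              land here too, so review before deleting anything
    missing:  only in the clean copy
    """
    clean, site = hash_tree(clean_root), hash_tree(site_root)
    return {
        "modified": sorted(p for p in clean.keys() & site.keys() if clean[p] != site[p]),
        "added": sorted(site.keys() - clean.keys()),
        "missing": sorted(clean.keys() - site.keys()),
    }


def build_sample(base):
    """Constructed sample: a clean tree and a tampered copy of it."""
    clean, site = Path(base, "clean"), Path(base, "site")
    for root in (clean, site):
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-login.php").write_text("<?php // login form\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x.y';\n")
    (clean / "readme.html").write_text("<html></html>\n")
    # Tampering: one core file altered, one unknown file dropped in.
    (site / "wp-login.php").write_text("<?php // login form\n// injected line\n")
    (site / "wp-includes" / "class-cache.php").write_text("<?php // unknown file\n")
    return clean, site


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_trees(*build_sample(tmp)).items():
            print(kind, paths)
```

The reference copy must be the same WordPress, theme and plugin versions as the site, otherwise ordinary version differences show up as modified files.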
Remove Unknown Code
Hackers usually infect the scripts of files with the functions listed below:
- base64
- str_rot13
- gzuncompress
- eval
- exec
- system
- assert
- stripslashes
- preg_replace (with the /e modifier)
- move_uploaded_file
PHP knowledge is a prerequisite to being able to locate a detrimental string.
If you want to find those functions you have to install a plugin called String Locator.

Enter the functions I just listed in the bulleted list above.

When you click on the file, it takes you to the exact line.

Once identified, you can have your dev remove that line of code.
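The search described here and under "Scanning PHP Functions" can also be run offline against a downloaded copy of the site. This is an added example, not the String Locator plugin's code: it walks a directory, reports file and line for each call to the functions listed in this article, and flags preg_replace only when the pattern carries the /e modifier. The sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Names from the two function lists in this article. A hit is a lead for manual
# review, not proof of infection: legitimate plugins call some of these too.
NAMES = ["base64_decode", "str_rot13", "strrev", "gzinflate", "gzuncompress",
         "eval", "exec", "system", "assert", "stripslashes", "move_uploaded_file"]
# Match real calls only: skip $vars, ->methods, ::statics and longer names.
CALL_RE = re.compile(r"(?<![\w$>:])(" + "|".join(NAMES) + r")\s*\(", re.I)
# preg_replace matters only with the /e modifier in its first (pattern) argument.
PREG_E_RE = re.compile(r"preg_replace\s*\(\s*(['\"])(\W)(?:(?!\1).)*?\2\w*e\w*\1", re.I)


def scan_tree(root):
    """Return (relative_path, line_no, function_name) hits for PHP files under root."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for line_no, line in enumerate(text.splitlines(), start=1):
            found = {m.group(1).lower() for m in CALL_RE.finditer(line)}
            if PREG_E_RE.search(line):
                found.add("preg_replace /e")
            hits.extend((rel, line_no, name) for name in sorted(found))
    return hits


def build_sample_site(root):
    """Constructed sample tree: one clean file and one with planted markers."""
    root = Path(root)
    (root / "wp-content").mkdir(parents=True)
    (root / "index.php").write_text(
        "<?php\n// evaluate the template\n$db->exec($sql);\nrequire 'wp-blog-header.php';\n")
    (root / "wp-content" / "cache.php").write_text(
        "<?php\n"
        "eval(base64_decode('Y29uc3RydWN0ZWQ='));\n"
        "$s = preg_replace('/.*/e', $a, '');\n"
        "$t = preg_replace('/e+/i', '', $s);\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, line_no, name in scan_tree(build_sample_site(tmp)):
            print(f"{rel}:{line_no}: {name}")
```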
Reinstall WordPress Core
If the damage is widespread and deep, you may need to reinstall the WordPress core files. The important part is doing this without affecting:
Be sure to have your dev do this for you as a reinstall can sometimes “break” your site if some plugins don’t play nice with the new core. This typically requires a quick patch (which is minor work for a dev).
Go to Dashboard > Updates. Click Reinstall Now.

Reinstall htaccess File
One possible hack is that your .htaccess file has been manipulated. In this scenario you need to delete the .htaccess file and replace it with the default .htaccess that you can download from here.
It looks like this:
Once you’ve done that reinstall the core files of WordPress as well as your themes and plugins.
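Before deleting a manipulated .htaccess, it helps to see what was added to it. The following is an added example, not code from the original article: it flags redirect directives that point to a host other than your own and rewrite conditions keyed on the visitor's referer or user agent. The sample file is constructed (the stock WordPress rewrite block plus two injected lines), and example.com and spam.example are placeholder hosts.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the stock WordPress rewrite block, then two injected
# lines of the kind to look for (spam.example is a placeholder host).
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing) [NC]
RewriteRule ^(.*)$ http://spam.example/landing [R=302,L]
"""

REDIRECTING = {"rewriterule", "redirect", "redirectmatch", "redirectpermanent",
               "redirecttemp", "errordocument"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
VISITOR_COND_RE = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}", re.I)


def audit_htaccess(text, own_hosts):
    """Return (line_no, reason, line) for directives that deserve a manual look."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0].lower()
        if directive == "rewritecond" and VISITOR_COND_RE.search(line):
            # Rules that depend on referer or user agent can hide a redirect
            # from the site owner; some legitimate bot-blocking rules match too.
            findings.append((line_no, "condition on referer or user agent", line))
        elif directive in REDIRECTING:
            for url in URL_RE.findall(line):
                host = (urlsplit(url).hostname or "").lower()
                if host not in own:
                    findings.append((line_no, f"sends visitors to external host {host}", line))
    return findings


if __name__ == "__main__":
    for line_no, reason, line in audit_htaccess(SAMPLE_HTACCESS, {"example.com"}):
        print(f"line {line_no}: {reason}: {line}")
```

The maintenance-mode rules from earlier in this guide produce no findings when your own domain is passed in own_hosts, because their redirect stays on the same host.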

Delete Unknown URLs
Remember when we talked about using your website’s sitemap (and crawling your site with a spider) to identify unknown URLs?
Copy the unknown URLs that hackers have created and remove them from your website (leave them as 404’d since any sort of redirection will carry associated negativity back to your main pages).
Resubmit Your Sitemap to Google
Once you’ve completed the above-mentioned steps (as well as removed the infected files and pages) you need to remove the sitemap from Google Search Console.

After that, you must resubmit it.

Remove Other Language Pages from Google Results
You need to make a list of the pages shown in Google results that you want to remove.
Go to https://www.google.com/webmasters/tools/url-removal to remove suspicious URLs.

It’ll remove the search results from Google’s index immediately.
Request a Review in Google’s Search Console
You’ve submitted the sitemap? Now you have to request a review from Google via the Search Console. Once submitted, you’ll have to wait for a response from Google.

If Google tells you that your site is still hacked, you need to investigate the issue more deeply. If not, it’s all clear. Congratulations!
Security Tips to Protect Your Website from being Hacked
There’s a lot you can do to protect your website, and make it less vulnerable to attacks.
Secure Hosting
People rush in to buy cheap hosting which often ends up being hacked sooner or later. Cheap hosting is one of the top reasons WP sites get hacked.
At the end of the day, most hacking attempts are directed at websites that are typically poorly constructed or use cheap hosting services.
Such websites can be easily tracked with reverse engineering. There is software like Hacker Target that can trace back every website that uses the same type of hosting to hack similar websites.

Having reliable and secure hosting will eliminate half the potential for your site to get hacked. I personally recommend AWS. Not only do they have the most secure and up to date environments, but they utilize a CDN which helps with page load speed (a key element to on-page SEO).
Updated Plugins and Themes
According to another research study, vulnerable plugins are the number one reason for hacks. It seems obvious, yet people often neglect updating their plugins and themes, which results in their blogs getting hacked.

Having the most up-to-date plugins helps avoid vulnerabilities and bugs, which makes it harder for a hacker to attack or penetrate your site.
Worried an update will mess up your site? Always create a backup before updating, and always have your dev do the update.
Additionally, nulled themes (i.e. bootleg themes) and plugins allow hacking. Beware when you take help from a freelancer. They may use a nulled theme that might put your site at risk in the future.
Regular Backups
As I mentioned earlier in the article, create frequent backups of your website (preferably every day). If it gets hacked, it will only take a few minutes to recover your site.
Use Two-Factor Authentication (2FA)
When you use 2FA, even the hacker that steals your credentials can’t sign in until you provide a specific code.
Install Google Authenticator by MiniOrange.

You need to configure Google Authenticator by installing the app on your smartphone first and connecting it with your blog.

Activity Logs
As mentioned earlier, activity logs are a helpful way to investigate potential issues as every activity is recorded.
Install WP Security Audit Log to view all activities that take place on your blog.

Once activated, click Audit Log. It’ll show every activity, even the smallest one that took place on your WordPress blog.

Final Words
As WordPress websites continue to take dominant market share on the web, hackers will always be inclined to target them. However, one can easily prevent hacks, as well as fix their sites after a hacking event.
Here is a summary of steps you should take to remove malware from your hacked WordPress:
- Activate maintenance mode.
- Create a backup.
- Reset all passwords.
- Remove suspicious users.
- Remove unknown files.
- Remove unknown code.
- Reinstall WP core.
- Reinstall htaccess file.
- Delete unknown URLs.
- Resubmit sitemap to Google.
- Remove other language pages from Google results.
- Request a manual review of your website by Google.
Do you have an interesting WordPress hacking story? Tell us about it in the comments section below!