12 Signs Your WordPress Site Is Hacked (And How to Fix It)

We are often asked, how do I check if my WordPress site has been hacked?

There are some common telltale signs that may help you figure out if your WordPress is hacked or compromised.

In this article, we’ll share some of the most common signs that your WordPress site is hacked and what you can do to clean it up.

Signs to look for when your WordPress website is hacked

1. Sudden Drop in Website Traffic

If you look at your analytics reports and see a sudden drop in traffic, even though Google Analytics is set up properly, then this could be a sign that your WordPress site is hacked.

A sudden drop in traffic can be caused by different factors.

For instance, malware on your website may be redirecting non-logged-in visitors to spam websites.

Another possible reason for the sudden drop in traffic could be that Google’s safe browsing tool is showing warnings to users regarding your website.


Each day, Google blacklists around 10,000 websites for malware and thousands more for phishing. That’s why every website owner needs to pay serious attention to their WordPress security.

You can check your website using Google’s safe browsing tool to see your safety report.

2. Bad Links Added to Your Website

Data injection is one of the most common signs of a hacked WordPress. Hackers create a backdoor on your WordPress site which gives them access to modify your WordPress files and database.

Some of these hacks add links to spammy websites. Usually these links are added to the footer of your website, but they could be anywhere. Deleting the links doesn’t guarantee that they won’t come back.

You will need to find and fix the backdoor used to inject this data into your website. See our guide on how to find and fix a backdoor in a hacked WordPress site.

3. Your Website’s Homepage is Defaced


This is probably the most obvious one as it is clearly visible on the homepage of your website.

Most hacking attempts do not deface your site’s homepage because they want to remain unnoticed for as long as possible.

However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some may even try to extort money from site owners.

4. You Are Unable to Log In to WordPress

If you are unable to log in to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.

Since the account doesn’t exist, you would not be able to reset your password from the login page.

There are other ways to add an admin account using phpMyAdmin or via FTP. However, your site will remain unsafe until you figure out how the hackers got into your website.

5. Suspicious User Accounts in WordPress


If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete.

However, if you don’t remember allowing user registration and you still see new user accounts in WordPress, then your site is probably hacked.

Usually the suspicious account will have the administrator user role, and in some cases you may not be able to delete it from your WordPress admin area.

6. Unknown Files and Scripts on Your Server


If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.

To find the files, you need to connect to your WordPress site using an FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.

Usually, these files are named similarly to WordPress files so that they can hide in plain sight. To recognize them yourself, you will need to audit the file and directory structure. However, deleting these files will not guarantee that they won’t return.

7. Your Website is Often Slow or Unresponsive


All websites on the internet can become the target of random denial of service or DDoS attacks. These attacks use several hacked computers and servers from all over the world using fake IP addresses.

Sometimes they are just sending too many requests to your server, while other times they are actively trying to break into your website.

Any such activity will make your website slow, unresponsive, and unavailable. You can check your server logs to see which IPs are making too many requests and block them, but that may not fix the problem if there are too many or if the hackers change IP addresses.

It is also possible that your WordPress site is just slow and not hacked. In that case, you should follow our guide to boost WordPress speed and performance.

8. Unusual Activity in Server Logs

Server logs are plain text files stored on your web server. These files keep a record of all errors occurring on your server as well as all your internet traffic.

You can access them from your WordPress hosting account’s cPanel dashboard under Statistics.

These server logs can help you understand what’s going on when your WordPress site is under attack.

They also contain all the IP addresses used to access your website, so you can block suspicious IP addresses.

They will also indicate server errors that you may not see inside your WordPress dashboard and may be causing your website to crash or be unresponsive.
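The log checks described in signs 7 and 8 can be scripted. The following is an added example, not code from the original article; it assumes a combined-format access log, and the sample log lines (documentation-range IP addresses, paths and timestamps) are constructed.

```shell
#!/bin/sh
# Added example: summarise a combined-format access log per client IP.
# Fields: $1 = client IP, $6 = "METHOD, $7 = request path.

# Constructed sample log, so the script runs without a real server.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-content/uploads/2024/03/hello.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-content/uploads/2024/03/hello.php HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
EOF
}

# busy_ips N: read a log on stdin, print "count ip" for every IP that
# made at least N requests, busiest first.
busy_ips() {
    awk -v t="$1" '{ n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' | sort -rn
}

# login_posts: print "count ip" for POST requests to wp-login.php,
# the pattern left by repeated password guessing.
login_posts() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" { n[$1]++ }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# uploads_php_hits: print "count ip path" for any request to a .php file
# under wp-content/uploads, a folder that should only hold media files.
uploads_php_hits() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php([?]|$)/ { n[$1 " " $7]++ }
        END { for (k in n) print n[k], k }' | sort -rn
}

echo "IPs with 4 or more requests:"; sample_log | busy_ips 4
echo "POSTs to wp-login.php:";       sample_log | login_posts
echo "PHP requests under uploads:";  sample_log | uploads_php_hits
```

To run it against a real log, replace `sample_log` with `cat` on the access log file downloaded from your host.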

9. Failure to Send or Receive WordPress Emails


Hacked servers are commonly used for sending spam. Most WordPress hosting companies offer free email accounts with your hosting. Many WordPress site owners use their host’s mail servers to send WordPress emails.

If you are unable to send or receive WordPress emails, then there is a chance that your mail server is hacked to send spam emails.

10. Suspicious Scheduled Tasks

Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to set up scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.

A hacker can exploit cron jobs to run scheduled tasks on your server without you knowing it.

To learn more about cron jobs, see our guide on how to view and control WordPress cron jobs.

11. Hijacked Search Results


If the search results from your website show incorrect titles or meta descriptions, then this is a sign that your WordPress site is hacked.

Looking at your WordPress site, you will still see the correct title and description.

The hacker has again exploited a backdoor to inject malicious code which modifies your site data in a way that it is visible only to search engines.

12. Popups or Pop Under Ads on Your Website

These types of hacks are trying to make money by hijacking your website’s traffic and showing visitors their own spam ads.

These popups do not appear for logged in visitors or visitors accessing a website directly.

They only appear to the users visiting from search engines. Pop-under ads open in a new window and remain unnoticeable by users.

13. Core WordPress Files Are Changed


If your core WordPress files are changed or modified in some way, then that’s an important sign that your WordPress site is hacked.

Hackers may simply modify a core WordPress file and place their own code inside it. They may also create files with names similar to WordPress core files.

The easiest way to track those files is by installing a WordPress security plugin that monitors the health of your core WordPress files. You can also manually check your WordPress folders to look for any suspicious files or scripts.
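One way to do the manual check is to compare the site's core folders against a clean copy. This is an added example, not code from the original article; it assumes you have unpacked an unmodified download of the same WordPress version next to a copy of the site, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare wp-admin and wp-includes of a site against a
# clean copy of the same WordPress release.
# Assumption: CLEAN is an unpacked, unmodified download of that release.

# audit_core SITE CLEAN: print "EXTRA path" for files that exist only in
# the site and "CHANGED path" for files whose contents differ.
audit_core() {
    site=$1
    clean=$2
    ( cd "$site" && find wp-admin wp-includes -type f 2>/dev/null | sort ) |
    while IFS= read -r f; do
        if [ ! -e "$clean/$f" ]; then
            echo "EXTRA $f"
        elif ! cmp -s "$site/$f" "$clean/$f"; then
            echo "CHANGED $f"
        fi
    done
}

# Constructed sample: a "clean" tree and a "site" tree with one added
# file and one modified file. File contents are harmless placeholders.
make_sample_pair() {
    base=$(mktemp -d) || return 1
    for root in clean site; do
        mkdir -p "$base/$root/wp-admin" "$base/$root/wp-includes"
        printf '<?php // constructed stand-in for index.php\n' \
            > "$base/$root/wp-admin/index.php"
        printf '<?php // constructed stand-in for user.php\n' \
            > "$base/$root/wp-includes/user.php"
    done
    # A file with a core-looking name that the clean copy does not have
    printf '<?php // constructed placeholder\n' \
        > "$base/site/wp-includes/wp-user.php"
    # A core file with an extra line appended
    printf '// constructed extra line\n' >> "$base/site/wp-admin/index.php"
    echo "$base"
}

pair=$(make_sample_pair)
audit_core "$pair/site" "$pair/clean"
rm -rf "$pair"
```

WP-CLI's `wp core verify-checksums` command performs a comparable check against the official checksums if WP-CLI is available on the server.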

14. Users Are Randomly Redirected to Unknown Websites


If your website is redirecting visitors to an unknown website, then that’s another important sign that your website may be hacked.

This hack often goes unnoticed as it does not redirect logged-in users. It may also not redirect visitors accessing the website directly by typing the address in their browser.

These types of hacks are often caused by a backdoor or malware installed on your website.

Securing and Fixing Your Hacked WordPress Site

Cleaning up a hacked WordPress site can be incredibly painful and difficult. This is why we recommend you let experts clean up your website.

We use Sucuri to protect all our websites. See how Sucuri helped us block 450,000 WordPress attacks in 3 months.

It comes with 24/7 website monitoring and a powerful website application firewall, which blocks attacks before they even reach your website. Most importantly, they clean up your website if it ever gets hacked.

If you want to clean up your site on your own, then take a look at our beginner’s guide on fixing a hacked WordPress site.

Keeping Your WordPress Website Secure from Future Attacks

Once your website is clean, you can secure it by making it extremely difficult for hackers to gain access to your website.

Securing a WordPress website involves adding layers of protection around your website. For instance, using strong passwords with 2-step verification can protect your WordPress admin area from unauthorized logins.

Similarly, you can block access to important WordPress files to protect them or set WordPress files and folder permissions correctly.

For more details, see our ultimate WordPress security guide which will walk you through all the steps you should take to make your WordPress site secure.

We hope this article helped you learn the signs to look for in a hacked WordPress site.

You may also want to see our guide on how to get a free SSL certificate, or our expert comparison of the best business phone services for small business.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

The post 12 Signs Your WordPress Site Is Hacked (And How to Fix It) first appeared on WPBeginner.

How to Find a Backdoor in a Hacked WordPress Site and Fix It

Has your WordPress website been hacked?

Hackers will often install a backdoor to make sure they can get back in even after you secure your website. Unless you can remove that backdoor, there’s no stopping them.

In this article, we’ll show you how to find a backdoor in a hacked WordPress site and fix it.


How to Tell if Your Website Has Been Hacked

If you are running a WordPress website, then you need to take security seriously. That’s because websites are attacked an average of 44 times every day.

You can learn best practices to keep your site safe in our ultimate WordPress security guide.

But what if your site has already been hacked?

Some signs your WordPress site has been hacked include a drop in website traffic or performance, added bad links or unknown files, a defaced home page, an inability to log in, suspicious new user accounts, and more.

Cleaning up a hacked website can be incredibly painful and difficult. We take you through the process step by step in our beginner’s guide to fixing your hacked WordPress site. You should also make sure you scan your site for any malware that the hackers left.

And don’t forget to close the backdoor.

A smart hacker knows that you’ll eventually clean up your website. The first thing they might do is install a backdoor, so they can sneak back in after you secure the front door to your WordPress website.

What Is a Backdoor?

A backdoor is code added to a website that allows a hacker to access the server while remaining undetected, and bypassing the normal login. It allows a hacker to regain access even after you find and remove the exploited plugin or vulnerability to your website.

Backdoors are the next step of a hack after the hacker has broken in. You can learn how they may have done that in our guide on how WordPress sites get hacked and how to prevent it.

Backdoors often survive WordPress upgrades. That means your site will remain vulnerable until you find and fix every backdoor.

How Do Backdoors Work?

Some backdoors are simply hidden admin usernames. They let the hacker log in as normal by typing a username and password. Because the username is hidden, you’re not even aware that someone else has access to your website.

More complex backdoors can allow the hacker to execute PHP code. They manually send the code to your website using their web browser.

Others have a full-fledged user interface that allows them to send emails as your WordPress hosting server, execute SQL database queries, and much more.

Some hackers will leave more than one backdoor file. After they upload one, they will add another to ensure their access.

Where Are Backdoors Hidden?

In every case we’ve found, the backdoor was disguised to look like a WordPress file. The code for backdoors on a WordPress site is most commonly stored in the following locations:

  1. A WordPress theme, but probably not the one you’re currently using. Code in a theme is not overwritten when you update WordPress, so it’s a good place to put a backdoor. That’s why we recommend deleting all inactive themes.
  2. WordPress plugins are another good place to hide a backdoor. Like themes, they’re not overwritten by WordPress updates, and many users are reluctant to upgrade plugins.
  3. The uploads folder may contain hundreds or thousands of media files, so it’s another good place to hide a backdoor. Bloggers almost never check its contents because they just upload an image and then use it in a post.
  4. The wp-config.php file contains sensitive information used to configure WordPress. It’s one of the most highly targeted files by hackers.
  5. The wp-includes folder contains PHP files required for WordPress to run properly. It’s another place that we find backdoors because most website owners don’t check to see what the folder contains.

Examples of Backdoors We’ve Found

Here are some examples of where hackers have uploaded backdoors. In one site we cleaned up, the backdoor was in the wp-includes folder. The file was called wp-user.php, which looks innocent enough, but that file doesn’t actually exist in a normal WordPress installation.

In another instance, we found a PHP file named hello.php in the uploads folder. It was disguised as the Hello Dolly plugin. What’s strange is that the hacker put it in the uploads folder instead of the plugins folder.

We’ve also found backdoors that don’t use the .php file extension. One example was a file named wp-content.old.tmp, and we’ve also found backdoors in files with a .zip extension.

As you can see, hackers can take very creative approaches when hiding a backdoor.

In most cases, the files were encoded with Base64 code that can perform all sorts of operations. For example, they can add spam links, add additional pages, redirect the main site to spammy pages, and more.

With that being said, let’s take a look at how to find a backdoor in a hacked WordPress site and fix it.

How to Find a Backdoor in a Hacked WordPress Site and Fix It

Now you know what a backdoor is and where it might be hidden. The difficult part is finding it! After that, cleaning it up is as easy as deleting the file or code.

1. Scan for Potentially Malicious Code

The easiest way to scan your website for backdoors and vulnerabilities is with a WordPress malware scanner plugin. We recommend Sucuri because it helped us block 450,000 WordPress attacks in 3 months, including 29,690 backdoor related attacks.

They offer a free Sucuri Security plugin for WordPress that lets you scan your website for common threats and harden your WordPress security. The paid version includes a server side scanner that runs once each day and looks for backdoors and other security issues.

Learn more in our guide on how to scan your WordPress site for potentially malicious code.

2. Delete Your Plugins Folder

Searching through your plugin folders looking for suspicious files and code is time consuming. And because hackers are so sneaky, there’s no guarantee you will find a backdoor.

The best thing you can do is delete your plugins directory, and then reinstall your plugins from scratch. This is the only way to know for sure that there are no backdoors in your plugins.

You can access your plugins directory using an FTP client or your WordPress host’s file manager. If you haven’t used FTP before, then you may want to see our guide on how to use FTP to upload files to WordPress.

You will need to use the software to navigate to your website’s wp-content folder. Once there, you should right click on the plugins folder and select ‘Delete’.


3. Delete Your Themes Folder

In the same way, instead of spending time searching for a backdoor among your theme files, it’s better just to delete them.

After you delete your plugin folder, simply highlight the themes folder and delete it in the same way.

You don’t know whether there was a backdoor in that folder, but if there was, it’s gone now. You just saved time and you eliminated an extra point of attack.

Now you can reinstall any themes that you need.

4. Search the Uploads Folder for PHP Files

Next, you should take a look through the uploads folder and make sure that there are no PHP files inside.

There is no good reason for a PHP file to be in this folder because it’s designed to store media files such as images. If you find a PHP file there, then it should be deleted.

Like the plugins and themes folders, you’ll find the uploads folder in the wp-content folder. Inside the folder you will find multiple folders for each year and month you have uploaded files. You will need to check each folder for PHP files.

Some FTP clients offer tools that will search the folder recursively. For example, if you use FileZilla, then you can right click the folder and select ‘Add files to queue’. Any files found in any subdirectories of the folder will be added to the queue in the bottom pane.


You can now scroll through the list looking for files with the .php extension.

Alternatively, advanced users who are familiar with SSH can write the following command:

find uploads -name "*.php" -print
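The command above only matches files by name, while the examples earlier in this article include backdoors without a .php extension, such as wp-content.old.tmp, and files encoded with Base64. The following is an added example, not code from the original article, that also checks file contents; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list files in an uploads tree that are PHP by name or
# by content, so renamed backdoors are not missed by a name-only search.

# scan_uploads DIR: print relative paths of files that carry a PHP
# extension or contain a PHP open tag, whatever their extension.
# .phtml and .phar are included because some servers are configured to
# run them as PHP.
scan_uploads() {
    (
        cd "$1" || exit 1
        {
            find . -type f \( -iname '*.php' -o -iname '*.phtml' \
                -o -iname '*.phar' \) -print
            find . -type f -exec grep -lF '<?php' {} +
        } | sort -u
    )
}

# flag_base64 DIR: print files that call base64_decode. Legitimate code
# uses it too, so treat a hit as a lead to review, not as proof.
flag_base64() {
    ( cd "$1" && find . -type f -exec grep -lF 'base64_decode' {} + | sort -u )
}

# Constructed sample tree with harmless placeholder contents.
make_sample_uploads() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/2024/03"
    printf 'constructed stand-in for an image\n' > "$d/2024/03/photo.jpg"
    printf '<?php /* constructed placeholder */ ?>\n' > "$d/2024/03/hello.php"
    printf '<?php $s = base64_decode("aGVsbG8="); ?>\n' \
        > "$d/2024/03/wp-content.old.tmp"
    echo "$d"
}

tree=$(make_sample_uploads)
echo "PHP by name or content:"; scan_uploads "$tree"
echo "Calls base64_decode:";    flag_base64 "$tree"
rm -rf "$tree"
```

On a real site, pass the path to wp-content/uploads instead of the sample tree. A compressed archive hides its contents from the text search, so .zip files in uploads still need a manual look.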

5. Delete the .htaccess File

Some hackers may add redirect codes to your .htaccess file that will send your visitors to a different website.

Using an FTP client or file manager, simply delete the file from your website’s root directory, and it will be recreated automatically.


If for some reason it isn’t recreated, then you should go to Settings » Permalinks in your WordPress admin panel. Clicking the ‘Save Changes’ button will save a new .htaccess file.


6. Check the wp-config.php File

The wp-config.php file is a core WordPress file that contains information that allows WordPress to communicate with the database, the security keys for your WordPress installation, and developer options.

The file is found in your website’s root folder. You can view the file’s contents by selecting the Open or Edit options in your FTP client.


Now you should look at the contents of the file carefully to see if there is anything that looks out of place. It might be helpful to compare the file with the default wp-config-sample.php file which is located in the same folder.

You should delete any code that you’re certain doesn’t belong.

7. Restore a Website Backup

If you have been making regular backups of your website and are still concerned that your website isn’t completely clean, then restoring a backup is a good solution.

You will need to completely delete your website and then restore a backup that was taken before your website was hacked. This isn’t an option for everyone, but it will leave you 100% confident that your site is safe.

For more information, see our beginner’s guide on how to restore WordPress from backup.

How to Prevent Hacks in the Future?

Now that you’ve cleaned up your website, it’s time to improve your site’s security to prevent hacks in the future. It doesn’t pay to be cheap or apathetic when it comes to website security.

1. Regularly Back Up Your Website

If you don’t already make regular backups of your website, then today is the day to start.

WordPress does not come with a built-in backup solution. However, there are several great WordPress backup plugins which allow you to automatically back up and restore your WordPress website.

UpdraftPlus is one of the best WordPress backup plugins. It allows you to set up automatic backup schedules and will help you restore your WordPress site if something bad happens.

Learn more in our guide on how to backup and restore your WordPress site with UpdraftPlus.


2. Install a Security Plugin

You can’t possibly monitor everything that happens on your website when you’re busy working on your business. That’s why we recommend you use a security plugin like Sucuri.

We recommend Sucuri because they’re good at what they do. Major publications like CNN, USA Today, PC World, TechCrunch, The Next Web, and others agree. Plus, we rely on it ourselves to keep WPBeginner secure.

3. Make WordPress Login More Secure

It’s also important that you make your WordPress login more secure. The best way to start is to enforce the use of strong passwords when users create an account on your website. We also recommend you start using a password manager utility like 1Password.

The next thing you should do is add two-factor authentication. This will protect your website against stolen passwords and brute force attacks. It means that even if a hacker knows your username and password, they still won’t be able to log in to your website.

Finally, you should limit login attempts in WordPress. WordPress allows users to enter passwords as many times as they want. Locking a user out after five failed login attempts will significantly reduce a hacker’s chance of working out your login details.

4. Protect Your WordPress Admin Area

Protecting the admin area from unauthorized access allows you to block many common security threats. We have a long list of tips on how you can keep WordPress admin safe.

For example, you can password protect the wp-admin directory. This adds another layer of protection to the most important entry point to your website.

You can also limit access to the admin area to the IP addresses used by your team. This is another way to lock out hackers who discover your username and password.

5. Disable Theme and Plugin Editors

Did you know that WordPress comes with a built-in theme and plugin editor? This plain text editor allows you to edit your theme and plugin files directly from the WordPress dashboard.

While this is helpful, it can lead to potential security issues. For example, if a hacker breaks into your WordPress admin area, then they can use the built-in editor to gain access to all your WordPress data.

After that, they will be able to distribute malware or launch DDoS attacks from your WordPress website.

To improve WordPress security, we recommend removing the built-in file editors completely.

6. Disable PHP Execution in Certain WordPress Folders

By default, PHP scripts can be run in any folder on your website. You can make your website more secure by disabling PHP execution in folders that don’t need it.

For example, WordPress never needs to run code stored in your uploads folder. If you disable PHP execution for that folder, then a hacker won’t be able to run a backdoor even if they successfully uploaded one there.

7. Keep Your Website Up to Date

Every new version of WordPress is safer than the previous one. Whenever a security vulnerability is reported, the core WordPress team works diligently to release an update that fixes the issue.

This means that if you are not keeping WordPress up to date, then you are using software with known security vulnerabilities. Hackers can search for websites running the older version and use the vulnerability to gain access.

That’s why you should always use the latest version of WordPress.

Don’t just keep WordPress up to date. You need to make sure that you also keep your WordPress plugins and themes current.

We hope this tutorial helped you learn how to find and fix a backdoor in a hacked WordPress website. You may also want to learn how to move WordPress from HTTP to HTTPS, or check out our list of WordPress errors and how to fix them.


The post How to Find a Backdoor in a Hacked WordPress Site and Fix It first appeared on WPBeginner.