Every year, hundreds of thousands of WordPress blogs and websites are hacked. This leads to the question, how do I know if my WordPress site is hacked?
How do I tell if my WordPress site is hacked?
Sometimes it is very easy to tell, especially if a website is defaced. But most of the time malicious hackers do a very good job at hiding their activity. In many cases it takes weeks for a businesses to realize their website is hacked. Sometimes it takes months or years!
Follow these tips to check if your website is hacked or if you suspect it is hacked. The sooner you identify a hack attack, the easier it is recover it and the less damage is done.
Keep an audit trail to monitor users & under the hood activity on WordPress
A good indicator of a hacked WordPress website is unusual user activity, such as creation of new users, existing users’ password changes, user role changes, unapproved new content and modification of existing content. It is impossible to track such under the hood WordPress activity, especially on a multi-user blog unless you use a WordPress activity log plugin. A plugin such as WP Activity Log is very easy to use – just install it and it automatically keeps track of all the changes that happen on your WordPress website.
Run frequent malware scans
However, if you do not have a premium malware and WordPress security service you can start by scanning your website with their free Sucuri SiteCheck. This free scanner scans your website for a number of known problems such as malware infections, spam, irregular redirects and several other issues typically found on hacked websites. In most cases the free Sucuri SiteCheck will do the job, even though they only scan a limited number of pages.
Monitor WordPress files for changes
Malicious hackers inject malware on a WordPress website, or embed a backdoor by modifying the source code of the web application (WordPress). So another great way to identify malicious hack attacks is to scan your WordPress for file changes. The process of scanning your website for new, deleted or modified files is called file file integrity monitoring (and scanning).
When you scan your site for file changes look for new files in the web root, modified index.php and functions.php files, new redirect rules or changes in the .htaccess files to infected domains and similar. If you can, search your entire file structure for strings such as “base64” to check for encoded code.
Monitor website traffic
The traffic of your website is another good indicator of a successful hack attack. Keep an eye out for unusual activity in website traffic, such as sharp increases or decreases. For example if an old blog post or page that never ranked well suddenly becomes very popular for no apparent reason, it might be infected. If your WordPress site caters for the European market, and suddenly there is a burst of traffic from non European countries, that as well can be an indication that something is wrong with your website.
You can watch closely your WordPress site traffic and ranking activity by using tools such as Google Analytics and Google Search Console.
Notifications in Google Search Console and web browsers
There are several benefits to adding your website to the Google Search Console. One of them is it monitors your website for malware and other types of infections. The Google Search Console alerts you via email if it identifies a malware infection on the website. Google also displays the below warning sign to visitors who are trying to visit your website.
You can also check if Google identified malware or any other type of malicious code on your website from the Safe Browsing site status.
Check the web server and website control panel
Some hack attacks are very sophisticated. Some of them can also have an impact on the web server. For example, the attackers create users on the server’s operating system if they manage to escalate the privileges. Another common server level thing they do is a schedule to automatically re-infect the website if cleaned. Sometimes they store illegal torrent downloads or large files outside the web root. So it is a good idea to scan the whole operating system.
Run frequent security routine checks if you manage your own web server. Document all the operating system users, scheduled tasks (cron jobs) and files so when something changes you know of it. There are several commercial and non-commercial tools that can help you monitor your web server. If you have a managed solution use your provider’s control panel (such as CPanel) to monitor the scheduled tasks (cron jobs), ftp users and files.
Check all the log files
Last but not least, review all the logs. We have already mentioned the WordPress activity logs, however there are many other log files WordPress site admins should check. Log files contain a wealth of information if you know what to look for and where. From the log files you can find out exactly what has happened on your web server and WordPress site.
Keeping your WordPress Hacker Free
Identifying an attack early means less damage. It also means it is easier and it will cost less to fix. However, follow the below security best practices so your WordPress site does not get hacked in the first place:
- keeping a activity log and use it for your WordPress Intrusion Detection System (IDS),
- Use a security service such as Sucuri or Malcare,
- Scanning your WordPress site for file changes to identify developers’ left-over files,
- Implementing strong password policies in WordPress.
Also, keep yourself informed by following WP Security Bloggers, which is a central source of WordPress security news.