How to Tell if Your WordPress is Hacked

By Robert Abela on August 29th, 2013 in WordPress Security Readings

Hundreds of thousands of WordPress blogs and websites get hacked every year. In 2012 more than 117,000 WordPress sites were hacked according to a WordPress security infographic. This leads to a question we are typically asked from our customers; how do I know if my WordPress is hacked?

How can I Find Out if My WordPress Website is Hacked?

Sometimes it is very easy to find out, especially if a website is defaced. But most of the time hackers do a very good job at hiding their malicious activity and sometimes it takes weeks, months and even years for a business or WordPress administrator to realize that their WordPress website was hacked. In this WordPress security article we will give you some pointers on how to identify if your WordPress website or blog is hacked. If you follow these few tips, and check your website frequently you will immediately identify when your website falls a victim of a malicious hack attack. And the sooner you realise your WordPress is hacked, the easier and cheaper it will be to recover and the less damage is done.

Keep a WordPress Audit Trail Monitor To Monitor WordPress Users and Under the Hood Activity

A good indicator of a hacked WordPress website is unusual user activity, such as creation of new users, existing users’ password changes, user role changes, generation of new unapproved content, modification of existing content etc. Such under the hood WordPress activity is impossible to track especially on a multi-user blog unless you have a plugin such as WP Security Audit Log WordPress security plugin. This WordPress plugin is very easy to use, just install it and it will automatically keep track of all WordPress activity and changes in an audit trail.

Frequent Malware Scans

Use the free version of Sucuri SiteCheck to scan your website against a number of known problems to determine if it has been hacked. The Sucuri SiteCheck looks for malware infections, spam, irregular redirects and several other typical security issues in a number of main pages on your website. You can also use the plugin Anti-Malware and Brute-Force Security by Eli though this plugin is targetted towards advanced users, hence if you are not a seasoned WordPress user don’t use this plugin. In most cases the free Sucuri SiteCheck will do the job because even though they only scan a limited number of pages. Typically hackers infect a website’s main page and other popular pages. It is very uncommon to infect a page which is very difficult to reach, i.e. that beats the whole purpose of easily distributing malware.

Note: Sucuri also have a paid version of their service which includes frequent automated scans.

Monitor WordPress Files For Changes

When malicious hackers hack into a WordPress site or any other type of website to inject it with malware, they typically modify the source code of the web application to include their own malicious source code. Therefore another way to identify a malicious hack attack is to monitor your WordPress files by checking if new files have been added to your website, or if some existing files have been removed or modified.

Look for new files in the upload directory and web root, modified index.php and functions.php files, redirect rules in .htaccess files to infected domains etc. Search your entire file structure for strings such as “base64” to check for encoded code. There are several plugins available that can help you keep track of all file changes. An alternate recommended practice is to do a frequent WordPress security audit.

Monitor WordPress Site Activity and Traffic

The traffic of your website can also be another major indicator your WordPress website has been hacked. Unusual activity typically in the form of spikes in traffic and an unusual amount of spam are a good indicator. For example if you have an old blog post or page that never ranked well and suddenly it becomes very popular for no apparent reason, it might be infected. If you have a website which caters mostly for the European market and suddenly there is a burst of traffic from other non European countries, that as well can be an indication that there is something wrong with your website.

Therefore it is important to watch closely your WordPress site traffic and ranking activity by using tools such as Google Analytics and Google Web Master Tools. As a general rule of thumb, a sharp increase in traffic, especially traffic from foreign countries your website does not cater for tends to be the best indicator of a hacked WordPress website or blog.

Notifications in Google Webmaster Tools and Browsers             

There are several other benefits to adding your website to Google Webmaster Tools. Apart from improving your SEO, when using Google Webmaster Tools it will monitor your website for malware and other types of website infections and report back to you. If your website is hacked and infected, a warning sign like the below will show up when visitors try to visit your website. This is a clear and definite indication that your WordPress website is hacked.

Google safe browsing alert in browser

You can also check if Google identified malware or any other type of malicious code on your website by accessing the below URL from your browser; http://www.google.com/safebrowsing/diagnostic?site=wpwhitesecurity.com

Note: replace www.wpwhitesecurity.com with your own domain.

Check the Web Server and CPanel

Hack attacks can be very sophisticated and some can also have an impact on the web server. For example if malicious hackers manage to exploit a web server vulnerability or escalate permissions, they might create users on the web server operating system, or FTP server. Another common attack is to schedule an automated task on the web server so the website is automatically re-infected if cleaned. If the hacked website is used as a file storage for illegal torrent downloads, large files might be saved somewhere outside the web root on the server, so search for them.

If you manage your own web server run frequent routine checks to ensure that you know about all the operating system users, scheduled tasks (cron jobs) and files on your it. There are also several commercial and non-commercial tools available which can help you monitor your web server. If you have a hosted or commercial solution you can use CPanel to monitor the scheduled tasks (cron jobs), ftp users and files.

Check the Log Files

Last but not least, check the log files. In this article we recommended several WordPress security and monitoring plugins such as WP Security Audit Log which will help you keep your WordPress secure, but unless you check the events they generate, you cannot track malicious activity and identify a malicious hack attack. Log files are a gold mine of information and form them you can find out exactly what is happening on your web server and website. Log files and audit trails contain a wealth information and they are not there to just consume hard disk space. Use them to your advantage.

Keeping your WordPress Hacker Free

Follow the above procedures to ensure you identify a WordPress hack should it happen on your website. The earlier you can identify an attack the less damage is done, and the cheaper and easier it is to recover your website and business reputation. Of course the best approach is to avoid being hacked and you can do so by hiring WordPress security professionals to do a security audit of your WordPress, keep an audit trail of everything that is happening on your WordPress and most importantly of all, keep yourself informed on WordPress security by following WordPress security blogs such as this one. You can also follow WP Security Bloggers, which is a central source of WordPress security news.

WordPress Hosting, Firewall and Backup

WP White Security is hosted on A2 Hosting, protected with BBQ:Block Bad Queries Firewall and backed up with BlogVault online WordPress backup service

5 comments

Jim 29/08/2013

The WordFence plugin has similar scanning functionality like Sucuri. I would also recommend looking into the Bullet Proof Security plugin.

WP White Security Administrator 05/09/2013

Hi Jim,

There are several WordPress security plugins that do a very good job. I personally prefer and would recommend though to do most of the tasks done by a plugin manually (since they are one off tasks) and then use an online service to scan for malware. The reasons can be many, for example a malicious user can disable the plugin once the website is hacked, therefore you won’t get notified of the intrusion and infection.

I’ve tried a bunch of the security plugins and they’ve got a lot of useful features. However, I typically don’t like to have them active as they seem to take from system resources. A lightweight plugin or two to restrict brute force attacks is the way I go. And then the other plugins are activated now and again to do deeper scans.

Robert Abela 03/01/2014

Hi Mario,

Thanks for your feedback. Strictly speaking one does not need any “brute force” protection plugin. To protect your website from brute force attack all you need is a strong username and password. Of course you can add additional layers, such as HTTP authentication etc but that is just additional layers of security. You can read more about WordPress Brute Force protection from the article Protect your WordPress from Mass WordPress Brute Force Attacks

best steroids for Decathlon 09/10/2014

This was really informative. Your site is very helpful.
Thanks for sharing!

Leave a Reply

Your email address will not be published. Required fields are marked *