When your WordPress website is hacked, a million things go through your mind. What did the hackers find, change and steal? Who else is in danger — are your employees, partners or customers at risk now too? And how did the hackers get into your site in the first place?
Before you can take the next steps, you have to stay calm. The truth is that hacks do happen, regardless of how well-protected you believe your site is. The good news is that this is a common occurrence and there are established to-dos to start tackling right away.
Also, sometimes websites go a little bonkers — it doesn’t mean you’ve been hacked. A misbehaving website, malfunctioning update or odd comment on a blog post are not surefire signs that your site’s been hacked. You’ll want to dig deeper to make sure you know what you’re dealing with before you try to solve the wrong problem.
How To Tell if Your WordPress Website has Actually Been Hacked
Here are the signs that you’re dealing with a bonafide hack — hopefully, you can say “no” to everything on this list. (And if not? We’ve got lots more help for you.)
- You’re unable to log in to your WordPress website.
- You’ve noticed a severe drop in traffic.
- There are website changes that you haven’t made.
- Your website is redirecting to a different site.
- When anyone tries to access the website or even search for it in Google, a warning shows.
- The server logs show unusual activity.
- Your security plugin or hosting provider has notified you that there’s been a breach or unusual activity.
Let’s get into some of these a bit more.
Can’t Log In to Website
The most common reason why someone can’t access their website isn’t a hack — it’s because they forgot their password (or think they know it but actually don’t). Reset your password to see if that’s the problem.
Now, if you can’t reset your password, that could point to a potential hack. Hackers will often remove a user or change their password to keep them from accessing the site. If you’re not able to reset your password, it could be because someone removed your user account. Usernames that contain the following are particularly easy to hack:
Also, if you are able to reset your password but you notice other red flags that we’ve listed, you could still be the victim of a hack, so read on.
Drop in Traffic
When a high-performing website stops seeing an influx of traffic for no known reason, it’s possible it’s been hacked. Redirected traffic, a decreased user experience or Google blacklisting your site can cause traffic to plummet.
Unrecognized Website Changes
Often, hackers will change your website in big and obvious or tiny and hard-to-catch ways. It could be as clear as the home page being overwhelmed by ads or the theme being totally different. Or, it could be as difficult to find as teeny links hidden in the footer. It’s also common for the added content to be of an illegal nature.
Often, this type of added, unexpected content doesn’t fit with the design scheme or take presentation into consideration. That means that there may be a black ad over a black part of the website, keeping a lot of it concealed.
You can also see if any pages have been added to your site by doing a Google search for site:yoursite.com (replacing yoursite.com with your actual URL). Skim through the results to see if there’s anything you don’t recognize.
Before you assume this is the work of a hacker, check with the rest of your team to find out if any admins or editors made the change. Even an outlandish change could have been a complete accident.
Website Redirects Somewhere Else
It’s common for hackers to add a script to your website that redirects visitors elsewhere, like a dating site or something untoward. You may not notice this yourself, as some hackers will only show the redirects to non-administrators, so it will look normal to you. But if you’re getting feedback from visitors that they’re being sent to another site, listen up.
Browser or Google Warnings
Yes, a browser warning that says your site’s been compromised could point to your WordPress being hacked … or it could mean that there’s code in a plugin or theme that has to be removed. There could also be a domain or SSL problem, which your host can probably help you figure out. The browser warning may provide you with some info that you can use to start troubleshooting the problem.
A Google warning is similar, though more straightforward – it’ll probably say, “This site may be hacked.” This can happen when a website sitemap is hacked, which impacts how Google crawls the site. Like with a browser warning, you have to take whatever info you’re given to start diagnosing the problem.
If you’re still hearing from users that your site is flagged, it could be that they’re getting a notice from their anti-virus product. Even if Google whitelists you again, you’ll have to follow the instructions for the anti-virus products to take you off their list of dangerous websites.
Unusual Activity in Server Logs
If you’re worried that you’ve been hacked, log in to your cPanel via your hosting provider. There are two types of logs to look at:
- Access Logs: Who accessed your WordPress site and through which IP.
- Error Logs: Errors that occurred when your WordPress system files were modified.
Look for any unusual activity. If you find IP addresses that shouldn’t have access to your site, block them.
Understanding Why and How WordPress Websites Get Hacked
There are a number of reasons why WordPress is hacked. The top three are:
- Insecure Passwords: Every user of your site, along with your FTP and hosting accounts, needs a highly secure password.
- Out-of-Date Software: Plugins, themes and your WordPress installation need to be updated regularly, whenever a new version is out. Without updates, you leave vulnerabilities for hackers to take advantage of.
- Insecure Code: Low-quality WordPress plugins and themes can put your site at risk.
There are several savvy methods hackers use, and the techniques are improving all the time. As sites get safer, hackers get smarter and more creative. Here are just a few of the main routes that are taken to hack WordPress:
- Backdoors: A backdoor hack bypasses all the traditional ways of getting into your site. The hacker may find a way in through hidden files or scripts.
- Brute-Force Login Attempts: Automation is used to figure out your password and get into your site. The weaker the password, the easier it is to crack.
- Cross-Site Scripting (XSS): This is a vulnerability that’s often found in plugins. Scripts are injected that let a hacker send malicious code to the user’s browser.
- Denial of Service (DoS): If there’s a bug or error in the website code, the hacker can use those to overwhelm a site until it breaks.
- Malicious Redirects: A backdoor is used to redirect your site.
- Pharma Hacks: Rogue code is inserted into an out-of-date WordPress version.
10 Steps To Recover a WordPress Website That’s Been Hacked
If you’ve been hacked, do the following as soon as you can. Try to stay calm as you go through this list — panicking will only make it harder to work efficiently, and you could miss important steps along the way.
Put Your Site in Maintenance Mode
If you’re able to access your website and log in, put it in maintenance mode. (We have an in-depth article about maintenance mode here.) You want to do this even if there’s nothing obvious that users will see when visiting your site. As you’re working on it, maintenance mode protects their devices and information, as well as keeps it under wraps that you’re dealing with a hack.
Find Your Backup
You’re going to contact your hosting provider in the next step, but sometimes, when a host finds out you’ve been hacked, they delete the site immediately to prevent further problems. That’s why you need backups of your site and database first.
If your backups are stored on the same server as your website, they’re likely gone once you’ve been hacked. However, consider checking these spots in case you have one saved there as well:
- Your Backup Plugin: If you are using one of the many available WordPress backup plugins, there’s probably a backup stored in the provider’s cloud service.
- Your Cloud Account: See if you’ve manually saved a website backup to your cloud service, like Dropbox or Google Drive.
- The Hosting Provider: It’s possible that the hosting provider you use has a backup of your site that you can still access.
Contact Your Host
Depending on the type of hosting package you have, your provider may be able to take the reins and handle a hack for you. Early on, contact your host to (a) let them know your WordPress website has been hacked and (b) find out what help they offer. If you’re not able to gain any access to your site at all, you may need the host’s help to get anywhere.
Reset WordPress Passwords
You won’t know which password was hacked, so it’s safest to change all of them ASAP. While you’re at it, reset any and all passwords associated with your WordPress, like your database, host and SFTP passwords. Also, contact admin-level users right away and have them change their passwords as well. Moving forward, aim to change your WordPress login every couple of months or so.
Make sure your WordPress installation, plugins and themes are all up to date. Doing this early on means that you may patch a vulnerability that the hackers initially got through. If you wait too long to do this step, you could go through the trouble of fixing your site only to have it hacked again through the same outdated plugin or theme.
On top of updating your plugins and themes, do the following:
- Deactivate and delete anything you don’t use.
- Are you worried that one of them is from an unreliable vendor? Deactivate and delete it.
- Remove and reinstall any that you think may be giving you trouble. Or, better yet, remove the plugin or theme and then replace it with something else from the official directory.
- Check the support pages for the themes and plugins you have installed. There may be recent comments from people who are having the same issue.
If you want to delete plugins from your SFTP instead of the WordPress dashboard, you can. Make sure that you delete the entire directory for the plugin, not individual files. You’ll look for wp-content/plugins/[plugin name] and delete the entire directory and everything in it.
You can do the same for unused themes by going to wp-content/plugins/[plugin name]. Keep in mind that if you’re using a child theme, you probably have two directories to retain so that your theme stays intact.
Remove Unnecessary Admin Accounts
Check through all of the site’s admin accounts and get rid of any that you don’t recognize or that are no longer relevant. For those who still need access to your site but aren’t admins, change their access level. Also, it’s a good idea to check with admins to find out if they changed their account details before you delete an account that’s actually legitimate.
Remove Files That Shouldn’t Be There
You’ll probably need a security plugin for this step. Running a site scan should alert you to files that are there but shouldn’t be. We’ve rounded up the six best WordPress security plugins for your site.
Clean and Resubmit Your Sitemap
If your sitemap’s been hacked, it could have malicious links or foreign characters in it. Your SEO plugin should let you regenerate a fresh, clean sitemap. You’ll then have to submit that to Google via the Google Search Console. Let Google know that your site has to be crawled again.
This can take up to two weeks, so know that the search warning may not be cleared until then. To check if your site’s back in good standing, you can go to this URL: http://www.google.com/safebrowsing/diagnostic?site=http://yourwebsite.com/
Reinstall WordPress Core
When nothing else seems to work, the only way to repair your site when WordPress was hacked is to reinstall it entirely. You can do this through the admin dashboard or through your file manager. We explain how to do this in our article about fixing the 500 Internal Server Error on your WordPress website.
Clean Out the Database
Lastly, clean out your database. Your security plugin should be able to tell you if the database was compromised, and it may also be able to clean it out and optimize it.
How To Prevent Getting Hacked in the Future
We know you never want to go through this again. Here’s what you can do to prevent your WordPress site from being hacked in the future.
Set Secure Passwords and Two-Factor Authentication
If you haven’t done this already — or if you did but you rushed because you were panicking — make sure that all of the passwords for your site are strong. Then, add two-factor authentication to your site, which will make it tougher for a hacker to create a false account.
Use a Security Plugin or Service
We’ve mentioned this so many times already that you’re bound to know by now that you need a security plugin for your site. The biggest benefit to this type of plugin is that it will alert you if there’s an issue so that you can take preventative steps before it gets out of hand.
Need even more protection? There are security services that will monitor your site for you and fix any issues that arise. And if you are hacked again in the future, they’ll handle all of the troubleshooting steps for you.
Keep Your Website Up to Date
Everything on your site should be up to date, from the WordPress version to any plugins and themes you have installed. Updates usually have security patches, so leaving them out of date means that hackers can easily find their way in. If you’re not in your site regularly to perform maintenance, use an auto-updater to handle it for you.
Use SSL On Your Website
SSL is standard with most hosting packages, and it adds another layer of security to your site. Check with your host to see if SSL is included. If it’s not, you can install a dedicated SSL plugin, or check if your security plugin includes it.
Use a Firewall
A firewall acts as a bouncer between your site and the rest of the world, blocking anything dangerous before it has the chance to cause a problem. You can use a security plugin or service, but first check with your host to see what type of firewall protection you already have.
Be Careful With What You Install
Only install plugins and themes that come from reputable sources — the official WordPress directory is your best bet. And even then, make sure that what you’re choosing has been tested with your version of WordPress. Avoid plugins and themes from third-party sites. If you must get one from somewhere other than the WordPress directory, research to find out if the vendor has a good reputation.
Clean Your WordPress Installation
Anything that’s hanging around that you don’t need anywhere should be deleted, including:
- Files that you no longer use
- Plugins that are inactive or active but unused
- Themes that are inactive that you won’t use again
- Old WordPress installations
- Unused databases
Old WordPress installations are especially vulnerable. Often, your backups are kept in a subdirectory of your site. So while your main website may be secure, a hacker can get in through those old installations.
Try to walk through this cleanup routine regularly, like every three months, to keep your website more protected against getting hacked.
When your WordPress website has been hacked, your site often isn’t available to your visitors, which could impact everything from your brand’s reputation to your income. Acting quickly and smartly is necessary to get your site back in working order. Then, the next most pressing matter is how to keep your site healthy and hack-free moving forward.
Luckily, many of the maintenance suggestions we’ve covered are no-brainers. You probably already know that stronger passwords and up-to-date plugins mean a healthier site, just to name a couple best practices. By following the advice in this article, you have a better chance of fixing your WordPress site after it’s been hacked and avoiding the same headache in the future.
Check out our article about how to conduct a WordPress security audit.