Hacked site? If your WordPress site is hacked, you will most likely panic. In this post we will help you understand why the site was hacked, what to do to clean it and how to secure it in the future.
Are you ready? Let’s start!
Hacked WordPress site: signs that your site is at risk
Your WordPress site is not “behaving” properly. But how do you know if the problem is due to a hack? Let’s look at some of the signs of a hacked site:
- You cannot log in to the administration
- The site has changed without your intervention (for example, opens a static page or added new content)
- The site redirects to another site
- When you or someone else tries to access it, a warning message appears
- When you search for it in Google, the results warn that it may have been hacked
- You have received a message from your security extension about potentially malicious code
- Your hosting provider has informed you about unusual account activity
Let’s look at them in more detail.
You cannot log in
If you can’t log in to the administration, this could be a sign that the site has been hacked. But you may have forgotten your password. Try to restore it. If you can’t – this is a warning sign. Even if you succeed – do more research, just in case.
Site changed
One form of hacking is to replace the home page with a static one. If your site looks completely different and doesn’t use your theme, it’s probably hacked.
The changes may be more difficult to notice. For example, the footer may be full of links that you did not add.
The site redirects
Sometimes hackers will add code that redirects users to another site when they open yours.
Browser alerts
If your browser warns you that the site has been compromised – this is a sign that it may have been hacked. It could also be due to code in the theme or an extension that you need to remove, or a problem with the domain or SSL certificate.
Ask a specialist for advice when you have such a message in your browser to fix the problem.
Search engine alerts
When you search for your site, if it is hacked – Google may display a warning message. The sitemap may have been hacked, which will change the way Google displays your site when searched. All this can lead to big problems and you should start investigating the case as soon as possible.

Why are sites hacked?
1. Insecure passwords
This is one of the most common reasons for hacking. The most commonly used password in the world is “password”. Secure passwords are a must not only for your account, but for all users.
2. Outdated software
Extensions and themes, as well as WordPress itself, are subject to updates that need to be applied. If you do not update them – you make your site vulnerable.
3. Insecure code
Plugins and themes that are not from a trusted source can make the site vulnerable.
How are WordPress sites hacked?
Here are the main ways:
- Back doors – they bypass the normal methods of accessing the site, through code and hidden files.
- Pharma hacks – insert malicious code into non-updated versions of WordPress.
- Brute-force login attempts – when hackers use automated methods to guess weak passwords and access the site.
- Malicious redirects – when the back doors are used to add malicious redirects to the site.
- Cross-site scripting (XSS) – the most common vulnerability in WordPress extensions; injected code allows the hacker to send malicious code to the user’s browser.
- Denial of Service (DoS) – when errors or bugs in the code of a site are used to overload it so that it no longer functions.
These all look scary, but there are steps you can take to protect your site. But, let’s first talk about what to do when your site is hacked.
Hacked WordPress site: What to do (step-by-step guide)
The steps you need to take depend on the way the site has been hacked. You may not have to go through all of them, and they are:
- Don’t panic
- Put the site in maintenance mode
- Change passwords
- Update extensions and themes
- Remove users
- Remove unwanted files
- Clean the site map
- Reinstall extensions and themes
- Reinstall the WordPress core
- Clean the database
Step 1 for dealing with a hacked site: Don’t panic
We know that the worst thing that can be said to a person in a panic is not to panic. But you have to think soberly if you want to diagnose and solve the problem.
If you can’t think clearly – put the site in maintenance mode and leave it for a few hours until you calm down. Which, again, sounds easier than it is. But it is very important.
Step 2: Put the site in maintenance mode
You don’t want users to open the site while it is compromised, but you also don’t want them to see what it looks like while you’re fixing it.
Therefore, if possible, put it in maintenance mode.
If you cannot log in to the administration, this will not be possible. But do it as soon as you can.
An extension like Coming Soon Page & Maintenance Mode will allow you to do just that.
Once you do, you can relax a bit, knowing that users cannot see what is happening.
Step 3: Change the passwords
Since you don’t know which password was used to access the site – it’s important to change them all to prevent the hacker from using them again. This does not only apply to the administration password. Change the SFTP password, the database password and the password for your hosting account.
You need to make sure that other administrators (if any) will also change their passwords.
Step 4: Update extensions and themes
The next step is to make sure that all extensions and themes are updated. Go to the Update Dashboard in the administration of your site and update everything that has outdated files.
You need to do this before anything else, because if an extension or theme makes the site vulnerable – anything else you do may be in vain.
Step 5: Remove users
If admin profiles that you do not recognize have been added to the site – it’s time to remove them. Before doing so, contact any administrators you have granted access to verify that they have not changed their names in the panel.
Go to Users and click on the Administrator link. If there are users who should not be there – select them and choose “Delete”.
Step 6: Remove unnecessary files
To find out if there are files that shouldn’t be there – install a security extension such as WordFence. It will scan the site and tell you if there are any files that shouldn’t be there.
Step 7: Clean up the Sitemap and resubmit it to Google
One of the reasons search engines flag your site is that sitemap.xml may have been hacked. You can regenerate the sitemap from your SEO extension, but you also need to tell Google that you have cleaned the site. Add your site to Google Search Console and submit the sitemaps so that Google crawls them. This does not guarantee that the site will be crawled immediately; it can take up to two weeks. There is no way to speed up the process, so you have to be patient.
Step 8: Reinstall extensions and themes
If your site still has problems, you need to reinstall extensions and themes that haven’t been updated. Disable them and delete them from themes and extensions. Reinstall them. If you have not yet put the site in maintenance mode – do it first!
If you bought an extension or theme from a developer and you’re not sure how secure it is – now is the time to consider whether to keep using it. If you downloaded an extension or theme outside of the WordPress directory – do not install it again. Install it from the WordPress directory. If you can’t afford a paid extension, replace it with a free one that does the job.
Step 9: Reinstall the WordPress core
If all else fails – you need to reinstall WordPress itself. If a core file has been compromised – you need to replace it with a clean installation.
Upload a clean WordPress to your hosting account, making sure you overwrite the files. It is a good idea to download the wp-config.php and .htaccess files in advance. Just in case.
If you used an automatic WordPress installer – do not use it again, because it will overwrite the database and you will lose your content. Only upload files via FTP.
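Before overwriting anything, you can see which files differ from a clean copy, which also helps with the unwanted files from Step 6. The following is an added example, not part of the original post: it compares a live installation against a clean download of the same WordPress version. The function names and the sample trees are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile

CORE_ONLY_DIRS = ("wp-admin", "wp-includes")  # hold nothing but core files


def file_hashes(root):
    """Map relative path -> SHA-256 for files under root (wp-content skipped)."""
    hashes = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if rel.startswith("wp-content/"):
                continue  # themes, plugins and uploads differ on every site
            with open(path, "rb") as handle:
                hashes[rel] = hashlib.sha256(handle.read()).hexdigest()
    return hashes


def compare_core(clean_root, live_root):
    """Return (modified, unexpected, missing) core files in the live tree."""
    clean, live = file_hashes(clean_root), file_hashes(live_root)
    modified = sorted(p for p in clean if p in live and live[p] != clean[p])
    missing = sorted(p for p in clean if p not in live)
    # Extra files inside wp-admin or wp-includes were not shipped with core.
    unexpected = sorted(p for p in live
                        if p not in clean and p.split("/")[0] in CORE_ONLY_DIRS)
    return modified, unexpected, missing


def demo():
    """Constructed sample: a clean tree and a tampered copy of it."""
    clean = {"index.php": "<?php // core",
             "wp-includes/version.php": "<?php // version",
             "wp-admin/admin.php": "<?php // admin"}
    live = {**clean, "index.php": "<?php // core plus injected line",
            "wp-includes/class-cache-x.php": "<?php // not shipped with core",
            "wp-config.php": "<?php // site config, expected",
            "wp-content/uploads/logo.png": "image"}
    del live["wp-admin/admin.php"]
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root, files in ((a, clean), (b, live)):
            for rel, text in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "w") as handle:
                    handle.write(text)
        return compare_core(a, b)
```

On a real site, call compare_core() with the directory of the unpacked clean download and a local copy of the live installation. Files such as wp-config.php and .htaccess in the site root are not reported, because they legitimately exist only on the live site.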
Step 10: Clean the database
If the database has been hacked, you need to clean it. The cleaned database also makes the site faster.
How do you find out if the database has been hacked? If you are using a security extension – running a scan will tell you if the database is compromised. You can also use an extension like NinjaScanner.
How to protect your site from hacking?
You have already cleaned the site and changed the passwords and it is more secure than before.
But you can do more to protect it from future attacks.
1. Make sure all passwords are secure
If you have not already done so – make sure that all passwords associated with the site (not just the administration) are changed to strong ones.
You can also use two-factor authentication to make it more difficult for hackers.
2. Keep the site updated
It is important to keep the site up to date. When there are updates for an extension or theme – use them. Updates often also contain security patches.
3. Do not install insecure themes and extensions
When installing extensions in the future – make sure they are tested for your version, and that they are downloaded from a trusted source.
Always install free extensions and themes from the WordPress directory. If you buy one – check the reputation of the developer.
4. Clean the WordPress installation
If you have themes and extensions that you do not use or have been disabled – delete them. If you have files or old WordPress installations on your hosting account – it’s time to remove them. Also delete databases that you do not use.
5. Install SSL on the site
SSL will add a level of security to the site and is free.
6. Configure the Firewall
A security extension or service like Sucuri will allow you to set up a Firewall on your site. This will add an additional barrier and reduce the chance of DoS attacks.
7. Install a security extension
If you install a security extension – you will be informed of any suspicious activity. This may include unauthorized logins or add-ons that should not be there.
Summary: dealing with a hacked site
A hacked site is an unpleasant experience. It means that the site is not accessible to users, which can affect your business. It also means that you need to take immediate action, which will affect your other activities.
But if you follow our instructions, the process should be easier. Everything is fixable!