My WordPress website is hacked What should I do?

Your WordPress website is hacked? What should you do? Well, that’s unfortunate to hear, but fortunately, there’s some things to do in order to identify the hack, clean it up, and help prevent the issue from recurring.

What happens when your website is hacked?

So, when your website is hacked, a few things might happen:

• Your site could redirect to another site.

• Your site could have a code or database error.

• Your site could have malicious or spam links within the content area.

• Your site’s search results could be altered.

• Your site could run on the sluggish-side.

• You could have trouble logging into your WordPress website.

• Your browser could display a warning page instead of your site.

Your site could redirect to another site.

Some hacks place a small piece of malicious code on your site’s theme files or your database, that make the site redirect to another one, that is usually designed to either place a virus on your computer or will steal sensitive information like credit card numbers or passwords.

Your site could have a code or database error or show some type of hacker tag.

Sometimes hacks don’t do their job, or they do enough to put your website down, or display some type of error. Another is that the hacker can tag your site by adding a “hacked by” message.

Your site could have malicious or spam links within the content area.

This type of hack is done with the purpose of purely spamming the website visitor with unrelated links. Most of the links are to bogus websites that try to steal your information. These are often not seen right away because they often are designed to fit with the content, and in some cases, some of the links are even hidden.

Your site’s search results could be altered.

Some hackings are cleverly done so well that you won’t know until you do a search for your site, or if one of your website visitors have told you about it. These types of hacks are usually known as pharma hacks, and lead people to off-site scam links that say they are selling prescription drugs.

Your site could run on the sluggish-side.

If your site is super slow or not loading, it may not be that the host is down, it may be that bots are attacking your site. This is known as a DDoS, or denial of service hack method, where thousands of bots are programmed to attack your site until it becomes unresponsive. A lot of time the hack is directed to doing a brute force attack on your WordPress login page.

You could have trouble logging into your WordPress website.

If you don’t create a strong password for your WordPress website, it’s more than possible that you could one day try to log in, and find yourself locked out.

Your browser could display a warning page instead of your site.

Depending on how long your site has been hacked, and when search engines like Google have identified if you’ve been hacked, they may issue some type of alert. It could be in the form of your browser showing some type of screen with warning text that the site may contain malware, or the search engine result can be labeled with a “site may be hacked” message.

Why did you get hacked?

Unless you’re some mainstream organization that got targeted by hacker groups, most hackings are randomly performed. Often they are done with bots that were coded and scheduled to either shut other sites down, or intrude and leave malicious code behind.

WordPress is the number one content management system in the world, with over 43.3% of all the websites online in 2022. Because it’s so popular, there’s a lot of hackers out there that want to take advantage of that, no matter who you are.

Some people happen to experience being hacked several times, and it’s often due to poor passwords for your web host, FTP, and WordPress. The other big reason for hackings is outdated software. That’s why when you secure your WordPress site, you should make sure your passwords are strong, and that you’ve updated your website’s core installation, themes, and plugins.

How to determine if your WordPress site is hacked?

Here are some ways to tell if your site has been hacked.

• If your site is down, check to see if it’s really down using a proxy site.

• Do an online malware scan?

• Ask your web host to do a malware scan.

• Do a WordPress malware scan.

If your site is down, check to see if it’s really down using a proxy site.

If your site is down, before reaching out to your web host, try checking at a proxy site like Is It Down Right Now? In some cases the site may be down due to a database issue, but not necessarily offline.

You may want to log into your site’s PHP database and make sure the site URL and home links are the correct ones.

If your site is going down often, and it’s not because of malware, you might want to look for a reliable web host. Make sure to check your web host dashboard or cPanel, to verify if you’re overusing your hosting resources, as those could be an indicator that you may even need to upgrade your package.

Do an online malware scan?

There are plenty of reputable malware scanners and they are all free, even if they have some advertisements for their malware cleanup services. You can check online scanners like Sucuri SiteCheck, Qutterra Malware Scanner, and Virus Total. These types of scanners can do a brief overview of what’s going on.

Please note that some hacks won’t always be picked up by the free online malware scanners. Some JavaScript malware site redirects are commonly missed, but it's usually because there are always new versions of this hack always popping up.

Ask your web host to do a malware scan.

Your web host can provide you with a malware scan. Sometimes you may have to ask them to scan the site for you, or there’s an area for you to initiate your own malware scan.

Like online malware scans, sometimes the scanner that your web host provides, may not catch every malicious infection known with WordPress.

Do a WordPress malware scan.

Do a deep malware scan using a WordPress plugin. This may require you to disable your plugins or chosen theme briefly, in order to get into WordPress and use a good malware scanning plugin like GOTMLS.

Is WordPress secure?

Yes, at its core, as long as you keep WordPress up-to-date with its latest version, your site is secure. Now, when you put plugins and themes on top of WordPress, most of the popular plugins and themes are secure. However, with how technology evolves, there’s always going to be some code vulnerability. In most cases, in order to keep your site as secure as possible, you merely need to update your plugins and themes.

Sure, performing regular site maintenance, just to update your entire site might seem tedious, but it's an insurance against possible malicious code injections, and the extra effort to clean and secure the site after a hacking.

Lastly, on top of making sure WordPress, your plugins and themes, are all updated, make sure when choosing them, that they are from reputable developers. Don’t download from places that sell nulled themes or plugins, because in some cases, they may contain malicious code, or the end user won’t be able to update them properly in the future.

Cases where your site is just down, and not hacked.

• Theme or plugin conflict.

• Routine server maintenance.

Theme or plugin conflict.

If your site has no malware issues, you may have a simple theme or plugin conflict. You will need to slowly deactivate each plugin until the problem goes away. Usually when the problem or error is gone while doing a conflict check, that means the plugin or theme, mostly decently deactivated, was more than likely the cause. In some cases, you may need to choose an alternative plugin or fix the issue with a code or see if there’s an update that resolves the problem.

Routine server maintenance.

In rare cases, your hosting will be down for maintenance. This doesn’t necessarily mean you’ve been hacked, but that the web host needs to perform some actions on the server to either upgrade hardware or software, in order to keep their end secure. Usually your web host will inform you of any routine server maintenance, and whether to expect any downtime.

How to clean up a hacked WordPress site?

Once you’ve determined that your site is hacked, you will need to clean your WordPress site. If you’ve used the GOTMLS plugin, also known as Anti-Malware Security and Brute-Force Firewall, it will produce a list of files or database tables that are infected. You could try using Wordfence, but some larger websites may time out during the malware scan.

Before going forward, make sure to back up your WordPress site. In fact, if you had backed your site up days before the hack, you may want to use that backup on a test site, and redo a scan. If that version is clean, then use that to restore your site. As a note, Verpex includes two daily backups as part of its hosting for WordPress!

You might look to remove code like in the image above. GOTMLS highlights what is malicious code so you can either remove the entire file, or part of the code. It may be best to just replace all plugins with fresh new files to save time from picking out the code from each and every single infected file. Some hacks can be found in thousands of files.

In fact, you should also replace your WordPress core installation files with fresh ones, and rebuild your site’s wp-config.php file so it’s also fresh. Make sure to change the password to the database too.

Please note that if looking at malicious code is a pain to deal with, you might want to hire someone who is familiar with cleaning hacked websites.

Once the malicious code is gone, you’ll want to add a security plugin to help close any possible vulnerabilities, and that provides a regular scan, like the Shield Security plugin.

In Summary

If you’re reading this article, and your WordPress site is hacked. The first thing to do is not panic. It really isn’t the end of the world. Your site can be cleaned and secure, whether you do it, or you hire someone to do it for you. However, once your site has been cleaned, make sure to put a site maintenance schedule in place where you’re regularly updating your site.

Frequently Asked Questions