Beginner’s Guide: How do I tell if my WordPress website has been hacked?
The fact that your own website has been hacked can be seen from clear signs.
But also in the run-up it can be observed whether attackers are aiming for you. The first signs of this can now be seen in this article.
Attacks can be shown even faster with a WordPress security plugin, which of course also support their defense.
It often starts very sporadically, because certain vulnerabilities are tried out, whether the attacker might already get access. Let's look at them in detail:
Sudden decline in traffic
With a web analytics tool, visitors to your own website can be measured. Probably the best known for this is Google Analytics.
If the number of visitors suddenly collapses, there may be several reasons for this.
- more competitors
- Changes to search engine rankings
- High bounce rates
- infiltrated malware or Trojans
In this article we will first deal only with the effects of smuggled malware or Trojans.
Malware and Trojans can initially behave differently on their own website, so they can
- only user data is collected
- annoying popups are displayed
- the visitor is redirected to another website
- in the worst case, the visitor's computer is also infected
However, search engines and browsers recognize this fact very quickly and immediately display a warning message before such a website is displayed to the visitor.
Google, for example, blocks over 20,000 new malware-infected websites every week and even over 50,000 websites that attract attention with pishing.
Whether your website is also affected by this can be determined very quickly with Google Analytics and also in the Google Search Console.
Incorrect links to the website
One of the most common signs that the website has been infected in some way is when a noticeable number of incorrect links link to your own website.
An example is not necessary at this point, because it is a URL that simply does not exist on your website. Mostly these links come from particularly spammigen web pages.
These links must be checked as soon as possible to see if there are any URLs below which would allow access to your WordPress files or even your WordPress database.
Recommendation: If this is the case, this error should be corrected immediately.
Suddenly another home page
In most cases, attackers want to stay undetected and offer in secret. But there are exceptions.
Some hackers deliberately hijack the home page to place eye-catching content there.
Other hackers even try to extort money from the website operator and remove the report only after an appropriate payment.
Recommendation: In such cases it is advisable to get professional help from a WordPress developer.
Login to WordPress not possible
If a login to the admin of WordPress is not possible, check first if you use a captcha if this was entered correctly.
If everything was correct, the reason is probably that either your user account was changed or even deleted. Try resetting your password first.
If this is not possible, the user must be created via the PhP MyAdmin.
Note, however, that although you now have access again, the cause of the attacker's access may not have been resolved.
Recommendation: In such a case, all passwords must be changed first, both for database access and for FTP to your WordPress.
Suspicious user accounts
First, two factors have to be checked. Is it allowed to register a user in the WordPress settings or not?
Is it allowed?
In this way, these users can be deleted. In addition, however, a captcha should be installed during registration, which must be entered manually before registration.
Is it not allowed?
The page was probably hacked.
Recommendation: Go on the search for the back door and contact the WordPress Community if necessary, but if necessary you can update to the current WordPress version to solve the problem directly.
The website is unusually slow
Attackers never use their own infrastructure, but carry out attacks via hijacked computers.
These are distributed all over the world and can bring your server to its knees by frequent requests to your server.
However, it is also possible that there is a server problem and the website reacts very slowly.
Recommendation: Checking the visitor statistics gives you an idea where the problem might lie. In case of emergency, contact your WordPress hoster who will do a check.
Hijacked Search Results
When monitoring one's own rankings, false titles or meta descriptions in the search engines quickly become apparent.
However, with a close inspection of the website, everything looks the same. This is a clear indication that the website has been hacked.
The attacker uses a back door and has inserted a code that is usually encrypted, which forwards the search engine crawlers to fake content.
Recommendation: If you don't use an SEO plugin, you can easily view and control all indexed pages via the Google search site:meinewebseite.de.
What to do if the website has actually been hacked?
If you don't think you can do it yourself, make sure you get someone who knows. The following procedure is recommended in detail:
- Make sure you back up your website completely.
- Evaluate log files and find the problem.
- Fix a problem or close a security hole
If the problem cannot be completely removed from the backup, it may be possible to restore an older backup.
Keep in mind, however, that content that has been created in the meantime during the various backups may have to be re-integrated manually.