WordPress powers a major percentage of websites. As a result, this has made WordPress sites targets of attack by hackers. A hacked WordPress website can cause severe loss for site owners if it is not properly addressed.
Despite the potential for loss, a WordPress hacked site is not the end of the road for your WordPress website.
In this post, we will show you all the steps to recover your hacked WordPress website.
- How do I know if my WordPress Website has been Hacked?
- 1. Search Engines Blacklist your Site
- 2. Your Website is Disabled by your Host
- 3. Website Users Report that their AntiVirus is Flagging your Site
- 4. Unusual Activities on the Website
- 5. Your Website is Flagged for Distributing Malware
- 6. Sudden Drop in Website Traffic
- 7. You can’t Log In to your WordPress
- 8. When you are Contacted that your Site is Hacked
- Steps to Take if you Suspect a WordPress Site has Been Hacked?
- Step 1: Stay Calm. Don’t Panic
- Step 2: Document the Incident
- Step 3: Check if you Access your WordPress Dashboard
- Step 4: Reset WordPress Admin Users
- Step 5: Clean FTP Accounts
- Step 6: Reinstall WordPress Core
- Step 7: Scan and Secure your Website
- Step 8: Update Plugins and Themes
- Step 9: Seek Professional WordPress Help
How Do I Know if My WordPress Website Has Been Hacked?
How can you differentiate between a hack and WordPress errors? Below we have compiled some common tips to help you know your WordPress site has been hacked.
1. Search Engines Blacklist Your Site
Search engines like Google and Bing have advanced malware scanners that can easily detect if a site gets hacked.
Google and Bing have crawlers that regularly scan websites. Google Search Console usually receives reports about malicious sites.
If you have access to your Google Console account, Google will send you a notification whenever it flags your domain or pages.
2. Your Website Is Disabled by Your Host
Your web host can also disable your website when there are unusual activities on your account.
Most times your hosting provider will provide you with details on the reasons for disabling your account.
However, a WordPress hack is the major cause of this. You should communicate and demand more information from your hosting provider to get full details.
3. Website Users Report That Their Antivirus Is Flagging Your Site
Most website users have an antivirus on their devices. Oftentimes, these antivirus and safety tools scan and then flag unsafe sites.
If your users report that their antivirus is flagging your site, it indicates that your WordPress site may have been hacked.
4. Unusual Activities on the Website May Indicate WordPress Hacked Case
If you notice unfamiliar plugins being installed, multiple login attempts, and the presence of spam pages, it indicates that your website may be hacked.
Additional warning signs include the creation of odd FTP access and sign-ups from unusual locations.
5. Your Website Is Flagged for Distributing Malware
Whenever browsers notice an unusual activity on your website, they will flag it.
Google’s malware scanner regularly checks millions of URLs every day to blacklist bad URLs. If you have doubts about your site’s status, you can easily check the Google Safe Browsing tool here.
6. Sudden Drop in Website Traffic
A sudden drop in your website’s views is a definite indicator that something is wrong.
If you observe an unusual traffic pattern on your website, it may suggest that your site has been hacked. Sudden decreases in website traffic don’t occur without cause.
7. You Can’t Log in to Your WordPress
A hacked website prevents you from logging into your dashboard. This is probably because the hacker tempered your wp config php files.
If you are unable to log in even after inputting the correct password, your WordPress is hacked. Also goes for when you can’t reset your password.
8. When You Are Contacted That Your Site Is Hacked
When hackers themselves contact you to inform you that your WordPress is hacked, the evidence becomes even more apparent.
Often, these hackers reach out to website owners, demanding payment in exchange for restoring access to the site.
Steps to Take if You Suspect a WordPress Site Has Been Hacked
You have now established that your WordPress website has been hacked. But what action do you need to take to recover your site?
Below are some steps to take to recover a hacked WordPress website.
Step 1: Stay Calm. Don’t Panic
A WordPress hacked can be a frustrating experience for website owners. However, despite the temptation to panic, staying calm is the best response.
It is important to note that website hacking is a common occurrence. It is an incident that can happen to even the most secured websites. Therefore, your website is not an exception.
Step 2: Document the Incident
The next step to take is to perform an assessment of the situation to understand the issue. Documenting is helpful because it helps you come up with relevant information that will help you recover your website.
Documentation includes investigating when the issues started, and the last changes you made on your website. It also includes taking note of all the themes and plugins installed before the issue occurred.
Documenting the issue creates an incident report sheet that you can use to solve the issue later. You can also share the report if you choose to use the services of Professional WordPress Experts to recover your website.
Step 3: Check if You Access Your WordPress Dashboard
In some WordPress Hacking, users reported not being able to log in to their WordPress dashboard. This can happen if the hacker has access to your core WordPress file.
Therefore, the next important step is to check if you can still log in to your WordPress Admin.
In the case we investigated, the hacker compromised the WordPress core. This allowed the hacker to compromise user accounts.
Warning: Your case may be critical if you can’t access your WordPress admin dashboard.
This means that the hacker has access to your WordPress root files. In this case, it is better to hire a Professional WordPress Expert from Fixrunner to avoid loss.
Step 4: Reset WordPress Admin Users
If you cannot access your WordPress dashboard, you need to reset all access to your WordPress dashboard.
Chances are high that the hacker added new admin accounts to your WordPress.
Since you can’t access your WordPress admin dashboard, you need to reset access from the WordPress core.
The first step is to log in to your web host. The process is almost similar for most popular hosts.
Next, locate your active hosting plan and click on Manage.
You will see a dashboard similar to the screenshot below. This is where you can access your WordPress root and make changes. Locate cPanel from the menu and click on it.
Side Note: Cpanel is a server management platform that makes it easier to manage servers with a graphical user interface instead of using command lines.
On the cPanel page, click on phpMyAdmin under Databases.
You will see your WordPress MySQL database. The name varies for different sites. But it often contains _wp. Click on it.
Click on wpnw_users.
Manage Users on phpMyadmin
Next, you will see a list of users on your WordPress website. You can manage users from here.
In the case we investigated, the hacker got access to the database and added two new users as shown in the screenshot below.
Therefore, the next step is to delete users added by the hacker. To do that, select the accounts and click on Delete.
Click Yes to continue.
You have now deleted the hacker’s account. However, it is not over. You need to reset your user details.
This will enable you to gain access to your WordPress dashboard since the hacker has changed your password and email.
To do that, click on Edit.
Next, enter a new password under the user_pass tab. You will see an encrypted text. Don’t worry. Just clear it and enter a new password. Ensure you enter a very strong password.
After that, enter your username and email.
Next, scroll down and click on Go to save.
You have now successfully removed hacker user accounts and have also regained access to your WordPress. You can return to your WordPress admin and attempt to login.
Step 5: Clean FTP Accounts
File transfer protocol (FTP) is a medium that allows website owners and managers to access their website files on a local machine.
FTP is a protocol that enables users to transfer files between computers over the internet. It is commonly used to install new updates, delete files, and customize WordPress files.
However, hackers use FTP to gain illegal access to WordPress websites. FTP is possible on local devices thanks to clients such as FileZilla and Cyberduck.
To check if a hacker has created additional FTP access to your website, follow the steps below.
Click on FTP Accounts from your cPanel dashboard.
In the case submitted to us, the hacker created a new FTP account in addition to the existing one. This allowed the hacker to add malicious code to WordPress from his computer.
To resolve this issue, we had to delete the FTP account.
Click on Delete to remove the WordPress hacked FTP account.
Next, you need to change your FTP passwords. Click on Change Password to do that.
Step 6: Reinstall WordPress Core
You have removed the WordPress hacked user account. However, you need to check your WordPress installation files to ensure the hacker did not compromise them.
In many of the cases we have received, the WordPress hackers usually upload scripts to the WordPress root folder. This allows them to remotely make changes to WordPress websites.
You can access your WordPress files right from your web host dashboard using the File Manager tool. You can also access them using FTP clients such as FileZilla and Cyberduck. Check our beginner’s guide to using FTP here.
For this tutorial, we will access our WordPress core from the File Manager on our web host.
From the cPanel, click on File Manager under Files.
From the file manager, click on public_html to view your WordPress files.
You can delete files, make edits, and upload new files to your WordPress from the file manager.
In the case we handled, we noticed some compromised files in our WordPress.
For example, the ‘WP-Configurations’ file highlighted below is not part of the WordPress standard installation.
How do we clean a compromised WordPress core?
Manually searching for compromised files and deleting them will be time-consuming. That time will be better spent implementing measures to increase eCommerce sales.
Therefore, the solution here is to reinstall WordPress on this website. Check out our detailed guide on how to reinstall WordPress.
Step 7: Scan and Secure your Website
You have now removed all threats on your website. The next step is to scan your website for vulnerabilities WordPress hackers may exploit.
Website scanning helps you to detect malware, malicious URLs, and infections. A standard scanning tool also checks your server and monitors your site’s online reputation.
There are many WordPress security scanning plugins that can help you scan your website. Popular WordPress scanners include WordFence, Sucuri, Virustotal, Sitecheck, and Malcare.
How to Scan and Secure Your Site With the Wordfence Plugin
WordFence is the most popular security scanner for WordFence. To use WordFence to scan your website, follow the steps below.
First, log in to your WordPress Dashboard and navigate to Plugins >> Add New.
Next, search for ‘WordFence’. When it appears on the search result, click on Install Now.
Ensure you click on Activate after installing the plugin.
Next, you need to add a license to use WordFence. Click on Get Your WordFence License to proceed.
Click on Get a Free License.
The free option does not come with real-time protection. However, you can get access to monthly security updates and malware protection.
Click on the ‘I’m OK waiting 30 days for protection from new threats’ to proceed with the free plan.
Next, enter your email to get a link to your inbox. Click the link to activate a free WordFence on your website.
You have now activated a WordFence license on your WordPress website.
To scan your WordPress website, locate WordFence from your WordPress dashboard.
After that, click on Scan.
Next, click on Start New Scan to begin the scan.
You will get a report about your site after the scan. The WordFence plugin will generate a detailed report of your site.
For example, in our report, we have some outdated plugins which the hackers may have exploited.
Side Note: Installing WordFence automatically activates security protection on your WordPress.
Read our detailed guide on how to protect your WordPress website from hackers using DDOS attacks here.
Step 8: Update Plugins and Themes – WordPress Hacked
The WordFence scan showed that our website has many outdated themes and plugins.
To update our plugins, navigate to Plugins >> Installed Plugins. Next, tick all the plugins, select Update under bulk actions, and click on Apply.
We have now updated our plugins.
Next, we need to delete unused plugins. To do that, select the plugins, choose Deactivate under bulk actions, and hit Apply.
How to Update your WordPress Theme
To update your WordPress theme navigate to Appearance >> Themes from your WordPress dashboard.
Next, click on Update now to update your theme.
You have now successfully updated your WordPress theme.
Step 9: Seek Professional WordPress Help for Your Hacked WordPress Site
You have tried all the fixes above. However, your WordPress hacked site is still inaccessible. If that is the case, you must seek Professional WordPress Support.
A hacked WordPress website is a serious issue that can cause loss to your online business.
It is recommended to hire a WordPress expert for incidents that require major changes to the WordPress core.
FixRunner provides professional WordPress assistance that can help you regain access to your site.
We also provide ongoing support for WordPress websites for small and large businesses. We have different pricing options that appeal to everyone.
FAQs – WordPress Website Hacked
Can My WordPress Be Hacked?
WordPress is a popular content management system. However, it is also a popular target for hackers. Hackers can gain access to your WordPress root, causing potential hacks on WordPress websites.
Outdated WordPress files and leaks of sensitive details can contribute to this vulnerability. Additionally, a hack on your web host can also lead to the compromise of your WordPress site.
Why is My WordPress Website Hacked?
Using insecure passwords can lead to hackers gaining access to your WordPress website and performing malicious activities.
Additionally, an insecure web host can also be a factor in the potential hacking of your WordPress site.
Conclusion – WordPress Hacked
To sum up, a hacked WordPress website is a frustrating incident that can cause damage to your business and reputation.
This article identified common signs that indicate your WordPress website has been hacked and offered steps to address the issue.
Recovering a WordPress hacked site can be daunting and stressful. However, this article has provided you with all the information you need to regain access to your WordPress hacked site.