What to Do if Your WordPress Website Is Hacked

/0 Comments/in /by

What to Do if Your WordPress Website Is Hacked

WordPress powers a major percentage of websites. As a result, this has made WordPress sites targets of attack by hackers. A hacked WordPress website can cause severe loss for site owners if it is not properly addressed.

Despite the potential for loss, a WordPress hacked site is not the end of the road for your WordPress website. 

In this post, we will show you all the steps to recover your hacked WordPress website. 

Content:

How Do I Know if My WordPress Website Has Been Hacked?

How can you differentiate between a hack and WordPress errors? Below we have compiled some common tips to help you know your WordPress site has been hacked.

1. Search Engines Blacklist Your Site

Search engines like Google and Bing have advanced malware scanners that can easily detect if a site gets hacked. 

Google and Bing have crawlers that regularly scan websites. Google Search Console usually receives reports about malicious sites.

If you have access to your Google Console account, Google will send you a notification whenever it flags your domain or pages.

2. Your Website Is Disabled by Your Host

Your web host can also disable your website when there are unusual activities on your account. 

Most times your hosting provider will provide you with details on the reasons for disabling your account.

However, a WordPress hack is the major cause of this. You should communicate and demand more information from your hosting provider to get full details. 

3. Website Users Report That Their Antivirus Is Flagging Your Site

Most website users have an antivirus on their devices. Oftentimes, these antivirus and safety tools scan and then flag unsafe sites. 

If your users report that their antivirus is flagging your site, it indicates that your WordPress site may have been hacked.

4. Unusual Activities on the Website May Indicate WordPress Hacked Case

If you notice unfamiliar plugins being installed, multiple login attempts, and the presence of spam pages, it indicates that your website may be hacked.

Additional warning signs include the creation of odd FTP access and sign-ups from unusual locations.

5. Your Website Is Flagged for Distributing Malware

Whenever browsers notice an unusual activity on your website, they will flag it

Google’s malware scanner regularly checks millions of URLs every day to blacklist bad URLs. If you have doubts about your site’s status, you can easily check the Google Safe Browsing tool here. 

6. Sudden Drop in Website Traffic

A sudden drop in your website’s views is a definite indicator that something is wrong.

If you observe an unusual traffic pattern on your website, it may suggest that your site has been hacked. Sudden decreases in website traffic don’t occur without cause.

7. You Can’t Log in to Your WordPress

A hacked website prevents you from logging into your dashboard. This is probably because the hacker tempered your wp config php files. 

If you are unable to log in even after inputting the correct password, your WordPress is hacked. Also goes for when you can’t reset your password.

8. When You Are Contacted That Your Site Is Hacked

When hackers themselves contact you to inform you that your WordPress is hacked, the evidence becomes even more apparent.

Often, these hackers reach out to website owners, demanding payment in exchange for restoring access to the site.

Steps to Take if You Suspect a WordPress Site Has Been Hacked

You have now established that your WordPress website has been hacked. But what action do you need to take to recover your site?

Below are some steps to take to recover a hacked WordPress website. 

Step 1: Stay Calm. Don’t Panic

A WordPress hacked can be a frustrating experience for website owners. However, despite the temptation to panic, staying calm is the best response.  

It is important to note that website hacking is a common occurrence. It is an incident that can happen to even the most secured websites. Therefore, your website is not an exception.  

Step 2: Document the Incident

The next step to take is to perform an assessment of the situation to understand the issue. Documenting is helpful because it helps you come up with relevant information that will help you recover your website. 

Documentation includes investigating when the issues started, and the last changes you made on your website. It also includes taking note of all the themes and plugins installed before the issue occurred. 

Documenting the issue creates an incident report sheet that you can use to solve the issue later. You can also share the report if you choose to use the services of Professional WordPress Experts to recover your website. 

Step 3: Check if You Access Your WordPress Dashboard

In some WordPress Hacking, users reported not being able to log in to their WordPress dashboard. This can happen if the hacker has access to your core WordPress file

Therefore, the next important step is to check if you can still log in to your WordPress Admin. 

In the case we investigated, the hacker compromised the WordPress core. This allowed the hacker to compromise user accounts

Cant Log in to WordPress - WordPress Hacked

Warning: Your case may be critical if you can’t access your WordPress admin dashboard. 

This means that the hacker has access to your WordPress root files. In this case, it is better to hire a Professional WordPress Expert from Fixrunner to avoid loss. 

Step 4: Reset WordPress Admin Users

If you cannot access your WordPress dashboard, you need to reset all access to your WordPress dashboard. 

Chances are high that the hacker added new admin accounts to your WordPress. 

Since you can’t access your WordPress admin dashboard, you need to reset access from the WordPress core. 

The first step is to log in to your web host. The process is almost similar for most popular hosts.

 Next, locate your active hosting plan and click on Manage. 

Manage Web host - WordPress Hacked

You will see a dashboard similar to the screenshot below. This is where you can access your WordPress root and make changes. Locate cPanel from the menu and click on it. 

cPanel - WordPress hacked

Side Note: Cpanel is a server management platform that makes it easier to manage servers with a graphical user interface instead of using command lines. 

On the cPanel page, click on phpMyAdmin under Databases. 

PHPMYADMIN

You will see your WordPress MySQL database. The name varies for different sites. But it often contains _wp. Click on it.

wordpress hacked

Click on wpnw_users.

wp users - WordPress Hacked

Manage Users on phpMyadmin

Next, you will see a list of users on your WordPress website. You can manage users from here. 

In the case we investigated, the hacker got access to the database and added two new users as shown in the screenshot below.

phpmyadmin users - WordPress hacked

Therefore, the next step is to delete users added by the hacker. To do that, select the accounts and click on Delete

delete phpmyadmin users - wordpress

Click Yes to continue. 

Delete wp users - WordPress hacked

You have now deleted the hacker’s account. However, it is not over. You need to reset your user details. 

This will enable you to gain access to your WordPress dashboard since the hacker has changed your password and email. 

To do that, click on Edit

Edit user accounts from phpmyadmin - WordPress hacked

Next, enter a new password under the user_pass tab. You will see an encrypted text. Don’t worry. Just clear it and enter a new password. Ensure you enter a very strong password.

reset wordpress password phpmyadmin - wordpress hacked

After that, enter your username and email. 

Next, scroll down and click on Go to save. 

click on Go to save - wordpress hacked

You have now successfully removed hacker user accounts and have also regained access to your WordPress. You can return to your WordPress admin and attempt to login.

Step 5: Clean FTP Accounts

File transfer protocol (FTP) is a medium that allows website owners and managers to access their website files on a local machine. 

FTP is a protocol that enables users to transfer files between computers over the internet. It is commonly used to install new updates, delete files, and customize WordPress files.

However, hackers use FTP to gain illegal access to WordPress websites. FTP is possible on local devices thanks to clients such as FileZilla and Cyberduck. 

To check if a hacker has created additional FTP access to your website, follow the steps below.

Click on FTP Accounts from your cPanel dashboard.

cPanel FTP

In the case submitted to us, the hacker created a new FTP account in addition to the existing one. This allowed the hacker to add malicious code to WordPress from his computer.

hacking ftp account

To resolve this issue, we had to delete the FTP account. 

Click on Delete to remove the WordPress hacked FTP account.

Delete FTP account

Next, you need to change your FTP passwords. Click on Change Password to do that.

Delete FTP Account

Step 6: Reinstall WordPress Core

You have removed the WordPress hacked user account. However, you need to check your WordPress installation files to ensure the hacker did not compromise them. 

In many of the cases we have received, the WordPress hackers usually upload scripts to the WordPress root folder. This allows them to remotely make changes to WordPress websites. 

You can access your WordPress files right from your web host dashboard using the File Manager tool. You can also access them using FTP clients such as FileZilla and Cyberduck. Check our beginner’s guide to using FTP here

For this tutorial, we will access our WordPress core from the File Manager on our web host. 

From the cPanel, click on File Manager under Files.

compromised wordpress files

From the file manager, click on public_html to view your WordPress files.

_public html - WordPress Hacked

You can delete files, make edits, and upload new files to your WordPress from the file manager.

In the case we handled, we noticed some compromised files in our WordPress. 

For example, the ‘WP-Configurations’ file highlighted below is not part of the WordPress standard installation. 

compromised wp config

How do we clean a compromised WordPress core?

Manually searching for compromised files and deleting them will be time-consuming. That time will be better spent implementing measures to increase eCommerce sales

Therefore, the solution here is to reinstall WordPress on this website. Check out our detailed guide on how to reinstall WordPress. 

Step 7: Scan and Secure your Website

You have now removed all threats on your website. The next step is to scan your website for vulnerabilities WordPress hackers may exploit. 

Website scanning helps you to detect malware, malicious URLs, and infections. A standard scanning tool also checks your server and monitors your site’s online reputation.

There are many WordPress security scanning plugins that can help you scan your website. Popular WordPress scanners include WordFence, Sucuri, Virustotal, Sitecheck, and Malcare.

How to Scan and Secure Your Site With the Wordfence Plugin

WordFence is the most popular security scanner for WordFence. To use WordFence to scan your website, follow the steps below.

First, log in to your WordPress Dashboard and navigate to Plugins >> Add New.

Next, search for ‘WordFence’. When it appears on the search result, click on Install Now

WordFence

Ensure you click on Activate after installing the plugin.  

Next, you need to add a license to use WordFence. Click on Get Your WordFence License to proceed. 

Get WordFence License- WordPress hacked

Click on Get a Free License. 

WordFence Free License

The free option does not come with real-time protection. However, you can get access to monthly security updates and malware protection. 

Click on the ‘I’m OK waiting 30 days for protection from new threats’ to proceed with the free plan. 

Wordfence license

Next, enter your email to get a link to your inbox. Click the link to activate a free WordFence on your website.

Wordfence License installed

You have now activated a WordFence license on your WordPress website.

To scan your WordPress website, locate WordFence from your WordPress dashboard.

After that, click on Scan.

Scan WordPress website

Next, click on Start New Scan to begin the scan.

Start new scan

You will get a report about your site after the scan. The WordFence plugin will generate a detailed report of your site.

For example, in our report, we have some outdated plugins which the hackers may have exploited.

Report of scan

Side Note: Installing WordFence automatically activates security protection on your WordPress.

Read our detailed guide on how to protect your WordPress website from hackers using DDOS attacks here.

Step 8: Update Plugins and Themes – WordPress Hacked

The WordFence scan showed that our website has many outdated themes and plugins.

To update our plugins, navigate to Plugins >> Installed Plugins. Next, tick all the plugins, select Update under bulk actions, and click on Apply.

Update all plugins

We have now updated our plugins.

Plugins updated successfully

Next, we need to delete unused plugins. To do that, select the plugins, choose Deactivate under bulk actions, and hit Apply.

Deactivate unused plugins

How to Update your WordPress Theme

To update your WordPress theme navigate to Appearance >> Themes from your WordPress dashboard.

Update WordPress themes

Next, click on Update now to update your theme.

Update theme

You have now successfully updated your WordPress theme.

Step 9: Seek Professional WordPress Help for Your Hacked WordPress Site

You have tried all the fixes above. However, your WordPress hacked site is still inaccessible. If that is the case, you must seek Professional WordPress Support.

A hacked WordPress website is a serious issue that can cause loss to your online business. 

It is recommended to hire a WordPress expert for incidents that require major changes to the WordPress core.

FixRunner provides professional WordPress assistance that can help you regain access to your site.

We also provide ongoing support for WordPress websites for small and large businesses. We have different pricing options that appeal to everyone.

FixRunner Pricing plan

FAQs – WordPress Website Hacked

Can My WordPress Be Hacked?

WordPress is a popular content management system. However, it is also a popular target for hackers. Hackers can gain access to your WordPress root, causing potential hacks on WordPress websites.

Outdated WordPress files and leaks of sensitive details can contribute to this vulnerability. Additionally, a hack on your web host can also lead to the compromise of your WordPress site.

Why is My WordPress Website Hacked?

Using insecure passwords can lead to hackers gaining access to your WordPress website and performing malicious activities.

Additionally, an insecure web host can also be a factor in the potential hacking of your WordPress site.

Conclusion – WordPress Hacked

To sum up, a hacked WordPress website is a frustrating incident that can cause damage to your business and reputation.

This article identified common signs that indicate your WordPress website has been hacked and offered steps to address the issue.

Recovering a WordPress hacked site can be daunting and stressful. However, this article has provided you with all the information you need to regain access to your WordPress hacked site.

Read More Useful Articles:

 This post was written by Mesheal Fegor

Mesheal Fegor is a Web/WordPress Developer and technical writer. His WordPress help articles have been featured on Kinsta and other sites. Mesheal holds a master's degree in computer science. His writing focuses on technical WordPress issues, ranging from core WordPress problems, to issues with WooCommerce, and more.

Last edited by: FixRunner Team