Last Updated on July 15, 2022 by Oluwatuyi
We are often asked, how do I check if my WordPress site has been hacked?
There are some common telltale signs that may help you figure out if your WordPress is hacked or compromised.
So, we’ll share some of the most common signs that your WordPress site is hacked and what you can do to clean it up.
Signs Your WordPress Site Is Hacked (And How to Fix It)
- 1 Signs Your WordPress Site Is Hacked (And How to Fix It)
- 1.1 Bad Links Added to Your Website
- 1.2 Your Website’s Homepage is Defaced
- 1.3 You are Unable to Login into WordPress
- 1.4 Suspicious User Accounts in WordPress
- 1.5 Unknown Files and Scripts on Your Server
- 1.6 Unusual Activity in Server Logs
- 1.7 Failure to Send or Receive WordPress Emails
- 1.8 Your Website is Often Slow or Unresponsive
- 1.9 Suspicious Scheduled Tasks
- 1.10 Popups or Pop Under Ads on Your Website
- 1.11 Users Are Randomly Redirected to Unknown Websites
- 1.12 Hijacked Search Results
- 2 How to Fix Hacked Website
Bad Links Added to Your Website
Data injection is one of the most common signs of a hacked WordPress. Hackers create a backdoor on your WordPress site which gives them access to modify your WordPress files and database.
Some of these hacks add links to spammy websites. Usually these links are added to the footer of your website, but they could be anywhere. Deleting the links doesn’t guarantee that they won’t come back.
You will need to find and fix the backdoor used to inject this data into your website.
Your Website’s Homepage is Defaced
This is probably the most obvious one as it is clearly visible on the homepage of your website.
Most hacking attempts do not deface your site’s homepage because they want to remain unnoticed for as long as possible.
However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some may even try to extort money from site owners.
You are Unable to Login into WordPress
If you are unable to login to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.
Since the account doesn’t exist, you would not be able to reset your password from the login page.
There are other ways to add an admin account using phpMyAdmin or via FTP. However, your site will remain unsafe until you figure out how the hackers got into your website.
Suspicious User Accounts in WordPress
If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete.
However, if you don’t remember allowing user registration and still seeing new user accounts in WordPress, then your site is probably hacked.
Usually the suspicious account will have the administrator user role, and in some cases you may not be able to delete it from your WordPress admin area.
Unknown Files and Scripts on Your Server
If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.
To find the files, you need to connect to your WordPress site using an FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.
Usually, these files are named similarly to WordPress files so that they can hide in plain sight. To recognize them yourself, you will need to audit the file and directory structure. However, deleting these files will not guarantee that they won’t return.
Unusual Activity in Server Logs
erver logs are plain text files stored on your web server. These files keep record of all errors occurring on your server as well as all your internet traffic.
You can access them from your WordPress hosting account’s cPanel dashboard under Statistics.
These server logs can help you understand what’s going on when your WordPress site is under attack.
They also contain all the IP addresses used to access your website, so you can block suspicious IP addresses.
They will also indicate server errors that you may not see inside your WordPress dashboard and may be causing your website to crash or be unresponsive.
Failure to Send or Receive WordPress Emails
Hacked servers are commonly used for sending spam. Most WordPress hosting companies offer free email accounts with your hosting. Many WordPress site owners use their host’s mail servers to send WordPress emails.
If you are unable to send or receive WordPress emails, then there is a chance that your mail server is hacked to send spam emails.
Your Website is Often Slow or Unresponsive
All websites on the internet can become the target of random denial of service or DDoS attacks. These attacks use several hacked computers and servers from all over the world using fake IP addresses.
Sometimes they are just sending too many requests to your server, while other times they are actively trying to break into your website.
Any such activity will make your website slow, unresponsive, and unavailable. You can check your server logs to see which IPs are making too many requests and block them, but that may not fix the problem if there are too many or if the hackers change IP addresses.
It is also possible that your WordPress site is just slow and not hacked. In that case, you should follow our guide to boost WordPress speed and performance.
Suspicious Scheduled Tasks
Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to setup scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.
A hacker can exploit cron jobs to run scheduled tasks on your server without you knowing it.
Popups or Pop Under Ads on Your Website
These types of hacks are trying to make money by hijacking your website’s traffic and showing them their own spam ads.
These popups do not appear for logged in visitors or visitors accessing a website directly.
They only appear to the users visiting from search engines. Pop-under ads open in a new window and remain unnoticeable by users.
Users Are Randomly Redirected to Unknown Websites
If your website is redirecting visitors to an unknown website, then that’s another important sign that your website may be hacked.
This hack often goes unnoticed as it does not redirect logged-in users. It may also not redirect visitors accessing the website directly by typing the address in their browser.
These types of hacks are often caused by a backdoor or malware installed on your website.
Hijacked Search Results
If the search results from your website show incorrect titles or meta descriptions, then this is a sign that your WordPress site is hacked.
Looking at your WordPress site, you will still see the correct title and description.
The hacker has again exploited a backdoor to inject malicious code which modifies your site data in a way that it is visible only to search engines.
How to Fix Hacked Website
Keeping Your WordPress Website Secure from Future Attacks
Once your website is clean, you can make secure it by making it extremely difficult for hackers to gain access to your website.
Securing a WordPress website involves adding layers of protection around your website. For instance, using strong passwords with 2-step verification can protect your WordPress admin area from unauthorized logins.
Similarly, you can block access to important WordPress files to protect them or set WordPress files and folder permissions correctly.
We hope this article helped you learn the signs to look for in a hacked WordPress site. You may also want to see our guide on how to install a SSL certificate. If you have any issue on this, you can use our comment session or join our delegate on facebook to solve any issues related to WordPress and subscribe to our YouTube Channel for WordPress video tutorials.