Symptoms of a hacked WordPress website
- Website is being redirected to some malicious website
- Search results take users to a different website
- Unable to login to WordPress backend
- Unknown administrator accounts in WordPress users list
- Search engines display “website may be hacked” warning
- Sudden drop in website traffic
- Popup ads on website pages
- Website suspended by hosting provider due to malicious activity or too much outgoing email
- Abnormal behavior of browsers when visiting website
- Browser blocking website with warning such as “Deceptive site ahead”
- Japanese/Chinese keywords in search results
- Unknown links added to website pages
- The website homepage is defaced
- Unknown files and scripts on website directories
- Unknown scheduled tasks
Scan your site
- Visit the solvewp.com online scanner page
- Enter your website URL
- Click scan website
- Check results with warning or danger icons
An external scan can only inspect the output that the website serves, not its internal files. If an external scanner does not find anything malicious, you may still need to run an internal scan.
Check WordPress core file integrity
You need to check the integrity of the WordPress core files. You can do this with the diff command in the terminal or with a custom script that uses the WordPress API; we will cover that in the next post.
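One way to do the comparison in the terminal, as an added example that is not from the original article: it assumes a fresh copy of the same WordPress version is unpacked next to the site, skips the site-specific wp-content, wp-config.php and .htaccess, and the function names and demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): report core files that differ
# from a fresh copy of the SAME WordPress version.
# wp-content, wp-config.php and .htaccess are site-specific and are skipped.

compare_core() {   # $1 = installed site root, $2 = fresh copy root
    site=$1; fresh=$2
    # Pass 1: every file shipped in the fresh copy must exist unchanged on the site.
    (cd "$fresh" && find . -type f ! -path './wp-content/*' | sort) |
    while IFS= read -r rel; do
        if [ ! -f "$site/$rel" ]; then
            echo "MISSING  $rel"
        elif ! cmp -s "$fresh/$rel" "$site/$rel"; then
            echo "MODIFIED $rel"
        fi
    done
    # Pass 2: files on the site that the fresh copy does not contain.
    (cd "$site" && find . -type f ! -path './wp-content/*' \
        ! -path './wp-config.php' ! -path './.htaccess' | sort) |
    while IFS= read -r rel; do
        [ -f "$fresh/$rel" ] || echo "EXTRA    $rel"
    done
    return 0
}

# Constructed demo trees (stand-ins for a real download from WordPress.org).
demo_core_check() {
    d=$(mktemp -d)
    mkdir -p "$d/fresh/wp-includes" "$d/site/wp-includes" "$d/site/wp-content/uploads"
    echo '<?php // index'   > "$d/fresh/index.php"
    echo '<?php // load'    > "$d/fresh/wp-includes/load.php"
    echo '<?php // version' > "$d/fresh/wp-includes/version.php"
    cp -R "$d/fresh/." "$d/site/"
    echo '<?php // db settings' > "$d/site/wp-config.php"      # legitimate, ignored
    echo '<?php // injected'   >> "$d/site/index.php"          # tampered core file
    echo '<?php // dropped'     > "$d/site/wp-includes/x.php"  # file not in core
    rm "$d/site/wp-includes/version.php"                       # deleted core file
    compare_core "$d/site" "$d/fresh"
    rm -rf "$d"
}

demo_core_check
```

Files under wp-content are not covered by this comparison, so themes, plugins and uploads still need their own review.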
Check recently modified files
Another way to detect a hack is the file modification date. You can locate recently modified files via FTP by sorting them by modification date; modified files will appear at the top. If you see changes that you did not make, it can be a sign that intruders have access to your website backend.
You can manually check recently modified files in WordPress:
Log in to your server using an FTP client or SSH terminal.
If you are using SSH, you can list all files modified in the last 15 days using this command:
$ find ./ -type f -mtime -15
If you are using SFTP, see the last modified date column for all files on the server.
Note any files that have been recently modified.
List all files with their modification times, newest first, using terminal commands on Linux:
$ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
If you want to include directories as well as files, type in your terminal:
$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
Unfamiliar modifications in the last 7-30 days may be suspicious.
Hosting provider suspension
If your website shows the message “This site is currently unavailable,” it is a symptom that your website has been hacked. When your website has been hacked, or someone is trying to hack it, the hosting provider may suspend or lock your account. In these cases, you might be notified by your hosting company that your account has been suspended. When they detect something wrong with your website, like malicious code, they will send you an email asking you to fix it.
Clean up infected files
Once you have determined that your website is really infected, take these steps to clean and recover it. Professional help is strongly recommended.
Backup your WordPress website
Taking regular backups of the website is a lifesaver. Even if the site is already hacked, you should still take a backup before starting a cleanup job. To back up your website, you can use the backup facility in your cPanel or a plugin such as UpdraftPlus for free.
Reinstall WordPress core
Most of the time, attackers inject malware into core files in the root folders. To remove the root of the malware, the best way is to reinstall WordPress in the public_html directory. Upload a fresh copy of WordPress and install it, replacing everything except the wp-content folder, the wp-config.php file, and the .htaccess file. First, download a fresh WordPress package from WordPress.org.
Clean hacked database tables
Secure WordPress user accounts
If you find any unknown WordPress users in your account, or the default ‘admin’ account, remove them immediately so that attackers can’t reuse them and no longer have access. Note that an administrator account can be hidden from the user list by a custom script in the theme functions file.
Remove unknown users manually:
- Log in to WordPress as an admin and click Users.
- Find the suspicious new user accounts.
- Hover over the suspicious user and click Delete.
Remove hidden backdoor in your WordPress site
Attackers always leave a way to return to your website. There are various types of backdoors that attackers use to return. Attackers inject backdoors into files such as the config.php file and directories like /themes, /plugins, and /uploads.
The following functions are used in backdoors:
- preg_replace (with /e/)
Removing a backdoor is a hard job. Professional help is recommended.
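A starting point for locating the preg_replace pattern named above, as an added example that is not from the original article: the function names, the regular expression and the sample files are constructed here, and the check on the uploads directory is an added heuristic based on the directories listed above.

```shell
#!/bin/sh
# Added example (not from the original article): flag PHP files that call
# preg_replace() with the "e" modifier, which makes PHP evaluate the
# replacement string as code (deprecated in PHP 5.5, removed in PHP 7.0).
# Heuristic: the first argument is a quoted pattern whose closing delimiter is
# followed by modifiers that include "e". Patterns built in variables evade it.
E_MOD_RE="preg_replace[[:space:]]*\\([[:space:]]*[\"'][^\"']*[/#~|!@%][A-Za-z]*e[A-Za-z]*[\"']"

scan_e_modifier() {    # $1 = WordPress root; prints file:line:code per hit
    find "$1" -type f -name '*.php' \
        -exec grep -nE "$E_MOD_RE" /dev/null {} + | sort
}

scan_uploads_php() {   # uploads normally holds media; PHP there needs review
    find "$1" -type f -path '*/wp-content/uploads/*' -name '*.php' | sort
}

# Constructed sample tree: one ordinary call, one call with the e modifier.
demo_backdoor_scan() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/themes/t" "$d/wp-content/uploads/2020"
    cat > "$d/wp-content/themes/t/functions.php" <<'EOF'
<?php
$title = preg_replace('/\s+/', ' ', $title);
EOF
    cat > "$d/wp-content/uploads/2020/img.php" <<'EOF'
<?php
$out = preg_replace("/(\w+)/e", 'strtoupper("$1")', $in);
EOF
    (cd "$d" && scan_e_modifier . && scan_uploads_php .)
    rm -rf "$d"
}

demo_backdoor_scan
```

A clean result from this scan does not prove the site is free of backdoors; it only rules out the literal form of this one function call.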
Replace themes and plugins
When your WordPress website has been hacked, replacing theme and plugin files with fresh copies is highly recommended. You won’t lose any data or website customization if you leave it in a professional’s hands.
Remove malware from your website: You should always try to take the primary steps yourself, but if you are not confident enough and want professional service, Solvewp.com is always ready to help immediately for a fair price. You will always be charged the lowest price but will get friendly, one-to-one, best-quality support with a minimum of 6 months of free-of-charge cleanup warranty.