Symptoms of hacked WordPress website

  1. Website is being redirected to some malicious website
  2. Search results is taking users to a different website
  3. unable to login to WordPress backend
  4. Unknown administrator accounts in WordPress users list
  5. Search engines display “website may be hacked” warning
  6. Sudden drop in website traffic
  7. Popup ads on website pages
  8. Website suspended by hosting provider due to malicious activity or too much outgoin email
  9. Abnormal behavior of browsers when visitng website
  10. Browser blocking website with warning such as “Deceptive site ahead”
  11. Japanese/Chinese keywords in search results
  12. Unknown links added to website pages
  13. The website homepage is defaced
  14. Unknown files and scripts on website directories
  15. Unknown scheduled tasks

Scan your site

You may use external online scanner to quickly identify vulnerabilities, check if domain is blacklisted, JavaScript malware in html source code..SolveWP.com has a free external WordPress website vulnerability scanners.

  1. Visit solvewp.com website
  2. Enter your website URL
  3. Click scan website
  4. Check results with warning or danger icons

An external scan only can identify the output of the website, but not internal files. If an external scanner can’t identify any malicious issue, you may still need to run an internal scan.

Check WordPress core file integrity

You must need to check WordPress core files integrity. You can easily check the integrity of core files by using the diff command in the terminal or using a custom script with WordPress API, we will cover that in the next post.

Check recently modified files

Another way to detect of website hack that is the file modification date. You can easily locate recently modified files via FTP, sort them by modification date. Modified files will appear at the top. If you see some changes that are not made by you, it can be a sign that intruders have access to your website backend.

You can check manually recently modified files in WordPress:

Login into your server using an FTP client or SSH terminal.

If you are using SSH, you can check all modified files list in the last 15 days using this command:  $ find ./ -type f -mtime -15

If you are using SFTP, see the last modified date column for all files on the server.

Note any files that have been recently modified.

Check modified all files using terminal commands on Linux: $ find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .

If you want to see directory files, type in your terminal:

$ find /etc -printf '%TY-%Tm-%Td %TT %p\n' | sort -r .

Unfamiliar modifications in the last 7-30 days may be suspicious.

Hosting provider suspension

If your website shows the message that is “This site is currently unavailable” this symptom is your website has been hacked. When your website has been hacked or someone trying to hack, the hosting provider may suspend or lock your account. In these cases, you might be notified by your hosting company that your account already being suspended. When they have detected something wrong with your website like malicious code and then they will send you an email to fix it.

Clean up infected files

Once you are determined that your website is really infected, you should take these necessary steps to clean and recover your website. Professional help strongly recommended.

Backup your WordPress website

Taking regular backup of the website is a life savior. In the case of already hacked, you still should take a backup before starting a cleanup job. To keep backup of your website you can use the backup facility in your cPanel or use a plugin such as UpdraftPlus for free.

Reinstall WordPress core

Most of the time attackers exploit malware into core files in root folders. To remove the root of the malware, the best way to reinstall WordPress in the public_html directory. You need to upload a fresh WordPress and install except the wp-content folder, wp-config.php file, and .htaccess file. Firstly you will need to download a fresh WordPress file from WordPress.org

Clean hacked database tables

Many hacks involve the database. Advanced hackers choose the database to hide their redirect javascript links. To remove malware from your WordPress database, professional help required to fix database injection without losing website data.

Secure WordPress user accounts

If you observed any unknown WordPress users in your account and also default ‘admin’ account then immediately remove them so that attackers can’t reuse it and there have no longer access. But administrator account can be hidden using a custom script in theme function that will not be visible in users list.

Remove unknown users manually:

  • Log in to WordPress as an admin and click Users.
  • Find the suspicious new user accounts.
  • Hover over the suspicious user and click Delete.

Remove hidden backdoor in your WordPress site

Attackers always leave a way to get returned to your website. There is various type of backdoor that attackers use a return to your website. Attackers inject backdoor into files such as config.php file and directories like /themes, /plugins, and /uploads.

Following these function are used in the backdoor

  • base64
  • str_rot13
  • gzuncompress
  • eval
  • exec
  • system
  • assert
  • stripslashes
  • preg_replace (with /e/)
  • move_uploaded_file

Removing backdoor is a hard job, professional hand recommended.

Replace themes and plugins

When your WordPress website has been hacked, replacing theme and plugins files with fresh copy is highly recommended. You won’t lose any data or website customization if you leave it to a professional’s hands.

Remove malware from your website: You should always try to take the primary steps yourself but if you are not confident enough and want professional service, Solvewp.com is always ready to help immediately for a fair a price. You will always be charged lowest but will get friendly, one to one the best quality support with minimum 6 months of free of charge protection warranty.