Your WordPress site has been hacked. It’s easy to panic if this happens to you. In this post, I’ll show you how to tell whether your website has been hacked, as well as how to clean it up and make it more secure.
Finally, I’ll give you some pointers on how to avoid having your WordPress site hacked in the future.
WordPress Hacked: Signs Your WordPress Site Is at Risk
Your WordPress site isn’t functioning properly. But how do you determine if the issue is the result of a hack? Let’s look at some of the telltale symptoms that your website has been hacked:
- You are unable to log in.
- Your website has changed without your intervention (for example, the homepage has been replaced by a static page or new content has been added).
- Your website is redirected to a different website.
- When you or other people try to access your site, your browser displays a warning.
- Google warns you that your site has been hacked when you search for it.
- Your security plugin has alerted you to a security breach or an unexpected change.
- Your hosting provider has reported unusual activity on your account.
Let’s look at each of these in greater depth.
You Can’t Log In
If you can’t log in to your website, it’s possible that it’s been hacked. It’s more probable, however, that you’ve simply forgotten your password. Try resetting your password before assuming you’ve been hacked. If you can’t, that’s a red flag. Even if you can, you may have been hacked and will need to conduct additional research.
Hackers may delete users or change their passwords to lock you out. If you are unable to reset your password, your user account may have been deleted, which is a sign of a hack.
Your Site Has Changed
Replacing the homepage with a static page is one type of hacking. It’s likely that your site has been hacked if it appears completely different and isn’t utilising your theme.
The changes could be subtle, such as the addition of bogus content or links to questionable websites. You could have been hacked if your footer is full of links you didn’t add, especially if those links are hidden or set in a tiny font size.
Before you believe you’ve been hacked, be sure the modifications weren’t made by accident by other site administrators or editors.
This is more likely if your theme isn’t from a reputable source and you’ve recently updated it.
Your Site is Redirecting
Hackers may install a script that sends visitors to another site when they visit yours. This is most likely a site you don’t want your users to visit.
This happened to me while I was in charge of a school website that was redirecting to a dating site. As you can imagine, my client was unhappy, and I had to drop everything else I was doing to fix it right away. It turned out that the problem was due to a server security flaw rather than a flaw in my website, which is one reason to only use high-quality hosting. I moved hosting providers as soon as feasible and the problem was corrected almost instantly.
Browser Warnings
If your browser is warning you that your site has been hacked, it may well have been. But the warning could also be caused by a problem with your domain or SSL certificate, or by some code in a theme or plugin that needs to be removed.
To help you determine the cause, follow the instructions that came with the warning in your browser.
Search Engine Warnings
If your site has been hacked, Google may display a warning when you search for it. This could indicate that your sitemap has been compromised, causing Google to crawl your site differently. It could also be a more serious issue; you’ll need to perform the diagnosis below to figure out what’s going on.
Why WordPress Sites Get Hacked
There are numerous reasons why WordPress blogs are hacked, but here is a list of the most prevalent ones.
Insecure Passwords
This is one of the most common reasons for a site being hacked. “Password” is the most commonly used password in the world. Secure passwords are required not only for your WordPress admin account, but for all of your users and all parts of your site, including FTP and hosting.
Out of Date Software
Security updates are available for plugins and themes, as well as WordPress itself, and must be deployed to your site. You’re putting your site at risk if you don’t keep your themes, plugins, and WordPress version up to date.
Insecure Plugins and Themes
Plugins and themes that aren’t from trusted sources may expose your site to risks. If you need free WordPress themes and plugins, install them from the official theme and plugin directories.
Check the vendor’s reputation before purchasing premium themes and plugins, and get recommendations from people and sources you trust. Never install nulled plugins: premium plugins offered for free that have been modified to harm your site or collect information.
How Does WordPress Get Hacked?
If you’re interested in learning more about how WordPress sites are hacked (and aren’t interested in jumping to the measures to take if your own site has been hacked), here are the most common ways hackers gain access to your site:
- Backdoors — scripts or hidden files that let someone access your site without going through the normal login. The TimThumb vulnerability of 2013 was one such case.
- Pharma hacks, an attack that injects malicious code into out-of-date WordPress versions.
- Brute-force login attempts, where hackers use automation to guess weak passwords and gain access to your site.
- Malicious redirects, which are added to your site through a backdoor.
- Cross-site scripting (XSS) — the most prevalent vulnerability found in WordPress plugins, allowing a hacker to send malicious code to the user’s browser.
- Denial of Service (DoS), where faults or bugs in a website’s code are exploited to overwhelm the site until it stops working.
If you own an ecommerce site, be sure to read our comprehensive guide to preventing ecommerce fraud.
These all sound frightening, but there are steps you can take to safeguard your WordPress site. Let’s start with the steps you should follow if your website has been hacked.
WordPress Site Hacked: What to Do (Step-By-Step Guide)
We provide a hack-free guarantee if your site is hosted with Kinsta, which means we will go over your site and remove the hack. If you’re using another hosting provider, you’ll have to work with them, but you might have to do a lot of the work yourself.
The steps you need to take will vary depending on how your site was hacked, and you may not need to do all of them. These are the steps we’ll cover:
- Don’t panic
- Put your site in maintenance mode
- Use the Kinsta Malware Removal Service
- Reset passwords
- Update plugins and themes
- Remove users
- Remove unwanted files
- Clean out your sitemap
- Reinstall plugins and themes
- Reinstall WordPress core
- Clean out your database
Step 1: Don’t Panic
I understand that telling someone who is panicking to “don’t panic” is the worst thing you can say. However, if you’re going to diagnose and address the problem, you’ll need a clear head.
If you’re having trouble thinking clearly, simply put your site in maintenance mode and leave it for a few hours until you feel better. Again, it sounds easier said than done, but it’s critical in this case.
Step 2: Put Your Site in Maintenance Mode
You don’t want visitors to find your site in a vulnerable state, and you also don’t want them to see how your site will look while you fix it.
So, if you can, put it in maintenance mode.
This won’t be possible if you can’t log in to your WordPress site right now, but come back to this step as soon as you can.
Coming Soon Page & Maintenance Mode is a plugin that allows you to put your site into maintenance mode, making it appear as if it’s undergoing routine maintenance rather than being fixed after a hack.
After that, you can unwind a little knowing that no one can see what’s going on.
You can use the plugin’s settings to add a logo and change the colours, or you can simply type in some explanatory text and leave it at that.
You can now view your broken website, but others cannot.
Step 3: Use Kinsta Malware Removal Service
When migrating to Kinsta, you can purchase the Kinsta malware removal service for a one-time price of $100 to avoid all of the steps below. Important: If you’re a Kinsta customer, this is already included in your package!
If you don’t want to or can’t afford to do this, keep reading to learn how to clean up your hacked site.
Step 4: Reset Passwords
Because you don’t know which password the hacker used to get access to your site, you should update them all to prevent the hacker from doing so again. This doesn’t just apply to your WordPress password; you should also change your SFTP, database, and hosting provider passwords.
You’ll need to make sure that all other admin users’ passwords are changed as well.
Step 5: Update Plugins and Themes
The following step is to ensure that all of your plugins and themes are current. Go to your site’s Dashboard > Updates and update anything that’s out of date.
You should do this before attempting any other repairs, because if a plugin or theme is what made your site vulnerable, any other fixes you make may be undone through that same vulnerability. So, before you go any further, double-check that everything is up to date.
Step 6: Remove Users
It’s time to delete any admin accounts that have been added to your WordPress site that you don’t recognise. Check with any authorised administrators to be sure they haven’t altered their account details and you just don’t recognise them before proceeding.
In your WordPress admin, go to the Users screen and click the Administrator link above the list of users. Tick the checkbox next to any users who shouldn’t be there, then choose Delete from the Bulk Actions dropdown.
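Steps 4 and 6 can both be done from the command line, which is useful when the dashboard itself is untrustworthy. The script below is an added example, not code from the original post or from Kinsta; it assumes WP-CLI (`wp`) is installed and run from the WordPress root, and that you keep an allowlist file of administrator logins you recognise (an assumed input). It lists administrators, flags any that are not on your allowlist, and gives every administrator a fresh random password while destroying their sessions, so a password the attacker learned stops working; legitimate admins then set their own via the “Lost your password?” link.

```shell
#!/bin/sh
# Added example (not from the original post): WP-CLI helpers for Step 4 (reset
# passwords) and Step 6 (remove users). Assumes "wp" is installed and run from
# the WordPress root; the allowlist of admin logins is an assumed input file.

# Generate a random password from /dev/urandom. $1 = length (default 24).
generate_password() {
    len="${1:-24}"
    LC_ALL=C tr -dc 'A-Za-z0-9_@#%+=' < /dev/urandom | head -c "$len"
    echo
}

# Compare the administrator list WP-CLI prints against an allowlist of logins
# you recognise. $1 = allowlist file (one login per line); stdin = CSV output
# of "wp user list" with the header ID,user_login,user_email,user_registered.
# Prints each unrecognised admin with its registration date; returns 1 if any.
find_unexpected_admins() {
    allowlist="$1"
    unexpected=$(
        tail -n +2 | while IFS=, read -r id login email registered; do
            if ! grep -qxF "$login" "$allowlist"; then
                printf '%s %s registered %s\n' "$id" "$login" "$registered"
            fi
        done
    )
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Step 6: pull the live administrator list and flag accounts you don't know.
# $1 = allowlist file. Review each hit before deleting it in the Users screen.
audit_admins() {
    wp user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered --format=csv \
        | find_unexpected_admins "$1"
}

# Step 4: set a new random password for every administrator and log them out
# everywhere. Nobody learns the new passwords (they are not printed); each
# admin then uses "Lost your password?" to choose their own.
rotate_admin_passwords() {
    for id in $(wp user list --role=administrator --field=ID); do
        wp user update "$id" --user_pass="$(generate_password 24)" --skip-email
        wp user session destroy "$id" --all
    done
}

# Usage (from the WordPress root):
#   audit_admins /path/outside/webroot/known-admins.txt
#   rotate_admin_passwords
```

Remember that the page's advice covers more than WordPress logins: SFTP, database and hosting-panel passwords are changed in your host's control panel, not with this script.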
Step 7: Remove Unwanted Files
Install a security plugin like Wordfence, which will scan your site and notify you of any files that shouldn’t be there, or use a security service like Sucuri to find out whether there are files in your WordPress installation that don’t belong.
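If you want to see what such a scanner looks for before trusting a plugin’s verdict, here is an added example (not code from the original post, Wordfence or Sucuri) of a read-only check you can run over a WordPress tree. It reports three things a clean install should not contain: PHP files under wp-content/uploads (WordPress never stores executable code there), files modified within the last few days (a hack leaves fresh modification times), and PHP files containing obfuscation primitives commonly seen in injected code. The WordPress root and the day window are assumed arguments; nothing is deleted, so each hit is reviewed by a person before any action is taken.

```shell
#!/bin/sh
# Added example (not the page's code): a read-only scan for files that should
# not be in a WordPress tree. $1 = WordPress root; $2 = "modified within N
# days" window (default 7). Prints tagged hits; returns 1 if there were any.
scan_wp_files() {
    root="$1"
    days="${2:-7}"
    hits=$(
        # 1. PHP under uploads: WordPress only ever writes media there.
        find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null \
            | sed 's/^/PHP-IN-UPLOADS /'
        # 2. Anything changed recently; compare against your own deploy history.
        find "$root" -type f -mtime "-$days" 2>/dev/null \
            | sed 's/^/RECENTLY-MODIFIED /'
        # 3. PHP files using eval/base64/gzinflate/rot13 combinations that
        #    legitimate plugins rarely need but injected code almost always does.
        find "$root" -type f -name '*.php' -exec grep -lE \
            'eval\(base64_decode|gzinflate\(base64_decode|str_rot13\(' {} + 2>/dev/null \
            | sed 's/^/OBFUSCATED-CODE /'
    )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: scan_wp_files /var/www/html 7
```

Treat the output as a list of files to inspect, not a list to delete: legitimate plugins occasionally trip the obfuscation pattern, and your own recent edits will show up as recently modified. If WP-CLI is available, `wp core verify-checksums` and `wp plugin verify-checksums --all` give a more precise answer for core and directory-hosted plugins by comparing every file against the official checksums.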
Step 8: Clean Out Your Sitemap and Resubmit to Google
A hacked sitemap.xml file is one of the most common reasons for a site being blacklisted by search engines. In one case we fixed at Kinsta, the sitemap had been stuffed with bogus links and foreign characters.
You can use your SEO plugin to rebuild your sitemap, but you’ll also need to let Google know that the site has been cleaned. Add your site to Google Search Console and submit your sitemap so Google knows you want it re-indexed. This doesn’t guarantee that your site will be crawled right away, and it could take up to two weeks. You can’t speed this up, so you’ll have to be patient.
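Before resubmitting, it is worth checking the rebuilt sitemap for exactly the two symptoms described above. The function below is an added example (not code from the original post or from any SEO plugin); it takes the sitemap file and your site’s origin (both assumed arguments) and reports every `<loc>` that points at another host, plus every line containing bytes outside printable ASCII, so a sitemap that is still carrying injected links never reaches Search Console.

```shell
#!/bin/sh
# Added example (not the page's code): audit a sitemap.xml before resubmitting
# it. $1 = sitemap file; $2 = the origin every URL must start with, e.g.
# https://example.com. Assumes one <loc> element per line, as SEO plugins emit.
# Prints tagged problems; returns 1 if any were found.
audit_sitemap() {
    file="$1"
    origin="$2"
    problems=$(
        # Pull each <loc>...</loc> value onto its own line and check its host.
        sed -n 's/.*<loc>\(.*\)<\/loc>.*/\1/p' "$file" | while read -r url; do
            case "$url" in
                "$origin"/*) ;;
                *) printf 'FOREIGN-URL %s\n' "$url" ;;
            esac
        done
        # Any byte outside printable ASCII or whitespace: injected "foreign
        # characters" show up here, with the line number for inspection.
        LC_ALL=C grep -n '[^[:print:][:space:]]' "$file" \
            | sed 's/^/NON-ASCII line /'
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Usage: audit_sitemap /var/www/html/sitemap.xml https://example.com
```

A legitimate non-ASCII URL (an accented path on an international site, say) will also be reported; the point is that every such line gets looked at, not that it is automatically wrong.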
Step 9: Reinstall Plugins and Themes
If your site is still having issues, you’ll need to reinstall any plugins or themes that haven’t been updated recently. Deactivate and delete them from your Themes (here’s how to properly delete a WordPress theme) and Plugins pages, then reinstall them. Put your site in maintenance mode first if you haven’t already.
If you’re not sure how safe a plugin or theme you bought from a third-party seller is, now is the time to think about whether you should keep using it. Don’t reinstall a free theme or plugin you got from anywhere other than the WordPress plugin or theme directories. Install it from the theme or plugin directory instead, or purchase the licensed version. If you can’t afford it, substitute a free theme or plugin from the directory that performs the same or similar functions.
Check the support pages for all of your themes and plugins if this doesn’t solve the problem. It’s possible that other people are having issues, in which case you should deactivate the theme or plugin until the issue is resolved.
Step 10: Reinstall WordPress Core
If everything else fails, you’ll have to reinstall WordPress. If the WordPress core files have been hacked, you’ll need to install a fresh copy of WordPress.
Using SFTP, upload a fresh set of WordPress files to your site, making sure to overwrite the existing ones. Take a backup of your wp-config.php and .htaccess files first, just in case they’re overwritten (which they shouldn’t be).
If you installed WordPress using an auto-installer, don’t use it again because it will overwrite your database and you’ll lose your content. Instead, only upload the files using SFTP. If you’re on Kinsta and used our WordPress installer, you won’t have to worry about this step since as part of our hack patch service, we’ll replace WordPress core for you.
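The same step can be done without SFTP if WP-CLI is available on the server. The script below is an added example (not code from the original post or from Kinsta’s service); it assumes WP-CLI is installed and takes the WordPress root and a backup directory outside the web root as arguments. It first copies wp-config.php and .htaccess to a timestamped backup, then downloads a clean copy of the exact core version already installed, overwriting core files only (wp-content and the database are left alone, which avoids the auto-installer problem described above), and finishes by verifying every core file against the official checksums.

```shell
#!/bin/sh
# Added example (not the page's code): back up the two files you must keep,
# then replace WordPress core with WP-CLI. Assumes "wp" is installed.
# $1 = WordPress root; $2 = directory outside the web root for backups.

# Copy wp-config.php and .htaccess into a timestamped backup directory.
# Prints the backup path on success; returns 1 if nothing could be copied,
# so the caller never overwrites core without a backup in hand.
backup_wp_config() {
    root="$1"
    dest="$2/wp-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || return 1
    copied=0
    for f in wp-config.php .htaccess; do
        if [ -f "$root/$f" ]; then
            cp -p "$root/$f" "$dest/$f" || return 1
            copied=$((copied + 1))
        fi
    done
    if [ "$copied" -eq 0 ]; then
        echo "nothing to back up in $root" >&2
        return 1
    fi
    printf '%s\n' "$dest"
}

# Replace every core file with a clean copy of the same version. --skip-content
# leaves wp-content untouched and nothing here touches the database; the final
# checksum verification confirms no modified core file survived.
reinstall_core() {
    root="$1"
    backups="$2"
    backup_wp_config "$root" "$backups" || return 1
    version=$(wp --path="$root" core version) || return 1
    wp --path="$root" core download --version="$version" --skip-content --force || return 1
    wp --path="$root" core verify-checksums
}

# Usage: reinstall_core /var/www/html /var/backups/wordpress
```

If `wp core verify-checksums` still reports a file that "should not exist" after the download, that file is not part of WordPress and belongs on the list from Step 7.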
Step 11: Clean Out Your Database
You’ll also need to clean out your database if the hack has reached it. Cleaning out your database is a good idea in any case, because a clean database holds less old data and takes up less space, making your site faster.
How to Prevent Your WordPress Site from Being Hacked
So you’ve cleaned up your website and changed your passwords to make it a little more secure than before.
However, there is more you can do to prevent future hacks and avoid repeating the same mistake.
Ensure All Passwords Are Secure
If you haven’t already, make sure you’ve reset all of your website’s passwords, not just the WordPress admin password, and that you’re using secure passwords.
You can require users to choose strong passwords with a security plugin, or, if you’re with Kinsta, this is included in your hosting plan.
You can also enable two-factor authentication to make it much harder for hackers to get into accounts on your site.
Keep Your Site Updated
It’s critical to keep your website up to date. You should apply any updates to your theme, plugins, or WordPress itself, because they often include security patches.
Automatic updates can be enabled either by modifying your wp-config.php file or by installing a plugin that does it for you. If you’d rather not do that and instead test updates beforehand, a security plugin will alert you when an update is required.
If you have a staging server, update your site safely by taking a backup and testing updates on the staging site first. All Kinsta plans include automated backups and a staging environment.
Don’t Install Insecure Plugins or Themes
In the future, be sure that WordPress plugins have been tested with your version of WordPress and that you’re downloading them from a trusted source.
Don’t be lured to obtain free plugins and themes from third-party sites; instead, use the theme and plugin directories. Check the reputation of the plugin provider and ask for recommendations if you’re buying premium themes or plugins.
Clean Out Your WordPress Installation
Delete any themes or plugins you have installed but haven’t enabled. It’s time to get rid of any files or old WordPress installations that aren’t being used in your hosting environment. Remove any databases that you aren’t utilising.
If you have old, unused WordPress installations on your server, they are especially dangerous because you are unlikely to keep them updated.
Install SSL on Your Site
SSL adds an extra degree of security to your website and is completely free. SSL is included in all Kinsta plans at no additional cost. If your hosting provider does not offer free SSL, you can add free Let’s Encrypt SSL using the SSL Zen plugin.
Avoid Cheap Hosting
If you choose cheap hosting, you’ll be sharing server space with hundreds of other customers. This not only slows your site down, it also increases the likelihood that one of those other sites will expose a vulnerability on the server.
Cheap hosting companies are less likely to keep a close eye on server security or to assist you if your site is attacked. A good hosting company, such as Kinsta, will guarantee that your site will not be hacked and will work hard to keep it safe.
Set up a Firewall
You can set up a firewall for your site using a security plugin or a service like Cloudflare or Sucuri. This acts as a second line of defence against hackers, reducing the likelihood of hacks and DDoS attacks on your site.
Here at Kinsta, all of our customers’ WordPress sites are protected by Google’s enterprise-level firewall. In MyKinsta, we also provide customers with an easy-to-use IP Deny tool for blocking dangerous IP addresses.
Install a Security Plugin
If you use a security plugin, it will alert you to any unusual behaviour on your site. Unauthorized logins or the addition of files that shouldn’t be there are examples of this.
Refer to the plugin’s notice to figure out what the issue is once more.
You don’t need to install security plugins if your site is hosted by Kinsta, because Kinsta already includes all of the necessary security features.
Consider A Security Service
If you don’t utilise Kinsta, you might want to look into a security service like Sucuri, which will keep an eye on your site and fix it if it is hacked again.
It isn’t cheap, but if your website is critical to your company’s revenue, it will pay for itself. There are several plans available, each with a different turnaround time for security fixes. Sucuri will keep an eye on your site, notify you if there’s a security breach, and take care of the problem. This means you won’t have to go through the hassle of cleansing your site again.
Alternatively, Kinsta hosting plans include security features such as DDoS detection, uptime monitoring, hardware firewalls, and a hack-free guarantee, which means we will clean up your site if it is hacked. If you switch to Kinsta, we’ll migrate your site for free and clean it up if it gets hacked in the future. Check out our hand-picked list of the top WordPress migration plugins.
Having your website hacked is an awful experience. It means your website is unavailable to visitors, which could have a negative impact on your business, and it demands a quick response that will disrupt your other work.
Here’s a quick rundown of what you should do if your website has been hacked:
- Passwords should be reset.
- Plugins and themes should be updated.
- Users who shouldn’t be there should be removed.
- Remove any files that you don’t want.
- Make sure your sitemap is up to date.
- Reinstall WordPress core, plugins and themes if necessary.
- If required, clean up your database.
Remember that following the preventive steps outlined above will save you from having to repeat this process in the future: it pays to keep your site as secure as possible.