Having your WordPress site hacked is more common than it should be. WordPress is one of the most targeted CMSs, which shouldn’t come as a surprise considering it powers more than 40% of all websites.
Getting hacked is unpleasant and can hurt your brand and your users, so if it ever happens you want to deal with it as soon as possible.
Follow these recommendations to overcome a hack.
Why do WordPress sites get hacked?
WordPress sites are hacked for various reasons. While some attacks result from pure malice, they’re not as common as those trying to gain something from the victims or their site, whether to extract ransom money or funnel traffic into the attacker’s site.
Some of the most common reasons for hacking websites include the following:
Extorting victims into paying a ransom.
Getting hired to perform industrial or business sabotage. Many “hacker for hire” groups commit cybercrimes for a fee.
Compromising websites and computers to sell or rent access to them, often for use in DDoS attacks.
Stealing credit card numbers, social security numbers, and other personally identifiable information (PII), which they can use in later attacks, sell, or both.
Causing financial loss to the site owners by interrupting revenue streams and generating post-attack costs.
Using stolen credentials to make unauthorized purchases or move funds.
Performing identity theft with stolen credentials.
Impersonating trusted organizations and individuals to convince others to give up PII.
Stealing intellectual property.
Spreading malware through malicious links.
Tricking users into handing over multi-factor authentication codes so attackers can access their accounts.
Adding stolen credentials to their stockpile for future credential stuffing attacks (trying known username and password pairs against other sites).
Gaining a foothold in an organization’s inner systems as part of a multi-layered cyberattack.
Redirecting your site to an external site by adding spam links and pages.
Gaining hidden admin access that they can exploit for long periods before being detected.
Degrading the website’s performance.
Locking out other website users.
How do WordPress sites get hacked?
Just as there are many reasons to hack a website, there are many ways to do so. The cybersecurity threat landscape is always shifting, with attackers and developers constantly catching up to each other’s methods.
The most common ways to hack WordPress websites include the following:
Cracking weak or reused passwords.
Exploiting outdated core installations, PHP versions, plugins, and themes with known vulnerabilities.
Brute-force login attacks, including credential stuffing with leaked username and password pairs.
Cross-site scripting (XSS), usually through a vulnerable plugin or theme.
SQL injection through input that the code passes to the database without sanitizing it.
Denial-of-service attacks, which disrupt the site rather than break into it.
Signs your WordPress site was hacked
Depending on the method attackers use, there are many potential signs your site’s been hacked. These are some of the most common:
A sudden drop in website traffic. It can be caused by malware redirecting visitors to another website, or by Google Safe Browsing flagging your site after detecting phishing or malware on it.
You notice links you didn’t add. Once attackers have backdoor access, they may inject spam links, typically in the footer of your website, although they can appear anywhere.
Your front page is entirely different. In a defacement attack, hackers replace your homepage with a page announcing you’ve been hacked, often demanding a ransom to restore the site.
You can’t log in. Attackers may have changed your password, deleted your admin account, or changed the e-mail address used for password resets.
New suspicious admin accounts. If you notice admin accounts neither you nor other members of your team created, your site has likely been hacked.
Suspicious scripts in your WordPress installation. The directory where attackers most often drop malicious scripts is wp-content, and wp-content/uploads in particular, which should contain only media and never PHP files. The file is usually named to resemble a standard WordPress file so it looks harmless. Malware scans and file integrity check plugins alert you when new files appear or existing files change.
Sudden performance drop. If your site is suddenly slow for no apparent reason, you may be under a denial-of-service attack, or malware on the server may be consuming its resources.
Pop-up ads. Another classic tactic of attackers monetizing someone else’s website. Pop-ups often appear only for visitors who are not logged in, so the site owner may never see them, and they usually open in a new window.
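The file-level signs above (PHP dropped into wp-content, look-alike filenames, recently changed files) can be hunted for from the shell before or alongside a plugin scan. The script below is an added example, not code from the original article or from any plugin it names; the function names, the obfuscation idioms it greps for and the default seven-day window are this example's own choices, and the site root is passed as the first argument.

```shell
#!/bin/sh
# Added example: hunt for file-level indicators of a hacked WordPress site.
# Assumes $1 is the site root (the directory holding wp-config.php).
# Patterns and the 7-day default are this example's own assumptions.

# 1. PHP under wp-content/uploads. That directory should hold media only,
#    so any PHP-like file there is almost certainly a dropped backdoor.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 2. PHP files combining eval() with a decoder or with raw request data.
#    Legitimate code rarely does this, so every hit deserves a manual look.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(POST|GET|REQUEST|COOKIE))' \
        {} + 2>/dev/null
}

# 3. Files changed in the last N days (default 7), cache excluded. Compare
#    against your own deployment and update history; anything you did not
#    change yourself is a lead.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" ! -path '*/wp-content/cache/*' 2>/dev/null
}

# Run all three checks and print each group under a heading.
scan_site() {
    echo "== PHP-like files under wp-content/uploads =="
    php_in_uploads "$1"
    echo "== eval() with decoder or request data =="
    suspicious_php "$1"
    echo "== files modified in the last ${2:-7} days =="
    recently_modified "$1" "${2:-7}"
}

if [ -n "${1:-}" ]; then
    scan_site "$1" "${2:-7}"
else
    echo "usage: $0 /path/to/wordpress [days]"
fi
```

Treat the output as leads, not verdicts: some caching and optimisation plugins legitimately use gzinflate or base64_decode, so compare each hit against a clean copy of the plugin before deleting it.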
What to do if your site is hacked?
Now that we’ve discussed why sites are attacked, how, and the signs of hacking, let’s break down what you should do if you notice your website’s been hacked.
First of all, don’t lose your cool. Getting hacked is very unpleasant but rarely the end of the world. Security Magazine reported in 2017 that, on average, a cyberattack happens every 39 seconds. Given WordPress’s market share, many of those happened and still happen to WordPress sites.
You’re not the first or last site owner that suffered a hack. After the initial shock, you must pick yourself up and take the necessary measures.
Put your site offline or in maintenance mode.
The first measure (assuming you can still log in) is to take your site offline or put it in maintenance mode, so visitors don’t see a half-repaired site while you sort things out. If you can’t log in, ask your hosting provider to take the site offline for you. Keep in mind that a maintenance page only hides the site from visitors; a backdoor remains reachable until you remove it.
To put your site in maintenance mode, there are many plugins you can use, including WP Maintenance Mode and Under Construction Page.
Reset all passwords and update all plugins and themes.
Plugin and theme vulnerabilities are one of the most common weaknesses hackers exploit. To ensure it wasn’t an outdated plugin or theme, update all of them as soon as possible.
To check how safe a plugin is, visit the WPScan Vulnerability Database, which lists known security vulnerabilities in WordPress core, plugins and themes. If one of your plugins is listed, check whether a version that fixes the vulnerability has been released and install it. If not, you are better off deleting the plugin.
Also, replace every password associated with your WordPress site with a strong, unique one: the WordPress user accounts, the database user in wp-config.php, and your SFTP/SSH and hosting control panel logins. Rotate the authentication keys and salts in wp-config.php as well, which logs out every existing session, including the attacker’s. Because a backdoor that is still in place can capture new credentials, repeat the password reset after you have finished cleaning the site. If you weren’t using it before, start using two-factor authentication to log in. Multi-factor authentication is one of the most effective measures for stopping attackers who hold a stolen password.
Remove suspicious admin accounts.
As we mentioned, attackers may create admin accounts they can use to make changes on the site and log in without raising suspicion. Check with your team members which accounts are legitimate and which were likely created by the attacker.
Go to Users > All Users in your dashboard to delete suspicious accounts. Find the accounts your team has confirmed as malicious and press Delete. WordPress then asks whether to delete all content owned by that account or attribute it to another user.
Attribute it to your own account so you can review anything the account created (spam posts or pages, for example) and delete it.
Scan for and remove suspicious files.
Security plugins like Sucuri, Wordfence, and others have malware and integrity scans that detect when a suspicious file is created or a legitimate file is modified within your core installation.
Run scans and delete any suspicious files.
Remember that some web hosting plans have scans and security measures that may be incompatible with security plugins. Check your plan’s terms, and either use a plugin or raise a security ticket to your web host.
Clean out your database.
Your site’s database may also have been tampered with: attackers plant spam posts, inject scripts into post content or widget and theme options, and add rogue users. To determine whether it’s been compromised, use a plugin like malCure WP Malware Scanner & Firewall, MalCare WordPress Security, All In One WP Security & Firewall, or WP Changes Tracker.
These plugins can scan your database and clean it up. Besides removing injected content, a cleaned database is also smaller, because it has fewer stale entries.
Consider reinstalling WordPress.
It is the heaviest option, but it may be the only one if your core WordPress files (wp-admin, wp-includes and the PHP files in the site root) are deeply compromised. The idea is to replace every core file with a fresh copy downloaded from wordpress.org without overwriting the files that hold your configuration and content, especially wp-config.php, .htaccess (only on Apache servers) and the wp-content directory with your themes, plugins and uploads.
Back up these files first and inspect them, since wp-config.php and .htaccess are favourite places for injected includes and redirect rules. Then delete wp-admin and wp-includes entirely, so that any file the attacker added there does not survive, and upload the fresh copies via SFTP. Generally, avoid your host’s one-click auto-installer, since it’s likely to create a fresh database, potentially making you lose a lot of content.
Some web hosting plans have a feature that replaces core files while preserving the essential files listed above. Check whether your web host offers one.
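The recovery steps above, as one added shell script (not from the original article or from WP-CLI's own documentation): it archives the site for evidence and rollback, replaces the core files while keeping wp-config.php, .htaccess and wp-content, and then runs WP-CLI for the remaining steps where WP-CLI is installed. The layout (SITE_DIR, FRESH_WP_DIR, BACKUP_DIR) and the function names are this example's own assumptions; the WP-CLI commands are real, but their selection and order are this example's choice. Test it on a copy of the site first.

```shell
#!/bin/sh
# Added example: recover a hacked WordPress install.
# Usage: recover.sh SITE_DIR FRESH_WP_DIR BACKUP_DIR
#   SITE_DIR      the hacked install (directory holding wp-config.php)
#   FRESH_WP_DIR  an unpacked, freshly downloaded WordPress release
#   BACKUP_DIR    where the pre-cleanup archive goes (ideally off-server)
# Layout and function names are this example's own assumptions.

# Archive everything before touching it: evidence for later analysis,
# and a fallback if the cleanup goes wrong. Prints the archive path.
backup_site() {
    site=$1; dest=$2
    mkdir -p "$dest"
    archive="$dest/wp-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$site" .
    echo "$archive"
}

# Replace core files (wp-admin, wp-includes, root PHP files) with fresh
# copies. wp-admin and wp-includes are deleted first so attacker-added
# files there do not survive; wp-content, wp-config.php and .htaccess
# are never touched.
reinstall_core() {
    site=$1; fresh=$2
    rm -rf "$site/wp-admin" "$site/wp-includes"
    (cd "$fresh" && find . -type f \
        ! -path './wp-content/*' \
        ! -name 'wp-config.php' ! -name '.htaccess') |
    while IFS= read -r f; do
        mkdir -p "$site/$(dirname "$f")"
        cp "$fresh/$f" "$site/$f"
    done
}

# Remaining steps via WP-CLI, skipped when it is not installed. Review the
# administrator list by hand; deleting accounts is deliberately left to you.
wp_cleanup() {
    site=$1
    command -v wp >/dev/null 2>&1 || { echo "wp-cli not found, skipping"; return 0; }
    wp --path="$site" maintenance-mode activate
    echo "== administrator accounts (verify each one with your team) =="
    wp --path="$site" user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered
    # Non-zero exit means mismatches against wordpress.org hashes: review them.
    wp --path="$site" core verify-checksums || echo "core mismatches listed above"
    wp --path="$site" plugin verify-checksums --all || echo "plugin mismatches listed above"
    wp --path="$site" plugin update --all
    wp --path="$site" theme update --all
    wp --path="$site" config shuffle-salts     # new keys/salts: every session is logged out
    wp --path="$site" maintenance-mode deactivate
}

if [ $# -eq 3 ]; then
    echo "backup written to: $(backup_site "$1" "$3")"
    reinstall_core "$1" "$2"
    wp_cleanup "$1"
else
    echo "usage: $0 SITE_DIR FRESH_WP_DIR BACKUP_DIR"
fi
```

Reset the WordPress user, database and hosting passwords after this script has run, not before, so that a backdoor removed by the reinstall cannot capture the new ones.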
14 security best practices to avoid hacks
Once you’ve secured your site from the hack, you must check your security standards to ensure they’re up to par with current security needs. These are the minimum measures you should take to protect your website:
Keep your WordPress core and PHP version updated.
Only install secure themes and plugins.
Use strong, unique passwords on all accounts related to WordPress.
Use plugins to limit the number of failed login attempts.
Enable multi-factor authentication on every possible account.
Restrict user permissions only to what’s necessary for their roles.
Enable an activity log that records the actions users take while logged in.
Change your default login URL. This reduces automated attack noise but is not a substitute for strong passwords and multi-factor authentication.
Host your website with a secure hosting provider.
Install a plugin that runs regular malware scans.
Enable HTTPS (a TLS certificate) so visitors connect to your site securely.
Use file integrity checks to detect breaches and potential backdoors.
Use a web application firewall to block access and filter malicious activity.
Regularly back up your website in external locations (not only on the server it’s hosted in).
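A file integrity check, one of the practices listed above, needs a known-good baseline to compare against. The following added example (not from the original article or from any plugin it names) records a SHA-256 manifest of the code files in a WordPress install and, on a later run, reports files that were added, removed or changed. The file selection, manifest format and report labels are this example's own assumptions. Take the baseline right after a clean deploy or update and keep the manifest somewhere the web server cannot write to, otherwise an attacker can simply regenerate it.

```shell
#!/bin/sh
# Added example: SHA-256 baseline and comparison for a WordPress install.
# $1 is the site root; file selection and output format are this example's own.
LC_ALL=C; export LC_ALL   # deterministic sort/comm collation

# Hash the files an attacker would want to change: PHP, JavaScript,
# .htaccess and .user.ini. Media is skipped only to keep the manifest small;
# a PHP file dropped into uploads is still caught by its extension.
# Output: one "hash  ./path" line per file, sorted by path.
make_baseline() {
    (cd "$1" && find . -type f \
        \( -name '*.php' -o -name '*.js' -o -name '.htaccess' -o -name '.user.ini' \) \
        ! -path './wp-content/cache/*' -exec sha256sum {} + | sort -k 2)
}

# Compare the current tree ($1) against a saved manifest ($2). Prints one
# line per REMOVED, ADDED or CHANGED file; returns 1 if anything differs.
# sha256sum lines are 64 hex chars + two spaces, so the path starts at column 67.
check_baseline() {
    site=$1; manifest=$2
    current=$(mktemp)
    make_baseline "$site" > "$current"
    cut -c67- "$manifest" | sort > "$current.old"
    cut -c67- "$current"  | sort > "$current.new"
    {
        comm -23 "$current.old" "$current.new" | sed 's/^/REMOVED  /'
        comm -13 "$current.old" "$current.new" | sed 's/^/ADDED    /'
        # Present in both manifests: compare hashes path by path.
        comm -12 "$current.old" "$current.new" | while IFS= read -r p; do
            old=$(awk -v p="$p" 'substr($0,67)==p {print substr($0,1,64)}' "$manifest")
            new=$(awk -v p="$p" 'substr($0,67)==p {print substr($0,1,64)}' "$current")
            [ "$old" = "$new" ] || echo "CHANGED  $p"
        done
    } > "$current.report"
    if [ -s "$current.report" ]; then status=1; else status=0; fi
    cat "$current.report"
    rm -f "$current" "$current.old" "$current.new" "$current.report"
    return $status
}

case "${1:-}" in
    baseline) make_baseline "$2" ;;
    check)    check_baseline "$2" "$3" ;;
    *)        echo "usage: $0 baseline SITE_DIR > manifest | check SITE_DIR manifest" ;;
esac
```

Run `check` from cron and alert on a non-zero exit; after every legitimate update, regenerate the baseline so that expected changes stop showing up as findings.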