What to do if WordPress is hacked?
WordPress sites suffers hacks very frrequently. In fact, WordPress is one of the most targeted CMSs, which shouldn’t come as a surprise considering it powers nearly half the internet, providing more targets to bad actors.
That said, suffering a hack is unpleasant and may lead to consequences for your brand and your users, so you want to take care of it as soon as possible if it ever happens.
Follow these recommendations to overcome a hack.
Why do WordPress sites get hacked?
Hackers attack WordPress sites for various reasons. While some attacks result from pure malice, they’re not as common as those trying to gain something from the victims or their site, whether to extract ransom money or funnel traffic into the attacker’s site.
Some of the most common reasons for hacking websites include the following:
- Making a profit from blackmailing victims into paying for ransom.
- Monetary compensation. Many “hacker for hire” groups commit cybercrimes for a fee.
- Compromising websites and computers to sell or rent access to them, often to perform DDoS attacks.
- Stealing credit card information, social security numbers, and other personally identifiable information (PII), which they can later use for future attacks, sell, or both.
- Causing financial loss to the site owners by interrupting revenue streams and generating post-attack costs.
- Using stolen credentials to make unauthorized purchases or move funds.
- Performing identity theft with stolen credentials.
- Impersonating trusted organizations and individuals to convince others to give up PII.
- Stealing intellectual property.
- Spreading malware through malicious links.
- Tricking users into giving up multi-factor authentication codes and accessing their accounts.
- Adding stolen credentials to their backlog, which they can use to perform future stuffing attacks (reusing known passwords).
- Gaining a foothold in an organization’s inner systems as part of a multi-layered cyberattack.
- Redirecting your site to an external site by adding spam links and pages.
- Establishing long-term unauthorized access. This allows hackers to exploit sites for long periods before detection.
- Degrading the website’s performance.
- Locking out other website users.
How do WordPress sites get hacked?
Just as there are many reasons to hack a website, there are many ways to do so. The cybersecurity threat landscape is always shifting, with attackers and developers constantly catching up to each other’s methods.
The most common ways to hack WordPress websites include the following:
- Cracking insecure passwords.
- Exploiting outdated core installations, PHP versions, plugins, and themes.
- Brute force attacks.
- Cross-site scripting (XSS).
- Database or SQL injections.
- Denial of service attacks.
- Phishing scams.
Signs your WordPress site was hacked
Depending on the method attackers use, there are many potential signs your site suffered a security breach. These are some of the most common:
- A sudden drop in website traffic. Many attacks indirectly cause your site to no longer attract as much traffic. It can be due to spam malware redirecting users to another website, or maybe Google blacklisted your site after labeling it a source for phishing or malware.
- You notice malicious links you didn’t add. Once attackers have backdoor access, they may inject spam links at the footer of your website, although they can be anywhere else.
- Your front page is entirely different. If you suffer a defacement attack, hackers change your homepage to announce the hack. Often, they ask for a ransom to restore your site.
- You can’t log in. Attackers may have changed your password or deleted your admin account.
- New suspicious admin accounts. If you notice admin accounts neither you nor other members of your team created, there’s a good chance a piece of malware created it.
- Suspicious scripts in your WordPress core installation. The most common directory attackers choose to leave malicious scripts is wp-content. The file will be named similarly to standard installation files to seem harmless. Malware scans and integrity check plugins alert you when new suspicious files are created.
- Sudden performance drop. If your site is suddenly slow for no apparent reason, you may suffer a denial-of-service attack.
- Pop-up ads. Another classic tactic used by attackers trying to monetize someone else’s website for themselves. Pop-ups often appear only for users that are not logged in and usually open in a new window.
What to do if your WordPress site gets hacked?
Now that we’ve discussed why hackers attacks sites, how, and the signs of hacking, let’s break down what you should do if you notice a security breach.
First of all, don’t lose your cool. Getting hacked is very unpleasant but rarely the end of the world. According to Security Magazine, in 2017, there was one cyberattack every 39 seconds. Given WordPress’s market share, many of those happened and still happen to WordPress sites.
You’re not the first or last site owner that suffered a hack. After the initial shock, you must pick yourself up and take the necessary measures.
Put your site offline or in maintenance mode.
The first measure (assuming you can log in) is to take your site offline or put it in maintenance mode. That way, visitors won’t see your rebuilding site while you sort things out.
To put your site in maintenance mode, there are many plugins you can use, including WP Maintenance Mode and Under Construction Page.
Reset all passwords and update all plugins and themes.
Plugin and theme vulnerabilities are one of the most common weaknesses hackers exploit. To ensure it wasn’t an outdated plugin or theme, update all of them as soon as possible.
To check how safe a plugin is, visit the WPScan Vulnerability Database. It lists known security vulnerabilities in plugins. If you see one of your plugins on the list, check whether it’s been updated since the vulnerability became publicly known. If not, you may be better off deleting it.
Also, replace every password with a strong, unique one across all accounts associated with your WordPress site. If you weren’t using it before, start using two-factor authentication to log in. Multi-factor authentication is one of the most significant security measures to stop hackers in their tracks.
Remove suspicious admin accounts.
As we mentioned, attackers may create admin accounts they can use to make changes on the site and log in without raising suspicions. Check with your team members which account is legitimate and which is likely to be the work of a hack.
Go to Users > All Users on your dashboard to delete suspicious accounts. Find the accounts you’ve confirmed with the rest of your team to be malicious and press Delete. You’ll be greeted with a screen asking whether you want to assign all content currently assigned to the “admin” account to another user.
It is an excellent chance to explore the content this account has created, if any, and delete it.
Scan for and remove suspicious files.
Security plugins like Sucuri, Wordfence, and others have malware and integrity scans that detect when a suspicious file is created or a legitimate file is modified within your core installation.
Run scans and delete any suspicious files.
Remember that some web hosting plans have scans and security measures that may be incompatible with security plugins. Check your plan’s terms, and either use a plugin or raise a security ticket to your web host.
Clean out your database.
Your site’s database may also have been hacked. To determine whether it’s been compromised, use a plugin like malCure WP Malware Scanner & Firewall, MalCare WordPress Security, All In One WP Security & Firewall, and WP Changes Tracker.
All these plugins can scan your database and clean it up. On top of having a secured database, clean databases also take up less space because they have fewer stale data entries.
Consider reinstalling WordPress.
It is the nuclear option if nothing else has worked, but it may be the only one if your core WordPress files are deeply compromised. The idea is to replace the core files without overwriting essential files that should stay the same, especially wp-config.php and .htaccess (only on Apache servers).
You should back up these files first and ensure they are not compromised. But once you do, you can replace the rest of the installation via SFTP. Generally, avoid using auto-installers since they’re likely to wipe your database, potentially making you lose a lot of content.
Some web hosting plans have features to replace core files while preserving specific essential files. Explore whether your web host has a similar feature.
14 security best practices to avoid hacks
Once you’ve secured your site from the hack, you must check your security standards to ensure they’re up to par with current security needs. These are the minimum measures you should take to protect your website:
- Keep your WordPress core and PHP version updated.
- Only install secure themes and plugins.
- Use strong, unique passwords on all accounts related to WordPress.
- Use plugins to limit the number of failed login attempts.
- Enable multi-factor authentication on every possible account.
- Restrict user permissions only to what’s necessary for their roles.
- Create logs to record every action users take while logged in.
- Change your default login URL.
- Host your website with a secure hosting provider.
- Install a plugin that runs regular malware scans.
- Enable SSL/HTTPS so visitors can securely connect to your site.
- Use file integrity checks to detect breaches and potential backdoors.
- Use a web application firewall to block access and filter malicious activity.
- Regularly back up your website in external locations (not only on the server it’s hosted in).
Check out our article about WordPress security best practices for a deeper breakdown of each of these.
Thousands of WordPress hacks occur every day worldwide, given how popular it is. Getting hacked doesn’t have to be the end of the world. You can certainly learn a lot from it.
Make a habit of frequently updating your security measures and keep these points in mind if your site is hacked.
If you found this article useful, read our blog for more WordPress insight, tips, and guides.