Is My WordPress Site Hacked? 7 Signs of Infection

Originally published on on February 28, 2019 By Michael Moore

Finding yourself asking “Is my WordPress site hacked?” means you’ll want some quick answers. In this post, we cover seven signs of infection and what to do if you discover you’ve been hacked.

The faster you notice the signs of a website breach, the quicker you can get your site cleaned up. The quicker you can get your website cleaned, the less damage the hack can do to your website.

Note: Two things we mention quite a bit in this post is the importance of a solid WordPress backup and WordPress security solution. We highly recommend installing and activating a WordPress security plugin and WordPress backup plugin as soon as possible.

7 Signs Your WordPress Site is Hacked

Not all hacks have the same goal, so the signs of a website compromise will depend on the attackers motive. Here are 7 different symptoms you need to look out for when you are monitoring the health of your site.

1. Your Homepage is Different

Changes to your homepage seem like an obvious sign. But how many times do you actually run a thorough check or your homepage? I know I typically go straight to my login URL and not my home URL. From there, I log in, update my site or edit a post. After I finish what I came to do, I often leave without looking at my website’s home page.

The primary goal of some hacks is to troll a website or gain notoriety. So they only change your homepage to something they find funny or to leave a hacked by calling card.

2. Your Website Performance Has Dropped

Your site may feel sluggish when it has an infection. You can experience slowdowns on your website if you are experiencing brute force attacks or if there is a malicious script using your server resources for cryptocurrency mining. Similarly, a DDoS (or denial of service attack) happens when a network of IPs simultaneously sends requests to your website in an attempt to cause it to crash.

If your site is running slowly, check the server access logs for an unexpected number of requests. You can also use a web application firewall like the one provided by Sucuri to help protect your website against a DDoS attack.

Just note that a drop in performance doesn’t necessarily mean someone hacked your site. You may just need some tips on how to speed up a WordPress site.

The iThemes Security plugin’s WordPress Malware Scan feature will help to identify suspicious scripts.

3. Your Website Contains Malicious or Spam Popups Ads

There is a good chance a hacker has compromised your website if your visitors see popups that redirect them to a malicious website. The goal of this type of attack is to drive traffic away from your site to the attacker’s site so they can target users with click fraud for Pay Per Click advertising.

The most frustrating thing about this type of hack is you may not be able to see the popups. A popup hack can be designed to not show for logged in users, which decreases the odds of website owners seeing them. So even when the site owner logs out, the popups will never display.

Your view of the popups can also be limited if you use an ad blocker extension in your browser. For example, a customer reported a popup hack and shared screenshots and a video of the popups. After I spent hours running through their website, I was not able to recreate anything they were reporting. I was convinced that their personal computer had been hacked and not the website. Finally, it dawned on me why I wasn’t able to see the popups. I had installed an ad blocker extension on my browser. As soon as I disabled the ad blocker extension, I was able to see popups everywhere. I share this embarrassing story to hopefully save you from running into the same mistake.

A WordPress security plugin such as iThemes Security plugin allows you to keep an eye on your website’s security logs for file changes, logins and changes made by users.

4. You Notice a Decrease in Website Traffic

If you log into your Google Analytics account and you notice a steep decline in website traffic, your WordPress site could be hacked. A drop in site traffic deserves an investigation. There could be a malicious script on your site that is redirecting visitors away from your site or Google could already by blacklisting your website as a malicious site.

The first thing you want to look for is your website’s outbound traffic. By tracking your website with Google Analytics, , you will need to configure your site to track the traffic leaving your site. The easiest way to monitor outbound traffic on your WordPress site is to use a WordPress Google Analytics plugin. A good Google Analytics plugin will allow you to track specific activity with a click of a button.

If you find your website has already been blacklisted by Google, follow these steps for how to remove Google blacklist warning.

5. Unexpected File Changes

If files on your website have been changed, added or removed, it could be a sign that your site has been compromised. That’s why it is essential to have a notification system in place to alert you of website file changes. You can investigate any unexpected changes by comparing the changed file to a version in a recent backup.

The iThemes Security Pro File Change Scan feature will notify you of any changes made to your site.

Using a WordPress security plugin like iThemes Security can help you track file changes. Because of the number of notifications this setting can generate, you can exclude files and directories in the File Change Detection settings. It is okay to exclude directories that you know are going to be regularly updating. Backup and cache files are a perfect example of this and excluding them will reduce the number of notifications you will receive.

6. Unexpected New Users

If your website has any unexpected registrations of new admin users, that’s another sign your WordPress site has been hacked. Through an exploit of a compromised user, an attacker can create a new admin user. With their new admin privileges, the hacker is ready to cause some major damage to your site.

In November of 2018, we had several reports of new admin users being created on customer websites. Hackers used a vulnerability in the WP GDPR Compliance plugin (vulnerability patched in version 1.4.3) to create new admin users on WordPress sites running the plugin. The plugin exploit allowed unauthorized users to modify the user registration to change the default new-user role from a subscriber to an admin. Unfortunately, this wasn’t the only vulnerability and you can’t just remove the new users the attacker created and patch the plugin.

If you had WP GDPR Compliance and WooCommerce installed, your site might have been injected with malicious code. The attackers were able to use the WooCommerce plugin background installer to insert a backdoor installer in the database.

If your site has a backdoor installed, you should contact a hack repair specialist. Another option is to use a backup file to roll back to a copy of your website prior to the breach using a previous backup.

7. Admin Users Removed

If you are unable to log into your WordPress site, even after a password reset, it may be a serious sign of infection.

When the the first thing the attacker did was delete all admin users. So how did this hacker even get into their Github account? A Gentoo admin user’s password was discovered on a different site. I am guessing that the username and password was discovered either through scraping or a database dump. Even though the admin’s password for their Gentoo Github account was different than one used on the compromised account, it was very similar. So this would be like me using iAmAwesome2017 as a password on one account and iAmAwesome2019 on another site. So the hackers were able to figure out the password with a little effort.

As we can see, you should use a unique password for every account. A simple variation in your passwords isn’t enough. Using LastPass, you can generate and securely store strong, unique passwords for every site.

You can also enable the Trusted Devices feature in iThemes Security Pro to restrict admin capabilities for logins from untrusted devices. If an attacker successfully logs into your site as an existing admin user–either by a brute force attack or if the user’s credentials were part of a database dump–they will not have full admin capabilities.

Even with the password being compromised, this breach could have been prevented if the admin was using two-factor authentication. Two-Factor authentication requires an extra code along with your username and password credentials to log in. iThemes Security Pro allows you to enable WordPress two-factor using a mobile app or email to receive your access additional code.

Even with the password being compromised, this breach could have been prevented if the admin was using two-factor authentication.

Wrapping Up: Is My WordPress Site Hacked? A Checklist

Even if you follow WordPress security best practices, your website can still be hacked. That’s why it is so important to look out for the tell-tale signs of infection with this quick checklist.

  • 1. Is my home page is different?
  • 2. Has my website performance dropped?
  • 3. Does my website show unexpected popups?
  • 4. Has there been a decrease in site traffic?
  • 5. Are there unexpected file changes?
  • 6. Are ther unexpected new admin users?
  • 7. Have admin users been removed?