Originally published on on February 28, 2019 By Michael Moore
Finding yourself asking âIs my WordPress site hacked?â means youâll want some quick answers. In this post, we cover seven signs of infection and what to do if you discover youâve been hacked.
The faster you notice the signs of a website breach, the quicker you can get your site cleaned up. The quicker you can get your website cleaned, the less damage the hack can do to your website.
7 Signs Your WordPress Site is Hacked
Not all hacks have the same goal, so the signs of a website compromise will depend on the attackers motive. Here are 7 different symptoms you need to look out for when you are monitoring the health of your site.
1. Your Homepage is Different
Changes to your homepage seem like an obvious sign. But how many times do you actually run a thorough check or your homepage? I know I typically go straight to my login URL and not my home URL. From there, I log in, update my site or edit a post. After I finish what I came to do, I often leave without looking at my websiteâs home page.
The primary goal of some hacks is to troll a website or gain notoriety. So they only change your homepage to something they find funny or to leave a hacked by calling card.
2. Your Website Performance Has Dropped
Your site may feel sluggish when it has an infection. You can experience slowdowns on your website if you are experiencing brute force attacks or if there is a malicious script using your server resources for cryptocurrency mining. Similarly, a DDoS (or denial of service attack) happens when a network of IPs simultaneously sends requests to your website in an attempt to cause it to crash.
If your site is running slowly, check the server access logs for an unexpected number of requests. You can also use a web application firewall like the one provided by Sucuri to help protect your website against a DDoS attack.
Just note that a drop in performance doesnât necessarily mean someone hacked your site. You may just need some tips on how to speed up a WordPress site.
3. Your Website Contains Malicious or Spam Popups Ads
There is a good chance a hacker has compromised your website if your visitors see popups that redirect them to a malicious website. The goal of this type of attack is to drive traffic away from your site to the attackerâs site so they can target users with click fraud for Pay Per Click advertising.
The most frustrating thing about this type of hack is you may not be able to see the popups. A popup hack can be designed to not show for logged in users, which decreases the odds of website owners seeing them. So even when the site owner logs out, the popups will never display.
Your view of the popups can also be limited if you use an ad blocker extension in your browser. For example, a customer reported a popup hack and shared screenshots and a video of the popups. After I spent hours running through their website, I was not able to recreate anything they were reporting. I was convinced that their personal computer had been hacked and not the website. Finally, it dawned on me why I wasnât able to see the popups. I had installed an ad blocker extension on my browser. As soon as I disabled the ad blocker extension, I was able to see popups everywhere. I share this embarrassing story to hopefully save you from running into the same mistake.
4. You Notice a Decrease in Website Traffic
If you log into your Google Analytics account and you notice a steep decline in website traffic, your WordPress site could be hacked. A drop in site traffic deserves an investigation. There could be a malicious script on your site that is redirecting visitors away from your site or Google could already by blacklisting your website as a malicious site.
The first thing you want to look for is your websiteâs outbound traffic. By tracking your website with Google Analytics, , you will need to configure your site to track the traffic leaving your site. The easiest way to monitor outbound traffic on your WordPress site is to use a WordPress Google Analytics plugin. A good Google Analytics plugin will allow you to track specific activity with a click of a button.
5. Unexpected File Changes
If files on your website have been changed, added or removed, it could be a sign that your site has been compromised. Thatâs why it is essential to have a notification system in place to alert you of website file changes. You can investigate any unexpected changes by comparing the changed file to a version in a recent backup.
Using a WordPress security plugin like iThemes Security can help you track file changes. Because of the number of notifications this setting can generate, you can exclude files and directories in the File Change Detection settings. It is okay to exclude directories that you know are going to be regularly updating. Backup and cache files are a perfect example of this and excluding them will reduce the number of notifications you will receive.
6. Unexpected New Users
If your website has any unexpected registrations of new admin users, thatâs another sign your WordPress site has been hacked. Through an exploit of a compromised user, an attacker can create a new admin user. With their new admin privileges, the hacker is ready to cause some major damage to your site.
In November of 2018, we had several reports of new admin users being created on customer websites. Hackers used a vulnerability in the WP GDPR Compliance plugin (vulnerability patched in version 1.4.3) to create new admin users on WordPress sites running the plugin. The plugin exploit allowed unauthorized users to modify the user registration to change the default new-user role from a subscriber to an admin. Unfortunately, this wasnât the only vulnerability and you canât just remove the new users the attacker created and patch the plugin.
If you had WP GDPR Compliance and WooCommerce installed, your site might have been injected with malicious code. The attackers were able to use the WooCommerce plugin background installer to insert a backdoor installer in the database.
7. Admin Users Removed
If you are unable to log into your WordPress site, even after a password reset, it may be a serious sign of infection.
When the the first thing the attacker did was delete all admin users. So how did this hacker even get into their Github account? A Gentoo admin userâs password was discovered on a different site. I am guessing that the username and password was discovered either through scraping or a database dump. Even though the adminâs password for their Gentoo Github account was different than one used on the compromised account, it was very similar. So this would be like me using iAmAwesome2017 as a password on one account and iAmAwesome2019 on another site. So the hackers were able to figure out the password with a little effort.
You can also enable the Trusted Devices feature in iThemes Security Pro to restrict admin capabilities for logins from untrusted devices. If an attacker successfully logs into your site as an existing admin userâeither by a brute force attack or if the userâs credentials were part of a database dumpâthey will not have full admin capabilities.
Even with the password being compromised, this breach could have been prevented if the admin was using two-factor authentication. Two-Factor authentication requires an extra code along with your username and password credentials to log in. iThemes Security Pro allows you to enable WordPress two-factor using a mobile app or email to receive your access additional code.
Even with the password being compromised, this breach could have been prevented if the admin was using two-factor authentication.
Wrapping Up: Is My WordPress Site Hacked? A Checklist
Even if you follow WordPress security best practices, your website can still be hacked. Thatâs why it is so important to look out for the tell-tale signs of infection with this quick checklist.
- 1. Is my home page is different?
- 2. Has my website performance dropped?
- 3. Does my website show unexpected popups?
- 4. Has there been a decrease in site traffic?
- 5. Are there unexpected file changes?
- 6. Are ther unexpected new admin users?
- 7. Have admin users been removed?