Many a time, you could easily mistake your site misbehaving, or the presence of spammy comments on it, for a sign of your website being hacked. So if you suspect your website is hacked, here is a checklist you should refer to.
Take a pen and paper, or open a notepad on your computer, and make a list of all the changes that you notice on the site and when you first observed them. If you suspect that your WordPress site is hacked, then you would need to contact your hosting provider, and keeping these points handy would help you answer their queries better.
1. Signs of a hacked website
To confirm your suspicions you would need a more elaborate checklist. Below is a checklist that will help you look for all the signs of a hacked website. For a more detailed guide to identify a hacked website, refer to our article on the 10 signs of a hacked WordPress site.
a. “This Site May Be Hacked” –
You must have seen this message appearing on the Google search engine results of a few websites you have visited. If you see one under the link to your website, then you can confirm that your site has been compromised.
b. Spam emails sent from your site –
Attackers are always on the lookout for websites with clean IP addresses (so that they can go under the radar of email servers) to send spam emails. Spamming someone’s inbox can cost you your reputation and even affect your business gravely. So be on the lookout for this very important sign.
c. Site suddenly becomes slow or unresponsive –
A site can become slow or unresponsive due to an increased load on its server resources, which, in turn, could be due to a spike in traffic to your site. So if you notice your site has become unusually slow or unresponsive without any significant increase in legitimate visitors to the site, it is definitely a red flag.
d. You found plugins you haven’t installed –
As a WordPress user, you would be relying on a range of plugins to handle the various functions of your website. The hacker is aware of this and injects malicious files disguised as plugins in your website to avoid detection. So be on the lookout for unknown plugins that you have not installed.
e. You have a new user account that you didn’t create –
Hackers often create user account profiles when they hack a website so that they can access the website at will. And since most users do not routinely check the user accounts and their activity on their website, the hack may go undetected for a long time. So it is important to routinely check the user accounts and user roles associated with your website to see if there are any unknown users that were not created by you.
f. PC Antivirus is flagging the site as unsafe –
Visitors trying to access your site would be warned by their system’s antivirus software if your site has been compromised. If you receive any notifications from your site visitors or your customers that their antivirus is issuing such warnings, then it is a sign that your website has been hacked.
g. Your site comes up when searching for illegal medicines –
A popular form of hacking is a pharma hack. In this form of hacking, your hacked website would appear in searches for illegal/banned drugs such as viagra. Your site’s meta description (the brief two lines that appear below your site’s link) would contain mentions of these illegal drugs as well. This form of hacking is difficult to discover since the WordPress hack is visible only on search engines and the website content otherwise seems untouched.
h. Visitors are being redirected to other sites –
This often happens when hackers want to misdirect traffic from a well-ranking site to an inferior one in a devious manner. So when a visitor sees your site’s link in the search results and clicks on it, he/she is taken to another fraudulent site. This can have disastrous effects on your site’s web traffic and search engine ranking. So watch out for this.
i. Web host issues a warning or disables your site –
Web host providers often issue a malware warning and notify you if your website has been hacked. In fact, sometimes they even take down your site or suspend it to contain the hack. Contact your web host to find the exact cause of the warning and in case it is because of a hack, take immediate action. We shall discuss the steps to scan and clean your site in the next section.
j. Search engines blacklist your site –
Search engines such as Google are committed to providing a safe browsing experience for their users, so they are on high alert when it comes to flagging compromised websites. Being blacklisted by a search engine can have disastrous effects on your SEO ranking, as you can imagine.
2. Aaargh! My site is hacked, what do I do now?
Ok, so now that you have confirmed that your site has been compromised, it is time to get cracking. Here is a 5-point action plan you need to urgently execute.
- Firstly, backup your website before you do anything.
- Secondly, contact your web host to get information about the hack
- Thirdly, scan your website for the malicious code.
- Fourthly, clean your site
- And lastly, secure your site against future attacks.
a. Backup your website before you proceed any further
The absolute first thing you should be doing once you confirm your site has been hacked is to backup your website. This step will ensure you have the latest copy of your website that you can later use to analyze for vulnerabilities.
If you have been maintaining a consistent and regular backup routine, this is where your backup strategy will bear fruit.
However, let us warn you that this has risks of its own. The backup you choose would need to be an earlier version of your site that has not been infected. It may not reflect the recent changes you have made on the site, and you would lose valuable content.
Moreover, the site was hacked because of certain vulnerabilities. Unless you address those security holes, your site may get infected again. So restoring backups is not a solution to fix hacked websites, but more of a contingency plan or a disaster recovery plan. Worse comes to worst, you can restore an earlier backup of your site that is not infected.
b. Scan your website to locate infected files
Confirming that your site is hacked can be extremely devastating. However, now is not the time to indulge in regret and guilt for not taking proper steps to protect your site. It is time for action and that too immediate.
Contact your web host immediately. They may be able to help you locate the infected files by providing you with a list of them. This list may come in handy, but be warned that it may not be comprehensive or exhaustive. With or without this list, you would need to do a comprehensive scan of your website. To do that, you can either manually examine each recently modified file or make use of a plugin scanner.
i. Manual scan – highly ineffective
Earlier when cyber attacks were much simpler, you could still manage to do a decent job of manually checking or scanning your website, and finding the infected files and folders. However, now the hackers are so smart that detecting their hidden files requires very advanced technology and skills.
If you still want to have a go at manually scanning your website, the easiest way to do so would be to go through all your recently modified files using an FTP client such as FileZilla. The section marked in red shows the last modified date of the files. Look for files that are listed as recently modified but that you haven’t changed yourself.
Be warned that this is not a foolproof way to look for malware since hackers have ways to change the last modified date of files they have infected so as to avoid detection.
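The same review can be scripted over a copy of the site (for example, the backup you just took). This is an added example, not part of the original article or any MalCare tool; the function name, the 7-day window and the list of extensions are assumptions. Besides recently modified files, it also reports files whose modified date is old but whose inode change time is recent, which is what a backdated modified date looks like on Linux hosts.

```python
import os
import sys
import time

# Assumption: file types worth reviewing by hand in a WordPress tree.
CODE_EXTS = (".php", ".phtml", ".js", ".htaccess")

def recent_changes(root, days=7, now=None):
    """Return sorted (path, reason) pairs for code files changed within `days`.

    mtime is the "last modified" date an FTP client shows, and it can be
    set to any value. ctime (inode change time on Linux/Unix) is updated by
    the kernel on every write, chmod or rename and cannot be set the same
    way, so "old mtime, recent ctime" deserves a look. A permission change
    or a restore from backup produces the same pattern, so treat it as a lead.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(CODE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if st.st_mtime >= cutoff:
                findings.append((path, "modified"))
            elif st.st_ctime >= cutoff:
                findings.append((path, "mtime-older-than-ctime"))
    return sorted(findings)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reason in recent_changes(root):
        print(f"{reason:24} {path}")
```

Run it with the WordPress folder as the only argument, then compare the output against the changes you know you made.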
If you have an activity log plugin installed such as WP Security audit log, then you can look for any suspicious activity in the log. See the image below to know how an audit log would look.
As you can see, the WP security audit log records all activities on the site and this can give you some information about any suspicious activities such as – newly created users, password changes, modified WordPress plugin/theme files etc. In fact, since outdated themes and plugins are a hacker’s wonderland and his favorite playground, looking for any unusual activities in wp-content in the server log may also give you some clue about the malware infection.
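For the server-log side of this check, the sketch below flags two kinds of wp-content activity in an access log: any request for a PHP file under the uploads folder, and POST requests made directly to PHP files elsewhere in wp-content. It is an added example, not part of the original article or of any plugin named here; the log lines are constructed samples in the common "combined" format, and the two rules are assumptions about what counts as unusual.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /wp-content/themes/demo/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2024:10:02:10 +0000] "POST /wp-content/uploads/2024/03/thumb.php HTTP/1.1" 200 312 "-" "curl/8.0"
203.0.113.9 - - [12/Mar/2024:10:02:15 +0000] "POST /wp-content/plugins/demo-plugin/inc/helper.php?x=1 HTTP/1.1" 200 48 "-" "curl/8.0"
198.51.100.7 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:04:30 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_requests(lines):
    """Return (ip, method, path, status, reason) for wp-content requests to review."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        path = m["path"].split("?", 1)[0].lower()
        if "/wp-content/" not in path or not path.endswith(".php"):
            continue
        if "/wp-content/uploads/" in path:
            # The uploads folder is meant for media; PHP requested there is unusual.
            reason = "php-in-uploads"
        elif m["method"] == "POST":
            # Plugin/theme PHP files are normally loaded by WordPress itself.
            reason = "direct-post-to-php"
        else:
            continue
        hits.append((m["ip"], m["method"], m["path"], int(m["status"]), reason))
    return hits

def hits_per_ip(hits):
    """Count flagged requests per client address to show where to look first."""
    return Counter(ip for ip, *_ in hits)

if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG.splitlines())
    for hit in found:
        print(*hit)
    print(dict(hits_per_ip(found)))
```

Some plugins do accept direct POSTs, so each hit is a file to inspect rather than proof of infection.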
ii. Scanning using tools
However, we would recommend that you do not waste any precious time going through these activities. Time is of the essence when it comes to fixing a hacked website and that time should be used to effectively scan and clean the infected files promptly.
So, instead of wasting time manually examining your site, you can make use of some excellent tools available in the WordPress repository that can quickly and effectively clean even your hidden malware. These tools can detect even hidden malware in under 60 seconds! Once you detect these infected files, the next step involves removing the hacks.
3. WordPress site hacked: Here’s how to Repair and Fix it
Cleaning up a site is a highly complicated task, best left to experts. Hence manually removing the hack is out of the question. Here is a detailed guide you can refer to for making an informed decision when it comes to choosing the right malware removal plugin for you.
Most security plugins have a minimum turnaround time of 4 hours. Once a hack has been reported to these WordPress security plugins, you are assigned a security analyst who finds your infected files and cleans them thoroughly. This whole process can take anywhere between a few hours to a couple of days. We do not have to tell you that when you are dealing with a hacked website, even 4 hours can be a lifetime! There needs to be a faster solution, don’t you think? Well, there is.
Let us show you how to fix your hacked WordPress site using MalCare.
a. Fixing hacked site with MalCare:
Step 1: Firstly, you will need to set up a MalCare account for your website. Here is a video to guide you through the process.
Step 2: Once you have set up an account, the next step is to go to your MalCare dashboard and click on the security section of the dashboard.
Step 4: You will be taken to the security page of your site’s dashboard. Here you can see an overview of your site’s health. Now you need to click on the clean site button!
Step 5: In the next screen you will be asked to enter your site’s FTP/SFTP details. Contact your web host if you are not sure about your site’s FTP/SFTP details.
Step 6: In the next screen you will be asked to select the folder that contains the WP installation. In our specific case, our test site’s folder was named ‘mg-test-1’. However, this is not a default name and you would need to find which folder contains the WordPress installation in your case.
Tip: Look for the folders and files such as wp-content, wp-config, wp-includes etc. Whichever folder contains all of these files and folders is the one you need to select. And click on continue.
Step 7: Once you click on Continue, the next screen displays a message that your site is being cleaned.
The next screen shows you that your site has been completely cleaned.
And that’s all folks!! Peace of mind under a minute!
4. My site is fixed and clean… now what?
So now that you have successfully cleaned your website, you might think you are done! Sorry to burst your bubble, but you are not. Here are a few things you need to do after fixing your hacked site.
a. Find the cause of the hack –
It was a specific vulnerability in your website that caused it to be hacked in the first place. So your number one task is to find out what that vulnerability was.
Outdated plugins and themes are the number one cause of compromised sites. Typically, whenever a plugin develops a vulnerability, the plugin developer creates a patch and issues an update.
When developers deploy security updates, the vulnerability becomes common knowledge and hackers target this vulnerability in hopes of breaching websites that haven’t updated the plugin yet.
Therefore, the first security measure you need to implement after fixing a hacked site is to update your WordPress (WordPress core files, WordPress themes & plugins for WordPress) without any further delay.
b. Choose your backup service wisely –
If you notice, we drop the word ‘backup’ rather frequently around here… Installing a new theme or plugin? Do a backup, first. Scanning your website? Backup. Cleaning your site? Definitely do a website backup, first.
There is a reason behind this. Yes, it has a lot to do with us being a backup service provider. But no, not for the reasons you think.
You see, we have in our several years of existence, come across more website owners than we can count, who (in the past) have made seemingly insignificant changes to their site, only for it to break!!
There is no worse pain than that of a broken site (without a backup). Ehm… maybe an ingrown toenail!
So choose your backup plugin service provider wisely. Don’t worry, we won’t leave you in a lurch like that. Here is a guide to help you choose the right backup plugin service provider. Each site and site owner would have different requirements, so weigh all the pros and cons and choose wisely.
c. Choose hosting provider carefully –
Choosing the right web host provider plays a crucial role in the health of your WordPress website. While most web hosts offer unlimited bandwidth, unlimited disk space, email etc., it is important to dig deeper and understand how good their technical support is, whether they have 24/7 support, whether they have high (above 99%) up-time scores for their websites, whether they offer malware and spam protection, etc.
Another important factor to consider when choosing a web host is what kind of hosting you want to opt for – shared, dedicated or VPN. Each has its own pros and cons and it is entirely up to you and your website’s requirements which provider you go for. For a more detailed guide to choosing the right web host provider, refer to this article.
d. Enable site hardening –
WordPress recommends that users take certain measures to harden their websites against hackers, bots et al. These include disabling the file editor, enabling website firewall security and many more such measures.
The catch? You’ll need to be a bit technically savvy to perform all of these site hardening practices. Here is a list of articles that can help you understand these site hardening practices and guide you through them as well.
If you are going to implement site hardening on your own, we recommend you do a backup of your site before doing anything else. A vast majority of you would be better off using a security plugin such as MalCare that offers Site Hardening features (among many others) that can be enabled with just a few clicks!
5. To infinity and beyond
As the saying goes, once bitten, twice shy. In the context of cyber attacks, once you go through the experience of your site getting hacked, then you tend to live in constant fear of when it will happen next. That is no way to live!
So instead of devoting all your time and effort to protecting and maintaining your site, do what you do best and focus on your business goals. Leave the taxing job of protecting and maintaining your site to us, coz we are good like that!