Your WordPress site is suddenly behaving oddly. Perhaps a drop in traffic, or a changed theme, or maybe even new content. And now you can’t log in.
The answer to this mystery is simple: your site has been hacked. Here’s what to look for, and what to do about it.
1. You Don’t Recognize Your Website
You have a routine, as the owner of a website or blog (WordPress is suitable for either), and it probably involves visiting it every day to check for comments, spot typos you missed, or just admire it.
But if you load up your site one day and find you don’t recognize it, you have a problem.
Visual changes to your site—new logo, new images, possibly different content—all point to one thing: your site has been hacked. Typically, theme files will have been replaced (perhaps they were the weak point in your site security) and now things look and feel wrong.
Malicious code added to a website can impact your site in several ways, including:
- Explicit or unwanted content may be displayed.
- The footer area may be filled with new links to other sites.
- Code only visible to web crawlers will impact the site’s search engine ranking. Other code from third party sites may be called, slowing your WordPress-powered website down to a snail’s pace.
- Fonts can even be hijacked by hackers looking to gain access to your WordPress site.
A website that has been hijacked by bad code is not somewhere you want your readers to visit.
2. You Can’t Log In
Perhaps your website looks fine. But what happens if you suddenly find you cannot log in?
This is often the second thing you do, either through a web browser or WordPress mobile app. If you cannot login, this may be because you’ve temporarily forgotten your password… or because it’s been changed for you.
Hackers often delete the admin account, or simply change the password, to prevent you regaining access. If you’re able to take control of your site back, their efforts are wasted, so they like to make things as difficult as possible.
Direct hacking is rare, however. This is all usually done by means of a dedicated script. Malicious code like (a form of WordPress-specific malware) this typically finds its way onto your site either via third party themes, plugins, or advertising code.
3. Your Website Traffic Dropped
Perhaps you don’t need to log in every day. You might have an editorial system in place that puts the emphasis on your contributors. But you probably have a few alerts set up. One of these might be to monitor your site’s visitor numbers.
A marked decrease in readers can be the result of downtime, or simply a lack of interest, if your content is seasonal. Or it might be worse. Could your site’s traffic have dropped due to hackers?
Malware that targets websites will typically divert visitors to sites owned by the hackers. These will almost certainly be scam sites, and exist with the single aim of conning you.
Noticing this effect on your website can take time, however. Logged in users often are not redirected, only those that visit on a casual basis. As such, it may take a while for you to notice the drop in traffic.
4. Spam Emails Are Being Sent
When people sign up to your site, they surrender their email address. This makes it easy for them to reset their password, for example. Hackers can take advantage of this by utilizing your host’s servers and sending spam emails to your regular visitors.
The idea here is simple: they want to con your visitors. These messages might claim to be from your website, but the content will typically be to trick them into sharing more personal information (this is called phishing). Alternatively, links to malicious software might be included (malware that is now hosted on your website).
Many of your visitors will take action by marking these messages as spam. This can make things difficult if you wish to send emails to users with Gmail accounts; anything from your site would then be marked as spam in future, even after you’ve resolved the problem!
5. New User Accounts Were Created
Along with spam emails being sent and your site’s theme being redesigned, WordPress blog hackers often create new user accounts. They can do this without actually hacking your site, but the advance creation of accounts can prove useful to them once a site is successfully attacked.
It’s always a good idea to ensure that accounts cannot be created without approval. However, if you discover accounts have been created without your knowledge, you can suspect a malicious player.
How to Avoid WordPress Site Hacks
These five key signs of a WordPress hack are reasonably simple to spot. But what can you do about them?
If you are making regular backups, restoring content shouldn’t be too difficult. But make sure you know how to contact your web host. They will have to delete the entire website, as part of the process of removing the hacker’s access and malicious code. Once this is done, you’ll be able to reinstall WordPress and restore your data.
As you do this, take the time to check your site’s plugins and themes. Any containing unusual code could be the cause of the hack; you don’t want this back! Also look out for new admin accounts, as it is possible the hackers have had access for a while. Delete these accounts, and keep the WordPress hackers at bay!
Before you even get hacked, make sure of the following.
- You should change the default “Admin” username, and set a strong password. Hackers invariably use the default username, as it is low-hanging fruit; change it, and they’ll turn their attention elsewhere.
- Only use well-regarded, trusted plugins. Always check the plugin reviews.
- Avoid pirated themes, using only reputable sources if you’re using third-party themes. here’s how to tell if your WordPress theme is legal.
- Always keep WordPress, plugins, and themes up to date.
- Maintain a regular backup routine.
- Install an encrypted login plugin to make hacking your site trickier.
See our guide to securing your WordPress blog from hackers for full details. It is also worth monitoring your site’s traffic via your hosting provider or a tool such as Google Analytics. This can help you to track not just sudden changes, but unusual external links on your site.
Image Credit: stokkete/Depositphotos