WordPress is the leading CMS software used today on the internet and with that popularity, malicious users target specific WordPress exploits in order to compromise and deface WordPress sites all over the internet. In this article, we will share 12 common signs that your WordPress site has been compromised.
1. Sudden Drop in Website Traffic
If you look at your Google Analytics reports and see a sudden drop in traffic, then this could be a sign that your WordPress site is hacked.
There are many malware and trojans out there that hijack your website’s traffic and redirect it to spammy websites.
Another reason for the sudden drop in traffic is Google’s safe browsing tool, which might be showing warnings to users regarding your website.
You can check your website using the Google’s safe browsing tool to see your safety report.
2. Your Site’s Homepage is Defaced
This is probably the most obvious one as it is clearly visible on the homepage of your website. Most hacking attempts do not deface your site’s home page because they want to remain unnoticed for as long as possible.
However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some hackers may even try to extort money from site owners.
3. Bad Links Added to Your Website
One of the most common signs among hacked WordPress sites is data injection. Hackers create a backdoor on your WordPress site which gives them access to modify your WordPress files and database.
Some of these hacks add links to spammy websites. Usually these links are added to the footer of your website, but they really could be any where. Deleting the links will not guarantee that they will not come back.
You will need to find and fix the backdoor used to inject this data into your website.
4. Unknown Files and Scripts on Your Server
If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.
You need to connect to your WordPress site using a FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.
Usually, these files are named like WordPress files to hide in plain sight. Deleting these files immediately will not guarantee that these files will not return. You will need to audit the security of your website specially file and directory structure.
5. Unable to Login to WordPress
If you are unable to login to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.
Since the account doesn’t exist, you would not be able to reset your password from the login page. There are other ways to add an admin account using phpMyAdmin or via FTP.
6. Unusual Activity in Server Logs
Server logs are plain text files stored on your web server. These files keep record of all errors occurring on your server as well as all your internet traffic.
You can access them from your WordPress hosting account’s cPanel dashboard under statistics.
7. Suspicious User Accounts in WordPress
If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete. However, if you don’t remember allowing user registration and notice new user accounts in WordPress, then your site is probably hacked.
Usually the suspicious account will have administrator user role, and in some cases you may not be able to delete it from your WordPress admin area.
8. Your Website is Either Slow or Unresponsive
All websites on internet can become victims of random denial of service attacks. These attacks use several hacked computers and servers from all over the world using fake ips. Sometimes they are just sending too many requests to your server, other times they are actively trying to break into your website.
Any such activity will make your website slow, unresponsive, and unavailable. You will need to check your server logs to see which ips are making too many requests and block them.
9. Popups or Pop Under Ads on Your Website
These types of hacks are trying to make money by hijacking your website’s traffic and showing them their own spam ads for illegal websites. These popups do not appear for logged in visitors or visitors accessing a website directly.
They only appear to the users visiting from search engines. Pop under ads open in new window and remain unnoticeable by users.
10. Failure to Send or Receive WordPress Emails
Hacked servers are commonly used for spam. Most WordPress hosting companies offer free email accounts with your hosting. Many WordPress site owners use their host’s mail servers to send WordPress emails.
If you are unable to send or recieve WordPress emails, then there is a chance that your mail server is hacked to send spam emails.
11. Hijacked Search Results
If the search results from your website show incorrect title or meta description, then this is a sign that your WordPress site is hacked.
Looking at your WordPress site, you will still see the correct title and description. The hacker has again exploited a backdoor to inject malicious code which modifies your site data in a way that it is visible only to search engines.
12. Suspicious Scheduled Tasks
Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to setup scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.
A hacker can exploit cron to run scheduled tasks on your server without you knowing it.
Hopefully this article showed you a few things to watch out for. Take a look at our other blog posts. We explain how to further protect your WordPress installation and how to recover a WordPress site that has already been compromised.