How to Know if Your WordPress Website is Hacked (and how to fix it)


Read the full episode transcript below:

00:28 David Blackmon: Hey everybody, welcome to another episode of WP The Podcast, I’m David Blackmon

00:35 Tim Strifler: And i’m Tim Strifler

00:38 David Blackmon: Today in episode 745 we’re going to talk about websites getting hacked. How to know if your WordPress website is hacked, and how to fix it. Now here’s if your website is redirecting to a porn site your website’s probably been hacked.

00:57 Tim Strifler:  Yes that is a without doubt one of those they’ll tell fireways. Yeah exactly.

01:02 David Blackmon: Yeah this this actually happened to a client of ours.  And they were a very well established local business in Lafayette, Louisiana. And they called with just the panic like “oh my god our website is redirecting to this you know porn site”. And um we got it fixed pretty quickly, um but you know it’s nothing quite worse than you know, your business’s website being redirected to a not so desirable website.  And that all comes down to hosting. I’m gonna throw this plug in here, you know they were on cheap hosting. They wanted to you know, they didn’t want to pay the big bucks, they didn’t want to go all the way to 20 bucks a month or whatever for a business you know. And so they were paying the five dollar budget hosting and they were on shared hosting. And a lot of this happens on shared hosting when websites get hacked and stuff, because you can be doing everything possible to protect yourself doing everything right but if you’re on a shared hosting environment, you’re only as secure as your neighbor. And that was the case for them. They had a thousand other websites on that server. I’m sure, and you know hackers got in from someone else’s website, and then because they were on the same server needless to say we got them upgraded to some nice hosting shortly thereafter, and they haven’t been hacked since. So we’re going to go over kind of a few things, and Tim’s going to talk about the the article that we’re going to actually refer to and stuff um.

02:46 Tim Strifler: Yeah absolutely, yeah. And i just want to add to what you just said David, um before we dive into the list here, because the same thing happened to me. I was on Hostgator and i got hacked. And it wasn’t anything that i was doing i had that site locked down, i was using itheme security and i had just like, i had that thing locked down just like Fort Knox. And i got hacked because of the, uh it was a sideways hack. It was another site on the same server that was hacked, and so therefore i got hacked. So then i thought okay like it’s one of those things like fool me once, shame on you. Fool me twice shame on me, right? Rather than just leaving ben i was like okay well maybe it was just a bad server. Like and so i created a completely different hosting account, i was on a different shared server, it was the same level of account on Hostgator, but it was just a whole new account. So i was on a different server within a few months the same thing happened, and i was like “okay that’s my fault like i trusted you again hostgator and you you still screwed me” . Yeah and again i had the site locked down. So then i was like all right enough is enough and that’s when i switched to WP Engine and i’ve never had the issue again. But um yeah, so David mentioned we’re going through an article from our friends over at WP Beginner. And so that’s uh this is our inspiration for this topic. And so you can follow along if you want we have the link in the show notes, but it’s a great article that kind of breaks down these different signs of how you know, you got hacked. Because sometimes you’re not sure. So the first one on the list is, you get a sudden drop in website traffic. And the reason why this happens is because if google recognizes that your site is hacked, they’re going to put up a this site contains malware little uh warning on the browser. And um yeah you won’t be getting traffic uh because of that. And so that’s like usually the first thing, and that’s in a lot of cases that’s when people are made aware because all of a sudden Google tells them essentially, because they’re not getting traffic to their site. And that actually happened with WP Gears. We acquired the domain and it was blacklisted on some list and so on certain browsers on certain operating systems or something we were, people telling us like “oh i tried to buy your course, but i’m getting this warning”. And so it took us a little while to get it figured out and be blacklisted, but yeah that’s usually the first sign is that drop in traffic, because of the blacklist warning that google and other browsers will put on there.

05:24 David Blackmon: Yep number two on this list is bad links added to your website. So data data injection is one of the most common signs of a hacked WordPress website. So what will happen is the hackers will build in back doors into your WordPress website, So that they can insert links to drive traffic to um you know the websites that they want to drive traffic to. And they’re probably getting paid for it. Whether it’s you know, um undesirable sites most of the time. So um you just got to watch out for that um you’ve got to find out and fix the back door used to inject the data in your website and stuff and there there are ways to do that and stuff so yeah.

06:05 Tim Strifler: Yes definitely and that’s what happened to me is like at first glance. I i wouldn’t see anything on my site but i would like click on different places, and it was like there was bad links added like invisible links essentially added to like images or like paragraph sections or whatever that would go to an undesirable site. You know some affiliate scam or something. And then that was how i figured it out um and that is different than the number three on the list which is your website’s home page is defaced. Which that’s you land the home page and it’s clearly something’s out of whack here. It’s very clear it’s very obvious that you’ve been hacked because all of a sudden now there’s just a bunch of ads right very clearly visible ads or sometimes it could be something really inappropriate, you know as David mentioned at the beginning of the episode. So there’s different things that can happen uh when your website’s home page is defaced.

07:04 David Blackmon: Another way you can tell, if your website’s hacked is if you’re unable to log in. Once your website’s hacked what a lot of hackers will do, is they’ll go in and they’ll delete your admin account. So you don’t even have access to your own website. So if you can’t log in it might be a sign that you may have been hacked. There’s ways to get into your site, obviously from the host level and stuff, which you know that’s only a temporary thing when they delete your admin account but um it’s one of the signs to be able to tell.

07:35 Tim Strifler: Yeah definitely, and the next on the list is suspicious user accounts added to your WordPress site. So uh it’s rather than what David just mentioned, where your account is deleted. Um your account’s still there but you go in and you see some accounts, user accounts, admins that you didn’t add that you don’t recognize the name and you’re kind of confused. That’s usually the first telltale sign that your site has been hacked when uh you see those suspicious users.

08:05 David Blackmon: Yeah next is unknown files and scripts on your server. If you’re using a site scanner like Securi you know or something like that, which lets you know and you’re noticing security, yeah you’re noticing that hey you know your site. All of a sudden grew you know uh two gigs overnight you might want to take a look at it and see if there’s you know any any files or have been added to your site and it could be a sign that your site’s been hacked.

08:36 Tim Strifler: The next sign is your website is slow or unresponsive, right? If your website was previously running really fast uh and you have good hosting and you have it optimized and then all of a sudden uh it’s going really slow but you didn’t make any changes, you’re in a dedicated you know uh vps or uh or dedicated server or something like that. So there shouldn’t be any type of slowdown then that might be a sign that your website’s hacked and the reason is because or your website’s in the process of getting hacked, because if you become a target for a a ddos attack which stands for denial of service, um which basically is your site gets hit trying to log in um like thousands of times per second from different servers around the world. And the sole purpose of that is to bring down your site. Right, or in some cases the brute force attack is just trying to get into the site they’re guessing different password and username combinations thousands of times per second until they get one that’s accurate. So either one or two things happen is they get in or they bring down the site, and so your website can be really slow unresponsive or just completely unavailable during that process, because it’s getting hit so many times. It can’t handle that much traffic even though the traffic is like kind of fake. It’s not real people real traffic it’s it’s getting hit many times and so yeah that’ll crash your site.

10:04 David Blackmon: Next one on the list is a failure to send or receive WordPress emails. So a lot of hack servers are commonly used for sending spam emails. Most WordPress hosting companies also offer email accounts from the WordPress host. We don’t recommend that. Unfortunately when people are new to their website they think they need this so they go with it and stuff and many WordPress site owners use the host’s mail servers to send their WordPress emails. So if you’re unable to send and receive WordPress emails and there’s a chance that your mail server is act to send spam emails and that will get you on the blacklist, and there are ways to clean that up if that does happen, but we definitely recommend that you don’t use email on the hosting level. Use something like g suite we’ve talked about it many times. So yeah what’s next Tim?

 11:03 Tim Strifler: Awesome. Yeah so the next item on our list is uh suspicious scheduled tasks. So uh there’s something called cron jobs which is a process within a server that will run an automated task, and so when you get a real visitor it’ll trigger the cron job. Right and so you can look and you can see what scheduled tasks you have. Right if you have a Woocommerce site there’s going to be scheduled tasks different things and all of a sudden if you notice some weird scheduled tasks in there, that you didn’t add it’s not by a plugin you added then your website might be compromised might be hacked and might be using it to automate some sort of weird cron job type of thing. So that’s a little more advanced and not as obvious as the other ones but that is definitely a way that you can see that your site’s hacked.

11:53 David Blackmon: Another way is hijacked search results. You may not even realize this. So you know in your search results for your website it shows incorrect titles or meta descriptions then it’s a sign that your WordPress site might be hacked. You go into your website you look at your description your titles your meta descriptions and they’re correct but what’s happening is is they’ve injected you know some type of back door program that’s rewriting your titles and meta descriptions for search without you even noticing it. So um you know again they’re driving traffic to their to their you know source and stuff wherever they want to send it and stuff. And that’s a sign and that’s kind of a little bit more difficult one to figure out until somebody you know lets you know “hey you know your your meta description is saying that you’re a a dildo salesman as opposed to a you know a pizza restaurant”, you know you might be hacked.

 12:57 Tim Strifler: Yeah now one of the oldest uh ways to see that a website is hacked is pop-ups. You don’t see them much these days because of browser. Browser pop-up blockers and stuff like that but um yeah you see pop-ups on the site whether it’s in a new window or within the site it’s not something you added and it’s clearly advertising something that you would never advertise well your site’s been hacked.

13:21 David Blackmon: Yeah next on the list is your core WordPress files are changed. And this is a biggie if your core WordPress files are changed or modified in some way. Then that’s an important sign that your site’s been hacked, and you need to take care of that pretty quickly and stuff. And again you know um Sakuri um what’s the other one Tim? You said Word Fence I think. I wanted to say word defense but i knew it wasn’t right so Word Fence yeah, so just just take a look at that and stuff.

 13:54 Tim Strifler: Yeah and the last one on our list is actually what David mentioned at the beginning of the episode is users are randomly redirected to unknown websites. So you’re on you on a site all of a sudden it goes to a porn site or viagra or something random unrelated. Well the site’s been hacked and so uh that’s one of those panic moments that David mentioned, with this client where it’s like okay this is like not a subtle thing this is a major takeover, and you got to get that fixed quickly. So one thing i do you know we’re kind of running up to the upper end of our typical time of uh length of time for our episodes, but i want to mention just a couple things to help prevent any of this. Right, um the number one thing right if you’re not gonna do anything else that we recommend use good hosting. David say if you’re serious about what?

14:50 David Blackmon: If you’re serious about your business you need to be serious about your hosting it all starts with hosting folks period.

 14:54 Tim Strifler: Yeah exactly, it’s like my multiple times of being hacked because i was on cheap shared hosting. Since upgrading a good premium hosting it’s never happened. So check out uh we’ve done a lot of web episodes on hosting. Check out uh WP Zone formerly uh Divi Space Hosting, check out WP Engine a lot more expensive but but good. Check out Flywheel and yeah those are all great hosts, and you won’t have to worry about getting hacked. And then you can add things like Itheme Scurity Pro, or Word Fence or Security on top of that but it all starts with having really good hosting.

15:33 David Blackmon: Absolutely, all right tomorrow we’ve got another great topic, how to plan out blog posts for your website. And there’s a call and we’re ending this recording in three, two, one.

 15:9 Tim Strifler: Take care, bye.

Did you Enjoy this Episode?

  • Will you consider sharing it online? Just click one of the share buttons below!
  • Will you leave us a review? 🙂
  • Have a question, or a topic request? Let us know in the comments below!

Want to Connect with David & Tim?

Submit a Comment

Your email address will not be published.

Where To Find Us

Listen to WP The Podcast on your favorite platform: