I can save your website!
If you discover that your WordPress website has been hacked, the first thing to do is stay calm. Panicking can quickly lead to complete data loss for your website. Then all the work you have put into the site will simply be gone.
Do you want immediate help for your hacked website? Then
give me a call or send me an email, and I will get back to you as soon as possible.
What signs indicate that a website has been hacked?
If, for some inexplicable reason, the pages of your WordPress system become slow, this may be a sign of a so-called DDOS attack (DDOS = “Denial-of-Service”). In this case, requests are sent to your site from many computers. If you see an unusual increase in traffic in the server log, this may indicate an attack. There is nothing you can do about this in the WordPress system itself. However, you can exclude entire countries by making an entry in the .htaccess file, for example. I made the following entries for a customer on behalf of a server administrator:
# CN = China
# RU = Russland
# VN = Vietnam
# BY = Weissrussland
# KP = Nordkorea
# BR = Brasilien
# BD = Bangladesch
# Weiter Möglichkeiten:
# US = USA
# IL = Israel
<IfModule mod_geoip.c>
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE (CN|RU|VN|BY|KP|BR|BD) BlockCountry
Deny from env=BlockCountry
</IfModule>
If you see users in the list of users in the WordPress backend who seem strange to you and who have administrator rights, this may also indicate that a bot has hijacked the site. If the name doesn't make sense and the username, nickname, and public name are all identical, I would definitely say that this is unauthorized access. This user can make any changes to your site. You can revoke their rights by removing the administrator role until it is clear what purpose this user serves. Ultimately, you should delete them, of course. If you cannot do this in the backend, you must delete them directly in the database
If a different title or description suddenly appears in the search results for your page than the one you specified in the WordPress backend, this is also a sign that your website has been hacked. If you search for your own site on Google using “site:your-domain.com,” it is possible that your website will appear very far down the list, e.g., with
keyword: “something cryptic” | your website
A sudden drop in your website visitors is another indication. In this case, your visitors could be redirected to other websites with malware.
Or your website will be blacklisted by Google and classified as unsafe. You can prevent this with the Google transparency report.
Someone is trying to make money by inserting their own pop-ups. The spam ads are often displayed in a new browser window, initially unnoticed by the user. They usually only appear for users who access your WordPress site via search engines.
They usually look similar to WordPress files, but they don't belong there. You can only determine this by looking around the server with an FTP program and knowing which files belong to WordPress. These can often be found in the “wp-content” directory.
Removing these files only helps temporarily, because the actual script that creates these files or stores them on your server is located somewhere else entirely. A few days later at the latest, a similar file will appear there.
One of my customers had repeatedly made changes to various standard WordPress files. At some point, we noticed a small visual error on the home page. I had undone the changes several times, but they reappeared two days later at the latest.
Some WordPress websites use an email account to send emails (e.g., from the contact form or when automatic plugin updates have been set up). It is possible that the email account has been hijacked via WordPress and spam emails are being sent. Under certain circumstances, you may no longer be able to send or receive emails.
The longer this situation persists, the more likely your server will end up on an email blacklist.
Cron jobs are commands that can be given to a server to perform regular tasks. These cron jobs can also be set up for WordPress, for example, to publish scheduled posts or automatically empty the trash. If you use a plugin to monitor tasks in WordPress, you may find jobs in the list of cron jobs in WordPress that you are not familiar with. This also indicates that the site has been hacked.
Hackers may have gained access to the backend and database via a security vulnerability in your WordPress installation and placed links to spam websites in various places on the website.
If you simply remove the links, they will soon reappear elsewhere.
Either the hacker has made a small mistake in their bot, which is causing minor inconsistencies on the website, or it is the hacker's intention to let you know that they have hijacked your website. They will then post their own content on the website or perhaps try to blackmail you.
If you are sure that the login details you entered are correct, you should search for your username in the database. A hacker may have deleted or changed your backend account. If your account has been deleted, you will no longer be able to reset your password. You can create an administrator account directly in the database, but this will only prevent it from happening again once you have eliminated the source of the hacked WordPress.
In the server's log files, you can determine whether there have been significant changes in access or errors on the server. A sudden increase or decrease in access, or an unusually high number of errors on the server, may indicate that the system has been hacked. Here, you may also be able to see where the attacks are coming from and block the IP addresses of the sources.
The easiest thing for you would be to contact me and I will rescue your website.