piwik Matomo

WordPress hacked?

Has your WordPress site been hacked?

I can save your website!

If you discover that your WordPress website has been hacked, the first thing to do is stay calm. Panicking can quickly lead to complete data loss for your website. Then all the work you have put into the site will simply be gone.

Do you want immediate help for your hacked website? Then

give me a call or send me an email,

and I will get back to you as soon as possible.

Indications of a hacked website

What signs indicate that a website has been hacked?

Your WordPress is often sluggish or pages load slower than usual

If, for some inexplicable reason, the pages of your WordPress system become slow, this may be a sign of a so-called DDOS attack (DDOS = “Denial-of-Service”). In this case, requests are sent to your site from many computers. If you see an unusual increase in traffic in the server log, this may indicate an attack. There is nothing you can do about this in the WordPress system itself. However, you can exclude entire countries by making an entry in the .htaccess file, for example. I made the following entries for a customer on behalf of a server administrator:

# CN = China
# RU = Russland
# VN = Vietnam
# BY = Weissrussland
# KP = Nordkorea
# BR = Brasilien
# BD = Bangladesch
# Weiter Möglichkeiten:
# US = USA
# IL = Israel
<IfModule mod_geoip.c>
  GeoIPEnable On
     SetEnvIf GEOIP_COUNTRY_CODE (CN|RU|VN|BY|KP|BR|BD) BlockCountry
     Deny from env=BlockCountry
</IfModule>

Strange WordPress user accounts

If you see users in the list of users in the WordPress backend who seem strange to you and who have administrator rights, this may also indicate that a bot has hijacked the site. If the name doesn't make sense and the username, nickname, and public name are all identical, I would definitely say that this is unauthorized access. This user can make any changes to your site. You can revoke their rights by removing the administrator role until it is clear what purpose this user serves. Ultimately, you should delete them, of course. If you cannot do this in the backend, you must delete them directly in the database

Incorrect search results

If a different title or description suddenly appears in the search results for your page than the one you specified in the WordPress backend, this is also a sign that your website has been hacked. If you search for your own site on Google using “site:your-domain.com,” it is possible that your website will appear very far down the list, e.g., with
keyword: “something cryptic” | your website

Visits to your website suddenly drop significantly

A sudden drop in your website visitors is another indication. In this case, your visitors could be redirected to other websites with malware.

Or your website will be blacklisted by Google and classified as unsafe. You can prevent this with the Google transparency report

Unknown pop-ups on your website

Someone is trying to make money by smuggling in their own pop-ups. The spam ads are often displayed in a new browser window, initially unnoticed by the user. These usually only appear for users who arrive at your WordPress site via search engines

You find files and scripts on your server that don't belong there.

They usually look similar to WordPress files, but they don't belong there. You can only determine this if you look around on the server with an FTP program and know which files belong to WordPress. These can often be found in the “wp-content” directory.

Removing these files only helps temporarily, because the actual script that creates these files or saves them to your server is located somewhere else entirely. A few days later at the latest, a similar file will appear there.

Standard files on the server have been tampered with.

One of my clients had repeatedly made changes to various standard WordPress files. At some point, we noticed a small visual error on the home page. I had reversed the changes several times, but they reappeared within two days at the latest.

Emails can no longer be sent or received

Some WordPress websites use an email account to send emails (e.g., from the contact form or when automatic plugin updates have been set up). It is possible that the email account has been hijacked via WordPress and spam emails are being sent. Under certain circumstances, you may no longer be able to send or receive emails. 
The longer this situation persists, the more likely your server is to end up on an email blacklist

Unknown scheduled tasks

Cron jobs are commands that can be given to a server to perform regular tasks. These cron jobs can also be set up for WordPress, for example, to publish scheduled posts or automatically empty the trash. If you use a plugin to monitor tasks in WordPress, you may find jobs in the list of cron jobs in WordPress that you are not familiar with. This could also indicate that the site has been hacked.

Unknown links on your website

Hackers may have gained access to the backend and database via a security vulnerability in your WordPress installation and placed links to spam websites in various places on the website.
If you simply remove the links, they will soon reappear elsewhere.

The home page of your website is broken or has minor errors.

Either the hacker has a small error in their bot that causes minor inconsistencies on the website, or it is the hacker's intention to let you know that they have hijacked your website. They will then post their own content on the website or perhaps try to blackmail you.

Your WordPress registration has failed

If you are sure that the login details you entered are correct, you should search for your username in the database. A hacker may have deleted or changed your backend account. If your account has been deleted, you will no longer be able to reset your password. You can create an administrator account directly in the database, but this will only prevent it from happening again once you have eliminated the source of the hacked WordPress.

Unusual activity on the server

You can check the server's log files to see if there have been any significant changes in traffic or errors on the server. A sudden increase or decrease in traffic, or an unusually high number of errors on the server, may indicate that the system has been hacked. Here, you may also be able to see where the attacks are coming from and block the IP addresses of the sources.

How can I rescue my hacked WordPress website?

The easiest thing for you would be to contact me and I will rescue your website.

How do I proceed here?

  1. First, I'll see if I can create a backup of the website. Either via the backend with the Duplicator or “manually.” If I download your data via FTP, my virus scanner will probably flag any infected files it finds. Then I'll know where to look to at least temporarily regain access to the site.
  2. Secondly, I look at the users. If there are any suspicious users, they will be deleted in consultation with you. The passwords for all remaining accounts will be changed.
  3. Then, depending on the severity of the infection, I will first update everything that can be updated. The update page should show a complete list here.
  4. Then I will install a firewall. I have had very good experiences with wordfence. This allows the entire WordPress to be scanned for infected and/or manipulated files. The firewall compares the sources of the WordPress, theme, and plugin files with the originals and then suggests a course of action (e.g., delete, ignore, etc.).
  5. I look at the plugins and themes in the backend and set everything that does not affect the frontend (e.g., YOAST SEO or an inactive default theme) to automatic update. In addition, WordPress itself should at least perform security updates automatically.
  6. Then I make another backup of the system.

Do you have any questions?

Then please feel free to contact me

Contact form  +49 40 4327 3227  info@netshot.eu