One of the reasons WordPress is so popular as a content management system is its airtight security (read: its rare ability to be hacked). But the truth is, 136,640 attacks are happening per minute to WordPress websites across the globe.
That’s a scary thought.
No matter how secure you think your WordPress website is, it is always going to be susceptible to attack.
In fact, weak passwords, domain or hosting level breaches, insecure themes and plugins, and even an outdated WordPress core may cause your website to become more vulnerable than normal.
But the thing is, how can you tell if your website has fallen victim to hackers?
Fortunately, there are some surefire ways to tell if your WordPress website has been hacked. And, by familiarizing yourself with the most common signs, you will be able to identify an attack quickly and easily, and get started on a solution right away.
Top Signs Your WordPress Website Has Been Hacked
1. A Sudden Drop in Traffic
Malware and trojans love to hijack website traffic and redirect it to spammy websites. Unfortunately, some hackers don’t redirect logged in users, causing their bad deeds to go unnoticed for quite some time.
However, if you begin to notice unusual drops in daily traffic to your website, this may be a sign your site has been hacked.
2. Inability to Log In
If you are having trouble logging into your WordPress dashboard, there could be a problem with your admin account. Sometimes hackers like to delete your account so they can have control over your website. And, since the account has been deleted, you will not be able to reset your password from the login page.
To fix this, you will have to fiddle with your website’s wp-login.php on an FTP client (such as FileZilla) by deleting it and reinstalling a fresh version with a new WordPress install. From there, add some code to your website, as recommended here, and start anew.
3. Email Issues
Sending spam emails is one way hackers like to utilize WordPress websites. To do this, they break into your site and use your host’s mail servers to send spammy WordPress emails to the masses.
Here’s a look at how it works:
- Hackers break into your WordPress website and install scripts to send out thousands of emails from your IP address
- People receive these spammy emails and mark them as spam
- Your website is then added to a block list
If you are having trouble sending or receiving WordPress emails, there is a good chance your mail server has been compromised, or far worse, you have been blacklisted by Google. Take care to resolve this issue quickly to minimize long-term damage.
4. A Change in Website Appearance
This is one of the most obvious ways to tell intruders have attacked your website. If you notice visual changes to your website, you can conclude that hackers have invaded your theme files and dropped a lot of bad, invisible code into your site.
Bad code added to your website will result in any of the following:
- Visible only to crawlers, invisible code added to your site will slow your site down and get tracked by Google, therefore affecting your search engine rankings
- Footer sections will now have unwelcome links and content added that attract the wrong kind of attention
- Explicit or otherwise unwarranted content will be visible to site visitors
Again, since hacking into websites is a sneaky business, you may not always know that it’s happening.
5. Incorrect Meta in Search Results
If you run a manual search result on your website and notice that the Meta descriptions that should be there are not, or they have changed, you can guess that someone has invited themselves into your website and done damage.
The kicker is, when you get back into the dashboard of your website, everything looks the way it should. This is because malicious code has been injected into the backend of your website, thus modifying your website’s data in a way that only search engines can see.
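One way to check for the crawler-only changes described in signs 4 and 5 is to compare the page a visitor receives with the page a search engine receives. This is an added example, not code from the article: the class and function names are hypothetical and the two HTML responses are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageFacts(HTMLParser):
    """Collect the title, meta description and link targets of one page."""
    def __init__(self):
        super().__init__()
        self.title, self.description, self.links = "", "", set()
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "description":
            self.description = a.get("content") or ""
        elif tag == "a" and a.get("href"):
            self.links.add(a["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data.strip()

def cloaking_report(browser_html, crawler_html, own_host):
    """Report what the crawler copy contains that the visitor copy does not."""
    b, c = PageFacts(), PageFacts()
    b.feed(browser_html)
    c.feed(crawler_html)
    return {
        "title_changed": b.title != c.title,
        "description_changed": b.description != c.description,
        "crawler_only_external_links": sorted(
            u for u in c.links - b.links
            if urlparse(u).hostname not in (None, own_host)),
    }

# Constructed sample responses for one URL, as served to two User-Agents.
BROWSER = """<html><head><title>Acme Bakery</title>
<meta name="description" content="Fresh bread daily."></head>
<body><a href="/menu">Menu</a></body></html>"""
CRAWLER = """<html><head><title>Acme Bakery</title>
<meta name="description" content="Cheap pills online"></head>
<body><a href="/menu">Menu</a><div style="display:none">
<a href="https://spam.example/pills">pills</a></div></body></html>"""
print(cloaking_report(BROWSER, CRAWLER, "acme.example"))
```

Feed it the HTML fetched from the same URL once with a browser User-Agent and once with a search-engine crawler User-Agent. Injected code that keys on the crawler's IP address rather than the header will not show up this way, so the search result listing itself remains the reference.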
6. New User Accounts
For websites that allow users to register, spammy user accounts are a normal occurrence. Simply delete them and go about your day.
On the other hand, if you do not allow user registration on your WordPress website, and notice new accounts being created in the backend of your site, you can assume your website has been hacked and you need to take action.
7. Site Scanner Alerts
If you use a website scanner like Sucuri Security or the popular Wordfence security plugin, you will receive notifications of any suspicious activity on your website.
One popular notification involves unknown scripts or files on your server. By infecting your site’s files and scripts with corrupt or unknown additions, hackers are then able to do things such as redirect all of your site’s visitors to a website of their choice.
This is in hopes that their website’s search engine results will increase thanks to the boost in traffic. As a result, your website suffers because of drops in traffic and your user experience is horrible because site visitors cannot connect with your content.
The best way to delete these unknown files and scripts is to access your WordPress website via an FTP client. Then delete the suspicious code and links on your website. Next, re-upload clean versions of anything you deleted that was infected but still needs to be in your website files.
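To decide which files count as unknown or infected before deleting anything, compare the live site against a clean copy of the same WordPress, theme and plugin versions. This is an added example, not code from the article or from any scanner plugin: the function names are hypothetical and the two miniature file trees are constructed.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def compare(clean_root, live_root):
    """Classify live files against a clean copy of the same release."""
    clean, live = manifest(clean_root), manifest(live_root)
    return {
        "unknown": sorted(set(live) - set(clean)),    # not shipped: review, then delete
        "modified": sorted(p for p in clean.keys() & live.keys()
                           if clean[p] != live[p]),   # re-upload the clean version
        "missing": sorted(set(clean) - set(live)),    # deleted by the intruder or by you
    }

def write_tree(root, files):
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)

def demo():
    # Constructed trees standing in for a clean download and the live site.
    clean = {"wp-login.php": "<?php // login", "wp-includes/version.php": "<?php // v",
             "wp-content/themes/t/footer.php": "<?php // footer"}
    live = dict(clean)
    live["wp-content/themes/t/footer.php"] += "\n<a href='https://spam.example'>x</a>"
    live["wp-content/uploads/cache.php"] = "<?php // not part of the release"
    del live["wp-login.php"]
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, live)
        return compare(a, b)

if __name__ == "__main__":
    print(demo())
```

Your own media uploads will also appear under "unknown", so review that list rather than deleting it wholesale. WP-CLI's `wp core verify-checksums` performs the same comparison for core files against the official checksums.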
How to Avoid WordPress Website Hacks
You can take several precautions to ensure your WordPress website is not hacked:
- Monitor your site’s traffic via your hosting provider or a tool such as Google Analytics
- Take swift action when you notice anything unusual – highs or lows in site traffic, design defacing, spammy links or code, etc.
- Always keep an updated version of WordPress, plugins, and themes
- Only use themes and plugins from reputable developers to avoid poorly coded software and vulnerabilities
At some point or another, your WordPress website will become compromised. In fact, it’s not a matter of if, but when. That said, there are some definitive signs that you will notice should your website fall victim to hackers.
Take heed and learn the warning signs so that you will notice right away when your site has been hacked. This way you can get the problem patched up before your website takes a big hit in traffic, sales, and reputation.
Obviously you and I have different definitions of “airtight security”.
WordPress is a pig of a system, technically, in many aspects.
Lindsay Liedke says
I am sorry to hear you feel that way. Unfortunately, in my experience, this is not the case. Especially if you take the necessary steps to secure your site from outside threats. Mind you, I did state that no matter what, your website will always be susceptible to threats. This is inevitable. But there are plenty of people running successful WordPress websites that have experienced very little, if any hacks, and are completely satisfied using this CMS.
I wonder what you might suggest as an alternative?
With all the plugins, WordPress is incredibly easy to be hacked. It’s one of the biggest reasons people stay away from it.
Lindsay Liedke says
Thank you for your insight. Though there may be people that stay away from WordPress, there is no denying it is the most widely used CMS across the globe. And, as with anything in this world, there will be people that like it, and people that don’t. I guess that’s the reason we have choices when it comes to which CMS we want to use.
While I do agree that irresponsible plugin use can lead to vulnerabilities, there are some very advanced WordPress users that claim that having a lot of plugins on your WordPress website, so long as they are reputable and cleanly coded, will have very little impact on your site’s ability to be hacked. In fact, I once interviewed Andy Stratton of WP Maintainer, who made this very claim. In addition, Pippin Williamson, one of the most well known WordPress plugin developers, runs upwards of 80 plugins on his own website without a hitch. It’s all about taking the right measures to secure your website, and knowing what to do if your site is hacked. As I mentioned above to Drewbert, I never stated it was impossible to hack WordPress. However, I stand by my opinion that there are plenty of ways to identify and rectify a possible hack.
I will also ask you what I asked Drewbert: which CMS do you then recommend?
Thomas Raef says
I don’t believe it’s buggy or incredibly easy to be hacked. The fact is that it’s the most popular platform for new websites. Many website owners don’t believe their sites are of interest to hackers so they don’t take the necessary precautions to protect it.
Any entity that does not believe it will be attacked and therefore takes no steps to protect said entity, will be “low hanging fruit”. Take any CMS: Drupal, Joomla, etc. and don’t update it or take certain precautions and make it the most popular – and they’d be considered buggy or incredibly easy to be hacked as well.
Lindsay Liedke says
Hi Thomas Raef,
Thank you for your comment 🙂 I agree, WordPress is not easily hacked or it wouldn’t be the most popular CMS right now. I also agree when you say that many people do not take the right precautions to secure their website, which leaves them open to vulnerabilities.
Although I do not have experience with Joomla or Drupal, I do think that you are right in saying they too are vulnerable to attack when left outdated or not properly secure. And, if they were to ever take the top spot as “most popular CMS” there would still be people that had problems with it, just as there is a select group of people that dislike WordPress.
Thank goodness we have the option to choose which CMS we use!
Michael Neely says
Great article, Lindsay! I have owned WordPress sites for six years and I have moved into WordPress development. There are many reasons that WordPress is the #1 CMS in the world. WordPress powers over 25% of the most popular websites on the internet. Is it hackable? Yes. There are no unhackable websites, as many prove every day. I even took an .htaccess attack this year in which my desktop views were fine but my mobile views went to pron sites. I found out the hard way texting a link to a client. I recovered the client and cleanup was very easy. Most web hosts offer a site lock product that makes sites virtually impenetrable, I am told. Keep all your plugins and themes updated. Delete the themes and plugins you’re not using. This limits the “back doors” into WordPress sites.
I am not a hacker and wouldn’t know where to begin to hack a site, but my experience is that WordPress is a great CMS and I recommend it to all my clients.
That’s my two cents…
Lindsay Liedke says
Hi Michael Neely,
Thank you so much for stopping by and for the kind words about my article. And, congratulations on getting into WordPress development. That is sure to open a lot of opportunities for you!
I appreciate you confirming my opinion that WordPress is highly secure, though not perfect, as nothing in this world is 🙂 I also enjoy the fact that you shared your personal experience regarding a recent hack. It is never fun for these things to happen, and you are right when you say that updating themes and plugins, as well as deleting ones that are not in use are great ways to secure the backend of your website. It’s also good to know you recovered fairly easily and have continued using WordPress despite your experience.
Thanks again for stopping by, your two cents have been noted 🙂
Malware is a big problem that has serious repercussions for website owners. Loss of income not to mention identity theft. This is a great post for website owners to identify malware problems and how to improve their security for their site. Thanks for the post!
Lindsay Liedke says
Thank you so much for stopping by and you are welcome! I agree, malware is a scary thing and can have dire effects on someone’s website if the proper precautions are not taken. I think that every website owner should crack down a little harder on their site’s security to prevent bad things happening, especially if they rely on their websites for income.
I appreciate the kind words, remember to keep coming back for more great insight into how to run a WordPress website!
Thank $DEITY I changed the default “admin” account and installed Wordfence then! This morning, I woke up to 55 Wordfence emails trying to break into the nonexistent admin account. I have an inkling who’s behind it, but I’d rather not say whom in this comment.
TL;DR… Wordfence rocks!