Latest News & Blog

Laptop with WordPress logo on screen

Signs & Symptoms Your WordPress Site Is Hacked

Website security is a real concern with approximately 30,000 websites hacked each day.

More than 43% of websites available on the internet use WordPress as their content management system (CMS) and WordPress site hacks are becoming a common occurrence for businesses and web publishers.

Cleaning up a hacked WordPress site can be incredibly painful and requires specialist knowledge.

If you suspect your site has been compromised, you need to engage a developer to fix your hacked WordPress website.

Detection is Key to Minimise Damage from a WordPress Hack

The faster you detect and respond to a website hack, the less damage to your business and website downtime will occur. 

As a business or website owner, you need to be aware of the signs / symptoms that appear when your WordPress website has been compromised.

Below you’ll find a checklist to help you detect if your WordPress site has been hacked.

1. Unexpected Changes to Your Site’s Design or Appearance

One of the most obvious signs of a hacked site is an unexpected change in its appearance.

Often referred to as the defacing of a website, this could include:

Defaced Homepage: Your homepage may display unfamiliar/inappropriate content, graphics, or messages.

New Pop-ups or Ads: Intrusive pop-ups or banner advertisements that you did not put on the site may start appearing.

Automatic Redirects: After a landing on your home page or another page on your site, you are automatically redirected to another website.

This is a telltale sign of a hacked website but most hacking attempts will avoid defacing your site homepage. This is because they want the hack to remain undetected for as long as possible.

2. Automatic Redirects to Unknown Websites

Hacked sites are often used to redirect visitors to other malicious websites.

If your site is redirecting users to unfamiliar websites, it’s a strong indication of a hack.

For example – You type in your domain name or click through a Google search to your website. After landing on your home page or another page on your site, you are automatically sent to another website after a few seconds.

3. Bad Links have been Added to your Website

This is referred to as a data injection attack. It happens when hackers or bots create a backdoor on your WordPress site, which gives them access to modify your WordPress files and/or database.

These types of hacks will add spammy links to your website that link out to malicious websites.

Even if you find and remove the spammy links, they will reappear again a short time later. This will continue happening until the backdoor to your site has been found and removed.

4. Your Emails are Sending Spam

If you find your business emails are suddenly no longer able to send email or receive email, there is a chance that your mail server has been hacked.

If your email server has been hacked and is sending out spam, it causes your domain (website address) to become blacklisted.

A hacked and blacklisted email domain will completely stop your ability to communicate via email with your clients.

This can quickly turn into a major issue because many businesses completely rely on email for their day-to-day internal and external communications.

Early detection and immediate action is important because this type of issue can days to be fully resolved.

5. Website is Very Slow or Server is Unresponsive

A very slow website or a web server that frequently goes down can be a sign of an attack.

Any website on the internet can be targeted by random denial of service (DoS) or distributed denial of service (DDoS) attacks.

Such activity can cause your website to become slow, unresponsive, or completely unavailable.

These attacks use numerous hacked computers and servers worldwide, often with fake IP addresses. Sometimes, they overwhelm your server with excessive requests, while other times they attempt to break into your website.

You can check your server logs to identify and block the IPs making excessive requests, this may not resolve the issue if there are too many attackers or if they frequently change IP addresses.

6. Google Marked Your Site as “Unsafe”

When a website has become compromised, Google can sometimes detect the hack and mark your site as unsafe.

If you have Google Search Console set up for your website, it will send you a warning email if this is the case.

Google will also try to prevent people from reaching your website from the search engine results page.

It usually does this by warning users in two places:

– The organic search results – Google will place a notice on any of your website’s results in Google Search stating “This site may harm your computer.”

– Splash screen before entering your site – If a user then clicks on your website in the search results, they will be met with a bright red splash screen stating that ‘The site ahead contains malware’. The message will encourage the user to navigate away from your unsafe website.

This will cause your site to lose a large proportion of its visitors and is a clear indication that your website has been hacked and/or infected by malware.

7. Hijacked Google Search Results

A clear indication that your website has been compromised is if you have pages appearing in the Google Search results with incorrect titles and/or meta descriptions.

Sometimes these titles and meta descriptions are easy to catch because they are in another language.

This also indicates that spammy pages/posts have been created and added to your website and are now indexed in Google.

You can check for this by going to google.com and typing this into the search bar:

site:yourdomain.com.au

Replace yourdomain.com.au with the URL or domain name of your website. Google will list all of the pages on your site that are currently indexed.
This will give you the opportunity to scroll through the results and check for any incorrect page title/meta descriptions or spam posts/pages that you didn’t create.

8. Can’t Log In to the WordPress Dashboard

If you are unable to log in to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.

Since your admin account doesn’t exist, you will not be able to reset your password from the login page.

There are other ways to add an admin account using phpMyAdmin or via FTP, but this will require assistance from a Web Developer.

Even if you can regain access to WordPress, your site will remain unsafe until you get your website assessed and have the hack cleaned.

9. Suspicious User Accounts in WordPress Dashboard

If your website has been hacked, the perpetrators may have created fake administrative users in your WordPress admin so they can access your website.

You can check for this when you are logged into WordPress and navigate to Users –> All Users.

This will show you a list of all users on your website.

Have a look through the list of users and pay close attention to the ‘Role’ column.

If there are unknown or suspicious-looking user accounts with the role of ‘Administrator’, it means it is highly likely you’ve been hacked.

The best course of action here is to delete the suspicious users and update the passwords of any other administrator users on your site.

Also, go to Settings –> General look at the ‘Administration Email Address’ setting and ensure that the main admin is set to an email address that you recognise.

Once you’ve taken these immediate steps, you need to get your site checked by a WordPress hack repair professional.

10. Changes to Core WordPress Files

If you notice changes or modifications to your core WordPress files, it’s a strong indication that your site’s file system might have been hacked.

Hackers often alter core WordPress files to insert their own PHP code or create files with names similar to those of core files.

You can manually inspect your WordPress folders to identify any suspicious files or scripts but you need to know what to look for.

The best way to keep an eye on these core files is to install a WordPress security plugin that monitors the integrity of your core files and notify you if changes occur.

11. Suspicious Scheduled Tasks Appear on your Server

Web hosting servers let users set up cron jobs, which are scheduled tasks added to your server and they run automatically.

WordPress uses cron jobs for tasks like publishing scheduled posts and deleting old comments from the trash among a myriad of other useful things.

However, hackers can exploit cron jobs to run their own scheduled tasks on your server without your knowledge. That’s why you should regularly review your cron jobs and ensure only legitimate tasks are scheduled.

If you check your scheduled tasks and see any suspicious-looking tasks, this is an indication that your server may have become compromised. Get in touch with your web hosting provider as soon as you can to investigate.

12. Unusual Entries Appear in your Server Logs

Server logs are plain text files stored on your web server that record all errors and internet traffic on your site.

Reviewing server logs can help you understand what’s happening when your WordPress site is under attack. They contain all IP addresses accessing your site, allowing you to block suspicious ones.

Additionally, server logs can reveal errors that might not appear in your WordPress dashboard, which could be causing your site to crash or become unresponsive.

If you suspect your site may have been attacked or hacked, checking your server logs is a good place to start your investigation.

You can access these logs from your WordPress hosting account’s cPanel dashboard, typically found under Statistics or Metrics.

Fixing a Hacked Website

Being aware of the signs of a hacked WordPress site is the first step in protecting your online presence.

Website maintenance plans that include things like site monitoring, maintaining backups, and implementing robust security measures will help safeguard your site against cyber threats.

If your site is compromised, responding fast is crucial to minimise damage and restore normal operations as quickly as possible.

Cleaning up a hacked WordPress site can be incredibly painful and difficult. If you need professional assistance in securing and cleaning your WordPress site, our team is here to help.

Contact us today to ensure your site’s safety and security or call now on (07) 5531 3810 for assistance.

Connect with us

Keep in the loop or engage with us via

Acknowledgement of Country

We respectfully acknowledge the people of the Yugambeh language region, the traditional owners of the land on which we stand, and pay our respect to their elders past and present, and all Aboriginal and Torres Strait Islander Peoples who now live in the local area.

Go to top