WordPress is a widely used framework around the world. There are approximately 76.5 million WordPress blogs available on the web....
Steps to take if your WordPress site is hacked!!
Don't worry if your WordPress site or blog has been hacked. Please read this blog carefully and follow the steps to avoid it in the future.
Appclick Web & Securities
WordPress is an extremely popular web platform, and because of its popularity it is often the target of hackers looking to “take over” pieces of your site for their own benefit. Hackers like to maximize the effect of their work, so they’ll often target widely installed plugins or themes with known security vulnerabilities. In most cases, your site was not targeted specifically, but was hacked because of some vulnerability in a plugin or theme installed on your site.
WordPress sites are constantly under attack by hackers and script kiddies. And quite often these attacks are successful and end up compromising a Web page. This can result in these websites being kicked out of the Google index in order to avoid further corruption. So what do you do when your WordPress site has been hacked?
How do you know if you’ve been hacked?
There are many ways you may find out that your website has been hacked. The most obvious is when the hacker has simply defaced your website. You wake up one morning, open your browser and lo and behold, your website is no longer there. It has been replaced by a new page and has a big sign saying “Hacked by ______ (fill in the blank).” Or even worse, you get redirected to, hmmm, let’s call it an “unsavory” website. Well, in those cases it is obvious that you’ve been hacked.
However, hackers oftentimes will attempt to cover their tracks so that it isn’t obvious that a site has been hacked. They’d really prefer that you didn’t know about it, because they want to use your site as long as they can to do their dirty work.
Here are some big signs that your website has been hacked:
- Your website is defaced.
- Your website redirects to an ‘unsavory’ site such as a porn site or pharmaceuticals site.
- Google or Bing notifies you that your site has been compromised.
- Your Firefox or Chrome web browser indicates that your site may be compromised.
- You notice strange traffic in your web logs such as unexplained big spikes in traffic, especially from
How does it happen?
According to a survey last year by StopBadWare and Commtouch, 63% of website owners indicated that they did not know how they were hacked. If your website has been hacked, it is critical to understand how it happened in order to prevent another hack by the same hacker.
There are many, many ways a website can be hacked. Here are some common ways hackers can take control of your website:
- Guessing your password.
- Using malware on your local computer to capture your login credentials.
- Finding a security vulnerability in specific software that you happen to be using (especially outdated software).
- Hacking someone else’s site that resides on the same shared server that you are using for your site.
Note: getting hacked because of someone else’s site on the same server is a good reason to avoid cheap hosting providers. They don’t always have the best security practices and you often have “bad neighbors” on the same server.
So, is your WordPress site hacked? Now what?
1. Stay calm
First of all, stay calm. You can recover.
2. Pull back and take the page offline
First and foremost, take the website offline and save its current state. Although it’s infected, you should save its current state because it can be used as evidence later, and that evidence may help you in filing any claims for damages.
3. Check your computer
Make sure that your computer is not the source of the problem, the initial vulnerability. If your computer is infected with trojans, it’s possible that a hacker has been spying on your passwords and then used them to hack in and infect your site.
My Recommendation:
- Check your computer (and the computers of the other people you work with on your WordPress site) and scan the databases or FTP Web server with a virus scanner (recommendations: AVG or Avast).
- Download the Kaspersky Rescue Disk on a computer that you know is not infected and then use it on your computer.
- Install Sandboxie: With Sandboxie you can browse and operate in a sort of safety capsule. Furthermore, while using it, any viruses delivered will be trapped in the sandbox until the sandbox has been deleted.
Alternative: Use a MacBook or a Linux distribution. These are attacked least often and tend to be less susceptible to widely distributed malware.
4. Change all passwords
There is no way to know if someone is in possession of your passwords. Therefore you have to change all of your passwords:
- Passwords of all WordPress users
- All FTP passwords
- Passwords for all MySQL databases
- Master password of a Reseller
Only when all the passwords have been changed, can you assume that unauthorized persons do not have access via this route.
5. Set up SFTP
Encrypt future data transfers by using SFTP access. You can check with your web host or set it up in your backend. Save where possible, but don’t save passwords!
6. Locate the attack
Try to find out where the attack initially took place, that is, which files were uploaded or modified. Frequently, files such as index.php in the root or header.php in the theme folder are changed and infected with malicious code. In these files and folders, look for text such as “base64” or “eval”. You can also use plugins (e.g. Wordfence) to investigate changes in the WordPress core files.
7. Download a new installation of WordPress or restore from a Backup
If you can pinpoint the time of the attack (when and where it took place), you may be able to restore your site to a point before the attack happened, but it may be better to move to a new installation altogether. Download a new WordPress installation, then re-upload its wp-admin and wp-includes folders and overwrite the old version.
Then re-upload all files in the WordPress root as well, except .htaccess and wp-config.php (because these files may be where the attack took place, you’ll want these to be new). Restore a backup if you know when the attack took place (e.g. from the modification date and time of the compromised files). But of course this is only an option if you have set up backups through your web host and no data will be lost by going back to that restore point.
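The comparison behind steps 6 and 7, as an added example that is not part of the original post: it hashes wp-admin and wp-includes in the saved copy of the site and in a fresh WordPress download, then lists core files that were modified, added or missing. It assumes the fresh download is the same WordPress version as the site; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import os
import tempfile


def file_hashes(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare_core(clean_root, site_root, subdirs=("wp-admin", "wp-includes")):
    """Report core files that differ between a clean copy and the site copy."""
    report = {"modified": [], "added": [], "missing": []}
    for sub in subdirs:
        clean = file_hashes(os.path.join(clean_root, sub))
        site = file_hashes(os.path.join(site_root, sub))
        for rel in sorted(set(clean) | set(site)):
            path = os.path.join(sub, rel)
            if rel not in clean:
                report["added"].append(path)      # file WordPress does not ship
            elif rel not in site:
                report["missing"].append(path)    # core file was deleted
            elif clean[rel] != site[rel]:
                report["modified"].append(path)   # core file was changed
    return report


def demo():
    """Compare two small constructed trees (sample data, not real WordPress files)."""
    clean = {"wp-admin/index.php": "<?php // admin", "wp-includes/load.php": "<?php // core"}
    site = {"wp-includes/load.php": "<?php // core\n// constructed injected line",
            "wp-includes/cache-old.php": "<?php // constructed extra file"}
    with tempfile.TemporaryDirectory() as clean_root, tempfile.TemporaryDirectory() as site_root:
        for root, tree in ((clean_root, clean), (site_root, site)):
            for rel, content in tree.items():
                full = os.path.join(root, rel)
                os.makedirs(os.path.dirname(full), exist_ok=True)
                with open(full, "w") as fh:
                    fh.write(content)
        return compare_core(clean_root, site_root)


if __name__ == "__main__":
    print(demo())
```

Run compare_core against the offline copy saved in step 2 rather than the live server, so the evidence stays untouched.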
8. Check your Theme for infiltrations
To make sure that the WordPress Core is clean, you have to check the theme of your site. Look for modification times that look suspect (e.g. files being changed in the middle of the night). Additionally, check for strange code (“base64”, “iframe”, “eval”) and clean up everything you find. Always plan for the unexpected and back up your backup.
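The checks from steps 6 and 8 as a script, added here as an example and not taken from the original post: it walks a theme folder, reports the lines containing “base64”, “eval(” or “<iframe”, and flags files whose modification time falls at night. The function names, the 00:00 to 05:59 window and the sample theme are assumptions made for illustration.

```python
import os
import re
import tempfile
from datetime import datetime

# Strings the article says to look for. A match is a lead for manual review,
# not proof: legitimate code also uses base64 and iframes.
SUSPICIOUS = re.compile(rb"base64|\beval\s*\(|<iframe", re.IGNORECASE)


def scan_theme(theme_dir, night_hours=range(0, 6)):
    """Return {relative_path: [reasons]} for files that deserve a closer look."""
    # night_hours is an assumed window (local time); set it to your quiet hours.
    findings = {}
    for dirpath, _dirs, files in os.walk(theme_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            with open(full, "rb") as fh:
                for lineno, line in enumerate(fh, 1):
                    for match in SUSPICIOUS.finditer(line):
                        token = re.sub(rb"\s+", b"", match.group(0)).decode().lower()
                        reasons.append(f"line {lineno}: {token}")
            modified = datetime.fromtimestamp(os.path.getmtime(full))
            if modified.hour in night_hours:
                reasons.append(f"modified at night: {modified:%Y-%m-%d %H:%M}")
            if reasons:
                findings[os.path.relpath(full, theme_dir)] = reasons
    return findings


def demo():
    """Scan a constructed two-file theme folder (sample data, not a real theme)."""
    samples = {
        "header.php": (b"<?php wp_head(); ?>\n<?php eval(base64_decode('PLACEHOLDER')); ?>\n",
                       datetime(2024, 1, 10, 3, 12)),
        "style.css": (b"body { margin: 0; }\n", datetime(2024, 1, 10, 14, 0)),
    }
    with tempfile.TemporaryDirectory() as theme:
        for name, (content, mtime) in samples.items():
            path = os.path.join(theme, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.utime(path, (mtime.timestamp(), mtime.timestamp()))
        return scan_theme(theme)


if __name__ == "__main__":
    print(demo())
```

Modification times can be reset by whoever changed the file, so a clean timestamp does not clear a file; the content matches are the stronger signal.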
9. Perform the right security measures
If your site has been hacked once, it can be hacked again and again. This is why you have to make sure that all safety precautions have been taken. Look for all the necessary professional advice you can find. And most importantly, when carrying out the security measures one should always renew their security key, so that the authentication cookies can be recreated.
10. Be ready for potential attacks and react in time
First, the WordPress AntiVirus plugin checks Google Safe Browsing and lets you know whether or not your website has malware or phishing content. With it you can react in time before the page disappears from the Google index forever. Also, Wordfence checks website files for changes, which gives you another way to discover malicious code before it’s too late.