Something just isn’t right with your WordPress site. Maybe you’re seeing weird links in your blog posts, or perhaps your site has suddenly stopped functioning the way it should. If you’re lucky, you’ll get a notification from your host that you’ve got infected files so you can take action. But what if you don’t? How can you find out if your site has been hacked?
Ideally all bloggers would take steps to protect their sites from hackers, such as installing a great security plugin, but unfortunately even the best preventive measures sometimes fail. If you suspect that your blog or website has been compromised, there are a number of steps you can take to check your WordPress site for malware or evidence of being hacked.
Step One: Make sure all plugins and themes are up to date. Plugin and theme developers release updates for two main reasons – to improve functionality and to patch security flaws. You should always keep your themes and plugins up to date.
Even if a plugin or theme is deactivated, its files could still allow someone to gain access to your site. Get rid of anything you don’t actually use, or keep it up to date at the very least. Be sure to take the appropriate steps to upgrade your theme safely so you don’t lose your customizations.
Step Two: Strengthen your WordPress install. There are several thing you should do every time you install WordPress, like getting rid of the “admin” user and choosing a good password. If you haven’t done those things, do them now to prevent problems in the future.
Step Three: Identify the problem. If you know something is still “off” but you aren’t sure what it is, now is the time for some basic troubleshooting. What do you see that causes you to think your site has been hacked? When did you notice it? Does the problem go away if you deactivate all your plugins? (If so, it’s probably a plugin issue.) Does the problem go away if you change to the Twenty Eleven or Twenty Twelve theme? (If so, your theme may be infected.) The more information you have, the better equipped you’ll be to take care of it.
Step Three: Scan your site. There are several methods you can use to scan your WordPress site for malware, all of which may provide different results. I recommend going through each of these just to be safe:
- Visit Is It Hacked? to run a free scan. You can also set up free monitoring to warn you if your site displays signs of infection. I love this site because they aren’t trying to sell you any kind of cleanup service (so you can trust the scan results).
- Go to the Sucuri website and run a free scan. I don’t always trust the results of Sucuri scans because they try to rope you into paying them for malware removal, but this is a good way to see if your site is on any blacklists.
- Install Wordfence Security (it’s free) and run a scan. Wordfence will identify any files that have been changed, need to be updated, or may contain malicious code, as well as providing you with the information you need to fix them.
- Install Anti-Malware (also free) and run a full scan of your site. You need to register first to make sure you have the latest definitions file, but it only takes a second. This plugin will clean up all kinds of infected files and put protective measures in place to prevent them from being infected again.
- Finally, ask your host to scan your site for additional infected files. Many hosts will provide a list of files, though very few of them give you much direction on addressing the problem.
Step Four: Consider bringing in reinforcements. There’s nothing worse than realizing your site has been hacked and feeling unsure about how to handle it. A number of other companies provide malware removal as well. If you aren’t comfortable going through these steps yourself, don’t ignore the problem – get some help!
The Bottom Line
If your readers are reporting issues you can’t explain or your WordPress site randomly starts misbehaving, don’t stick your head in the sand. Anything on the internet can be hacked or compromised no matter what type of security you have in place, and it happens more often than you think.
Even if nothing is wrong with your site, take 20 minutes each month and go through these steps to ensure that your site is safe and free of threats.
Do you have any other tips for finding out whether your site has been hacked? Have you ever experienced malware on your own site? Let us know what you think in the comments!
Mark Fulton says
I have first hand experience and know it can be such a hassle to deal with. I found this simple PHP script very helpful in finding one exploit.
Basically it searches all the files on your server for a match to “base64_decode” which malicious injections often use. You can also use it to search for known exploit file names. You can copy the code here:
http://pastebin.com/53y1hLZH
Keep spreading the WordPress knowledge.
Andrea Whitmer says
Thanks for stopping by, Mark! Appreciate the script – that’s a great resource. 🙂
Sean says
Don’t forget to use strong passwords for both your WordPress admin interface and FTP/cpanel/etc passwords. I use an open source tool called KeePassX that will generate strong passwords for each account and store them for when I need them.
I’d like to add my site, IsItHacked, to the list of tools. It checks many of the same blacklists as Sucuri but performs some different checks and will even check your site on a schedule for free (emailing you the results).
Andrea Whitmer says
Hi Sean,
Thanks for sharing your site – I’ll have to edit the post to include it as a resource! Looks like a great tool.
Tony says
Thank you, Andrea. I went to the URL’s you listed, ran the scans on my websites, and found out one of them was blacklisted by Norton. I had been wondering why website traffic had decreased considerably over the past year, and now I know why. Thanks for the great article.
Andrea Whitmer says
Sorry to hear that your site was infected, Tony, but hopefully you got it cleared up!
Ryan McGraw says
I’ve had two Genesis sites hacked, I think, in the last month? All plugins disappear and a massive chunk of code been inserted into the functions file?
Thanks for the tips – I’m going through them all now
Ryan
Andrea Whitmer says
Gross, Ryan! I’m sorry to hear that. Hope you got some answers!
Rehan Gillani says
Hello Andrea Whitmer,
I am not a WP beginner but not an expert either.
For the last 48 hours, I have been observing some very unusual things e.g. page redirections and 404 error on many of my previously published blog posts. The number of visitors on my blog has also been significantly decreased.
I read this post in an effort to identify the real cause behind this situation. I don’t know if I’ll be able to get all the things back to normal. But this post has helped me learn some new things about WP security and I want to say THANKS for sharing your expertise.
Andrea Whitmer says
Thanks for stopping by, Rehan! I’m sorry to hear that you’re having difficulty, and I hope you’ve been able to resolve the issues with your site.
This is an ancient article,
so comments are now closed.