What to do when WordPress is hacked?

If your website has changed in appearance without your intervention, or your login to WordPress has stopped working, these can be signs that your WordPress site has been compromised. Fortunately, you can fix the problem by taking just a few steps.

You often can’t immediately tell if a website has been hacked. However, there are some clues that indicate your WordPress website has been hacked.

• Login doesn’t work: If you can’t log in anymore, then it may indicate that your website has been hacked and the attackers have changed the password. However, try to reset your WordPress password first to make sure that you have not just forgotten your login credentials.
   
• Browser warnings: You may find that your browser issues a warning when you try to access your WordPress website. This can also be a sign of an attack. But often the reason for the warning could be a problem with SSL or outdated WordPress plugins.
   
• Search engine warnings: Similar to browser warnings, search engine warnings can also indicate that your WordPress site has been hacked. Such warnings can indicate sitemap hacks in particular.
   
• Redirects: If you try to access your website and are immediately redirected to another page, this is also an indication that your WordPress website has been hacked. Attackers often add scripts to websites that set up redirects to websites of their choosing.
   
• Your website looks different: The appearance of your WordPress site can also be an indication of an attack. If you notice changes that you yourself or other admins have not made, you should take a closer look. The visual changes don’t have to be major. Even individual links to pages where you have not set up a link can indicate external interference.

There are several reasons why your WordPress site might fall victim to an attack. The most common causes are insecure passwords, managed software and insecure code. If you use themes and plugins from insecure sources or don’t update the software you use on a regular basis, security vulnerabilities may exist that attackers can exploit. Rogue hosting providers that don’t protect their servers against external attacks are also a possible gateway.

There are a number of actions you can take if your WordPress site has been compromised. What you need to do exactly and what steps are required depend on the type of attack. If your WordPress admin login has stopped working and you can’t reset the passwords either, it’s worth seeing if you can still access the contents of your database using tools like phpMyAdmin.

As a first step, you should put your site into WordPress maintenance mode or even take it offline entirely. This way, you make sure that users can no longer access your site while you fix issues caused by the attack.

It’s also worth creating a WordPress backup. This way, you can access all files at any time and possibly undo changes. A backup is also a good idea for evidence preservation. If you know when attack took place, it’s also possible to fall back on a backup that you created beforehand. Of course, this is only possible if you haven’t made any major changes to your site since then.

If your WordPress has been hacked, the problem doesn’t even have to be with the website itself. It may be that the attackers used a local computer as a gateway for the hack, for example, by introducing malware that spies on your passwords. Therefore, be sure to examine your PC for such software. Virus scanners can help you detect and remove malware.

It’s also important to reset all passwords and replace them with secure passwords. If you have used your WordPress password for other logins, you should renew the login details there too. Otherwise, you run the risk of your other accounts being hacked as well.

First of all, you should reset your WordPress admin password. In addition, you should change your SFTP password, your database password and the password with your hosting provider. If you have other admins on your WordPress site, they should also change their passwords as soon as possible.

If you find admin accounts on your WordPress site that are unknown to you, you should remove them. It could be that these are accounts that the attackers have created to make modifications to your website. Navigate to “Users” and then to “Administrator”. Remove all unfamiliar accounts from the list.

As a next step, update all WordPress plugins and themes you use on your site. It may not be your WordPress that has been hacked, but merely one of the extensions you use. Therefore, it’s worth trying this step before following the tips below to possibly save yourself unnecessary work.

You should also reconsider the use of themes or plugins that you have downloaded from third-party providers where you do not know how safe they really are. It’s best to use only certified plugins and avoid third-party software altogether.

Attackers may have made changes to central files or even introduced files that modify your WordPress site. A WordPress security plugin like WordFence can help you to find unwanted files.

Files that are often infected with malicious code, apart from the .htaccess file, are mainly index.php, footer.php, function.php or header.php. If you discover any changes in these files, you should definitely replace them.

A common reason for search engine warnings in particular is a hacked sitemap. Therefore, you should take a closer look at your sitemap.xml file after an attack and possibly recreate it. For example, there are WordPress SEO plugins, which will regenerate the sitemap for you. Nevertheless, you have to manually inform search engines like Google that your website problems have been fixed so that it will be crawled again afterward. However, this process can take up to two weeks and cannot be accelerated.

If all other measures did not help, you need to reinstall the WordPress core. You should avoid using an automatic installer as this will overwrite your database. Instead, you need to upload the individual files manually using SFTP and overwrite your old files.

Whether or not you have been hacked, it’s a good idea to make sure that your WordPress site is as secure as possible. This way, you significantly reduce the risk of attacks. While there’s no such thing as 100% protection against your website falling victim to attackers, a combination of various protective measures will ensure that the likelihood is significantly reduced. Such protective measures include:

• Secure passwords: Make sure to use secure passwords. Not only will a password manager help you remember these passwords, but it will also generate them. Two-factor authentication also contributes to increased security.
   
• Updates: Keep the software you use up to date. You should install WordPress updates regularly.
   
• Delete unnecessary software: If you have installed plugins or themes that you don’t use, you should definitely delete them. They only act as unnecessary targets for attacks.
   
• SSL/TLS: Encrypt your website using SSL or TLS.
   
• Firewalls: You can think of firewalls as barriers to attackers. If you set up a firewall for your website, it also reduces the likelihood of hacks such as DDoS attacks.
   
• Use a reputable hosting provider: A reputable hosting provider like IONOS protects its servers from attacks in the best possible way.