What to Do if Your WordPress Website Was Hacked

WordPress Website Hacked? We’ll Show You What to Do Next


WordPress is the world’s most popular way to build websites. Of the top 10 million sites on the internet, more than 43% (43.2%) are powered by WordPress. It’s no wonder that Automattic, the company behind WordPress, has a highly skilled team of programmers called the ‘WordPress Core Team.’ These experts are responsible for securing the core WordPress software from hackers and malicious attacks.

As you know, you can install various themes and plugins in WordPress to extend the functionality of your website. In a few rare instances, one of your themes or plugins may have a security loophole that hackers can use to access your website. In fact, iThemes, in its monthly vulnerability reports, clearly states that plugins are the main weak point of WordPress websites.

In this blog post, we’ll guide you through the signs to look for to know if your WordPress website was hacked. In addition, we’ll also share some strategies to protect your website from being hacked, what steps to take if it’s hacked and what measures you can take to prevent future attacks.

Since most of the steps in this article can be implemented for free, we recommend you go through each tip we’ve shared and implement it on your WordPress website today.

Let’s get started!


5 Signs Your WordPress Site Has Been Hacked

When your WordPress site gets hacked, you’ll probably know it immediately. But you also may not realize it for quite some time. So here are five basic signs to look out for to know if your WordPress site has actually been hacked.

1. You’re Unable to Login or Can’t Get to the Login Page

This is obvious. If you aren’t able to log in to your WordPress dashboard, it means your WordPress account has been hacked (unless your coworker played a prank on you). There can be many reasons for this, but the number one reason why this happens is that your username is one of the following:

  • admin
  • Admin
  • administrator
  • test
  • root

If this is the case for you, change your username immediately, as WordPress accounts with these usernames are frequently targeted by hackers.

Most WordPress site owners think they can’t change their admin account username, but it’s possible to do so in phpMyAdmin, accessible from your web hosting control panel. Open the wp_users table and change the username in the user_login column by double-clicking the username and typing a new one. This will make the hackers’ job far more difficult.

2. You’re Experiencing a Sudden Drop in Traffic

If your website was performing really well and has now seen a sudden drop in traffic, chances are your WordPress site has been hacked. That’s because malicious hackers create a backdoor to your WordPress file system and replace the code with their own scripts and files.

This way, they redirect the traffic coming to your website to other spammy locations, steal the private information of incoming visitors and wreak havoc in other ways.

In addition, once Google discovers that your site has become infected and is misbehaving, it blacklists your site from the search engine until you secure your website.

All of this leads to a sudden drop in traffic.

3. Your Homepage Has Been Vandalized

Most hackers operate in secrecy, but some like to make themselves known when they successfully hijack a website. If your homepage has been vandalized and you can clearly see the name of the hacker or some form of an announcement that your website has been hacked, you need to act immediately.

This happens mainly because hackers want to hold your website hostage in exchange for money or some other demand, similar to how ransomware operates.


4. You See Pop-Ups and Other Ads You Didn’t Put There

If your WordPress site has become slow and unresponsive and now has pop-ups, ads on the sidebar or any other kind of anomalies, it can be a sure sign it has been hacked.

Usually, this kind of hacking isn’t done by a hacker.

Instead, this is an automated attack that has entered your WordPress core system through a weakly protected theme or an insecure plugin.

What makes this kind of hack genius (and dangerous) is that the ads won’t show up for logged-in users or users who can access your site directly. Rather, the ads will only show up for those visitors who visit your site via Google or another referral site.

This can make it practically impossible to know that your site has been hacked for the longest time.  

Plus, the ads lead your visitors to spam websites, which can damage not only your website and its traffic but also your reputation.

5. There’s Unusual Activity in Your Server Logs or You Spot Suspicious User Accounts

If there’s one extremely efficient way to know if your website is hacked, it’s by looking at your server logs.

They are located in your cPanel, which can be accessed by logging in to your hosting account. More often than not, overly cheap hosting providers may have a limited set of tools, although if they use cPanel, they should provide a specific menu for you to look at that information. In cPanel, under statistics, you’ll find two kinds of logs:

  1. Access Logs: these logs show you which IP addresses accessed your WordPress site.
  2. Error Logs: these logs show you what errors occurred while modifying your WordPress system files.

Using the information inside your server logs, you can get a good idea of whether your WordPress website was hacked. And since these logs also record all the IP addresses used to access your website, you can blacklist or block those IPs that are unknown or not from your location.
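One way to review an access log for the unusual activity described above, as an added example that is not part of the original post: it counts login submissions per IP address and notes which of them ended in a redirect. The log lines are constructed, the IP addresses come from documentation ranges, and the threshold of 5 and the reading of status codes are assumptions.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" format: IP, identity, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")  # WordPress login endpoints


def summarize_login_activity(lines, threshold=5):
    """Return {ip: {"posts": n, "redirects": n}} for every IP that sent at
    least `threshold` POST requests to a WordPress login endpoint."""
    stats = defaultdict(lambda: {"posts": 0, "redirects": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable line or not a login submission
        path = m["path"].split("?", 1)[0]
        if not path.endswith(LOGIN_PATHS):
            continue
        entry = stats[m["ip"]]
        entry["posts"] += 1
        # Assumption: wp-login.php answers a failed login with 200 (form shown
        # again) and a successful one with a 302 redirect.
        if path.endswith("/wp-login.php") and m["status"] == "302":
            entry["redirects"] += 1
    return {ip: dict(s) for ip, s in stats.items() if s["posts"] >= threshold}


# Constructed sample lines; IPs are from documentation ranges.
_TAIL = 'HTTP/1.1" {} 0 "-" "sample-agent"'
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:02:14:%02d +0000] "POST /wp-login.php ' % i
    + _TAIL.format(200)
    for i in range(8)
] + [
    '203.0.113.7 - - [10/Mar/2024:02:14:09 +0000] "POST /wp-login.php ' + _TAIL.format(302),
    '198.51.100.20 - - [10/Mar/2024:09:01:12 +0000] "POST /wp-login.php ' + _TAIL.format(302),
    '198.51.100.20 - - [10/Mar/2024:09:01:13 +0000] "GET /wp-admin/ ' + _TAIL.format(200),
    '192.0.2.44 - - [10/Mar/2024:09:05:00 +0000] "GET /blog/hello-world/ ' + _TAIL.format(200),
]

if __name__ == "__main__":
    for ip, s in summarize_login_activity(SAMPLE_LOG).items():
        note = "possible successful login, review now" if s["redirects"] else "repeated attempts"
        print(f"{ip}: {s['posts']} login POSTs, {s['redirects']} redirects ({note})")
```

An IP address with many login POSTs followed by a redirect is the one to check first, since a guessed password may have worked; reset that account's password and review its recent activity before blocking the address.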


How Did My WordPress Site Get Hacked?

Unfortunately, it’s a common problem that affects many website owners, and there are various reasons why it can happen. One of the biggest reasons WordPress sites get hacked is weak password security. If your WordPress password is weak or easily guessable, hackers can easily gain access to your site and perform all sorts of malicious activities.

That’s why it’s essential to use strong, complex passwords that are difficult to guess. It’s also important to ensure that all user information, including FTP and web hosting, is properly encrypted and secured. On top of that, by installing a two-factor authentication plugin, you can help protect your WordPress site from being hacked and keep your valuable data and information safe.

What Steps Should You Take?

Your WordPress website can be hacked if you don’t take serious steps to improve your site’s security. And even if it is hacked, it’s still a good idea to prevent this from happening again.

In this section, we’ll discuss what preventive measures you should take before your WordPress site is hacked and after it has been recovered.

Steps to Take Before Your WordPress Site Gets Hacked

Let’s start by looking at the precautionary steps you should take to prevent hackers from breaking into your WordPress site.

1. Update your WordPress and your plugins to their latest versions

According to WordPress, only 62% of sites have the latest version of WordPress installed, while 40% of websites don’t. Since WordPress powers millions of websites, it poses a serious security risk to many of them.

One of the main reasons people don’t update their WordPress installations is the misconception that updating WordPress is a complex and time-consuming process. Many website owners also fear that updating their websites will cause them to break or lose their data, which sometimes is true, depending on the level of customization present.

However, this is far from the truth. WordPress updates are designed to be user-friendly, and they’re often automated to simplify the process.

Another reason for not updating WordPress is the assumption that their website needs to be bigger or more significant to be targeted by hackers. However, this is a dangerous misconception as hackers often target small websites because they tend to have weaker security measures.

It’s crucial to understand that outdated WordPress versions can leave your website vulnerable to security breaches and slow down your website’s performance. Many people fail to update their WordPress to the latest version either because they are unaware of the update or forget about it. This exposes them to many security threats, as each new update comes with new bug fixes and security patches.

And the same goes for other outdated software like WordPress plugins. Keeping them up to date will help ensure all the security fixes are applied, leaving no room for hackers and malicious code to sneak into your website.

2. Always create backups

While many people realize the importance of backing up their websites, sadly, most don’t actually do it.

No matter how many security measures you take, there’s still a chance your WordPress website may get hacked. And once your website is infected by hackers who put in their own malicious code and files, it won’t be able to return to its former self.

In this case, a recent backup of your WordPress files is essential. For this, you can use several well-known WordPress plugins like BackupBuddy and Jetpack, both of which have different payment plans depending on requirements. Jetpack is included with HostPapa Optimized WordPress plans. Or, you can use HostPapa’s secure and reliable Automated Website Backup solution to secure your website’s files in the web server.

3. Install the top WordPress security plugins

In general, WordPress is highly secure. But many of the plugins and fancy themes you install on it are not. These provide a gateway inside your website that hackers are looking for. Before you know it, your site is hacked and blacklisted by Google.

For this reason, it’s important to regularly scan your WordPress sites for malware and other malicious forms of code. In addition, it’s also equally important to actively monitor your website for any incoming threats as well.

For that, installing a WordPress security plugin is a must.

Currently, the two best plugins in this regard are Wordfence and Sucuri. Both provide great security features such as scheduled malware scanning, real-time IP monitoring, spam detection, etc. These security plugins have different plans you can subscribe to, and none of them cost more than $200 per year to get you started.


Steps To Take After Your WordPress Site Has Been Hacked

When you’re looking at a hacked WordPress site, don’t panic. Follow the steps below to bring it back to normal.

1. Get Ahold of Your Website Backup Files

The first step you should take after your site has been hacked is to look for any backups you may have of your site. If your backup has been stored on the same server as your website, it’s highly likely that the backup isn’t there anymore – or has been corrupted. That’s why keeping your website’s backup in the same place you store your WordPress website is never a good idea.

There are three likely places where you might have a backup of your WordPress website:

  • Inside your WordPress backup plugin service. If you’ve installed a WordPress backup plugin, chances are they’ve stored a backup of your site on their own cloud service or on a cloud service like Google Drive or Dropbox.
  • In your own account in the cloud. Check out your Google Drive, Dropbox or other cloud services. You may have a copy in the cloud if you have a manual website backup.
  • With your hosting provider. If you didn’t invest in a WordPress backup plugin or don’t have a manual website backup, your last bet is to contact your hosting provider since it’s highly likely that they also regularly create a backup of your website on their server. The hosting control panel will be the first place you should look for your website backup files. HostPapa’s Automated Website Backup ensures you have up to seven website backups ready to be easily restored back into your account. This way, data loss is a thing of the past.

You’re good to go if you can find a backup from one of these places! All you have to do is manually restore your website, using one of the plugins where you created the backup or by asking your hosting provider to do so.

2. Remove All Your Unused/Outdated Themes and Plugins

As mentioned above, themes and plugins are one of the easiest ways hackers access your website. The more unnecessary and unused plugins you have, the more vulnerable you leave your website to unexpected attacks.

That’s why the moment you restore your backup, here are three important steps you should take:

  • The first thing you want to do is browse your list of plugins and themes and delete the ones you haven’t used in a long time, especially the deactivated ones.
  • Another vital thing you should do is look out for plugins and themes that haven’t been updated in a long time. Because the longer a theme or plugin goes without an update, the more security holes it leaves in your WordPress backend.
  • The final thing you want to check is whether your site uses a free theme. If you’re using a free theme, consider upgrading to its paid version or another paid theme, as those tend to provide better security to your WordPress site.

Many people assume that since they’ve deactivated a plugin or theme, it can’t cause harm to their WordPress backend. But that’s totally untrue. The plugin, even if deactivated, is still installed on your server and occupies space, which means hackers can still access it.

And finally, once you’ve deleted all the unnecessary plugins and themes, update the ones you plan to keep to their latest versions.


3. Update All Your Usernames and Passwords

One final thing you should do is update your WordPress admin account username and password. Because your WordPress site was recently hacked, this is the best way to protect yourself from future attacks.

Here’s what you can do to fortify your WordPress login information:

  • Change your WordPress login password every few weeks.
  • Stop using the default username, i.e. ‘admin’ or similar. Instead, use a unique username.
  • Generate a strong password using a service like LastPass and store your password inside it for maximum security.

These tips apply to your WordPress login info and are also useful when you update your hosting account or FTP account password.

Another way you can protect your website from being attacked again is by hiding the ‘wp-admin’ directory and by limiting the number of login attempts which can be made to enter your WordPress. Both these things can be done using the WPS Hide Login and WPS Limit Login Attempts plugins.

3 Useful Tips You Can Use To Secure Your WordPress Site From Further Attacks

“Better safe than sorry”…

This sentence is almost cliché, but in the case of WordPress, it cannot be more true. Your website takes a lot of time, money and energy to build. But one simple attack by a malicious hacker can bring it down instantly.


To make sure nothing like that happens, here are a few tips you can use to make your WordPress website extra secure.

Tip # 1: Enable two-factor authentication.

If you’ve shared the password to your WordPress backend with multiple people, you should enable two-factor authentication for each one (including yourself).

Two-factor authentication ensures that even if your WordPress login details get leaked by someone, no hacker can enter your dashboard without you knowing an attempt was made.  

Tip # 2: Invest in a firewall solution and SSL certificate.

A firewall will block any suspicious network traffic from entering your WordPress website. And even if some harmful traffic gets into your site, an SSL certificate will encrypt sensitive information within your website so that no one can access it. And in this way, your website will be protected from both ends.

To get an SSL certificate and firewall for your website, you’ll need to subscribe to one of the more premium plans within your WordPress security plugins. And if you don’t want to, you can purchase an SSL certificate from your hosting provider separately.

Tip # 3: Choose your hosting provider carefully

Make sure you host your website with a good hosting provider. That’s because they are responsible for keeping your website safe on their servers.

But the sad truth is many hosting providers fail to provide the high level of security needed to keep your site safe. According to WPWhiteSecurity, 41% of websites are hacked due to a security vulnerability on the site’s hosting platform.

That’s why you should research and choose a hosting provider with a good reputation for being secure and who goes the extra mile to protect your website on their servers.

Summing It Up

Once you’ve taken these precautions and followed the tips and strategies outlined in this blog post, you can be sure the chances of your website being hacked will be dramatically reduced.

And even if it gets hacked, you can finally have peace of mind that no matter how strong an attack your website faces, you’ll always be able to restore it to its former glory in just a few hours.

Enjoyed this post? Then head to our HostPapa blog to read more exciting topics like this one!
