Podcast Episode

434 – How Do I Know if My WordPress Site is Hacked?


Is there a plugin for that?

With more than 50,000 plugins in the WordPress repository, it’s hard to find the perfect one. Each week, I will highlight an interesting plugin form the repository.

For more great plugins, download my 50 Most Useful Plugins eBook.

Catch Scroll Progress Bar is a simple yet handy WordPress plugin that provides a visual representation of how much of a blog post remains. As your reader scrolls down your web page, the progress bar begins to fill, indicating how much progress they’ve made.

How Do I Know if My WordPress Site is Hacked?

Here are a few things to look for to ensure that your WordPress has been hacked.

  • Check to make sure your home page is what you think it should be
  • Make sure your site is not running slower than normal
  • Check to make sure your site isn’t spamming viewers with ads and popups
  • See if traffic has decreased. If so, that could mean your site has been compromised
  • Monitor to make sure files on your server aren’t being changed
  • Double check to make sure there are no additional admin accounts on your site
  • Make sure your admin account has not been deleted

Thank You!

Thank you to those who use my affiliate links. As you know I make a small commission when someone uses my link and I want to say thank you to the following people. For all my recommended resources, go to my Resources Page

Full Transcript

Business Transcription is provided by GMR Transcription.

On today’s episode, we are going to talk about the top signs that our WordPress site might be hacked, right here on “Your Website Engineer” podcast, episode number 434. Hello, and welcome to another episode of “Your Website Engineer” podcast. My name is Dustin Hartzler. I’m excited to be here with you today because I’ve been digging into some WordPress things and thought maybe we should talk about this; what happens or what it may look like to have a hacked site. This all came about today as I was updating some outdated plugins – believe me, this never happens. But no, I was updating some outdated plugins on my WooCommerce test site, one of those sites that I don’t use very often, but I just noticed there was a ton of things out there.

And I thought, “Hey, we always talk about keeping things updated, but we never really talk about what could happen or what may happen to your site or what are some of the results of being hacked or having your site compromised.” So, we’re gonna go ahead and talk about those things today. I do have a couple of announcements and a plugin to share with you first, but let’s go ahead and dive right in. The first thing is, and I, for some reason, missed this last week, is WordPress, a security release of 5.1.1. And it’s now available as of last week – or March 12th, actually, and it basically does a few things.

There are some changes to help users prepare for the minimum PHP version bump that’s coming up to 5.2, making sure that people aren’t using too old a versions of what not, and they’ve got a handful of other things that are in there. It now has the ability to go in and update PHP and all that kind of stuff. But if you haven’t updated to 5.1.1, I recommend doing that this week. So, that’s the first announcement. The second piece of news that I wanna share with you today is an article from the Houston Chronicle, and this is all about – it’s article with Matt Mullenweg kind of talking about how he’s made Houston his home base, talks a little bit about what the tech space looks like in Houston and Austin, per se, and just a lot of question and answers about how Automattic works, what the distributive model works and those types of things.

So, if you’re interested in that, check out the show notes for episode number 434, and you can go to yourwebsiteengineer.com/434 and you can find it there, or you can search for it on the Houston Chronicle website at houstonchronicle.com. And the other thing that I want to share today is, right before I started recording this, I got an e-mail from Flywheel. And Flywheel is a – both a great hosting company and they have a software tool called Local by Flywheel, and it is a great way to create WordPress sites that run locally on your machine. So, if you wanted to take it offline or you wanted to work so it’s a little bit faster and you don’t have to wait for uploading things to the – a cloud server or what not, you can use a tool like Local by Flywheel.

And it has four different videos created by Zack Gordon. He’s a WordPress educator. He spends a lot of time helping people learn JavaScript and how that works within the WordPress ecosphere. But he has four videos, and there’s a link to these in the show notes as well, on how to use a Flywheel. It’s basically an overview; then there’s a video on importing, cloning, and exporting sites; then there is a tutorial on how to push sites live, and then there is a tutorial on favorite features for developers. None of the videos are more than four minutes in length, and so you’ve got about 12 to 13 minutes’ worth of video content.

If you haven't checked out Flywheel, I do recommend that. It is one of the easiest ways to get set up. I recommend this a lot to WooCommerce customers as they are getting ready to try to figure out what’s going on their site. Sometimes, it just makes a lot of sense to make a local copy of it and then do some debugging and some testing there. All those videos are on YouTube, and again, like the other two announcements, the link is in the show notes for episode number 434. Okay, moving on into the “is there a plugin for that?” There is a plugin that I wanna share today, and I believe I’ve done one similar to this but this is something that’s been catching on.

I’ve been noticing it on more and more websites, especially blog and long-form article type websites. But this is called Catch Scroll Progress Bar, and it’s a simple but handy – a small plugin for WordPress that provides a visual representation of how much a blog remains. And so, you might see this as you scroll down. There’s a little bar going across the top or across the bottom of the page, and it’s just a very subtle visual that lets you know how much is left on this page. It, I think, is kind of cool. It empowers you to just kind of let people know how much more they have to read, and you can control whether this goes on the front page or blog page or posts or pages.

And it’s really cool, you select the background color, the foreground color, and you’ve got some other options as well. And it also allows you to set how tall you want the bar height to be and if there’s a border radius and a few other fine-tuned details. So, if you're interested in something like that to add to your plugin repertoire or to your website to make that visual of long of a blog post you have left, I recommend checking out Catch Scroll Progress Bar. All right, moving right along. Like I said at the top of the show, I just wanted to share a few different ways to let you know if your website has been hacked and some things that may trigger your mind really, really quickly, and to try to go about trying to fix what might have happened to your website.

So, to preface the whole conversation is the way to fix a website – there’s different ways to do this, and I’ve done this in the past. One time my site was hacked and it changed any file I had in PHP, it added some malicious code at the very top of it, and I one time went through the Via F2P and deleted all of the malicious code from my website. It was a big pain, it took forever, and that is not the best way to recover from a hack. One of the best ways to recover from a hack is to have an active backup. And I’ve talked about this on shows before, but to have a plugin, whether it be iThemes or iThemes BackupBuddy, or the BackWPup is the one I recommend, or VaultPress or any of the plugins that are out there.

I recommend always having a backup plugin there. The WP backup plugin is a free plugin. You can back it up and you can send those; you send the backup off to DropBox or to Amazon S3 or any of those services that keep your data away from your server that your website is hosted on. So, that’s the first thing. The first piece of news is, make sure that we have a backup because clicking a button to restore a backup is way less painful than spending hours combing and digging through files and trying to figure out where the malicious attack has happened. So, let’s go ahead and run down through some of these. The first way that you may know that something has happened or your site has been compromised is your homepage is different.

This seems like an obvious sign, but how many times do we actually check our homepage? Honestly, what I do is I log in, I go to yourwebsiteengineer.com/, and then the UR – my custom URL to log in. And from there, I log in and then I do whatever I need; I publish the article, and a lot of times, I don’t even preview the image itself or preview the blog post that I’ve created. But most of the time, I never even look at that homepage. So, the primary goal of some hacks is to troll a website or to get notoriety, so they change your homepage just to something funny or leave it hacked. It may say something like, “This site is owned by such and such.”

So, you do wanna check regularly to make sure that there are no issues with your homepage and make sure there’s nothing going on, on your homepage. Make sure it’s exactly the way that you left it the last time and make sure everything looks good. The second thing to look at is, has your performance of your website dropped in any way? Your site may feel sluggish when there is an infection or you could experience slowdowns if your website is – experienced one of those, they’re called brute-force attacks, or if there’s a malicious script that is attacking your server. And sometimes, even cryptocurrency that could – if there’s something of that running on the server that your website’s on, that could really slow down your site.

And so, you wanna make sure that you’re not seeing anything along those lines. I would recommend Jetpack monitor. It is a free plugin; Jetpack is, of course. But there’s a monitor plugin or a module inside of Jetpack, and what that does is it will e-mail you when your website goes down. And that’s another thing that could happen if your website has been compromised in some way. If there are so many attacks, it could shut your website down. If you do see that your website is running slowly, then check your server logs. This is a great place to look to see if there’s any unexpected number of requests.

You can also use a web application firewall or something like that – Secury, secury.net uses to protect these what are called a denial-of-service attacks or DDOS. A drop in performance doesn’t necessarily mean someone hacked your site. It might mean that configurations have changed or things might have changed on your WordPress website. It may be on the server side of things. And so, if you see your website’s – it looks like it’s a little bit slower or doesn’t feel quite as peppy as it normally is, then check your log files and just see if there’s anything going on there. Contact your host and see if they can run a scan just to see if there’s anything going on for your website. So, check your website performance.

Item number three on the list is, your website contains malicious or spam pop-up ads. There's a good chance that your website has been compromised if your visitors are seeing pop-ups that redirect them to a malicious website. The goal of this type of attack is to drive traffic away from your website to the attacker’s site so they can use targets or they can use click fraud as pay for click advertising. The most frustrating thing about this type of hack is that you might not be able to see the pop-ups. A pop-up hack is designed to not be shown for logged-in users, which decreases the odds of a website user actually seeing them. So, even when a site owner logs out, the pop-ups will never display.

One other thing to be cognizant of here too is the pop-ups may be limited if you use some sort of ad blocker. And so, maybe you have somebody that comes to your website, and they’re seeing these pop-up ads and they send you a screenshot and say, “Hey, I’m – this is what I’m seeing when I go to this page on your website,” and if you try to replicate that and duplicate that and you can’t see it, then more – most likely you might already have a pop-up blocker already enabled for your website or for your browser. So, make sure that you turn that off, and you can check to see what might be causing that. If you are indeed seeing pop-ups, then there’s a good chance that it is some sort of malicious code running on your website.

Item number four is you decr – you notice a decrease in website traffic. So, if you log into Google Analytics, maybe you see a steep decline in your website traffic or maybe your – folks aren’t staying on your website nearly as long. Definitely, a drop in traffic drastically needs some sort of investigation. It could be a malicious script on your site that’s redirecting folks away from your site or Google could be blacklisting your website as a malicious site. One thing to check there is you can Google your – the name of your website, so, in my case, it’d be “Your Website Engineer,” and then usually you get the first results and what not.

But if you're not seeing your first results, or sometimes it will say, “This site is a malicious site” or “There is spam on this site” in the Google search results, and so people aren't clicking on those. So, make sure you are looking at Google Analytics or even Jetpack, if you have Jetpack enabled and you're looking at site stats, that’s there. You can check to see if you do have a steady drop of traffic. And these are all good to kind of keep an eye on. And even if you don’t think that you're having some sort of problem, just keep an eye on “Oh, I should check my website every once in a while in a logged-out state, make sure the homepage is okay, check my traffic every once in a while to make sure that I don’t see a big spike in traffic, either up or down.” And so, check out those things.

Another thing that you may see, and this could happen if you have a website’s that’s been under attack, is sometimes you will see unexpected file changes. So, if files on your website have changed, if they’ve been added or removed, it could be a sign that your site has been compromised. This is why it’s essential to have some sort of notification system in place to alert if you there’s been any website file changes. I know that some website hosting companies do this. I know Flywheel did a great job this, in e-mailing me when there was something that was wrong or had changed. You could use iThemes’ security plugin to track a file changes.

And you might get a lot of notifications, so those can be tweaked. You probably don’t want to be getting regular notifications when your backup or cache files have changed because those change quite regularly, but you wanna make sure that you are making sure that there are no code changes in any of the WordPress core files or in any plugin or theme files. The sixth item is unexpected new users. Now, sometimes we see this and our sites aren’t compromised. If there is somewhere that somebody can register for your WordPress site, they can register in – by the login page or something and they’ll be set as a subscriber, this happens a lot, and this can be avoided with some spam protection.

But if you’re starting to see new admin accounts that are under “administrator,” they have full rights to your website, this is a – bad news. Sometimes people can get in through a compromised username and then get in. Other times there’s different ways to hack in and get into a website. But if you see this, for sure, delete those users, change your username and password from WordPress, and try to kind of minimize the damage if you see somebody has logged in and created a new admin account. And the last one is admin users are removed. Sometimes this happens if you are unable to log in to WordPress even after a password reset.

This may be a very serious sign of an infection. Then, the hacker might have been able to get in, then they were able to create their own admin account and then delete you as an admin account and pretty much lock you completely out of your website. One of the ways to get around this is to have two-factor authentication, so every time that you log in to your WordPress site, it also asks for a password so you can log in with a password that’s sent via text to your phone or in your – the two-factor authentication code that's enabled that – some sort of a generator that’s giving you that six-digit code to log in.

Now, if you do get locked out completely, as long as you haven’t got locked out of your website host, you should be able to go in and manually add a new admin user and then delete the old one. But if you get to that point, it’s definitely, definitely a high-priority item to get rid of that other user, log in yourself, change all your passwords for everything, and try to figure out what’s going on and try to keep people out. Definitely one of the plugins to recommend is that iThemes Security Pro. Go through there and make sure you’ve checked all the boxes and you’ve changed as many things to make it as difficult and as hard for hackers to get into your WordPress website.

So, those are the things that I wanna talk about today. Again, your homepage is different, your performance has dropped, your site contains malicious spam or code or pop-up ads, you notice a decrease in website traffic, you see unexpended file changes, unexpected new admin users, and admin users are being removed from your website. If any of those happen, then it is stop everything you’re doing, try to figure out what’s going on, restore backup, change passwords, and then try to limit the login attempts. That’s another great plugin. There's one called Limit Login Attempts that will allow you to make sure that only people from certain IP address ranges, or you can really lockdown who can access and get into your WordPress dashboard.

That’s the things that I want to share with you today. Now, hopefully, all this is an – just an episode for the future you, the future that will never actually happen. Kind of like insurance. We’re getting ready and we have this insurance policy just in case, hopefully, we never have to go through these steps to make sure that our website is or is not hacked. I hope your future with WordPress is great and is not filled with malicious sites, and that you never have to deal with the headache of trying to fix a site that has been just jampacked with malicious code. That’s what I wanna share with you this week. Take care and we’ll talk again soon.

Oh, and by the way, the last thing that I forgot in the new section is I'm looking for – and I have an upcoming sabbatical with Automattic over the next – it’s May through the end of July, basically, and I wanna batch some of my episodes while I’m going, and so, then that way I don't have to every week record a podcast episode. And I’m looking for who – what type of plugins or premium themes or premium plugins or services, what can I review? I wanna do some reviews of some of the premium services out there just to see what they’re like and how they will best work. Do you wanna know how the Divi plugin works or the Divi theme or Beaver Builder or if – what type of backup service do you want me to test out?

If you have something specific that you just are on the fence, “I don’t know if I should purchase or not,” I’d love to do a review of that over the next coming months. So, if you’ve got something like that, send an e-mail to dustin@yourwebsiteengineer.com, or you can send a tweet @DustinHartzler and I’ll be happy to answer them there, or as always, you can use the Contact form on yourwebsiteengineer.com. That’s all I’ve got for you this week. Take care, and we’ll talk again soon. Bye-bye.