This is one of the questions I get emailed most often by readers of my Types of WordPress Malware Attacks and What They Do series.
99% of the time, website owners are the last ones to find out that their WordPress website has been hacked, after visitors, Google, website scanners, and their hosting provider.
Some signs that your WordPress site has been hacked include a drop in website traffic or performance, added bad links or unknown files, popups or redirects, an inability to log in, suspicious new user accounts, and more.
The most common signs of a hacked WordPress website are:
Suspicious User Accounts
If you see new Administrator users that you did not create, then your website has definitely been hacked!
🚩 If you notice strange Admin accounts delete them immediately!
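A practical way to catch the new Administrator accounts described above is to record the list of admin logins while the site is known-good and diff the current list against it from a cron job. The following is an added example and not code from the original post; `snapshot_admins` assumes WP-CLI (`wp`) is installed and is run from the WordPress root, while `unexpected_admins` only needs two text files and is what the constructed fixture exercises.

```shell
#!/bin/sh
# Added example (not from the original post): keep a baseline of Administrator
# logins and report any login that appears later.

# Record the current administrators with WP-CLI (--role, --field and --format
# are real WP-CLI flags). Assumes `wp` is installed; run from the site root.
snapshot_admins() {
    wp user list --role=administrator --field=user_login | LC_ALL=C sort > "$1"
}

# Print logins present in the current list ($2) but absent from the baseline
# ($1). Both files hold one login per line; they are sorted here so `comm`
# gets the ordering it requires. Returns 1 when at least one new admin exists,
# so a cron wrapper can alert on the exit status.
unexpected_admins() {
    base=$(mktemp)
    LC_ALL=C sort -u "$1" > "$base"
    new=$(LC_ALL=C sort -u "$2" | LC_ALL=C comm -13 "$base" -)
    rm -f "$base"
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Constructed sample data standing in for two snapshots: the baseline taken
# on a clean site ($1) and a later snapshot ($2) containing one newcomer.
write_admin_fixture() {
    printf 'alice\nbob\n' > "$1"
    printf 'bob\nalice\nwp_support\n' > "$2"
}

# Usage on a real site:
#   snapshot_admins admins.baseline          # once, while the site is clean
#   snapshot_admins admins.now && unexpected_admins admins.baseline admins.now
```

The snapshot records logins only; if you also want to notice an existing admin's e-mail being changed, capture `--fields=user_login,user_email --format=csv` instead and diff those files the same way.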
For sites that have lots of users, it’s useful to constantly monitor what they’re up to so you can quickly detect suspicious activity. There’s no centralized location for actions taken by all WordPress users, so there’s no efficient way to audit your site at regular intervals, which is where the new Nashaat plugin comes in.
Nashaat (Arabic for “activity”) logs and monitors user activity so you can troubleshoot errors, trace actions back to the user who performed them, protect your website, or increase productivity.
I find the plugin extremely useful for a site with multiple users, as it gives you a way to monitor others’ activity. It is a great plugin that you should definitely consider adding to your site!
I’ve been cleaning hacked WordPress websites for more than 5 years, and a while ago I decided to start storing all the unknown or modified WordPress files that I discover. They are kept in the GitHub repository stefanpejcic/wordpress-malware, where you can see examples of malware files.
If you have SSH access, you can search for PHP files in the uploads folder (there shouldn’t be any) using the command:
find wp-content/uploads -name "*.php" -print
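The one-liner above catches files ending in `.php`, but a broader sweep of the uploads folder is cheap and catches the usual variations. The following is an added example, not a command from the original post: it extends the same `find` to other extensions that PHP handlers commonly execute (`.phtml`, `.php5`, `.php7`, `.phar`), to double extensions such as `image.jpg.php`, and to any `.htaccess` planted inside uploads, which is worth reviewing because server configuration normally keeps PHP execution out of that directory. The fixture directory and the file names in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): a broader version of
#   find wp-content/uploads -name "*.php" -print

# Print every suspicious file under the uploads directory given as $1, as
# paths relative to that directory, one per line, in C-locale sort order.
# Running find from inside the directory avoids interpolating the path into
# sed, so directories with unusual characters in their names are safe.
find_uploads_php() {
    ( cd "${1%/}" && find . -type f \( \
          -iname '*.php' -o -iname '*.phtml' -o -iname '*.php5' \
          -o -iname '*.php7' -o -iname '*.phar' -o -name '.htaccess' \) \
      | sed 's|^\./||' | LC_ALL=C sort )
}

# Build a constructed fixture tree so the check can be run without a real
# site: two legitimate-looking images plus three planted files. The planted
# files contain only a comment; no payload is involved.
make_uploads_fixture() {
    dir=$1
    mkdir -p "$dir/2024/01" "$dir/2024/02"
    printf 'not really a jpeg\n' > "$dir/2024/01/photo.jpg"
    printf 'not really a png\n'  > "$dir/2024/02/logo.png"
    printf '<?php // constructed sample, no payload\n' > "$dir/2024/01/photo.jpg.php"
    printf '<?php // constructed sample, no payload\n' > "$dir/2024/02/cache.phtml"
    printf '# constructed sample .htaccess\n' > "$dir/.htaccess"
}

# Usage on a real site, from the WordPress root:
#   find_uploads_php wp-content/uploads
# Demo against the constructed tree:
#   d=$(mktemp -d); make_uploads_fixture "$d"; find_uploads_php "$d"
```

A hit is not automatically malware (a few plugins do write PHP into uploads), but every match is a file that a human should open and account for, and a match with a double extension or a `.htaccess` you did not place there deserves the same treatment as a rogue admin account.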
Popups and Redirects
Some malware can be tricky! So-called referral-specific malware only activates depending on where visitors come from; for example, it may check whether the referrer is a Google search and display the popup only then.
On the other hand, some malware will only display popups to non-logged-in users, in order to avoid being detected by the Administrator user.
Here is an example of a phishing popup imitating Cloudflare that downloads malware:
If any visitor reports to you that they were redirected to a third-party website or shown a popup on your website that you are sure you didn’t create, then your site is most likely hacked and you should fix it ASAP! See: How to clean up a hacked WordPress site (Complete Guide)
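Because this kind of malware hides from the logged-in administrator and from direct visits, the check has to be made the way an ordinary visitor arrives. The script below is an added example and not part of the original post: it fetches the same URL logged-out as a direct visitor, as a visitor arriving from Google, as Googlebot and as a mobile visitor, and prints a size and md5 fingerprint of each response body. It assumes `curl` is installed; the user-agent strings are assumed values chosen for illustration. Identical fingerprints say nothing by themselves, but a body that differs only for the Google-referrer variant is exactly the symptom described above and should be diffed by hand.

```shell
#!/bin/sh
# Added example (not from the original post): fingerprint one page as several
# kinds of visitor so referrer- or user-agent-conditional content stands out.

# Portable md5 of stdin (GNU coreutils md5sum, or BSD/macOS md5).
md5_stdin() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1
    else md5 -q; fi
}

# Fetch $1 once with user agent $3 and referrer $4 (empty = no Referer
# header sent), then print "label size md5" for the body. -L follows the
# redirects that hacked sites often add, -s silences curl's progress meter.
fetch_variant() {
    url=$1; label=$2; ua=$3; ref=$4
    set -- -sL -A "$ua" "$url"
    [ -n "$ref" ] && set -- -e "$ref" "$@"
    body=$(curl "$@")
    printf '%-10s %6d %s\n' "$label" "${#body}" "$(printf '%s' "$body" | md5_stdin)"
}

# Fetch all variants of $1 and print the table. Returns 0 when every body
# hashed the same and 1 when at least one variant differs (worth inspecting).
fingerprint_variants() {
    url=$1
    chrome='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36'
    bot='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    mobile='Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36'
    out=$(
        fetch_variant "$url" direct    "$chrome" ''
        fetch_variant "$url" google    "$chrome" 'https://www.google.com/'
        fetch_variant "$url" googlebot "$bot"    ''
        fetch_variant "$url" mobile    "$mobile" 'https://www.google.com/'
    )
    printf '%s\n' "$out"
    distinct=$(printf '%s\n' "$out" | awk '{ print $3 }' | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq 1 ]
}

# Usage:  fingerprint_variants https://your-site.example/  || echo "variants differ"
```

This only sees what the server puts in the HTML; malware delivered by JavaScript after page load will look identical in every row, so a clean table does not clear the site, while a differing row is a strong lead. Run it from a machine that is not logged in to the site, since a WordPress login cookie is exactly what the conditional malware checks for.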
Strange External Links
These links are injected into the website content and should be checked manually.
If you don’t see any of the above signs that your website is hacked but still suspect it, then you should perform the following checks:
Search for your website on Google using the format site:domain.com. If the website is compromised and Google has indexed the injected pages, you should see them in the search results:
Use security vulnerability scanners to discover your points of security weakness. Test your WordPress Application, Web Server, System, and Firewall for any issues.
In this post I discussed three ways to scan your WordPress website for vulnerabilities:
- Burp Suite
Verify WordPress Checksum
Malware has evolved to the point that it is almost indistinguishable from regular code, which is why checksum verification is so important.
To detect any non-standard WordPress core and plugin files you can use the verify-checksums commands in WP-CLI (the WordPress Command Line Interface).
wp core verify-checksums
This command downloads the md5 checksums for the currently installed version from WordPress.org and compares them against the files on disk.
To check WordPress plugins, run:
wp plugin verify-checksums --all
Browse the files and code manually
Here you can see a list of all WordPress core files:
wp-admin wp-content wp-includes index.php license.txt readme.html wp-activate.php wp-blog-header.php wp-comments-post.php wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php
Browse the files of your website and compare them with the list above; anything that is not on it and does not belong to wp-content is suspect.
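Both checks above, the WP-CLI checksum verification and the manual comparison against the core file list, come down to the same operation: hash what is on disk and compare it with a manifest of what should be there. The script below is an added example, not code from the original post or from WP-CLI, that performs that comparison offline and reports three kinds of finding: MODIFIED (hash differs from the manifest), MISSING (listed in the manifest but absent on disk) and EXTRA (present on disk but not in the manifest, which is the "unknown file" case the manual browse is meant to catch). The real `wp core verify-checksums` fetches the manifest for your version from WordPress.org; here a small core-like tree and its manifest are constructed, then tampered with, so the script runs anywhere. It assumes `join` and either `md5sum` or `md5` are available and that paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the original post): offline manifest verification in
# the spirit of `wp core verify-checksums`.

# md5 of a file: GNU coreutils md5sum, or BSD/macOS md5.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    else md5 -q "$1"; fi
}

# Hash every regular file under $1 and print "md5  path" lines (md5sum
# format), sorted by path in the C locale so `join` can consume them.
hash_tree() {
    root=${1%/}
    ( cd "$root" && find . -type f | sed 's|^\./||' | LC_ALL=C sort ) |
    while IFS= read -r f; do
        printf '%s  %s\n' "$(md5_of "$root/$f")" "$f"
    done
}

# Compare manifest $1 ("md5  path" lines) against the tree rooted at $2.
# Prints "MODIFIED path", "MISSING path" or "EXTRA path" per finding, in
# path order, and returns 1 if there was at least one finding.
verify_tree() {
    manifest=$1; root=$2
    expected=$(mktemp); actual=$(mktemp)
    LC_ALL=C sort -k2 "$manifest" > "$expected"
    hash_tree "$root" > "$actual"
    findings=$(
        # Join on the path (field 2 of both files). -a 1 -a 2 keeps unpaired
        # lines; -e fills the absent hash with the word MISSING; -o emits
        # "path expected_md5 actual_md5".
        LC_ALL=C join -1 2 -2 2 -a 1 -a 2 -e MISSING -o 0,1.1,2.1 "$expected" "$actual" |
        awk '$2 == "MISSING" { print "EXTRA "    $1; next }
             $3 == "MISSING" { print "MISSING "  $1; next }
             $2 != $3        { print "MODIFIED " $1 }'
    )
    rm -f "$expected" "$actual"
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed fixture: a tiny core-like tree at $1, a manifest of it at $2,
# then one file modified, one removed and one unknown file added.
make_core_fixture() {
    root=$1; manifest=$2
    mkdir -p "$root/wp-includes"
    printf '<?php // index\n'   > "$root/index.php"
    printf '<?php // version\n' > "$root/wp-includes/version.php"
    printf '<?php // load\n'    > "$root/wp-load.php"
    hash_tree "$root" > "$manifest"
    printf '<?php // index\n// constructed modification\n' > "$root/index.php"
    rm "$root/wp-load.php"
    printf '<?php // constructed sample\n' > "$root/wp-includes/extra.php"
}

# Demo:  d=$(mktemp -d); m=$(mktemp); make_core_fixture "$d" "$m"; verify_tree "$m" "$d"
```

On a real site the manifest would be the checksum list for your exact WordPress version, and wp-content should be excluded or verified against the plugin checksums instead, which is what `wp plugin verify-checksums --all` covers. Taking your own `hash_tree` snapshot right after a clean install or clean-up also gives you a manifest for anything WordPress.org does not publish checksums for, such as a custom theme.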