wp-admin » How to Identify if My WordPress Website is Hacked?

How to Identify if My WordPress Website is Hacked?

This is one of the most-asked questions that I get emailed from people that read some posts from my Types of WordPress Malware Attacks and What They Do series.

99% of the time website owners are the last ones to find out that their WordPress websites are hacked, after visitors, Google, website scanners, and their hosting provider.

Some signs that your WordPress site has been hacked include a drop in website traffic or performance, added bad links or unknown files, popups or redirects, an inability to log in, suspicious new user accounts, and more.

The most common signs of a hacked WordPress website are:

Suspicious User Accounts

If you see new Administrator users that you did not create, then your website had definitely been hacked!

image 45 1024x386 - How to Identify if My WordPress Website is Hacked?
All users

🚩 If you notice strange Admin accounts delete them immediately!

For sites that do have lots of users, it’s useful to constantly monitor what they’re up to so you can quickly detect suspicious activity. There’s no centralized location for actions taken by all WordPress users, so there’s no efficient way to audit your site at regular intervals. Which is where the new Nashaat plugin comes in.

Nashaat (Arabic for activity) logs and monitors user activity to troubleshoot errors, trackback actions, protect your website or increase productivity.

image 50 - How to Identify if My WordPress Website is Hacked?
Monitor WordPress Users Activity Log

I find the plugin to be extremely useful for a site with multiple users, providing you with a way to monitor others activity. It is a great plugin that you should definitely consider adding to your site!

Unknown Files

I’ve been cleaning hacked WordPress websites for more than 5 years and a while ago I decided to store all those unknown or modified WordPress files that I discover. Files are stored on GitHub stefanpejcic/wordpress-malware and in there you can see examples of malware files.

image 51 - How to Identify if My WordPress Website is Hacked?
Unknown Files in WordPress FIles

I recommend the WordFence plugin that will regularly scan WordPress core files and notify you via email if any changes are detected:

image 52 - How to Identify if My WordPress Website is Hacked?
Part of WordFence email

If you have SSH access, you can search for PHP files in the uploads folder (shouldn’t be any) using the command:

find wp-content/uploads -name "*.php" -print

Popups and Redirects

Some malware can be tricky! So-called referral-specific malware will only activate depending on where the visitors come from, for example, it could be checking if the referral is a Google search and only then display the popup.

See also  5 different methods to open all links in new tab on WordPress

On the other hand, some will only display popups to non-logged-in users, in order to avoid being detected by the Administrator user.

Here is an example of a Cloudflare phishing popup that downloads malware:

image 56 - How to Identify if My WordPress Website is Hacked?
Cloudflare phishing popup that downloads malware

If any visitor reports to you that he got redirected to a third-party website or shown a popup on your website that you are sue you didn’t create, then your site is most likely hacked and you should fix it ASAP! See: How to clean up a hacked WordPress site (Complete Guide)

If you use SEO tools such as ahrefs or Moz (if not, you should) to monitor your website SEO performance, you may notice strange external links.

image 62 1024x484 - How to Identify if My WordPress Website is Hacked?
ahrefs.com Outgoing links

These links have been added to the website content and should be checked manually.

If you don’t see any of the above signs that your website is hacked, but you still suspect it, then you should perform the following:

Google Dorking

Search for your website on Google in this format: site:domain.com if the website is compromised and Google indexed those pages then you should see them in search results:

image 39 - How to Identify if My WordPress Website is Hacked?
Google Dorking example

Website Scanners

Use security vulnerability scanners to discover your points of security weakness. Test your WordPress Application, Web Server, System, and Firewall for any issues.

In this post I discussed three ways to scan your WordPress website for vulnerabilities:

  • WPScan
  • Burp Suite
image 64 - How to Identify if My WordPress Website is Hacked?
wpscan vulnerabilities report

Verify WordPress Checksum

Malware has evolved so much to the point that it is almost indistinguishable from regular code, and that is why code checksum is such a thing.

To detect any of the non-standard WordPress core and plugin files you can use the verify checksums commands in WP-CLI (the WordPress Command Line Interface).

wp core verify-checksums

This command downloads md5 checksums for the current version from WordPress.org, and compares those checksums against the currently installed files.

To check WordPress plugins, run:

wp plugin verify-checksums --all

Browse the files and code manually

Here you can see a list of all WordPress core files:


Browse the files of your website and compare files with the ones on the link above.

image 65 - How to Identify if My WordPress Website is Hacked?
strange wp files

BONUS: 5 (Less known) WordPress Security Tips to keep your website safe from hackers 💁

Was this post helpful?

Leave a Comment

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.