7 signs you’ve had your WordPress site hacked

Whether you want to talk about it or not, every open source system can be targeted by hackers. While in my experience other systems are far worse (I won’t mention names), it is not unheard of to have your WordPress site hacked.

I’ll be going through security prevention in another post, but there are some very important things you should do to avoid getting hacked in the first place and the mitigate risks if you ever do. Regular upgrades of WordPress plugins, regular backup and security scans should be top of the list.

But for now, let’s look at how you know when your site has been hacked:

1. Your emails start bouncing

This is one of the worst things that can happen when your website is hacked. It works like this:

  • Hackers break into your WordPress site and install scripts that send out thousands of emails from your IP address.
  • People report them as SPAM.
  • SPAM lists like barracudacentral.org and spamhaus.org see the reports and add you to their block lists.

Sometimes you may not even know your site has been hacked, you’ll just notice people aren’t getting your emails. If you have an agency and are hosting websites for others, the ban may even affect your clients’ domains.

2. Bad content is added to your site

If your site is hacked, the hackers may gain access to one of your theme files. If this is the case, they can fairly easily add things into the site.

The impact can range from annoying to devastating. I’ve seen:

  • Sites that have a lot of (bad) invisible code added. This code is visible to crawlers like Google, invisible to the human eye and can slow the site down and ultimately, get your site added to blacklists.
  • Sites that have unwelcome links and content added into the footer on every page.
  • Sites that have been completely replaced with new content (and they tend not to be images of pretty puppies…).

If this happens, you may not know because the content may not always be visible.

3. Your website is slow or crashes

This can happen for a variety of reasons.

One reason may be that the hacker has added so much bad code that the site slows down. Another is that the hacker has added your site into a network of sites or a spam email network where traffic is sent to the site and re-directed.

Either way, this is not good. Hopefully, you will find out about it fairly quickly (assuming people are visiting your site regularly).

4. You are lumped with a big bandwidth bill

I’ve seen this on hosts that charge a lot for bandwidth. In Australia, bandwidth is very expensive and at least 10x at compared to the US as a general rule. It’s not uncommon for hosts to only provide you with a certain amount of bandwidth and when you go over, it is very expensive.

Bandwidth is used when people visit your site or send you emails. When your site is hacked, your bandwidth charges can potentially go through the roof from:

  1. Large files being added to your site, which increases the amount of data downloaded every time you have a visitor.
  2. Malicious scripts added to your server that send out thousands of emails that add to your bandwidth usage.
  3. Huge traffic spikes in the case where your site has been added to a network.

This can happen very quickly, and unless your host is in the habit of warning it’s customers when there are spikes, you may not know before it’s too late.

5. Your traffic plummets

If your site is hacked you might notice that your traffic disappears. This can happen for a few reasons:

  1. If the site has crashed or is slow, people will drop off.
  2. If Google has blacklisted your site, people will see warnings when they search for you in Google and they won’t click through.
  3. Your traffic is re-directed automatically to another site.
  4. Traffic will bounce as soon as they see anything unusual on your site.

Some people don’t actively monitor their website traffic, so it may not be obvious that this has happened.

6. Your traffic surges

A big traffic surge is also possible. In point 3 above, I talked about the situation where your site is added as part of a re-direct network. This could result in huge increases to your traffic in a short time period.

But don’t get excited there’s no benefit to this traffic! It will ruin your analytics reporting, slow your site and increase your chance of being added to a blacklist. Not to mention potentially crashing your server. Either way it kills the site experience for users and being blacklisted is going to result in less targeted traffic and a tarnished reputation.

7. Your website disappears

Sometimes when a site is hacked, a hacker can get into the files and remove the whole site.

I’ve seen it as bad as removing every single site on a server in extreme cases. If your host backs up their sites to the same server you can imagine how devastating that would be.

Do you know anyone who has had their site hacked?

Please tell us in the comments about what happened.

About

Dan Norris is a co-founder at WP Curve and a passionate entrepreneur with an obsession for content marketing.

42 responses to “7 signs you’ve had your WordPress site hacked”

  1. We once had someone interjecting code in a form that eventually changed the php. This allowed for hidden scripts to run. Google shut the site down with a malware warning for every person finding it via google. My boss was a master php guy, and fixed it. But ya, business wasn’t too good for a few hours over the course of a few days until he plugged the loop hole. Thanks for sharing!

  2. We once had someone interjecting code in a form that eventually changed the php. This allowed for hidden scripts to run. Google shut the site down with a malware warning for every person finding it via google. My boss was a master php guy, and fixed it. But ya, business wasn’t too good for a few hours over the course of a few days until he plugged the loop hole. Thanks for sharing!

  3. Dan Norris says:

    Nice! Sounds like you got it quickly. Sometimes it takes a long time to get off these lists, up to a few weeks. It suck when it’s out of your control too. Thanks for commenting.

  4. Dan Norris says:

    Nice! Sounds like you got it quickly. Sometimes it takes a long time to get off these lists, up to a few weeks. It suck when it’s out of your control too. Thanks for commenting.

  5. Kitty Kilian says:

    Number 7 has been happening for a few days at our house. The rest is OK. My Mac is too slow as well but scans show no viruses. Should I call in an expert?

  6. Kitty Kilian says:

    Number 7 has been happening for a few days at our house. The rest is OK. My Mac is too slow as well but scans show no viruses. Should I call in an expert?

  7. Dan Norris says:

    Your website has disappeared?!??! Yes you should!!

  8. Dan Norris says:

    Your website has disappeared?!??! Yes you should!!

  9. Kitty Kilian says:

    It only happens for a short time. So that is what you mean? OK, will do so.

  10. Kitty Kilian says:

    It only happens for a short time. So that is what you mean? OK, will do so.

  11. the one I notice first is Google Webmaster tools – search queries escalate dramatically

  12. the one I notice first is Google Webmaster tools – search queries escalate dramatically

  13. Lisa Buben says:

    Thanks Dan for the info here. I haven’t had it happen but it’s good to know the signs to look for. So many WordPress sites have been affected at one time or another.

  14. Lisa Buben says:

    Thanks Dan for the info here. I haven’t had it happen but it’s good to know the signs to look for. So many WordPress sites have been affected at one time or another.

  15. John Peterson says:

    Great post. I’ve had this happen to a few clients. While its hard to tell exactly how the hackers got in, the hacked sites typically have bad passwords. Like the post says, scan, backup and upgrade the site. Those are your best defenses. On the scan side, I’ve been really happy with Sucuri’s services. One time a site had been hacked and I was notified through IM, email and SMS message all at once. This helped me get a quick jump on repairing the damage. Don’t think the technical fix cleared our name instantly. It still took a week to clear the site’s name with Google.

  16. John Peterson says:

    Great post. I’ve had this happen to a few clients. While its hard to tell exactly how the hackers got in, the hacked sites typically have bad passwords. Like the post says, scan, backup and upgrade the site. Those are your best defenses. On the scan side, I’ve been really happy with Sucuri’s services. One time a site had been hacked and I was notified through IM, email and SMS message all at once. This helped me get a quick jump on repairing the damage. Don’t think the technical fix cleared our name instantly. It still took a week to clear the site’s name with Google.

  17. Mike Taber says:

    Somewhat related to #1 is that people start complaining that you’re spamming them. This is usually an issue that happens before your IP is blacklisted for spamming, but depending on the volume, it can be difficult to catch it in time.

    When I first started working on AuditShark, WordPress integrity checking was one of the things I was thinking about auditing for. It’s still in my radar, but I didn’t get a lot of initial interest in locking down WordPress for some reason. Maybe I was just talking to the wrong crowd.

  18. Mike Taber says:

    Somewhat related to #1 is that people start complaining that you’re spamming them. This is usually an issue that happens before your IP is blacklisted for spamming, but depending on the volume, it can be difficult to catch it in time.

    When I first started working on AuditShark, WordPress integrity checking was one of the things I was thinking about auditing for. It’s still in my radar, but I didn’t get a lot of initial interest in locking down WordPress for some reason. Maybe I was just talking to the wrong crowd.

  19. Dan Norris says:

    Interesting. Thanks mate.

  20. Dan Norris says:

    Interesting. Thanks mate.

  21. Dan Norris says:

    Good to hear :). Yeah I didn’t want to be too negative, it’s certainly not just WordPress. A lot of other systems are worse, mainly because they aren’t as easy to keep patched and secure so people just let them go and they become a target.

  22. Dan Norris says:

    Hey John, yeah I’ll have to do a piece on how to prevent it. Yeah we use Securi for the monthly scans for WP Curve clients. It’s good to be notified straight away. It could have been months rather than weeks!

  23. Dan Norris says:

    Good to hear :). Yeah I didn’t want to be too negative, it’s certainly not just WordPress. A lot of other systems are worse, mainly because they aren’t as easy to keep patched and secure so people just let them go and they become a target.

  24. Dan Norris says:

    Hey John, yeah I’ll have to do a piece on how to prevent it. Yeah we use Securi for the monthly scans for WP Curve clients. It’s good to be notified straight away. It could have been months rather than weeks!

  25. Dan Norris says:

    Hey Mike thanks for commenting. You are dealing direct with hosting companies right? That surprises me, WP Engine seem to be doing very well and I think security is a big part of the appeal (as well as speed etc). The WP multi-site services like Manage WP also have integrated security scanning etc which I think is a popular feature.

    I think managed WordPress hosting is going to emerge as a pretty big category. I was talking to a guy about this on Friday so if you do end up doing something here, let me know.

  26. Dan Norris says:

    Hey Mike thanks for commenting. You are dealing direct with hosting companies right? That surprises me, WP Engine seem to be doing very well and I think security is a big part of the appeal (as well as speed etc). The WP multi-site services like Manage WP also have integrated security scanning etc which I think is a popular feature.

    I think managed WordPress hosting is going to emerge as a pretty big category. I was talking to a guy about this on Friday so if you do end up doing something here, let me know.

  27. Mike Taber says:

    I’m not actually dealing with hosting companies to be honest. They’re not my target market right now. They need different things than business operators and the product isn’t quite there yet.

    Integrated security scanning is great and all, but it can be difficult to know whether or not there were changes you made. There are products out there like Tripwire which can verify that there haven’t been any changes to your site, but it’s still a little difficult to be sure sometimes to know where those changes came from.

    I agree that managed WordPress hosting is going to be a big category. In general, WordPress can get really slow if you’re not making sure that it’s optimized, and it really takes a lot of effort and domain knowledge to get it right. Even after that, you still might be slower than a managed service. That’s exactly why I went with WPEngine myself. I don’t want to waste the time figuring out if I’m doing the right things.

    With AuditShark, I’m doing the same sort of thing, but on the security side. How do you know if you’re doing the right things? The product is intended to help with that because most people aren’t security domain experts, nor should they need to be in order to run their businesses.

    If I take the product down the road of doing something in WordPress, I’ll let you know. The first step would likely be website integrity checking though. ie: have your files changed, and if so, how?

  28. Mike Taber says:

    I’m not actually dealing with hosting companies to be honest. They’re not my target market right now. They need different things than business operators and the product isn’t quite there yet.

    Integrated security scanning is great and all, but it can be difficult to know whether or not there were changes you made. There are products out there like Tripwire which can verify that there haven’t been any changes to your site, but it’s still a little difficult to be sure sometimes to know where those changes came from.

    I agree that managed WordPress hosting is going to be a big category. In general, WordPress can get really slow if you’re not making sure that it’s optimized, and it really takes a lot of effort and domain knowledge to get it right. Even after that, you still might be slower than a managed service. That’s exactly why I went with WPEngine myself. I don’t want to waste the time figuring out if I’m doing the right things.

    With AuditShark, I’m doing the same sort of thing, but on the security side. How do you know if you’re doing the right things? The product is intended to help with that because most people aren’t security domain experts, nor should they need to be in order to run their businesses.

    If I take the product down the road of doing something in WordPress, I’ll let you know. The first step would likely be website integrity checking though. ie: have your files changed, and if so, how?

  29. Dan Norris says:

    Yeah that makes a lot of sense.

  30. Dan Norris says:

    Yeah that makes a lot of sense.

  31. swalberg says:

    I was chasing down a lot of sites that fell under #2 — Google saw stuff that regular people didn’t. I ended up making a site to look for stuff like that, it’s up at http://www.isithacked.com, it’ll do ad-hoc checks and also let you schedule scans that get emailed to you.

  32. swalberg says:

    I was chasing down a lot of sites that fell under #2 — Google saw stuff that regular people didn’t. I ended up making a site to look for stuff like that, it’s up at http://www.isithacked.com, it’ll do ad-hoc checks and also let you schedule scans that get emailed to you.

  33. Dan Norris says:

    Hey man interesting. Good luck with it! Keep us updated with how you get on with it.

  34. Dan Norris says:

    Hey man interesting. Good luck with it! Keep us updated with how you get on with it.

  35. James Hall says:

    just suffered 1st (probable) hack attack. Woke up to find ALL files deleted from server — BUT , db fine. Is this “normal” ? Wouldn’t any hacker take down the db as well? It was wp and obviously all db access info is easily obtainable. Not sure how this could have happened except for rouge ftp access. Server log shows that only my ip has connected via ftp in last 24 hours.

  36. Dan Norris says:

    Yikes sorry to hear that mate. I can’t really give security advice via here but yeah I’ve had that happen before. There doesn’t seem to be a lot of rhyme or reason to hackings, they just take what they can get.

  37. water rafting says:

    hi Dan Norris

    about two weeks ago hackers attack on our server almost 60% website hacked, hackers only replace index.php or index.html files with new hacked data files with same name …. and the other hand few of my website traffic down suddenly i mean on 24 oct attack on server and on 25 oct my google organic trafic down from 2000 to only 10 to 15 per day how recover my website trafic plz help me i am very tired many time search in google but not find solution plz help me

    Thanks

    Hafeez Baig

  38. Dan Norris says:

    Hey mate I can’t really provide WordPress support via the blog sorry mate. Our service helps with this sort of thing or you can find a local developer who is experienced with dealing with issues like this.

  39. mayur says:

    My wordpress site has been hacked.
    only database is increasing.

  40. I monitor client sites pretty closely and we’ve caught several issues like you’ve brought up. The latest thing I have been seeing isn’t actually hacking but is definitely a pita … referral spam, particularly ghost referrals. It’s harder than heck to account for them properly within Google Analytics and it’s a cruddy issue with the analytics.

  41. meconiummm says:

    “While in my experience other systems are far worse (I won’t mention names)”

    Thanks that was very helpful and also reminded me of my little sister when we were small children.

  42. zeeshan says:

    Dan Norris:

    i want to ask 2 questions which antivirus(Plugin) is best for wordpress website.

    Second question is that tell me the name of the best backup plugin. plz help me

Leave a Reply

Your email address will not be published.

WordPress problems?

Our WordPress experts have you covered.

Hyper-responsive 24/7/365 WordPress support, maintenance and small fixes.