How can you recognize a hacked website? What distinguishes a malicious attack from an administrator’s backend bumbling? There are several key differences, and we explore them here.
What are the symptoms of your WordPress site’s disorder? Is it an error message? A wacky redirect? The dreaded “white screen of death”?
In any case, your first thought is probably “OMG, my site’s been hacked!”
More than likely, though, it was unknowingly broken by another administrator.
BTW, that’s one more reason to limit the number of persons with admin access to your site. Allowing just anybody to mess with your website’s backend is a sure-fire invitation to disaster.
Limit access to your website’s sensitive administrative functions to trusted personnel experienced with WordPress. Monitor security, backups, and updates yourself, or allow modifications by well-qualified professionals only.
Most of the common WordPress errors are easily fixed if you can access your site’s admin dashboard. Otherwise, you will need to communicate with your broken website using an FTP/SFTP client program.
Here’s what to do about the three most common WordPress errors.
White Screen of Death
It’s as if your site has ceased to exist! Where your snazzy design and compelling content once lived, there’s now literally NOTHING. A blank screen with no information. Why, and what to do?
This usually happens when a plugin or theme compatibility issue causes an error in the PHP code or the database.
If you have access to the admin dashboard, immediately deactivate all your plugins. Then reactivate them individually so you can determine which one is causing the problem. You’ll then need to deactivate, remove, and replace that plugin with a better solution.
No plugin issues? Check your site’s theme for concerns, especially if you learn that someone else has recently activated an update. Just reactivate the default WordPress theme instead to verify that it’s your theme that’s at fault. Again, you’ll want to remove it and use a different theme.
If the theme’s directory is missing or has been renamed, you’ll see an error message on the site’s front end. If you can log in to the dashboard, switch themes.
Quite frankly, though, you will probably not be able to access your admin dashboard in any of these scenarios. An FTP/SFTP client will give you access to the appropriate folders (wp-content/plugins or wp-content/themes) so that you can rename them.
Once the suspected folder/directory is disabled, you can follow up with the suggestions above.
Internal Server Error
You’re trying to log in but instead get an onscreen “Internal Server Error” message. There could be any number of reasons for this, including a corrupted .htaccess file. In that case, simply rename it “.htaccess-old” and reload the site. Resetting your permalinks will generate a new .htaccess file, and the old one can be deleted.
Again, plugin/theme incompatibility could be at fault. Deactivate your plugins or reactivate the default theme as above.
You’ll need to increase PHP memory if you don’t have enough. Although there are several methods for handling this, I’ve been successful by adding the following line to the wp-config.php file using a code editor: define('WP_MEMORY_LIMIT', '256M'); (use whatever value you need the new limit to be).
If corrupted wp-admin or wp-includes folders are the cause of your site’s issues, re-upload the appropriate files from a fresh WordPress install.
Error Establishing Database Connection
The onscreen message “Error establishing a database connection” is usually caused by a problem with your wp-config.php file. Use your FTP/SFTP client to confirm that the database name, username, password and host are all correct.
Also, check with your web host. It could be that their server is down, or your database is suffering a quota overage.
Or they might confirm the unimaginable: Your site was disabled due to infection.
Recognize a Hacked WordPress Website
Most likely, a hacker won’t announce their presence. They don’t want you to know they’re using your compromised website as a Trojan Horse to redirect your users to spam sites, secretly steal their credentials and private information, or carry out other nefarious activity.
So how can you tell that your site’s been hacked?
Most browsers will display a warning page to deter users from accessing the site. You’ll also need to be on top of your website’s usual traffic and analytics to help determine if your site’s been compromised.
A change in traffic patterns could signal that your visitors are being redirected elsewhere. If your site seems unusually slow or is often unresponsive, you could be suffering brute force attacks. Suspicious user accounts are another clue to unauthorized activity on your site.
So despite your best efforts, a malicious actor has somehow gained entry to your site and hacked it up.
First of all, don’t panic! Your content can likely be salvaged. And taking the following action steps will substantially increase your chances of recovery.
Repair a Hacked WordPress Website
Take a deep breath and dive right in.
Start with an incident report documenting all the issues you’re experiencing and every step you take to repair them. Don’t neglect to include the results of each action.
Then use Sucuri’s SiteCheck, a free website scanner, to check for known malware, blacklisting status, website errors, and out-of-date software. Also run a virus check on your computer to be sure it wasn’t compromised in the attack on your website.
Next, check in with your web host. If you’re sharing space with other websites, you may not be the only one affected. Your provider can let you know what’s going on if that’s the case.
Before going any further, reset all your passwords and enable two-factor authentication. Use a trustworthy security plugin like Wordfence or Google Authenticator from the WordPress repository. In addition to your wp-admin, be sure to generate new strong passwords for FTP/SFTP, cPanel, and MySQL.
Then, if you can, reinstall a recent backup. This is probably the first and best choice in any hacking scenario. If you have content that will be lost, though, you may prefer to remove the hack manually.
In either case, delete unused/inactive plugins/themes, and disable any plugins you hope to continue using.
Locate the hack via malware scan if it hasn’t already been detected. It will generally be found in your theme/plugin directories, uploads directory, wp-config.php, wp-includes, or .htaccess file. Also check index.php, header.php, footer.php and functions.php for malicious code.
Go ahead and replace the corrupted files with the original theme/plugin or WordPress core file (except wp-content, where your content resides). Delete any suspicious users you found, or update all user permissions as needed.
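To decide which core files actually need replacing, the following added example (not part of the original article) hashes wp-admin and wp-includes in a copy of the live site and in a fresh WordPress download, then lists files that were modified, are missing, or do not belong to core. It assumes the fresh copy is the same WordPress version as the live site; the function names and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile

CORE_DIRS = ("wp-admin", "wp-includes")  # wp-content holds your content: skipped


def hash_tree(root, subdir):
    """Map relative path -> SHA-256 digest for every file under root/subdir."""
    digests = {}
    for dirpath, _dirs, files in os.walk(os.path.join(root, subdir)):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_core(live_root, fresh_root):
    """Classify core files of the live site against a fresh copy."""
    report = {"modified": [], "missing": [], "extra": []}
    for subdir in CORE_DIRS:
        live, fresh = hash_tree(live_root, subdir), hash_tree(fresh_root, subdir)
        for rel in sorted(live.keys() | fresh.keys()):
            if rel not in live:
                report["missing"].append(rel)      # deleted or renamed
            elif rel not in fresh:
                report["extra"].append(rel)        # not part of core: inspect
            elif live[rel] != fresh[rel]:
                report["modified"].append(rel)     # re-upload the original
    return report


def write_files(root, files):  # demo helper: writes constructed sample data
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as live, tempfile.TemporaryDirectory() as fresh:
        write_files(fresh, {"wp-admin/index.php": b"<?php // dashboard"})
        write_files(live, {"wp-admin/index.php": b"<?php // dashboard, altered",
                           "wp-includes/wp-tmp.php": b"<?php // not a core file"})
        print(compare_core(live, fresh))
```

Record the report in your incident notes before overwriting anything, so you keep a list of what the intruder touched.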
Now that your site is clean, change all those passwords yet again! This protection is especially vital moving forward. And, most importantly, implement additional security measures to prevent future attacks.
Request a Google site review to clear your site’s good name and remove any red flags that were set up to discourage visitors from using it.
Check out the WordPress support forums for more details and answers to specific questions that weren’t addressed here.
According to Google, compromised passwords, missing security updates, and insecure themes/plugins are among the top ways sites get hacked. So monitor your website’s security, use strong passwords and change them frequently, and only install reputable plugins and themes to help harden your website.
Has your website ever been hacked? How did you handle it? Let us know in the comments below!