A website is often the result of a lot of labour which involves brainstorming and a lot of development hours. However, like any property in real life, a website needs to be well looked-after from a security viewpoint to protect WordPress from malicious attackers. Online security threats are constantly evolving and adapting to measures taken by webmasters.

Detecting If Your WordPress Website Has Been Hacked

protect wordpressAs a WordPress website owner, you should always be on the lookout for any potential signs that point to a hacked website. For example, if your installation has been hacked, Google’s Chrome browser will flag any visitors that the website they are accessing has been subject to a phishing/malware attack.

Web hosting providers scan hosted websites on their servers on a frequent basis. If a scan alerts to a compromised website, the web host will usually take the site down altogether so that the infection does not spread to other websites stored on the same server. The site owner will get an email notifying them of the hack and the take down as a result. In this case, it is important that you have the latest backup ready at hand.

Hackers will often use compromised websites as part of a larger scheme of serving malware to internet users. Unsuspecting users will be served with “phishing links” which will direct them to web pages where the hacker will ask them for important information like credit card numbers, social security and so on. It is always a good idea to have a notice on your website which tells users about the information your website collects. Encourage users to contact you in case they notice some irregular behaviour.

Monitor your Website

Google’s Search Console (previously known as Google Webmaster Tools) is an effective way of keeping track of the security of your website. It is free and easy to setup, so if you have not already, set up the Search Console for your website immediately. It will notify you via email if Google detects malware or any compromising piece of code on your website.

A few best practices for detecting potential hacks are:

  • Keep an eye on customer/visitor complaints
  • Analyse your website traffic for any unusual spikes or drops in traffic
  • Check the load times of your website regularly. If it shows non-routine behaviour, investigate the cause
  • Scan the content on your website regularly for any suspect links and unauthorised changes
  • See if your site is flagged as infected by Google’s Transparency Report

Protect WordPress

Source code scanners such as Wordfence are extremely effective at detecting a hack before it is noticed by either your customers, Google or any third party. They regularly scan the code of your website and compare it with a secure version of it. The source code scanner will even point out the infected pieces of code for you so that it is more convenient to diagnose the problem and remove it.

CloudFlare is a nice addition in the security toolkit. For small websites the basic version is completely free. It protects against denial of service attacks, shields your website’s IP and can speed up your website by caching it for you on their servers. So visitors would rarely touch your real site. Service like these are called CDNs or content delivery systems.

To make it harder for a hacker to break into your site you can add additional layers of security:

WordPress Security Plugins
Google Authenticator – Two Factor Authentication (2FA) By miniOrange (free / paid) Duo Two-Factor Authentication (free / paid)
Wordfence (free / paid) Sucuri (paid)
Shield Security (free) iTthemes Security (formerly Better WP Security)
Bulletproof security Vaultpress (paid)
WordPress Shield Hosting (paid) discontinued NinjaFirewall (WP Edition)
All In One WP Security & Firewall Disable XML-RPC (not WP Plugin page)
Loginizer SecuPress
Malcare (Paid) Cerber Security, Antispam & Malware Scan
WPS Hide Login Page Google reCAPTCHA to protect forms

Non Technical Rules to Safeguard WordPress

  • Choose long complicated passwords which cannot be guessed and keep them a secret.
  • Don’t use public WiFi without trustworthy VPNs to login to WordPress. Hackers can spy your password if your connection is unencrypted.
  • Don’t use public computers. There might be key loggers on them.
  • Keep WordPress updated, even if the design should break. Then you need to fix it. A site that is not patched invites hackers.
  • Give your admin password only to a developer whom you trust.
  • Do backups regularly.
  • Keep your Antivirus software update and run it daily.
  • Logout after your work is done.

What to do after detecting the hack

If your WordPress website has been compromised, it is best not to panic as you can have it running as it was before the hack following some simple steps. The best way of website recovery is by using a recent backup. A good practice is to make backups regularly and store them on a cloud service such as Dropbox, Google Drive and such. This ensures that even if your web host has been infected, your backups will be clean and secure. If your website is constantly being updated with new content, it is best to take regular backups to ensure minimal loss of data.

A useful and free WordPress plugin for backing up your website is UpdraftPlus. UpdraftPlus can be configured to backup your website at intervals as small as 4 hours and send the backup files to your Dropbox. What’s more, it can store backups in the cloud, so even if your host is infected, your backups will be secure and you can simply redeploy them to have your website up and running. A few other backup plugins/services worth a look are:

An additional step you can take in order to determine the source of infection is by running a free virus scan from one of these websites:

Become a WordPress Hero!

WordPress runs on PHP too.

Get Help from Professionals

If there are no apparent irregularities detected, it is time to call the professionals for help. Service providers such as Wordfence ($149) provide comprehensive infection cleaning services for (usually) a nominal fee and their experts will not only clean the infection from your website but will investigate and notify you of the way the hackers were able to infiltrate it. A few other WordPress infection cleaning services worth looking into are:


You should now have a fair idea of how to deal with a hacked WordPress website. For the most convenient and cheapest solution, it is highly recommended creating regular backups of your website, running free virus scans on it using VirusTotal and a good security plugin. These are vital precautionary measures to ensure none of your visitors is served with an infected website!

However, you should be aware that despite all the precautions a skilled hacker who dedicates a lot of effort to hack your site still can break in. Security issues like Zero Day Exploits, bugs like heartbleed and bad programming are discovered every day which enable attackers to just walk around your security measures.