Sites getting hacked is a never-ending possibility – the best you can do is continue to keep updated about the new and old security threats while reviewing your security infrastructure and modifying wherever required. WordPress sites are common victims of admin panel hacks, pharma attacks, SEO spam, etc.
Of these, WordPress admin hacks are very dangerous as they can involve complete loss of control of one’s website, data theft, and compromising the security of all those who use or access the site – this makes the admin panel of your WordPress site the most important, and the most vulnerable, point of your security strategy.
Symptoms of WP-Admin hack
1. Login credentials not working
The first thing hackers do after taking over your website is that they change your current admin and other user passwords. If you are unable to login to your website with your current set of passwords and you are sure you are not entering the wrong passwords, your website is most likely hacked. Hackers can also change the admin URL for your website, so your present website URL throws an error. All this accounts for a WordPress admin hack situation.
2. Bad links and spam pages added onto your site
One of the more common signs that your WordPress site has been hacked is the presence of data with questionable functions. Sometimes, they could be links that redirect the traffic to illegal sites selling medications or fake branded products. Visitors to your site who click on these links will be exposed to the dangers of malicious content and malware.
This can also include backdoors to your admin panel so that even if you temporarily delete files that are causing issues, they’ll have a way back into the system. Once they gain control of the admin panel, hackers can place these bad links anywhere on the site, usually in the footer, with possible code for regeneration even if you delete it a number of times.
There’s also a possibility that spam pages will be added onto your site – once search engines like Google detect this, they will blacklist your site and index it to warn visitors.
3. Unknown users added to the admin panel
First, you need to check if your site is open to user registration and/or lacks spam registration protection, as the spam accounts you see on the admin panel are probably ones you can simply delete.
It becomes an issue if you don’t remember setting up this option for your site, as the addition of new user accounts to the site probably means you’re hacked. This is especially important to clarify – and take steps to resolve – if the spam accounts have administrator roles as this gives them full-scale privileges and may make it difficult to delete their accounts as well.
4. Sudden fluctuations in the website traffic
If you’re checking your Google Analytics Report and see suspicious fluctuations in the website traffic numbers for no explainable reason, this is a good indicator that your site has been compromised.
Fixing the WP Admin hack
Before proceeding with any steps, it is recommended that you take a backup of the site for restoration purposes. This will save the content of the site and your preferences in extensions, themes or plugins, making it easier to make your site functional again.
1. Looking for file modifications
Admin hacks place their strength majorly on modified core files, which means your first step should be to check the root of the server or “/wp-admin” folder for files that haven’t been created by you, or ones that have been recently changed.
Examples of some filenames that mistakenly look important but are actually the source of the hack include ‘admin.php’, ‘db_.php’, etc.
Make sure that you check the ‘index.php’ file in WordPress, as this can be the target of the admin hack. Malicious code will usually serve the purpose of regenerating hacked or defaced pages of the WordPress site that will be visible to the site’s visitors such as SEO spam pages, fake pharma pages, etc.
2. Change all login credentials
Update all WordPress passwords, including cPanel, MySQL, and FTP details – use strong passwords according to the given guidelines and with the right combination of letters, numbers, special characters, and symbols. If a lot of users access your site daily, ensure that the password is reset for all of them.
3. Check out the unknown admin accounts
You can get a lot of information by tracking the unknown admin accounts added to the panel, one of the important details being the backdoor script that generates these accounts with admin privileges. This functions as a backdoor to the WordPress site whenever the hacker wants, so finding and erasing this provision is crucial.
4. Malware scan
A final malware scan with a good security plugin – like the one offered by Astra Security – will let you know if your site is free of malicious files, questionable themes or plugins, security loopholes like backdoors, and search the uploads directory for questionable material.
For each hacked WordPress site, there could be more or fewer steps done for confirming the removal of the hack, and to prevent the recurrence of such a situation. If this seems to get out of your hands, you can always take help from security experts like Astra Security.