In Security

How to identify a hacked WordPress site

April 13, 2017

By Yorgos Fountis

Share
How to identify a hacked WordPress Site

A hacked WordPress site most of the times exhibits several symptoms. In this post we will describe what those symptoms are, and give you some tools to identify whether your website is affected by any or all of them.

Symptoms of a hacked WordPress site

Most of the symptoms involve your website behaving in a strange way, as well as odd-looking files and HTML code starting to appear left and right. Let’s view them one by one!

1. Your website starts sending spam

Although it is much easier to identify incoming spam than outgoing, there are a couple of things you can do to see if someone is using your site to send spam:

  • Check your mail logs (they are usually under /var/log). Seeing an unusual amount of emails being blocked with a 550 Sender prohibited by SPF error message is regarded as suspicious. Especially if you have SPF records configured for your domain. Then it is definitely a red flag.
  • There are various websites, such as MXToolbox and UltraTools RBL Database LookUp that can tell you whether your site has been blacklisted as a spam source. There are several of them available, and you need to search in as many as you can find. Not being blacklisted in one does not mean you are 100% clear.

2. Your website redirects you somewhere else.

This is probably the easiest symptom to spot. When you visit your website, instead of viewing your web page, you get redirected to somewhere strange. First of all, check to see if your DNS records have changed, and now point to a different IP address.

If your DNS records seem fine, then it is highly probable that there is something in your HTML page causing that redirect. Try to disable your browser’s Javascript support, and see again if your website is redirecting you. If the redirect persists, then it is a sign that other areas of your website are most probably tampered with (either your database, your website’s .htaccess file, or your web server configuration).

3. Your website contains suspicious iframes.

An iframe is an “embedded” HTML document within another HTML, that is used to display content from another source, usually advertisements. Visible iframes are easy to spot, however, most of them are so small (sometimes taking only a couple of pixels!) that you can easily miss them. Open your HTML file in an editor and look for <iframe> tags that try to connect to unknown or suspicious-looking URLs. Comment them out by putting them inside HTML comment tags <!–. You should not stop there, because probably if you have tampered HTML files, it means that your website is definitely compromised and  that there could be other places where your website was tampered with.

4. Your website opens pop-ups on load.

This is also an easy sign to spot. Your website loads pop-up windows that clearly are out of place. Some of them, called pop-unders, are more insidious. These are not visible when you visit your website but are loaded in the background. However, if you minimise your browser, you instantly see them, usually taking up a large portion of your screen.

5. Garbled and strange-looking PHP files.

Discovering PHP files that look seemingly incomprehensible such as the following example is always a definite warning sign that someone has tampered with your website:

<?php eval(“\145\166\141\154\050\142\141\163’==QfgsDdphXZgsTKog2c1xmZgszJ+QHcpJ3Yz  […]

The technical term for these types of files is “obfuscated”.  Obfuscation is a common technique used by hackers in order to hide the source of a usually malevolent piece of code or make it very difficult to read and understand what its function

6. Backdoors, webshells, admin accounts

Webshells are programs that can be used by hackers to connect remotely and gain full administrative access to your website. These programs allow remote web access to your server’s shell (hence the term webshell) so that anyone connecting to them can execute commands. Chances are that if you find an obfuscated PHP file somewhere, it is a webshell.

Hackers can also create accounts with administrative rights to use them as backdoors. These are relatively easy to find since they are visible in the WordPress backend, or in your database.

Tools to help you identify suspicious activity

There are several tools that can help you identify whether your website has been tampered with.  If you think you have been compromised or infected, it is a good idea to check your website by using all of them. In that way, you will get a more rounded view, because not all of these services check the same things. All of the below resources are free to use and require you only to type your website URL.

In particular, if you think you are infected with malicious iframes, popups, redirects and other javascript beasts, the following websites will let you know immediately:

  1. Sucuri’s SiteCheck and unmaskparasites. These will check for known malware, whether your website is blacklisted and much more.
  2. Google Transparency Report. This will show you whether your website is deemed “dangerous to visit” according to Google.
  3. VirusTotal is a free service that can analyze URLs and files to see whether they contain any malicious content.
  4. Free Online Website Malware Scanner by PC Risk. Searches your site for ““malicious code, hidden iframes, vulnerability exploits, infected files and other suspicious activities.”
  5. Quttera’s Free Website Malware Scanner. Searches your site for “suspicious scripts, malicious media and other web security threats hidden into legitimate content and located on websites”. It produces a security report, with each finding categorised according to threat level.

There are also several WordPress plugins that help you keep your WordPress site secure. Make sure to also check this excellent guide to the 7 best WordPress security Plugins by InfoSec.

It is of outmost importance to clean-up your site as soon as you find any malicious content and patch its vulnerabilities. A compromised website means outages or abnormal behaviour that can and will ultimately affect the livelihood of your business!

 

JOIN HUNDREDS OF BUSINESSES THAT USE PRESSIDIUM TO SCALE THEIR WORDPRESS SITES

Did you like this article?

Subscribe to our blog and get awesome WordPress content straight to your inbox.

SUBSCRIBE
Share