Hack Into a WordPress Website

Signs your WordPress website is hacked

Thousands of websites are getting hacked every day, and new malware spreads rapidly amongst unprotected sites.

That first sentence is not meant to scare you, but to make you pay attention. If you run a WordPress website you need to be aware of how to protect your website. WordPress is not immune to attacks.

If you don’t already check your website regularly, consider checking your website after you finish reading this article.

Stealthy malware and attacks

WordPress is a very popular platform, powering over a quarter of the top most visited websites and every day thousands of new WordPress based websites are launched.

WordPress targeted attacks come in all shapes and forms these days, and the speed of new bugs and vulnerabilities does not seem to slow down.

The more aggressive attacks give away more or less immediately by showing massive ads and popups, but not all.

Some of the most aggressive attacks simply change the site URL of your website so every visitor is sent to a scam or virus filled website. Until it gets reported of course, or the website owner or administrator notices the change.

This form of attack is quite obvious and easy to detect, but most attacks are more subtle than that so they do not give the game away too quickly.

Note – The most obvious attack redirects everyone, but more stealthy attacks will not do anything if the script detects the visitor is an administrator, and only redirect regular visitors – making it a bit harder to detect an infection.

If you think your website is too small to be attacked or you think your web host will automatically keep your website safe, you should read Why even small websites are attractive for hackers and malware attacks.

Not all malware or virus is easy to detect

Some malware will install malicious javascript code to mine bitcoin in your site or try to infect visitors or other websites – spreading their code. Other malicious code might act as a flexible tool, able to execute many different kinds of actions, even attacks on other websites.

Other kinds of malware are created with different goals in mind. Let’s take a look at some of the types of malware you can encounter.

WP Security Ninja Pro comes with a malware scanner that helps you detect infections on your website.

We build and sell the plugin here, so we might be a little biased – but we think it is a great solution for protecting your website 🙂

But why me? You might wonder why your website was targeted by a hacker. It wasn’t. Or rather, your website was not targeted specifically by a hacker, it was targeted due to a script made by a hacker.

These hackers will not try to attack websites one by one, that is way too time-consuming. Being specifically targeted is usually only something you should worry about in a huge company or if you sell something that makes you a target for extremists.

However, once your website is online, there are automated systems that take your new website and put it on a list – waiting for it to be scanned for vulnerabilities.

This is where your website will start getting a lot of probing requests, the automated scripts are testing for specific errors or plugins that the script knows allows for a way into your website.

Let’s take a look at some of the reasons a hacker wants your website.

Common kinds of malware attacks

  • Redirects to spammy sites – that contains different types of viruses or trojans to attack your computer.
  • Backdoor attacks – trying to get into your website, to gain control for later.
  • Drive-by downloads – that will install software on your visitor’s computer, spreading even further.
  • “Pharma hacks” – Adds links to vendors of illegal drugs online, trying to boost their ranking quickly.

Someone who is familiar with a hosting environment can manually clean his website from malware. Here is a WordPress malware removal guide that will help go through this process.

Links injection for SEO

Did you find an infection on your website pointing to some very questionable websites? Some successful hacks will inject HTML code in your page, including links to pharmaceutical sites. These links are helpful to promote any malicious website.

There is little or no long-term value in these links, but that does not matter to the people promoting whatever product on the malicious website, they have thousands of other sites that link to them, it is a matter of volume and getting a lot of sales before Google or anyone else notices something is wrong.

Since your website is now linking to spammy or dangerous websites, your website will be penalized or completely blocked by Google. This will force your SEO rankings to plummet and eventually disappear.

Google is not interested in sending their users to your website if it contains bad links or malicious code. Many online stores depend entirely or predominantly from organic SEO traffic, so keeping your website secure is of extreme importance.

This is in itself a problem, but the business cost increases if you rely a lot on organic search engine traffic – SEO.

Cleaning up a hacked WordPress website

A website I was hired to disinfect years ago and the infestation was fortunately benign as such. This hack was only inserting links to spam websites, selling a couple of different pharmaceutical products.

This infection was pretty sneaky however and used obfuscated code that detected the Google bot crawler and only showed the links to Google, and hid them from anyone else, logged in or not.

This not only puts you in a bad position SEO wise because you are linking to some bad websites. Your hacked website is also doing what is called cloaking, by showing different content to different visitors.

Cloaking is something that is considered a violation of Googles Webmaster Guidelines, but fortunately, Google is aware it is a common tactic for hackers.

It is not uncommon for a hacker to use cloaking technology to make the website hack harder to detect

Read more here: Cloaking – Google Search Console Help.

You would only detect these links if you crawl your own site with a crawler emulating the Google bot, or you have set up an external monitoring service to monitor server and website changes.

Malware attacks hurt your SEO work

All major search engines have tools that identify websites that are hacked or intentionally try to do harm and block you from visiting these sites.

The Chrome browser by Google Here is Google’s support page about the feature – Manage warnings about unsafe sites

Google actually warns hacked website owners

If you are signed up with Google Search Console and have verified your site, you will get an automated notification email from Google if they detect you have been hacked or have malicious scripts running on your website.

In case you are not, Google will still try emailing various usual domain administrator emails, such as contact@, info@ or admin@ and so on.

You should have a Google Search Console account set up for your website. It provides a lot of information about your website and any problems that Google finds.

This is a great tool to fix bugs and you can use the tips from Google themselves to improve your website.

Google also provides great advice on how to find and clean your website after a malware attack, and also how to request a malware review by Google. This is the fastest way to get back your search engine traffic.

You should not rely only on Google though, check out this article for telltale signs your website has been hacked.

Malware hurts website owners

"The site ahead contains malware" warning message

This will have a significant impact on your SEO efforts, as Google naturally does not want to send their users to malware- or otherwise infected website.

It is not impossible to regain your SEO positions again, but it will take time and require technical skill. If you are not used to working with SEO, there is a lot of things to learn, and it will take time to gain any position back in Google for your most valuable keywords.

The alternative is to hire an SEO expert to help you but anyone experienced enough to deal with a WordPress website hack will not be cheap. You could try it yourself, but as anyone just starting with SEO will tell you, it can become quite complicated very quickly.

You will lose a lot of customer trust as well if your website has been hacked and it can take a long time to get back.

You will lose customers

Attacks are happening more and more often, so it is no longer a huge deal for customers when a website is hacked. That being said, some customers will want to look for an alternative company and some new customers might refrain from buying from a website that has been hacked.

Fortunately, or rather, unfortunately – these days getting hacked is not that uncommon, so this has much less impact on your business than it would have 10 years ago.


Website monitoring services can help

Companies who care a lot about their website have monitoring systems in place or outsource maintaining their website.

If you do not have someone or something monitoring your website, you might not notice the website directing visitors to a different website for some hours, even a day or two.

Prevent WordPress website hacks

Prevent being attacked, to begin with, is always the best approach.

We build and recommend the Security Ninja plugin, it protects you from hackers and automated scripts, it also comes with tools to detect infections and tools to remove malicious scripts.

Use strong passwords

Take a look 10 Password Management Tips to Help Safeguard Your Website as a good place to start for making sure it is not your weak password that was the reason for getting your website hacked.

Make sure your web host is secure and proactive

Not every web host is the same, some simply do not have the support staff to keep their servers secure and focus their you might be tempted to go for a cheaper solution but if you want to ensure your website is properly protected check out some of our tips for choosing a secure WordPress host.

We recommend our own WordPress security plugin, Security Ninja Pro. With this plugin, you get a lot of protection and tools to disinfect your website should the worst happen.

Want to know how secure your website is?

Check out our FREE Security Ninja WordPress plugin for a full WordPress security check – test for 50+ security issues in less than a minute.

Read more about the author .

We won't spam you. Unsubscribe any time.

Wait! Before you go!

Get 10% discount for any WP Security Ninja plan!


Subscribe to our newsletter for new releases, discounts and general WordPress Security news. Sprinkled with other interesting stuff :-)

10% OFF

Subscribe to our newsletter

* We do not spam or share your email

Discount on any Security Ninja plan

and get

Hi and welcome back :-)