WordPress Security: How to Check if your Website is Clean

In view of recent high profile cyber attacks I have updated the information in this article.

WordPress is a hugely popular content management system (CMS) and it currently powers over 450 million websites (!). Unfortunately the sheer volume of websites also makes WordPress an attractive target for hackers. Their goals are usually related to monetary gain, e.g. by promoting their own products (usually pharmaceuticals or adult content), redirecting a website domain to their own website, or stealing data to resell.

This can of course lead to loss of income for business owners and loss of customer trust. It is usually very difficult to unhack a website as the hacks are quite complex these days and often involve code back doors which allow hackers to get back in even if you think you have cleaned it all up. If a website has been hacked, it sometimes has to be wiped as it is frequently impossible to clean it up. Ideally you would have a clean backup from before the hacking occurred, but if this is not the case, the website may have to be rebuilt from scratch.

website security

WordPress itself is a robust and secure software, but it does need to be updated regularly to keep it secure, and you need to take some precautions such as installing a security plugin. Click here for more information on how to keep your WordPress website secure.

These days hacked websites are not always obvious as hackers become smarter at concealing their hacks to increase the time a hacked website is live on the internet. The hacks may be so well hidden that you might not notice them for months. Here are some examples that I have seen over the last few years:

  • On some websites hackers had left the website intact but somehow created hundreds of additional, hidden pages on the domain. The additional pages promoted pharmaceuticals that they were trying to sell.
  • One website looked completely fine on desktop but had adult content showing in the mobile view
  • The home page of some websites looked fine but certain sub pages showed hacked content
  • On one website only one particular page and the website logo at the top linked to an external website promoting Viagra

Sometimes the first you know of your website is being hacked is because Google shows a message below your website link saying “this website may have been hacked”. Not a good look! By then your website will already be blacklisted by Google.

This also means that any clean backups may be several months old by the time you realize what is happening, so you would lose any newer content when the hacked website is deleted and the backup is restored.

There are several ways to keep an eye on your website and make sure you find out quickly if it does get hacked. A combination of methods is usually best:

  • Install a security plugin such as WordFence. Set it up to run regular malware scans and alert you if anything fishy goes on.
  • Register your website with Google Search Console. This can also pick up on malware and alert you if Google believes that your website was hacked.
  • You can also use this tool (by Google) to check whether any website has been listed as compromised: https://transparencyreport.google.com/safe-browsing/search
  • Check your website regularly and have a bit of a click around to make sure everything looks ok visually.

If we have built your website then we would have usually set up WordFence on it already, and we also always submit websites to Google Search Console so we would receive alerts from them.

Of course this is all great to know but really by the time you find out your website was hacked, the horse has already bolted! So what can you do to prevent hacking in the first place? Click here to read my tips: “How to Outsmart Website Hackers and Keep Your WordPress Website Secure”