Most people have a Hollywood-influenced idea of what it means when your website is hacked. We get the idea that hackers are live villains trying to break down your firewall. In the movies, the hacker's fingers clack at-speed over a keyboard which somehow powers the brute-force password hack, which is somehow the only defence between hackers and the target servers. At the same time, the security team is shouting at each other and trying to form some keyboard-warrior defence. This is not really how website hacks work.
In reality, hackers don't want you to know that the website is hacked at all. Most hackers don't send skull-and-crossbones bragging emails. Most don't even try the ransomware tactic. Instead, they slip some malicious data-stealing code in through a configuration loophole and let the bug do its work. The majority of hacks are more like a phone tap than a castle siege. There's no hammering at the door, alarms don't sound. In fact, today's hackers often find methods to hide the website changes from the eyes of admins - those who would know something is wrong when they see it.
How to Check if Your WordPress Website Has Been Hacked
Detecting Hidden Hacks in Your WordPress Website
Because hackers don't announce themselves with battering rams and blaring alarms, it's up to us to watch out for hacks. A hack can slip in with an image, an uploaded file, or a backdoor found through a plugin. Recently, a payment skimming hack was found to have propagated through a cloned legitimate favicon hosting service. Hackers will try anything to slip malware into your website and keep it hidden while malicious data collection is conducted.
The trick is to look for the signs of hacking constantly - and know how to look. Today, we're talking about how to defend your WordPress website by being aware of hidden hacks and how to spot them.
A Reason to Suspect Hidden Malware
Most website owners start this process when suspicion is raised. Maybe one of your users says they noticed an advertisement that shouldn't be there. Maybe you got an alert from your virus-scanner, or Google issued a warning about your site. These are all serious red flags in terms of your site's potential for being hacked. Pay attention to the most common sources of hacked website information: users, security features, browsers, and your web host.
Comments from Users
Listen to your users; their experience of the site may be different from yours. Users often pay closer attention to the ads, details, and unique flow of your website and may notice signs of hacking that you normally would not. For example, your users may mention a loading error during the payment process, or someone might complain of a "too many redirects" browser error. If a hacker has somehow managed to avoid all your automated security measures, your users are a vital perspective on whether you've been hacked.
Alert from Website Security Features
Trust your website security features if you receive a message or alert. Whether they appear on a dashboard or arrive by email, alerts from WordPress security plugins are designed to help defend your site. Part of that includes a variety of 'validity' scans. For example, your security features might automatically scan the WordPress documents to ensure all file types and settings are as expected. Suspicious changes or new files will be flagged and you may receive a warning message.
Do not casually ignore security warnings as 'routine'. This might be the first and best chance to nip a malware invasion in the bud.
Your Browser Gives a Warning
When you navigate to your website, what does the browser have to say? After a certain number of bad-actor pings, browsers like Chrome and Edge will begin warning users before they visit that the site might be hacked. If you see this error, or if a user or fellow admin sees this error, it's time to run your manual virus-scanner and begin a full anti-malware audit.
Your Host Deactivates the Site
The final undeniable alert that your site has been hacked is if your virtual server host deactivates it. As part of the cybersecurity alliance, hosting providers take responsibility for freezing websites that are confirmed to be malicious. If your website has been frozen or deactivated, contact your hosting provider to consult on A) what they detected and B) how you can fix it. The deactivation is not malicious, but rather a quarantine method.
Perform a Weekly Security Check
Website owners aware of the hidden hack phenomenon should begin performing weekly scans and security checks. The more often you perform checks, the fewer days a hacker has to enter and take advantage of the site. There are many layers to performing a security check, and you don't need to be a web admin expert to go through many of the detection steps. We'll start with the software tools you may have available to scan and audit the website for you.
Run a Software Security Routine
Malware and Virus Scanning
Start with your virus scanner. Let the malware and virus scanning process look over your entire website and the server(s) that host it. Now is also a good time to virus-scan any device that connects and interacts with your website server.
Audit Files and Documents
The files and documents stored on your website are among the most likely to contain hacked code. Remember the payment-skimming favicon trick: even hosted images can carry malware. So run a scan and audit on your website's entire file system, including images and hosted assets.
Audit Users and Permissions
Another type of automated audit will check that all your security, permissions, user roles, and similar settings are how they should be. For example, a user account with the wrong permissions or a new role-type with only one user would be flagged as suspicious and possibly a sign of malware letting itself in.
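One way to automate the two checks described above, as an added example that is not part of the original article: it reads a user export and flags privileged accounts missing from an allowlist, plus any role outside WordPress's built-in set, noting when that role is held by a single user. The sample export is constructed (modelled on `wp user list --format=json`), and the allowlist and account names are assumptions.

```python
import json
from collections import Counter

# WordPress's built-in roles; extend with roles your plugins legitimately add.
KNOWN_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}
PRIVILEGED_ROLES = {"administrator", "editor"}
# Assumption: the accounts you expect to hold privileged roles on this site.
EXPECTED_PRIVILEGED = {"site_owner", "content_lead"}

# Constructed sample export, modelled on `wp user list --format=json`.
SAMPLE_EXPORT = """[
  {"ID": 1, "user_login": "site_owner", "roles": "administrator"},
  {"ID": 2, "user_login": "content_lead", "roles": "editor"},
  {"ID": 7, "user_login": "jane_shopper", "roles": "subscriber"},
  {"ID": 8, "user_login": "sam_reader", "roles": "subscriber"},
  {"ID": 41, "user_login": "wp_support01", "roles": "administrator"},
  {"ID": 42, "user_login": "svc_cache", "roles": "site_helper"}
]"""

def audit_users(export_json):
    """Return (user_login, reason) findings for accounts that need review."""
    users = json.loads(export_json)
    # roles is a comma-separated string; split it so each role is counted.
    roles_of = {u["user_login"]: [r.strip() for r in u["roles"].split(",") if r.strip()]
                for u in users}
    role_counts = Counter(r for roles in roles_of.values() for r in roles)
    findings = []
    for login, roles in roles_of.items():
        if not roles:
            findings.append((login, "account has no role"))
        for role in roles:
            if role in PRIVILEGED_ROLES and login not in EXPECTED_PRIVILEGED:
                findings.append((login, f"unexpected privileged role: {role}"))
            if role not in KNOWN_ROLES:
                note = "held by a single user" if role_counts[role] == 1 else "not a built-in role"
                findings.append((login, f"unknown role '{role}' ({note})"))
    return findings

if __name__ == "__main__":
    for login, reason in audit_users(SAMPLE_EXPORT):
        print(f"REVIEW {login}: {reason}")
```

Run it against each weekly export and review every finding before dismissing it; a legitimate new hire belongs in the allowlist, not in an ignored warning.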
The Non-Admin Test Checklist
Hackers know their adversaries: the website admin accounts. Those who build and manage the website are both the most likely to spot a hack and have the means to stop it. So, many website hackers have started creating hacks that don't appear for users with admin accounts. Any authority in the website role structure will cause the hacked ads, added buttons, or shell payment UI not to appear while non-admins get the hacked site experience.
Of course, they don't stop at just blocking admin accounts. Hackers sometimes use IP address detection, persistent browser caching, and other tricks to keep website authorities from detecting their criminal malware or access. So in each alternate method of access, here's what to look for:
- Unfamiliar Ads
- Unknown Popups
- Site Redirects
- Suspicious UI Changes
Access Your Site with a Common User Account
Start by impersonating one of your casual customers. First, log out of your admin account and explore your website in 'lead mode', as a visitor without a site account. Check out the ads you see and walk yourself through the buyer funnel, along with some of your more obscure pages.
Then make a fresh account with a common user role and log in. Consider using the route (or multiple accounts and routes) most common for users. For example, most of your customers may not make an account with a password until checking out for the first time.
Access Your Site from a New IP Address
Now switch IP addresses and repeat the experiment. There are a few easy ways to swap your IP address. You can connect to a VPN or proxy service. You can switch to the hotspot network from your phone, go to another location with a network, or reset your internet router with an off-period of 5-15 minutes for the IP address assignment to reset.
Once you have a new IP address, your website will no longer recognize your computer as the same visitor. Change devices (and thus MAC addresses) to ensure the site sees you as a new visitor. This will, ideally, help you fully escape any admin-targeting hidden malware methods.
Access Your Site Using Opera or Firefox Browser
Change the browser you are using to access the website. Today, our logged-in browsers like Edge and Chrome link our personal accounts to every site, including the websites you manage. Not only does your account follow you, but so do cached pages. The malware (or your own normal browser caching) could be hiding recent signs of pages being hacked, even if you are officially using a new account.
So open an Opera GX or Firefox browser window and do not log yourself into any of the usual accounts. Then access your site and repeat the customer account testing process.
Explore Your Website with a Friend's Phone
Finally, you can change device, network, browser, and account by using someone else's device. Ask a friend (who doesn't use/work on your website) to lend you their phone, laptop, or tablet. Ideally, also use their location and network while performing your new-user test. This is what your friend would see if making an account on your website.
If any of the suspicious signs appear, you have just detected a piece of malware designed to hide from the admins.
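The side-by-side comparison in this checklist can also be run on saved page source. The following added example (not part of the original article) lists off-site scripts, iframes, form targets and meta-refresh redirects that appear in a visitor's copy of a page but not in the admin's copy. Both HTML samples and every hostname are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "shop.example"  # assumption: your own site's hostname
URL_ATTRS = {"script": "src", "iframe": "src", "form": "action"}

# Constructed page source: the same checkout page saved while logged in as an
# admin, and again as a logged-out visitor on another network and browser.
ADMIN_VIEW = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://js.payments.example/v3/"></script>
</head><body><form action="/checkout/" method="post"></form></body></html>"""

VISITOR_VIEW = """<html><head>
<meta http-equiv="refresh" content="30; url=https://prizes.example/win">
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://js.payments.example/v3/"></script>
<script src="//cdn-stats.example/fav.js"></script>
</head><body><form action="https://collect.example/pay" method="post"></form></body></html>"""

class RefCollector(HTMLParser):
    """Collects (tag, host) for each off-site script, iframe, form target or meta refresh."""
    def __init__(self):
        super().__init__()
        self.refs = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(URL_ATTRS.get(tag, ""), "")
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content looks like "30; url=https://host/path"
            url = (attrs.get("content") or "").partition("=")[2].strip()
        host = urlparse(url or "").hostname
        if host and host != SITE_HOST:  # relative and same-site URLs are ignored
            self.refs.add((tag, host))

def external_refs(html):
    collector = RefCollector()
    collector.feed(html)
    return collector.refs

def hidden_from_admin(admin_html, visitor_html):
    """Off-site references served to the visitor but missing from the admin's copy."""
    return sorted(external_refs(visitor_html) - external_refs(admin_html))

if __name__ == "__main__":
    for tag, host in hidden_from_admin(ADMIN_VIEW, VISITOR_VIEW):
        print(f"only in visitor view: <{tag}> -> {host}")
```

Any host it reports that you do not recognize as one of your own providers is worth tracing back to the file or database entry that emits it.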
Do you suspect or worry that your WordPress website has been hacked? We can help. First, we can ensure that your security plugins are installed and configured both to scan regularly and to send you alerts if anything is suspicious. Second, we can help you establish a regular testing and audit routine so that even sneaky malware that hides from admin detection can be caught before anyone gets hurt. Contact us today for WordPress website design, security, and configuration services.