How To Tell if Your WordPress Site is Hacked

There are a couple different ways to monitor your site and be notified if your site was acting malicious, which is a sign of being hacked.

On the service side, you can use the Google Webmaster Tools assuming you are signed up for it and Google is indexing your site.

On a local WordPress plugin side, you can use one or more of the following plugins. I say one or more because each plugin behaves a bit differently, and the signatures they use are different as well. I wouldn’t go overboard and install all of them though.

  • Sucuri Security – SiteCheck Malware Scanner – Enables you to scan your WordPress site using Sucuri SiteCheck and verify the integrity of your WordPress site.
  • Exploit Scanner – Search the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers.
  • Look-See Security Scanner – Verify the integrity of a WP installation by scanning for unexpected or modified files.


How to Monitor Your WordPress Site

To monitor your WordPress site for various types of activities, I recommend a few plugins to assist you so that you don’t have to do it manually.

For monitoring the activity of a logged in user, you can use one of the following plugins. They both provide detailed user activity logs such as when they logged in, what did they change, what did they install, etc.

  • Stream – Track and monitor every change made on your WordPress site in beautifully organized detail.
  • WP Security Audit Log – Identify WordPress security issues before they become a problem. Keep an audit log of everything that happens on WordPress including WordPress user activity.

For keeping track of file changes, one plugin stands out to help with this activity.

  • WordPress File Monitor Plus – Monitor files under your WP installation for changes. When a change occurs, be notified via email. This plugin is a fork of WordPress File Monitor.

What Should I Monitor on my System?

Hopefully I convinced you why you should monitor your system activity so the next question becomes, what should I monitor?

Here are a couple common areas to monitor regardless of system function. From webservers to desktops, this list can get you started:

  • What a user did on your system. If you have a system that have multiple users on it, they will likely fall into some sort of typical usage pattern. If it goes beyond that, then you might want to investigate the activity some more.
  • Identifying new files on your system. If you weren’t the one that created those files, then who did? Are those new files malicious at all?
  • Checking for indicators of compromise. Attackers use exploit toolkits and they typically have signatures that you can scan for to identify if you have already been hacked.

Why Should I Monitor My System Activity?

Like many important things in life, security is one of those items that you shouldn’t just “set it and forget it”. Part of having a holistic security system is to monitor your systems for various indicators. You will want to monitor for system activity because you want to be proactive and understand the changes on your system. Don’t put your head in the sand and hope everything will be okay.

Here are some reasons for why you should monitor your systems:

  • What if an attacker was trying to brute force login into your system and you didn’t have a control in place to block them. How would you know if they succeeded or not?
  • What if there was a vulnerability on your site and an attacker uploaded code to have a backdoor in your system. If you didn’t have a system to alert you to changes, how would you know anything changed?
  • What if you were just trying to change a setting and your whole website broke because of a couple changes you did, but you couldn’t remember what you exactly did? If these actions weren’t logged, then you wouldn’t have the ability to go back and review what happened.