How To Tell if Your WordPress Site is Hacked

There are a couple different ways to monitor your site and be notified if your site was acting malicious, which is a sign of being hacked.

On the service side, you can use the Google Webmaster Tools assuming you are signed up for it and Google is indexing your site.

On a local WordPress plugin side, you can use one or more of the following plugins. I say one or more because each plugin behaves a bit differently, and the signatures they use are different as well. I wouldn’t go overboard and install all of them though.

  • Sucuri Security – SiteCheck Malware Scanner – Enables you to scan your WordPress site using Sucuri SiteCheck and verify the integrity of your WordPress site.
  • Exploit Scanner – Search the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers.
  • Look-See Security Scanner – Verify the integrity of a WP installation by scanning for unexpected or modified files.


How to Monitor Your WordPress Site

To monitor your WordPress site for various types of activities, I recommend a few plugins to assist you so that you don’t have to do it manually.

For monitoring the activity of a logged in user, you can use one of the following plugins. They both provide detailed user activity logs such as when they logged in, what did they change, what did they install, etc.

  • Stream – Track and monitor every change made on your WordPress site in beautifully organized detail.
  • WP Security Audit Log – Identify WordPress security issues before they become a problem. Keep an audit log of everything that happens on WordPress including WordPress user activity.

For keeping track of file changes, one plugin stands out to help with this activity.

  • WordPress File Monitor Plus – Monitor files under your WP installation for changes. When a change occurs, be notified via email. This plugin is a fork of WordPress File Monitor.

How to Restrict WordPress Access

Here is some tactical advice for you to implement in your WordPress site so that you can restrict access and put better controls on your system.

  1. Create an author or editor role for yourself and use this account for all your posting.
  2. Don’t use the admin role for posting content. Only use the admin role for specific administrative functions such as upgrades.
  3. Only allow your WordPress web server to access the WordPress database. Don’t allow everyone on the internet to even be able to get to the front door of your database and attempt a login.
  4. Restrict login attempts and protect your site against brute force attacks with a plugin. Limit Login Attempts works well for this.

How to Backup Your WordPress Site

As your WordPress site is your online presence, you want to make sure you have a backup of all the key items. Those items are likely the custom file modifications, and the database. WordPress core, plugins, and themes could all be downloaded again if you needed to, which is why I consider them a nice to have in the backup process.

There are multiple ways to create backups of these files from manual, to plugin automation, to vendor provided solutions.

Manual: Who wants this? It is time consuming and a hassle to login to multuple locations, download files, and archive them.

WordPress Backup Plugins: These will automate the process and save you time and frustration.

  • BackWPup (free plugin) – Can save to multiple locations such as directory, ftp, dropbox, amazon s3, etc.
  • BackUpWordPress (free plugin) – Saves backup locally.
  • BackupBuddy (paid plugin) – Can save to multiple locations such as directory, ftp, dropbox, rackspace cloud, amazon s3, etc.
  • VaultPress (paid plugin + monthly service) – Does everything you want and provides the storage space as well so you don’t have to worry about where to backups are stored either.

Also note that some web providers / hosts perform backups on your behalf already, so you might want to investigate the built in options at a server and host level too.

Finding Secure WordPress Plugins

Having an updated WordPress core site doesn’t do anything for security if you are running plugins that are not secure. Plugins run at the same authority as WordPress itself and it only takes one bad plugin to risk your whole site’s security so you want to be sure that the plugins that you have are not risky. While there is no good assurance for plugin security other than a security code review which could be very costly, there are some basic due diligence items that you can research and determine a plugin’s stance in relation to security and vulnerabilities.

  • Review the author’s homepage and background. Do they have a history of secure code? Do they have independent 3rd parties review the code for security vulnerabilities? Do they state that the code is secure?
  • Identify who is behind the plugin. Is it a professional plugin author that has time and expertise to create a secure plugin and maintain it? Is it someone that is learning how to code by providing a neat plugin?
  • Are there any open vulnerabilities for the plugin? Use your favorite search engine and search for [plugin name] + vulnerability or [plugin name] + exploit. Not every plugin will have a vulnerability so don’t be fearful if you don’t find anything.
  • Review the plugin’s changelog. Does it involve patching of security vulnerabilities? Once again, not every plugin will have a vulnerability so don’t be fearful if nothing is listed.
  • Determine if the plugin is maintained. If the author(s) don’t update it to maintain compatibility or feature updates, then it might be abandoned and in the case of a security issue were to come up, you would be out of luck for a provided fix and left to address it yourself.
  • Review the user ratings and comments. Are they responsive and have high support levels? While this is not specifically a security question, it does provide insight into the responsiveness and professionalism of a company. It could translate into security responsiveness if an issue were to come up.

What other due diligence review items do you go through?

How to Maintain WordPress Software Security

Just as your desktop software, you should keep your WordPress software up to date as well. With WordPress running a majority of websites now, more attackers are looking for vulnerabilities as it would have a high return rate for them. There have been various vulnerabilities identified with WordPress in the past, and they have a good track record of addressing them in a timely manner.

If you have a recent WordPress installation (3.7 or above),  then you likely have automatic updates for WordPress core already going. That is certainly good news as its one less thing to remember, but I generally don’t like automatic updates because it doesn’t give you the ability to test and make sure your site is fully working.

As to your plugins and themes, you will want to make a habit out of logging into the WordPress admin panel and check for updates at least on a monthly basis (just as you should be doing with your normal desktop updates). Or if you want to take the automatic updates approach for plugins and themes as well, there is a plugin called Advanced Automatic Updates which will do that activity for you.

Also note that some web providers / hosts perform updates on your behalf already, so you should understand the built in options at a server and host level.