What Does a Hacked WordPress Site Look Like?

Even with every measure in place, it is hard to completely eliminate the possibility of a site getting hacked. WordPress, in particular, is targeted more than other websites because of its wide use.

To properly maintain a WordPress site you should be:

  • Updating Plugins as soon as updates come out
  • Updating the WordPress Core as soon as feasible, especially incremental security patches
  • Making backups so when the worst happens, it can be fixed

What Happened:

A wpONcall client (we will keep them anonymous) was up to date on all updates and everything was running normally the previous day. The next morning we awoke to a site that was completely hacked, left with this landing page:

The hackers gained entry to the file system and completely removed the entire WordPress install, including theme files and all uploads. We were left with a one-file web page, which contained the hackers message.

I will give the hacker some credit that their page was creatively constructed. All styling and media elements were part of his/her index page so that it was not reliant on any external files. The hacked page contained everything from a Facebook like button to an embedded audio file playing the song, “We Own It” by 2 Chainz & Wiz Khalifa. It was a pretty scary page, to say the least.

Could This Have Been Prevented?

Every measure has been taken to keep the site from being hacked, including proactively updating plugins and WordPress as soon as updates became available. Even with this proactive maintenance, the hacker found a way into the file system of the hosting account. It is hard to say for sure, but the site could have been compromised through the hosting company or through a theme vulnerability (the site was built from a custom theme).

What Did We Do to Fix It?

backupssaveBecause we make weekly backups of all websites, we were quick to respond. The first step was to remove the malicious page and put up a temporary blank page. We retrieved our backup taken a few days previous from our cloud service. After uploading the un-affected site, we needed to clear the site cache and reset permalinks to get everything working again. The last step was resetting all administrator passwords to ensure it was not a password breach to the site.

Is it Likely the Site Will be Re-Hacked?

We typically do not see sites re-infected right after restoration, but we cannot be too careful. wpONcall will keep a close eye on the site and make sure there is no new malware or compromises to the website.

The Lesson:

Always, always make a backup of your site. The hacker deleted everything from the server. There was no fix for this except restoring the site from a recent backup.


Has your site ever been hacked? Did you know what to do to get things back to where they should be?

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *