How is my WordPress website hacked?

Change of your homepage

There are many ways of being hacked. One of them is having your website's home page replaced with the hacker's content.

How could I get hacked?

There are countless ways your website can get hacked. The major causes are as follows:

  • Outdated WordPress core, plugins and themes
  • Bruteforce attacks
  • Hosting is not secure
  • File permissions not set correctly
  • Your passwords were stolen

Reduce vulnerabilities

To reduce vulnerabilities, keep your website updated, including the core, plugins and themes.

Remove unused plugins and deactivated themes, and keep the number of plugins limited.

To reduce the risk of brute-force attacks, limit login attempts, choose strong passwords, add a CAPTCHA to the login forms, and enable two-factor authentication.

You should also ensure that your website uses a valid SSL certificate and that http URLs always redirect to https. Also, never access your server via FTP; use SFTP instead.

Identifying the root cause

The first step is to check how your website is serving the hacker's content. Is your website redirecting to another page, or is it displaying the hacker's content on the same URL as your website?

Is the hack via WordPress or via nginx?

Is the hack done by rewriting the index.php file, or by a more subtle method?

To identify the URLs used for scanning your website, use the nginx access logs.

Sometimes the hacker removes the logs for a certain period. To list the nginx logs sorted by date, use this command:

sudo ls -ltr /var/log/nginx/*access*
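
To look inside the access logs rather than only at their file dates, the following sketch flags long silences between entries (a possible sign of removed log lines) and counts login POSTs per client IP. It is an added example, not code from the original post; it assumes the default nginx "combined" log format, and the sample lines, the 30-minute threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [21/Feb/2025:07:58:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '203.0.113.7 - - [21/Feb/2025:07:58:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1234 "-" "curl/8.0"',
    '203.0.113.7 - - [21/Feb/2025:07:58:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [21/Feb/2025:07:59:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Feb/2025:09:31:45 +0000] "GET / HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
]

def parse(lines):
    """Yield (time, ip, method, path, status) for each line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield ts, m["ip"], m["method"], m["path"], int(m["status"])

def find_gaps(entries, threshold=timedelta(minutes=30)):
    """Return (last_seen, next_seen) pairs that are further apart than threshold."""
    times = sorted(e[0] for e in entries)
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > threshold]

def login_posts_per_ip(entries):
    """Count POST requests to wp-login.php and xmlrpc.php per client IP."""
    hits = Counter()
    for _, ip, method, path, _ in entries:
        if method == "POST" and path.split("?")[0] in ("/wp-login.php", "/xmlrpc.php"):
            hits[ip] += 1
    return hits

if __name__ == "__main__":
    entries = list(parse(SAMPLE))
    for a, b in find_gaps(entries):
        print(f"no entries between {a} and {b}")
    for ip, n in login_posts_per_ip(entries).most_common():
        print(f"{ip}: {n} login POSTs")
```

A gap is only a lead: a low-traffic site is quiet at night anyway, so compare any gap against the same hours on other days before treating it as tampering.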

In your WordPress root folder, check which files have been changed recently:

ls -l --full-time

If you are able to identify the date and time of hacking, check what has happened on your system around that time:

sudo journalctl --since "2025-02-21 08:00:00" --until "2025-02-21 9:00:00"

Another important question is whether your server is being updated properly. To check the update dates, use this command:

cat /var/log/apt/history.log | grep 'Start-Date'

In addition, list all SSH logins recorded in auth.log with commands such as:

sudo grep 'Accepted' /var/log/auth.log
sudo zgrep 'Accepted' /var/log/auth.log.4.gz

MySQL access is another concern to consider:

sudo grep 'mysqld' /var/log/auth.log
sudo zgrep 'mysqld' /var/log/auth.log.4.gz

Scan for vulnerabilities

There are WordPress plugins that scan for security issues and report them. Two well-known ones are:

  • Wordfence
  • Sucuri

There is also a WordPress security scanner called WPScan that can check your WordPress website from the viewpoint of your local computer. Please note that scanning other people's websites without permission is unethical and illegal! Use this tool only for checking your own website.

To install this tool on Ubuntu via RubyGems:

gem install wpscan

or run it via Docker:

sudo docker pull wpscanteam/wpscan
sudo docker run -it --rm wpscanteam/wpscan --url https://mywebsite.com/ --enumerate u

Replace https://mywebsite.com/ with the name of your website.

Another tool for checking your website for vulnerabilities and weaknesses is Burp Suite.

What to do after being hacked?

Don't panic, but there is not much you can do. Throw away the whole server, as you do not know how far the hacker has penetrated your server machine or whether your server is already being used to attack someone else.

Your database and your code are now potentially infected. You must restore your database and code onto a new server from a database backup and a code backup, instead of using the current database or code.

What to do before being hacked?

Take regular daily/monthly/yearly backups, and keep a copy of them off the website. Then, when the website is infected, the backup copies are safe.

Always keep your server up to date.

Keep your WordPress website and its theme and plugins updated and remove what you do not use.

Scan your website with the above-mentioned scanners to identify any vulnerabilities.

wordpress
security
Software and digital electronics / IT
Posted by admin
2025-03-15 08:17