Is my WP site being hacked?

My process for cleaning a hacked site includes

  • changing all credentials (user/pass) on hosting, FTP, WP (don’t use an admin-level user called ‘admin’)
  • updating everything- from the repository – WP, themes, plugins. Remove old/unused plugins and themes
  • use FTP of file manager to check every folder for files that look out of place (look at the datestamp of the files; since you updated everything, the bad files should be easily visible)
  • look at the generated pages source for things that shouldn’t be there.

There is guidance all over the googles about cleaning hackedsites. And I wrote up a procedure that I use here: https://securitydawg.com/recovering-from-a-hacked-wordpress-site/

It can be done, just takes a bit of work.

Related Posts:

  1. Could a user account with a stolen password compromised entire WP site?
  2. Verifying that I have fully removed a WordPress hack?
  3. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  4. Where to securely store API keys and passwords in WordPress?
  5. Why are passwords exportable as plain text in WordPress?
  6. Tips for finding SPAM links injected into the_content
  7. How is password strength calculated?
  8. Make password invalid once logged out of password-protected page
  9. What should I do about hacked server?
  10. How can I find security hole in my wordpress site?
  11. Can’t reset WordPress password
  12. Is the “lost password” feature truly a vulnerability?
  13. How to prevent bot or someone to modify any file automatically?
  14. Frontend Password change
  15. Is it possible to reduce the minimum character length for passwords?
  16. wp-config.php modified?
  17. Is there any point setting the keys and salts in wp-config.php?
  18. Suspicious Files
  19. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  20. When is wp_set_password() called or how to capture a password
  21. Moving away from MD5: Where to declare the custom global $wp_hasher?
  22. How to get WordPress to send Password Reset Link Email instead of New Password?
  23. Malware script in database post table only? [closed]
  24. Verifying that I have fully removed a WordPress hack?
  25. How can I safely hide the fact that my website runs on WordPress? [closed]
  26. My WordPress Websites are always under attack
  27. How to find exploited wordpress plugin [closed]
  28. Basic password protection without using users and roles
  29. How can I force a specific password?
  30. Can a WordPress administrator see other users’ passwords?
  31. Any known bugs that could cause disappearance of the wp_users table?
  32. On new server, site got hacked, permissions a bit strange? Please help
  33. Replace domain in database
  34. Remove hacked code – out of ideas! [closed]
  35. After limiting the access to my wp-login.php by IP through .htaccess, all my password-protected posts stopped working. What’s the best solution now?
  36. WordPress Database Re-installed (Hacked)
  37. Verifying that I have fully removed a WordPress hack?
  38. Password-protect feed and make it usable in major aggregators
  39. how to find the way they hacked my WP site
  40. How to set custom validation for WordPress Passwords?
  41. How to stop repeated hack on header.php of custom theme? [closed]
  42. My WP site and password was hacked, what to do? [closed]
  43. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  44. WordPress Hacks/Defacing [closed]
  45. How to get real password (before encrypt) when register a user?
  46. Directory to store secure file
  47. Can you alter the default wordpress strong password requirements?
  48. SSL Error: unable to get local issuer certificate
  49. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  50. Why does the URL http://a/%%30%30 crash Google Chrome?
  51. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  52. Can an attacker use inspect element harmfully?
  53. WordPress 4.7.1 REST API still exposing users
  54. Should I escape wordpress functions like the_title, the_excerpt, the_content
  55. Why does WordPress need my private ssh key to update?
  56. When to use esc_html and when to use sanitize_text_field?
  57. Will there be security updates for 3.1 once 3.2 is released?
  58. multi page password protection
  59. WordPress it’s cleaning a custom query_var to avoid sql injections?
  60. Can someone explain the use cases of esc_html?
  61. Is WordPress vulnerable to the httpoxy?
  62. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  63. Is there a security risk giving someone temporary access to my blog’s code?
  64. How to properly sanitize/secure a WP Query coming from the front end
  65. Website is being flooded [closed]
  66. password protected post policy
  67. Security issues with WP sites
  68. Where to store OAuth 2.0 client id and secret?
  69. Security – Shortcode injection attack
  70. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  71. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  72. Would it be dangerous to send all the wp_options to javascript file?
  73. Changing Table Prefixes – once done, am I good to go going forward?
  74. Force user to change their password on the frontend at the first login and password policy
  75. How can I display nickname instead username in links
  76. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  77. Secure WordPress: Change admin
  78. Changing the default header name
  79. Is it safe to use a global wp nonce per user instead of a nonce per action?
  80. Wordfence detects change in wp-admin/includes/upgrade.php
  81. Password minimum length in personal subscription [closed]
  82. Will there be security updates for WordPress 4.9.9
  83. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  84. 404/500 error on content images if Referer header is from another domain [closed]
  85. Content-Security-Policy blocks WordPress check boxes from being activated
  86. Restrict Access without Creating Users
  87. Switching between security plugins is a risk?
  88. How to obfuscate wp-config.php or code
  89. Are major WordPress updates mandatory for security?
  90. i moved wp-config.php outside of public html and this broke my website
  91. Is it safe to use the basic administration with reduced rights for private member space
  92. How can I stop other plugins from using my class’ sensitive methods?
  93. wordpress security (only one part of the site)
  94. Folder Permissions + Security Concerns
  95. Malware/Permission bug removal?
  96. What techniques can a user employ to achieve a password rated “strong” in the WordPress password checker
  97. is this code properly secured
  98. nginx + wordpress: Best practices for configuring it to be secure, reliable, and fast? [closed]
  99. SSH keypair generation: RSA or DSA?
  100. WordPress – tracking options