How to identify a compromised WordPress site
A compromised WordPress site most of the time exhibits several symptoms. In this post we describe what those symptoms are and point you to some tools that can tell you whether your website shows any or all of them.
Symptoms of a compromised WordPress site
Most of the symptoms involve your website behaving in a strange way, as well as odd-looking files and HTML code starting to appear left and right. Let’s view them one by one!
1. Your website starts sending spam
Although it is much easier to identify incoming spam than outgoing, there are a couple of things you can do to see if someone is using your site to send spam:
- Check your mail logs (usually under /var/log). An unusual number of outgoing messages being rejected with a 550 Sender prohibited by SPF error is suspicious, and if you have SPF records configured for your domain it is a definite red flag.
- There are various websites, such as MXToolbox and UltraTools RBL Database LookUp, that can tell you whether your site has been blacklisted as a spam source. Several such lists exist, so search as many as you can find: not being listed in one does not mean you are 100% clear.
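One way to turn the mail log check into something repeatable, as an added example that is not part of the original post: it parses constructed Postfix-style log lines, counts 550 SPF rejections per hour and flags hours above an assumed baseline (the log format, the host names and the threshold are assumptions; adjust the regex to your own MTA).

```python
import re
from collections import Counter
from datetime import datetime

# Constructed log format modelled on Postfix's smtp delivery lines (assumption: adapt to your MTA)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S+\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<to>[^>]+)>.*status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

def parse_line(line, year=2024):
    """Parse one delivery line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "to": m["to"], "status": m["status"], "reason": m["reason"]}

def spf_rejections_per_hour(lines):
    """Count messages bounced with a 550 SPF rejection, bucketed by hour."""
    buckets = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == "bounced" and "550" in rec["reason"] and "SPF" in rec["reason"]:
            buckets[rec["ts"].strftime("%b %d %H:00")] += 1
    return buckets

def flag_spam_bursts(lines, threshold=20):
    """Return the hours in which SPF rejections reached the threshold (assumed baseline)."""
    return sorted(h for h, n in spf_rejections_per_hour(lines).items() if n >= threshold)

# Constructed sample log: 25 SPF rejections within one hour plus one legitimate delivery
SAMPLE_LOG = [
    f"Mar 14 03:{i:02d}:11 web postfix/smtp[4123]: 7A1B{i:02X}: to=<user{i}@mail.example.net>, "
    f"relay=mx.example.net[192.0.2.10]:25, dsn=5.7.1, status=bounced "
    f"(host mx.example.net said: 550 Sender prohibited by SPF)"
    for i in range(25)
] + [
    "Mar 14 03:30:00 web postfix/smtp[4123]: 7A1C00: to=<owner@example.com>, "
    "relay=mx.example.com[192.0.2.20]:25, dsn=2.0.0, status=sent (250 OK)"
]

if __name__ == "__main__":
    for hour in flag_spam_bursts(SAMPLE_LOG):
        print(f"{hour}: {spf_rejections_per_hour(SAMPLE_LOG)[hour]} SPF rejections, investigate outgoing mail")
```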
2. Your website redirects you somewhere else.
This is probably the easiest symptom to spot. When you visit your website, instead of viewing your web page, you get redirected to somewhere strange. First of all, check to see if your DNS records have changed, and now point to a different IP address.
If your DNS records seem fine, then it is highly probable that there is something in your HTML page causing that redirect. Try to disable your browser’s Javascript support, and see again if your website is redirecting you. If the redirect persists, then it is a sign that other areas of your website are most probably tampered with (either your database, your website’s .htaccess file, or your web server configuration).
3. Your website contains suspicious iframes.
An iframe is an “embedded” HTML document within another HTML document, used to display content from another source, usually advertisements. Visible iframes are easy to spot; however, many are so small (sometimes only a couple of pixels!) that you can easily miss them. Open your HTML file in an editor and look for <iframe> tags that try to connect to unknown or suspicious-looking URLs. Comment them out by wrapping them in HTML comment tags (<!-- ... -->). Do not stop there: if your HTML files have been tampered with, your website is definitely compromised, and other areas of it may have been tampered with too.
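The manual search for tiny or hidden iframes described above, as an added example that is not part of the original post: it walks a page with Python's HTML parser and reports every iframe whose host is not on an allowlist, whose size is only a couple of pixels, or which is hidden via CSS (the allowlist and the sample page are constructed assumptions).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately embeds from (assumption: replace with your own list)
ALLOWED_HOSTS = {"example.com", "www.youtube.com"}

def _px(value):
    """Turn a width/height attribute such as '1', '1px' or '100%' into pixels, or None if not a plain number."""
    if value is None:
        return None
    value = value.strip().lower().rstrip("px")
    return int(value) if value.isdigit() else None

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = urlparse(src).hostname or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if host and host not in ALLOWED_HOSTS:
            reasons.append(f"unknown host {host}")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= 2) or (h is not None and h <= 2):
            reasons.append("tiny size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append({"line": self.getpos()[0], "src": src, "reasons": reasons})

def find_suspicious_iframes(html):
    """Return a list of findings (line number, src, reasons) for iframes worth a closer look."""
    parser = IframeFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample page: one legitimate embed and one injected 1x1 hidden frame
SAMPLE = """<html><body>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://unknown.example.net/x.php" width="1" height="1" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE):
        print(f"line {f['line']}: {f['src']} -> {', '.join(f['reasons'])}")
```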
4. Your website opens pop-ups on load.
This is also an easy sign to spot. Your website loads pop-up windows that clearly are out of place. Some of them, called pop-unders, are more insidious. These are not visible when you visit your website but are loaded in the background. However, if you minimise your browser, you instantly see them, usually taking up a large portion of your screen.
5. Garbled and strange-looking PHP files.
Discovering PHP files that look seemingly incomprehensible such as the following example is always a definite warning sign that someone has tampered with your website:
<?php eval("\145\166\141\154\050\142\141\163'==QfgsDdphXZgsTKog2c1xmZgszJ+QHcpJ3Yz…
The technical term for these types of files is “obfuscated”. Obfuscation is a common technique hackers use to hide the origin of a (usually malicious) piece of code, or to make it very difficult to read and understand what its function is.
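A heuristic scanner for obfuscated PHP of the kind shown above, as an added example that is not part of the original post: it looks for the telltale combination of eval-style calls, octal or hex escaped string literals (the sample's "\145\166\141\154\050\142\141\163" spells out eval(bas) and long high-entropy blobs. The indicator list, the entropy threshold and the sample files are constructed assumptions, so expect to tune them for your own code base.

```python
import math
import pathlib
import random
import re
import string
from collections import Counter

# Indicators that tend to appear together in obfuscated PHP (assumption: tune for your site)
DANGEROUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
OCTAL_ESCAPES = re.compile(r"(\\[0-7]{3}){4,}")      # e.g. \145\166\141\154 spelling out "eval"
HEX_ESCAPES = re.compile(r"(\\x[0-9a-fA-F]{2}){4,}")
LONG_BLOB = re.compile(r"[A-Za-z0-9+/=]{120,}")      # long base64-looking runs

def shannon_entropy(s):
    """Bits of entropy per character; natural text sits around 4, base64 payloads well above."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_php(source):
    """Return the list of reasons why the PHP source looks obfuscated (empty list = nothing found)."""
    reasons = []
    calls = {m.group(1).lower() for m in DANGEROUS_CALLS.finditer(source)}
    if calls:
        reasons.append("suspicious calls: " + ", ".join(sorted(calls)))
    if OCTAL_ESCAPES.search(source) or HEX_ESCAPES.search(source):
        reasons.append("escaped-byte string literals")
    for blob in LONG_BLOB.findall(source):
        if shannon_entropy(blob) > 4.5:
            reasons.append(f"high-entropy blob ({len(blob)} chars)")
            break
    return reasons

def scan_tree(root):
    """Walk a directory and return {path: reasons} for every .php file that trips a heuristic."""
    hits = {}
    for p in pathlib.Path(root).rglob("*.php"):
        reasons = score_php(p.read_text(errors="replace"))
        if reasons:
            hits[str(p)] = reasons
    return hits

# Constructed samples: a benign file and one in the style of the snippet above (seeded random blob)
CLEAN = "<?php\nfunction greet($name) { return 'Hello ' . htmlspecialchars($name); }\n"
_BLOB = "".join(random.Random(7).choices(string.ascii_letters + string.digits + "+/", k=200))
OBFUSCATED = '<?php eval("\\145\\166\\141\\154\\050\\142\\141\\163\\145\\066\\064" . base64_decode("' + _BLOB + '"));'
```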
6. Backdoors, webshells, admin accounts
Webshells are programs that can be used by hackers to connect remotely and gain full administrative access to your website. These programs allow remote web access to your server’s shell (hence the term webshell) so that anyone connecting to them can execute commands. Chances are that if you find an obfuscated PHP file somewhere, it is a webshell.
Hackers can also create accounts with administrative rights to use them as backdoors. These are relatively easy to find since they are visible in the WordPress backend, or in your database.
Tools to help you identify suspicious activity
There are several tools that can help you identify whether your website has been tampered with. If you think you have been compromised or infected, it is a good idea to check your website with all of them: not all of these services check the same things, so you will get a more rounded view. All of the resources below are free to use and only require you to type in your website URL.
In particular, if you think you are infected with malicious iframes, popups, redirects and other javascript beasts, the following websites will let you know immediately:
- Sucuri’s SiteCheck and unmaskparasites. These will check for known malware, whether your website is blacklisted and much more.
- Google Transparency Report. This will show you whether your website is deemed “dangerous to visit” according to Google.
- VirusTotal is a free service that can analyze URLs and files to see whether they contain any malicious content.
- Free Online Website Malware Scanner by PC Risk. Searches your site for “malicious code, hidden iframes, vulnerability exploits, infected files and other suspicious activities.”
- Quttera’s Free Website Malware Scanner. Searches your site for “suspicious scripts, malicious media and other web security threats hidden into legitimate content and located on websites”. It produces a security report, with each finding categorised according to threat level.
There are also several WordPress plugins that help you keep your WordPress site secure. Make sure to also check this excellent guide to the 7 best WordPress security plugins by InfoSec.
It is of utmost importance to clean up your site as soon as you find any malicious content and to patch its vulnerabilities. A compromised website means outages or abnormal behaviour that can and will ultimately affect the livelihood of your business!