We would like to talk about whether hacking (tampering) with a WordPress site can lead to a case for damages for users who access the site, based on our experience.

Will users who access a hacked website be compensated for damages?

We have detected and removed malware from hacked websites of large and small companies, government offices, and politicians, and we have never heard of any damages incurred by the users (users who accessed the website) of such websites.

We will explain the reason for this.

The operator of the hacked site is also a victim.
When a site is defaced, the site operator is also a victim, and the hacker is often an overseas person. It is extremely difficult to identify the hacker, and therefore, it is extremely difficult to recover damages from the hacker.
Reference
When WordPress is hacked, do you know the cause and date of the hack?

Information Leakage from WordPress Sites
Most WordPress sites do not contain much information beyond what is displayed on the site, even if the entire database or data is compromised (including the administrator’s password). (Admin user passwords are also encrypted.)
Therefore, hackers do not hack for the purpose of leaking information, and the number of sites that may be liable for damages for information leaks is small in absolute terms.

However, if you are using WordPress to run your e-commerce site such as Woocommerce, it is possible that your customer’s address or purchase data may be leaked due to a database leak. For this reason, we recommend that e-commerce sites (sites that record personal information such as customer information on WordPress) take particularly strong security measures, such as plug-ins.

Reference
Five free WordPress security measures

Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]

Installation of unauthorized software or theft of login passwords
There is a possibility that a user may install a virus or other software from a hacked website. In most cases, however, such software is not installed on your server, but is instead hosted on another site that has been defaced to direct users to your site. Although you should avoid creating an indirect cause of damage to users, this is another case where hackers are the main actors and perpetrators of unauthorized access.

Recently, malware that displays a fake login screen to users and steals login IDs and passwords from Google, etc., is also spreading. In most cases, these fraudulent login screens are also hosted on other sites that have been altered to induce users to visit your company’s site. The illegally obtained information is also sent to the hacker, and in this case, too, the hacker is the illicit gainer, the subject of the unauthorized access, and the perpetrator.

It is important to remove malware and tampering as soon as possible to minimize the possibility of secondary damage to the user.

If your site is infected with malware, it is important to remove the malware as soon as possible to prevent secondary damage to users visiting your site, and to restore the site and take security measures to prevent similar hacking damage in the future.

Cases in which malware infection of a website led to a lawsuit

There was one case in which a site we were contracted to remove malware developed into a lawsuit. This case is introduced at the end of this article.

In this case, the management company that had a maintenance contract with the site was sued by the site company. (In other words, the site creator was sued, not the users who accessed the site.)

In this case, the company that operates and maintains the site, despite the fact that the site’s owner complained of symptoms of malware infection, informed the user that there was no malware infection and left the site unattended without taking any countermeasures. As a result, the site did not appear in searches due to malware infection, and the company suffered significant damages.

In order to avoid such a case, we recommend that you perform malware inspection and disinfection of suspected malware-infected sites as promptly as possible.

Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal].