This section describes 10 common symptoms of WordPress being hacked (tampering malware infection).


1 Forced to go to another site when accessing a site or clicking on a link

This is the most common type of tampering with WordPress sites that causes this symptom these days.
Hackers embed scripts in wp-config.php, index.php, or the theme’s header.php, all of which must be loaded by WordPress, to force users to go to a different site.
The sites to which users are forced to jump are often fake sweepstakes sites or fake virus detection software sites.
This symptom is recorded in a cookie and may only occur rarely, such as once a day.

2 Search results pull up pages of shopping sites or information that have nothing to do with your site.

When searching for your (your company’s) site name, a large number of fake pages will be trapped in the search results under your domain. This type of tampering is achieved by altering the sitemap (sitemap.xml), which tells search engines the URLs contained in your site.
Also, fox-c and fox-404 malware are designed to host a large number of malicious pages on the server, and these pages may appear in search results.

The number of accesses to the site may drop dramatically due to the obstruction of search results and inflow of traffic.

3 This site has been hacked in Google search results

If the message “This site may have been hacked by a third party” or “This site may damage your computer” appears in Google search results, it is because Google has detected malware on the site and issued a warning.
In this case, you will need to remove the malware and request a re-examination through Search Console or other means.

4 When accessing the site, a warning appears on a bright red screen.

When you try to access a website with your browser, a bright red screen will appear with a message such as “You are trying to access a fake site,” “The site you are accessing has a dangerous application,” “Scam website warning,” “Warning: This is a dangerous site,” “The site ahead contains a harmful program,” etc. and you are unable to access the site, it indicates that the site has been registered on your browser’s list of dangerous sites due to malware infection.
In this case, it is necessary to remove the malware and request a re-examination of the site through Search Console or other means.

5 Some pages of the administration page have a 403 error.

Some malware nowadays modifies the HTACCESS file to make certain (PHP) files in the admin panel inaccessible.
In this case, only files with a .php extension become inaccessible, and many pages in the WordPress administration screen become inaccessible with a 403 error.

6 Site suddenly becomes inaccessible

Sometimes a server management company detects malware and, in an attempt to stop the malware activity, deletes files or forces file permissions to 000 (make them unexecutable).
As a result, the operation of important WordPress files may be interfered with and the entire site may become inaccessible (blank screen or 500 error).
In this case, you will receive an email from the server administrator informing you of the problem, and you will need to follow the instructions to remove the malware.

7 WordPress is receiving an increasing number of unidentified users.

Some malware can create a user with administrator privileges on WordPress, allowing hackers to log in to the administration screen at will.
This user is generally a random string of user names and email addresses, so it is somewhat discernible.
Removing this unauthorized user does not reassure you; it is more likely that the vulnerability that allowed the user to be created or a hacker entry point, called a backdoor, remains on the server.

8 I receive complaints that I can’t access the site only from mobile phone users.

Some malware targets only smartphone users, sending users to a different site only when they access the site with their smartphone and only once a day, etc., which is rare. Or there are types that try to get the user to download a virus.

The complainant may not be able to reproduce the situation and may be late in responding to or detecting the malware infection. However, in rare cases, such symptoms may be caused by a virus infection of the user’s device.
When we receive such a complaint from a user, we need to ask about the device and the environment in which it was accessed to see if we can reproduce the situation.

9 The site is extremely slow, the layout is corrupted, or users cannot log in to the administration page.

This symptom may be caused by something other than malware, but it may also be caused by malware.
Malware code is often of low quality and can cause the site to behave in ways that hackers do not intend, such as extremely slowing down the site or corrupting the layout.
The type of malware described in section 5 above may also block access to certain files in the theme or block login to the administration panel, causing the site to display incorrectly without loading the stylesheet or making it impossible to log in to the administration panel.

10 Become a spam e-mail distribution source

Some malware has the ability to distribute a large number of spam e-mails. Therefore, if you are infected with malware, you may unknowingly become a spammer.
In this case, even legitimate emails sent by your company may be judged as spam, or the server logs may show that you are sending excessive amounts of email, and your email delivery may be stopped, or you may receive complaints from recipients of spam emails.

How do I eliminate hacking of my WordPress site?

Detecting WordPress hacking and tampering
Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].
We encourage you to use the following

Alternatively, WordPress Doctor’s experienced malware removal specialists can remove malware from your site and take security measures on your behalf. Please feel free to send us your inquiries.