WordPress site has been hacked

Even as you read this post, there will probably have been some access attempts on your site – hacking is a real threat to all websites, but if yours is properly set up, you can avoid it.

Protecting your site from hackers is very important. If you do get hacked it can take your site down and result in a security warning appearing in the search results and when people visit your site. A worse case scenario is when the hackers leave the site live, but add malware to send out 1000s of emails from your site. You might not even know this is happening and it can go on for weeks, resulting in your site being blacklisted and your placement in the search suffering.

Common types of WordPress hack.

Malware is by far the most common WordPress site hack. You’ll often know if your WordPress site has been hacked by a warning in Googles Search Console (webmaster tools), a huge red warning screen when you visit the site using Chrome, or your hosting company taking the site down for you.

Other types of hack can involve scripts creating additional pages on your site, that you might not even know about. Often, this sort of hack goes on unnoticed until you start seeing Google penalties for having a spammy site. The longer this type of hack goes on, the longer it takes to recover from the damage.

Site takeovers can also happen when malicious scripts hijack the home page of your WordPress site and replace it with something else. These hacks can also be quite sneaky as on desktop your site might look fine, but on mobile, the script runs, replacing your home page, or redirecting the visitor to another site (and these sites aren’t often nice).

Why has your WordPress site been hacked?

Because they can. It’s that simple. At the time of writing this, one of Toast’s sites had blocked 70,000 malicious access attempts. They are out they 24/7 trying to gain access to your site, and there are lots of ways that hackers can get in.

Rubbish Passwords

Password1 is not a good password. Neither are dictionary words. Weak passwords allow brute-force access to your site. Hackers visit your site and try 100s of different passwords to get access.

Guessable usernames

Never leave the default Admin username – you’re giving the hackers fifty percent of the puzzle – they’ll always try using the Admin username first. If you use it, you’re making it easier for them.


Does your site have a red circle with a number in it next to the Plugins section? Yes? Then you are opening yourself up for trouble. There’s a reason plugins need to be updated – to fix backdoor security issues and to stay up-to-date with everything else. Outdated plugins can allow hackers access to your site.

WordPress core files

Always make sure that your WordPress install is up to date. The WordPress team spend a lot of time improving the software to stay ahead of the hackers. If your install is old, you’re going to attract hackers that will exploit known security issues.

What to do if you’ve been hacked.

There is a lot of information out there on what to do if your WordPress site has been hacked, so we’re not going to list it all here – a simple google will find everything you need.

However, if, like a lot of people, the technical side of cleaning a hacked WordPress site is not your forte, Toast can help you sort it.

We do this a lot, so we can quickly get your site back up and running, make sure it’s clear of infected files and keep it that way.

If your WordPress site has been hacked and you’d like help sorting it out, just get in touch via the link below.

We can help with all things WordPress.

If you need to improve your existing site or are looking to commission a new website, call us on 01295 266644 or complete the form - we'll get in touch!