Make Sure Your WordPress is Not Hacked

by Daniel in — 24 Comments — Updated — Reading Time: 2 minutes

Lately there there seems to be a hacking spree around old versions of WordPress. Most of the times the hacker will edit your theme files to insert spam links. One of my older and non-active blogs got that problem, and I had several friends complaining to me about it as well when chatting over IM.

I would therefore recommend that all of you run a quick check on your WordPress to make sure it has not being compromised.

How do I find if I have been hacked?

The easiest way to identify the spam links is to open your website on a browser and take a look at the source code. Pay particular attention to the header and footer of your HTML, and check if they are links there that were not supposed to be (usually they are related to pharmacy, drugs, credit cards and related).

Page Source Spam Links

If you use Firefox you can also click on “Tools,” then “Page Info,” and then “Links.” This window will show all the outgoing links from the current web page that you are visiting.

Firefox Page Info

Finally, you should also examine all your theme files and your WordPress installation for any file or piece of code that looks suspicious.

How do I fix the problem?

Most of the blogs that get hacked are older versions of WordPress that still have several security bugs open, so the first line of defense that you have is to stay updated with the newer versions. If you have been procrastinating your update to WordPress 2.5 make sure to check the Automatic Upgrade plugin, it makes the process really a piece of cake.

Secondly, you should also secure your WP-Admin folder by allowing access only to certain IP addresses. You can do that by creating a .htaccess file (a simple text file named that way) and by dropping it inside your WP-Admin folder with the code found on the article 3 Must Apply Security Tips for WordPress.

Thirdly, you should also disable the navigation of directories on your whole website, so that people can not view what plugins you are using or other sensitive data. You can do this easily by adding the following line to the .htaccess file located on your root directory:

Options -Indexes

Finally, if for some reason you can’t upgrade your WordPress or secure the access to the WP-Admin folder only to certain IPs, you can still delete your theme-editor.php file from the WP-Admin folder. This solution is far from the optimal, but it should help in protecting your blog from people trying to add spam links to your theme files.

Ah, and don’t forget to change your passwords regularly as well!

Share this article

24 thoughts on “Make Sure Your WordPress is Not Hacked”

  1. Thanks for the Firefox link tips. I’ve never used that feature before.
    I guess you’ve removed all my excuses for not upgrading. I’ll have to check out that plugin.

  2. 1 —- Does the automatic update plug in work ? I did some googling and saw some mentions of things being disabled……………………..2 —- Are all my other plugins, mod rewrites safe ??? or do they require re-installation ? 🙂

  3. Though I rectified the hack, my Google traffic is zero now. I couldn’t find on the web an answer to repair this damage. Do you have any suggestions?

  4. Something similar happened to me and was searching about it, but it seems that just dailyblogtips have about it, and I will send you a BIG thanks for it.
    this is what happened:

  5. Good stuff, I wasn’t aware of some of the items mentioned. I do try and keep EVERYTHING updated…religiously.

    It’s just a shame that some losers waste their time trying their best to be major jerks, when they could use their ‘talents’ towards making things better for all…themselves included.

  6. Well, indeed, this is by far the most helpful article that I have read on the Internet this entire week, out of about 1200 probably. So, thank you on this. I have had both blogs and forums hacked and I’d would like to propose death by hanging as a potential punishment for such crimes?

  7. Yeah if you have dynamic IPs it becomes a problem.

    @Medical Transcriptionist, my blog that got hacked was also hosted on Yahoo!… lame stuff they got over there.

  8. From the security tips above the IP trick to save your wordpress is very important and secure. But the problem is that most of the internet user has a dynamic IP and this process will need a static IP for the htacess file.

  9. Oh, since such adventure exists, I’d better check my blog and see whether it is hacked or not, hope not.

    Thank for sharing this tips!

  10. Daniel, everything is fine but if you secure your WP-Admin folder by allowing access only to certain IP addresses, then you cannot blog from other computers, like from an internet cafe. That may not be a feasible option for all the bloggers because sometimes you may need to use a different computer at a different location to blog.

  11. Thank you. I was just in trouble and your post was in time to bail me out.

    I’m on Yahoo hosting with crappy service, no updates with WordPress and remaining in version 2.0.2, no access to .htaccess file, and inviting all sorts of trouble with no other option than the last one you said.

  12. Nice article! Very helpful.
    I’ve been experiencing this ‘hacking things’ so many times, and it is really annoying.

  13. Thanks for the Firefox link tips. I’ve never used that feature before.

    I guess you’ve removed all my excuses for not upgrading. I’ll have to check out that plugin.

  14. Hey great advice I’ve been on alert with all the hacking thats been going around lately, thanks for the tip.


Leave a Comment