How do I know if my WordPress site has been hacked?
December 26, 2012
We’ve all heard that WordPress is ‘vulnerable’ to attack (that is, it’s vulnerable if you don’t take care of it). There are times when it might not be immediately obvious that your WordPress site has been hacked, but there are some common clues which could tip you off:
- Files you don’t recognize in your filesystem
- Strange WordPress behavior
- New, unrecognized WordPress users
- Records you don’t recognize in your database
This isn’t specific to WordPress, but hacked code often includes base64-encoded code which is then decoded and evaluated, so you would end up with code executed as follows:
eval(base64_decode("long base64 string with code"));
You might also find this code in the database. Only the text columns of wp_options (option_name and option_value) can hold such a string, so a query like the following might help you find hacked code:
SELECT * FROM wp_options WHERE option_name LIKE '%base64_decode%' OR option_value LIKE '%base64_decode%' ORDER BY option_id;
Try searching your files for code like this and running the above query on your WordPress database to see if you’ve been compromised.
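A file-system counterpart to the database query, as an added example that is not from the original post: it walks a WordPress tree, flags PHP files containing the eval(base64_decode(...)) pattern, and decodes the string for inspection without running it. The function names, file suffix list and sample tree are assumptions constructed for illustration.

```python
import base64
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode("...")), allowing whitespace and either quote style.
PATTERN = re.compile(
    rb"""\beval\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1""", re.IGNORECASE)

def scan_file(path):
    """Return (line_number, decoded_preview) per match; payloads are decoded, never executed."""
    data = Path(path).read_bytes()
    hits = []
    for m in PATTERN.finditer(data):
        line_no = data.count(b"\n", 0, m.start()) + 1
        try:
            decoded = base64.b64decode(m.group(2))
        except ValueError:
            decoded = b"<invalid base64>"
        hits.append((line_no, decoded[:80].decode("utf-8", "replace")))
    return hits

def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """Walk root and map each flagged file (relative path) to its hits."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_tree(root):
    """Constructed sample data: one clean theme file, one injected file."""
    blob = base64.b64encode(b'echo "constructed sample payload";').decode()
    clean = Path(root) / "wp-content/themes/demo/functions.php"
    bad = Path(root) / "wp-content/uploads/cache.php"
    for p in (clean, bad):
        p.parent.mkdir(parents=True, exist_ok=True)
    clean.write_text("<?php\n// base64_decode is mentioned here but not evaluated\n")
    bad.write_text("<?php\n\n@eval ( base64_decode('%s') );\n" % blob)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, hits in scan_tree(tmp).items():
            print(name, hits)
```

To scan a real site, call scan_tree() on the WordPress root; any hit is a lead to review by hand, since some legitimate plugins also use base64_decode.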