Has my WordPress site been hacked?

I’ve been looking at my WordPress files and noticed that my PHP files look a little bit bigger than they used to be before. Has my site been hacked?

Inflated files are certainly one way to find out if something is going on with your site. If you’re seeing bigger files the chances are that you’ve been infected by some form of malware. Here’s a quick way you can find out whether this is the case. If you look in your wp-content folder, there’s usually a file called index.php that’s just a placeholder. If should only be a few bytes long and if you open it up you should see this:

Screenshot 2016-06-08 22.08.24

If it’s much larger you probably have been a problem on your hands. Here’s what an infected file looks like:

Screenshot 2016-06-08 22.08.52

That code you’re looking at is obfuscated PHP, encoded in a way that hides what it does. Different types of malware work in different methods, but most times they scan for other PHP files and infect them too. They normally also have a different payload that appends content to the site, opens attack vectors to other sites, sends spam or some other nefarious purpose.

If you do find something like this you’ll need to start cleaning up your site, removing infected files and either cleaning them manually or replacing them with original copies. Hopefully the infection wouldn’t have spread too far.

So, how do you avoid this sort of thing happening. The key is to make sure your site is always updated. WordPress updates, theme updates, plugin updates; all of these need to be applied as soon as possible. Yes, there’s a risk that some of the site functionality may be compromised or impacted in some way; but dealing with that issue is preferable to having to clean up a messed up site, believe me I’ve cleaned up a number of these. Anyway, if you need help cleaning one up, just leave me a comment!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.