How WordPress site defacement actually works
A defacement attack replaces your visible website content with the attacker's message. It is the digital equivalent of someone spray-painting over your shop front. The site still loads. The server still responds with a 200 status code. Every uptime monitor in the world says your site is fine. But your visitors see a hacker's message where your business used to be.
There are three primary ways attackers replace your WordPress homepage, and understanding each one is critical to knowing how to prevent and detect them.
Attack vector 1: Admin credential compromise
The most straightforward defacement method. The attacker gains access to a WordPress administrator account and simply edits the homepage content through the WordPress editor. They can change text, replace images, modify the theme, or switch the homepage to a completely different page.
How they get your credentials:
- Brute force — automated scripts try thousands of password combinations against your wp-login.php. If your admin password is "admin123" or "password2026," they are in within minutes.
- Credential stuffing — data breaches from other services leak email and password combinations. If your WordPress admin uses the same email and password as a service that was breached, attackers try those credentials on your site.
- Phishing — you receive an email that looks like a WordPress update notification or a hosting provider alert. You click the link, enter your credentials on a fake login page, and the attacker now has your password.
- Weak or shared hosting — on poorly configured shared hosting, another compromised site on the same server can sometimes access your files or database credentials.
Once inside, the attacker does not need any technical skill. They open the WordPress page editor, delete your content, paste their message, and click Publish. The entire attack takes less than 30 seconds after login.
Attack vector 2: File injection via vulnerable plugins
This is the most common attack vector for WordPress defacement. A vulnerable plugin allows the attacker to upload files to your server or execute arbitrary code without ever logging into wp-admin. The attacker does not need your password. They exploit the plugin directly.
The attack typically works like this: a plugin has a file upload vulnerability — it does not properly validate the file type, or it allows unauthenticated uploads. The attacker uploads a PHP web shell — a small PHP file that gives them full control of your server through a browser. From the web shell, they can modify any file on your server, including your theme's index.php, header.php, or front-page.php.
Some recent examples of plugin vulnerabilities that have been used for defacement:
- Arbitrary file upload in contact form plugins that do not validate file types
- Remote code execution in page builder plugins through unsanitised shortcode attributes
- SQL injection in analytics or SEO plugins that allow writing to the database
- Unauthenticated REST API endpoints in plugins that expose write access to posts and pages
The WordPress REST API itself was the target of a mass defacement campaign in 2017 when a privilege escalation vulnerability allowed unauthenticated users to modify any post or page. Over 1.5 million pages were defaced before the patch was widely applied. Similar vulnerabilities continue to appear in third-party plugins.
Attack vector 3: Theme file modification
Instead of modifying content through the WordPress database, some attackers modify your theme's template files directly on the server. This is harder to detect because the WordPress page editor still shows your original content — the defacement is happening at the PHP template level.
The attacker modifies index.php, header.php, or front-page.php in your active theme directory. They add a PHP block at the top of the file that outputs their defacement message and calls die(), which prevents the rest of the template from executing. Your WordPress admin panel shows the correct page content, but when visitors load the homepage, the modified PHP file executes first and displays the hacker's message.
This type of defacement is particularly dangerous because:
- Checking the page content in wp-admin shows the original, correct content
- The modification survives cache clears because it is in the PHP source, not the cache
- Restoring the page content through WordPress does not fix it — the theme file is still modified
- If you do not check your theme files specifically, you might assume the defacement is in the database and waste hours looking in the wrong place
Why you usually discover a defacement from a customer
Here is the painful truth about most WordPress defacement attacks. The site owner is the last person to find out. The discovery timeline usually looks like this:
- The attacker defaces the site at 2 AM when no one is watching.
- Early morning visitors see the defacement but most do not contact you — they just leave and go to a competitor.
- A few hours later, a loyal customer, a business partner, or a friend texts or emails to ask if your site has been hacked.
- You panic, check the site, confirm the defacement, and begin trying to fix it.
- By this point, the defacement has been live for 6 to 12 hours. Every visitor during that time saw the hacker's message instead of your business.
Your uptime monitor did not alert you because the site was technically up. The server returned a 200 status code. The page loaded in a normal amount of time. The SSL certificate was valid. By every metric that standard monitoring checks, your site was healthy. It just was not yours anymore.
How Uptrue keyword monitoring detects defacement in minutes
The logic is simple: if your brand name disappears from your homepage, something is very wrong. Uptrue's keyword monitoring checks whether a specific word or phrase exists on your page. If a hacker replaces your homepage content, your brand name, your headline, your product names — they all disappear. Uptrue detects the missing keyword and alerts you immediately.
Step 1: Set up a keyword monitor for your brand name
- Sign up at uptrue.io/signup (free plan available)
- Click Add Monitor from your dashboard
- Select Keyword as the monitor type
- Enter your homepage URL
- Set the keyword to your brand name or company name
- Set the check type to "Page must contain"
- Set the check interval to 1 minute
- Configure alerts — Slack, email, or Microsoft Teams
If a hacker replaces your homepage with their own message, your brand name disappears from the page. Uptrue detects this within 60 seconds and alerts you. Instead of discovering the defacement from a customer 8 hours later, you know about it within a minute.
Step 2: Add a negative keyword monitor for hacker signatures
- Click Add Monitor
- Select Keyword
- Enter your homepage URL
- Set the keyword to "hacked"
- Set the check type to "Page must NOT contain"
- Set the interval to 1 minute
Most defacement attacks include the word "hacked" in the message. This monitor catches any defacement that includes that keyword. You can add additional negative keyword monitors for common defacement terms like "pwned," "defaced," or "owned by."
Step 3: Monitor your key inner pages
Defacement does not always target the homepage only. Some attackers modify multiple pages, or target your most visited pages according to your sitemap. Set up keyword monitors on your top pages:
- Homepage — monitor for your brand name
- About page — monitor for your company description
- Contact page — monitor for your email address or phone number
- Product pages — monitor for product names
- Any page receiving significant organic traffic
Step 4: Add HTTP monitoring as a safety net
- Click Add Monitor
- Select HTTP/HTTPS
- Enter your homepage URL
- Set expected status to 200
- Set the interval to 1 minute
Some attackers take the site offline entirely after defacement, either intentionally or because their modifications cause PHP errors. HTTP monitoring catches complete outages that keyword monitoring cannot.
Step 5: Configure alerts for 24/7 coverage
- Slack — instant notification in a security-focused channel
- Email — documented record for incident response
- Microsoft Teams — visibility for the full team
- Webhook — trigger automated incident response workflows
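The checks configured in steps 1, 2 and 4, sketched as an added example (not Uptrue's code and not part of the original page). It assumes keywords are matched against visitor-visible body text only, so a brand name that survives in the title tag or an HTML comment does not mask a replaced page body; the function names and both sample pages are constructed.

```python
import re
from html.parser import HTMLParser

class VisibleText(HTMLParser):
    """Collects text a visitor sees in the page body (assumed matching rule)."""
    SKIP = {"script", "style", "title"}

    def __init__(self):
        super().__init__()
        self.parts, self.depth = [], 0

    def handle_starttag(self, tag, attrs):
        self.depth += tag in self.SKIP

    def handle_endtag(self, tag):
        if tag in self.SKIP and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if not self.depth:
            self.parts.append(data)

def visible_text(html):
    parser = VisibleText()
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", " ".join(parser.parts)).strip().lower()

def check_page(status, html, must_contain, must_not_contain, expected_status=200):
    """Return alert strings for one fetched page; an empty list means healthy."""
    alerts = []
    if status != expected_status:
        alerts.append(f"http: status {status}, expected {expected_status}")
    text = visible_text(html)
    alerts += [f"missing keyword: {k}" for k in must_contain if k.lower() not in text]
    alerts += [f"forbidden keyword: {k}" for k in must_not_contain if k.lower() in text]
    return alerts

# Constructed sample responses; both would arrive with HTTP 200.
CLEAN = ("<html><head><title>Acme Bakery</title></head>"
         "<body><h1>Acme Bakery</h1><p>Fresh bread daily.</p></body></html>")
DEFACED = ("<html><head><title>Acme Bakery</title></head>"
           "<body><h1>HACKED by example-crew</h1><!-- Acme Bakery --></body></html>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("defaced", DEFACED)):
        print(name, check_page(200, page, ["Acme Bakery"], ["hacked", "pwned"]))
```

The defaced sample still contains the brand name in its raw HTML, so choose a must-contain keyword that lives in the page content itself rather than only in the site title or theme header.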
How to harden WordPress against defacement attacks
Detection is critical, but prevention reduces the risk in the first place. The WordPress hardening guide is the definitive reference. Here are the most impactful measures:
Secure your admin credentials
- Use a unique, randomly generated password of at least 20 characters
- Enable two-factor authentication on every admin account
- Never reuse a password from any other service
- Limit login attempts — lock out IPs after 5 failed attempts
- Change the default wp-login.php URL with a login URL plugin
- Disable XML-RPC if you do not use it — it is a common brute force target
Keep everything updated
- Update WordPress core as soon as security patches are released
- Update all plugins within 24 hours of a security update
- Update your theme — even if you use a child theme, the parent theme's vulnerabilities still apply
- Delete any plugins and themes you are not actively using — deactivated plugins can still be exploited
Harden file permissions
- Set directory permissions to 755 and file permissions to 644
- Set wp-config.php to 440 or 400
- Disable the WordPress theme and plugin file editor by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php
- Prevent PHP execution in the wp-content/uploads/ directory
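An audit of the permission and file-editor settings listed above, as an added example that is not from the original page. It assumes a POSIX filesystem and treats 755, 644 and 440 as upper limits, so stricter modes such as 400 pass; the function names and the sample tree are constructed.

```python
import os
import re
from pathlib import Path

# Matches an active define() line only; a commented-out line does not count.
FILE_EDIT_OFF = re.compile(
    r"^\s*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)\s*;", re.I | re.M)

def audit(wp_root):
    """Flag paths looser than 755 (dirs), 644 (files) or 440 (wp-config.php)."""
    wp_root, findings = Path(wp_root), []
    for p in sorted(wp_root.rglob("*")):
        if p.is_symlink():
            continue
        rel = p.relative_to(wp_root).as_posix()
        mode = p.stat().st_mode & 0o7777
        limit = 0o755 if p.is_dir() else 0o440 if rel == "wp-config.php" else 0o644
        if mode & ~limit:
            findings.append(f"{rel}: mode {mode:o} exceeds {limit:o}")
        if rel == "wp-config.php" and not FILE_EDIT_OFF.search(p.read_text()):
            findings.append("wp-config.php: DISALLOW_FILE_EDIT is not set to true")
    return findings

def build_sample_install(base):
    """Constructed sample tree with three deliberate misconfigurations."""
    layout = {  # relative path -> (mode, file content or None for a directory)
        "wp-content": (0o755, None),
        "wp-content/uploads": (0o777, None),  # world-writable directory
        "wp-content/uploads/logo.png": (0o644, "png"),
        "index.php": (0o644, "<?php // front controller"),
        "wp-config.php": (0o644, "<?php\n// define('DISALLOW_FILE_EDIT', true);\n"),
    }
    for rel, (mode, body) in layout.items():
        p = Path(base, rel)
        if body is None:
            p.mkdir()
        else:
            p.write_text(body)
        os.chmod(p, mode)
    return Path(base)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(audit(build_sample_install(tmp))))
```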
Install a security plugin
A security plugin like Wordfence, Sucuri, or iThemes Security adds a firewall, malware scanning, and login protection. These are not perfect — determined attackers can bypass them — but they significantly raise the bar for opportunistic attacks. Use them as one layer of defence, not the only layer.
How to recover from a WordPress defacement
Immediate response — first 30 minutes
- Take a screenshot of the defacement for your records and potential law enforcement report.
- Take the site offline. Enable maintenance mode through your hosting panel (not through WordPress, since the attacker controls WordPress).
- Change every password: WordPress admin, database, FTP/SFTP, hosting panel, and any connected API keys or third-party services.
- Check your user list for unknown administrator accounts. Delete any you did not create.
Restore and clean — next 2 to 4 hours
- If you have a known clean backup from before the attack, restore it. This is the fastest and most reliable recovery method.
- If you do not have a clean backup, you need to manually inspect and clean every file. Compare your WordPress core files against a fresh download. Check every plugin and theme file against the official versions. Look for unfamiliar PHP files, especially in wp-content/uploads/, which should only contain media files.
- Check the database for injected content. Look at the wp_posts table for modified page content. Check wp_options for modified site URL, admin email, or active plugins. Check wp_users for rogue admin accounts.
- Update all plugins, themes, and WordPress core to the latest versions.
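The file comparison from the manual-cleaning step, which also surfaces the template-level changes described under attack vector 3, as an added example that is not from the original page. It assumes you have assembled a reference tree from a fresh WordPress download plus official copies of your installed plugins and themes; the function names and sample trees are constructed.

```python
import hashlib
from pathlib import Path

PHP_SUFFIXES = (".php", ".phtml", ".phar")

def sha256_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_install(clean_root, live_root, uploads="wp-content/uploads/"):
    """Diff a live install against a reference tree and flag scripts in uploads."""
    clean, live = sha256_tree(clean_root), sha256_tree(live_root)
    report = {"modified": [], "added": [], "php_in_uploads": []}
    for rel, digest in live.items():
        if rel.startswith(uploads):
            # Media has no reference copy; only its file type can be judged.
            if rel.lower().endswith(PHP_SUFFIXES):
                report["php_in_uploads"].append(rel)
        elif rel not in clean:
            report["added"].append(rel)
        elif clean[rel] != digest:
            report["modified"].append(rel)
    report["missing"] = sorted(set(clean) - set(live))
    return report

def build_sample_trees(base):
    """Constructed sample: a reference tree and a tampered live copy of it."""
    files = {"index.php": "<?php require __DIR__ . '/wp-blog-header.php';",
             "wp-content/themes/demo/header.php": "<?php wp_head(); ?>"}
    for tree in ("clean", "live"):
        for rel, body in files.items():
            path = Path(base, tree, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
    # Template-level tampering: output and die() placed ahead of the real template.
    Path(base, "live/wp-content/themes/demo/header.php").write_text(
        "<?php echo 'defaced'; die(); ?><?php wp_head(); ?>")
    uploads = Path(base, "live/wp-content/uploads/2026")
    uploads.mkdir(parents=True)
    (uploads / "logo.png").write_bytes(b"\x89PNG")
    (uploads / "image.php").write_text("<?php /* unexpected script */ ?>")
    return Path(base, "clean"), Path(base, "live")
```

On a real install, site-specific files such as wp-config.php show up under added and need a manual read rather than a hash match.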
Verification — before going live
- Set up Uptrue keyword monitoring before bringing the site back online.
- Bring the site online and verify the homepage shows correct content.
- Check 5 to 10 inner pages to confirm they are clean.
- Monitor Uptrue for the next 48 hours — attackers often have backdoors and may re-deface the site after you clean it.
The reputation damage you cannot undo
The technical damage of a defacement is fixable. Restore a backup, change passwords, patch the vulnerability. But the reputation damage lingers. Every visitor who saw the hacker's message now associates your brand with being insecure. Every customer who screenshots your hacked site and shares it on social media is amplifying that association. Google may flag your site with "This site may be hacked" in search results, which can persist for weeks after you clean the site.
The difference between a defacement lasting 60 seconds and 12 hours is the difference between a minor security incident and a brand crisis. Uptrue keyword monitoring gives you that 60-second detection window. Your brand name disappears from your homepage, and you know about it before the first customer screenshot hits Twitter.
Frequently asked questions
How do hackers change my WordPress homepage?
The most common method is compromising an administrator account through brute force attacks, credential stuffing from leaked password databases, or phishing. Once inside wp-admin, the attacker can change the homepage content directly through the page editor. The second most common method is exploiting a vulnerability in a plugin or theme that allows arbitrary file upload or remote code execution. The attacker uploads a web shell or modifies theme files like index.php or header.php directly on the server, bypassing WordPress entirely. The third method is SQL injection through a vulnerable plugin, which lets the attacker modify page content directly in the database.
How can I tell if my WordPress site has been hacked?
Visible signs include your homepage content being replaced with a hacker message, unexpected redirects to other websites, new admin users you did not create, unknown files in your WordPress directory, and Google showing "This site may be hacked" in search results. Less visible signs include your site sending spam emails, new pages you did not create appearing in Google search results, your server using unusually high CPU, and your hosting provider suspending your account. The most reliable method is external keyword monitoring that checks whether your brand name and expected content still appear on your homepage.
What should I do immediately if my WordPress site is defaced?
First, take a screenshot for evidence. Then take the site offline by enabling maintenance mode or asking your host to temporarily suspend it — this prevents visitors from seeing the defacement and prevents the attacker from doing more damage. Change all passwords immediately: WordPress admin passwords, database password, FTP and SFTP passwords, hosting control panel password, and any API keys. Do not try to clean the hack while the site is live. Restore from a known clean backup if you have one. If you do not have a clean backup, you will need to manually clean every modified file.
Can monitoring detect a WordPress site defacement?
Standard uptime monitoring cannot detect defacement because the hacked homepage still returns a 200 status code. The page loads — it just shows the wrong content. Keyword monitoring is the solution. If you monitor for your brand name, your company name, or a specific heading on your homepage, and the hacker replaces the page content, the keyword disappears and you are alerted within minutes. This is significantly faster than finding out from a customer, a Google search result, or a social media post about your hacked site.