How to Tell If Your WordPress Site Has Been Hacked (And What to Do Next)

You probably won’t get a notification that says “Your site has been hacked.”

Most WordPress hacks don’t announce themselves. There’s no alarm, no flashing red screen, no dramatic shutdown. Instead, the signs are subtle. A page loads a little differently. A customer mentions something odd. An email bounces.

By the time most site owners realize something is wrong, the hack has been active for days or even weeks. During that time, it may have stolen customer data, redirected your visitors to spam sites, or gotten your domain blacklisted by Google.

Here are eight warning signs that your WordPress site may have been compromised, and exactly what to do if you spot them.

1. Your Site Redirects to a Strange Website

This is one of the most common signs of a hack. You type in your URL and end up on a completely different site, often one selling counterfeit products, pushing fake antivirus warnings, or hosting adult content.

The sneaky part is that this redirect often only affects visitors who aren’t logged in. If you’re logged into your WordPress dashboard, the site might look perfectly normal to you. Meanwhile, every customer and search engine bot is being sent elsewhere.

How to check: Open your site in a private or incognito browser window. Better yet, ask a friend to visit your site from their phone. If they end up somewhere unexpected, you have a problem.
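The same logged-out check can be scripted. The following is an added example, not code from the original article: it requests the page without cookies as a desktop browser, a phone, and a search engine crawler, and reports any profile that is redirected to a different host. The profile strings, function names, and script name are assumptions chosen for illustration.

```python
import http.client
import sys
from urllib.parse import urlsplit

# Constructed visitor profiles. No cookies are sent, so every request is "logged out".
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}

def fetch_redirect(url, user_agent, timeout=10):
    """Send one GET without following redirects; return (status, Location header)."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"User-Agent": user_agent})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def bare_host(url):
    """Hostname without a leading "www.", or None for a relative URL."""
    host = urlsplit(url).hostname
    return host[4:] if host and host.startswith("www.") else host

def offsite_redirects(url, profiles=PROFILES, fetch=fetch_redirect):
    """Return {profile: Location} for profiles that get redirected to another host."""
    own = bare_host(url)
    findings = {}
    for name, user_agent in profiles.items():
        status, location = fetch(url, user_agent)
        if status in (301, 302, 303, 307, 308) and location:
            target = bare_host(location)
            # A relative Location (target is None) stays on the same site.
            if target and target != own:
                findings[name] = location
    return findings

if __name__ == "__main__":
    # Usage: python check_redirects.py https://yourdomain.com/
    for profile, location in offsite_redirects(sys.argv[1]).items():
        print(f"{profile}: redirected off-site to {location}")
```

This only sees HTTP-level redirects. A redirect performed by injected JavaScript or a meta refresh tag still needs the private-window check described above.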

2. Google Shows a Warning Next to Your Site in Search Results

When Google’s systems detect malware or suspicious behavior on a website, they add warnings directly in search results. You might see labels like “This site may be hacked” or “This site may harm your computer.” Browsers like Chrome can also display a full-page red warning before allowing visitors to proceed.

This doesn’t just scare visitors away. It actively tanks your organic traffic. Google reports that it flags thousands of sites every single day for malware or phishing activity, and most site owners only discover it after their traffic has already collapsed.

How to check: Search for your site on Google by typing “site:yourdomain.com” and look for any warning labels. You can also check your site’s status using Google’s Safe Browsing transparency report at transparencyreport.google.com.

3. You Can’t Log Into Your WordPress Dashboard

If your usual login credentials suddenly stop working and resetting your password doesn’t help, someone may have changed your admin password or deleted your user account entirely.

Hackers frequently create new admin accounts with generic usernames like “admin2” or “support” and then remove the original owner’s access. This gives them full control while locking you out.

How to check: Try resetting your password through email. If that doesn’t work, contact your hosting provider and ask them to help you access your database directly so you can check the user table for unfamiliar accounts.

4. There Are Admin Users You Don’t Recognize

Even if you can still log in, take a look at your user list. Go to Users in your WordPress dashboard and check for any accounts you didn’t create, especially ones with Administrator privileges.

Attackers create these backdoor accounts so they can regain access even after you change your passwords or clean up infected files. These accounts often have random-looking email addresses or use temporary email services.

How to check: Review every user in your WordPress admin panel. If you see a username you don’t recognize with admin rights, remove it immediately. But don’t stop there. An unfamiliar admin account is a symptom, not the root cause. The underlying vulnerability still needs to be found and fixed.

5. Your Site Is Suddenly Very Slow

A sudden and unexplained drop in performance can be a sign that your server is being used for something you didn’t authorize. Hackers often use compromised servers to send spam emails, mine cryptocurrency, or launch attacks on other websites.

All of this consumes your server’s resources. Your legitimate visitors experience slower page loads, timeouts, or errors. If your hosting provider sends you a warning about unusually high resource usage, take it seriously.

How to check: Look at your hosting control panel for CPU and memory usage spikes. If your traffic hasn’t increased but your server load has, something is running in the background that shouldn’t be.

6. Your Hosting Provider Suspended Your Account

Many hosting companies actively monitor for malware. If they detect suspicious scripts, outbound spam, or phishing pages on your account, they may suspend your site to protect other customers on the same server.

Receiving a suspension notice from your host is a strong indicator that your site has been compromised. Don’t ignore it and don’t simply ask them to re-enable the account without investigating the cause.

What to do: Contact your host and ask for specific details about what triggered the suspension. Most providers will tell you which files or directories contain the malicious code. Use that information to guide your cleanup.

7. You Find Pages, Posts, or Links You Didn’t Create

If you notice pages, posts, or links on your site that you didn’t create, your site has almost certainly been compromised. A common variant of this is the “pharma hack” where attackers inject hidden links to pharmaceutical spam into your content. These links are often invisible to you when viewing the page normally, but they show up in search engine results.

Another sign is Japanese or foreign-language text appearing in your Google search results for pages you never created. This is a well-known SEO spam technique where hackers create hundreds of spammy pages on your domain to piggyback on your site’s authority.

How to check: Search Google for “site:yourdomain.com” and scroll through the results. Look for any pages with titles or descriptions that don’t belong to you. Also check your posts and pages in WordPress for hidden content, especially near the footer or in older posts.

8. Your Security Plugin or Scanner Flags Issues

If you have a security plugin installed and it sends you an alert about modified core files, new unknown files in your uploads directory, or suspicious database entries, do not dismiss it as a false positive without investigating.

Attackers often hide malicious PHP files inside your uploads folder, disguised as image files. They modify core WordPress files to insert backdoors that survive plugin and theme updates. These are the kinds of changes that a good security scanner will catch.

How to check: Run a full scan with your security plugin. Also manually check your uploads directory for any PHP files, since there should be no executable code in that folder under normal circumstances.
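The manual uploads check can be automated. The following is an added example, not code from the original article or from any security plugin: it walks an uploads directory and reports files with a PHP extension, image-named files that contain a PHP opening tag, and image-named files that do not start with an image signature. The extension lists, signature list, and sample files are assumptions constructed for illustration.

```python
import os
import sys
import tempfile

# Assumed lists: adjust to what your server's PHP handler executes and what you upload.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".ico"}
# Leading bytes of genuine JPEG, PNG, GIF, WebP (RIFF container) and ICO files.
MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"RIFF", b"\x00\x00\x01\x00")

def scan_uploads(root):
    """Return sorted (relative path, reason) pairs for files that need review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name.lower())[1]
            if ext in EXEC_EXTS:
                findings.append((rel, "executable extension"))
            elif ext in IMAGE_EXTS:
                with open(path, "rb") as fh:
                    data = fh.read()
                if b"<?php" in data.lower():
                    findings.append((rel, "PHP code in image-named file"))
                elif not data.startswith(MAGIC):
                    findings.append((rel, "image extension, no image signature"))
    return sorted(findings)

def demo():
    """Scan a constructed uploads tree built in a temporary directory."""
    samples = {
        "2024/05/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "2024/05/banner.jpg": b"\xff\xd8\xff\xe0<?php /* constructed marker */ ?>",
        "2024/05/photo.jpeg": b"plain text, not an image",
        "cache/helper.php": b"<?php /* constructed marker */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return scan_uploads(root)

if __name__ == "__main__":
    results = scan_uploads(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel, reason in results:
        print(f"{reason}: {rel}")
```

Pass the path to your uploads directory as the only argument; with no argument the script scans its own constructed sample tree. Treat every hit as something to review rather than delete on sight, since some plugins place their own files under uploads.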

What to Do If You Think Your Site Is Hacked

Finding out your site is hacked is stressful. But acting quickly and calmly makes a real difference. Here’s a clear sequence to follow:

  1. Don’t panic, but act fast. The longer malware stays active, the more damage it does to your reputation and SEO.
  2. Put your site in maintenance mode. This prevents visitors from encountering malware or phishing pages while you work on the cleanup.
  3. Change all passwords immediately. WordPress admin, hosting panel, FTP, and database passwords should all be reset.
  4. Check for unknown admin accounts and remove any that don’t belong.
  5. Restore from a clean backup if you have one. This is the fastest path to recovery if you have a recent backup from before the infection.
  6. Scan and remove malware. Use a security plugin or hire a professional to scan every file and database table.
  7. Update everything. Outdated plugins, themes, and WordPress core are the most common entry points. Update them all after the cleanup.
  8. Request a review from Google if your site was flagged in search results. Once the malware is removed, submit a review through Google Search Console to get the warning lifted.

Prevention Is Always Cheaper Than Recovery

Cleaning up a hacked site can take hours or even days, depending on the severity. It often costs significantly more than the ongoing maintenance that would have prevented it in the first place.

The most effective protection is boring but reliable: keep WordPress, plugins, and themes updated. Use strong passwords. Run regular backups. Monitor for suspicious activity. Remove plugins you don’t use.

If that sounds like a lot to manage on top of running your business, it is. That’s exactly why WordPress care plans exist.

Let MaintPress Protect Your Site

MaintPress offers Malware Removal & Site Cleanup as a standalone service for sites that are already compromised. We also offer WordPress Security Hardening to lock things down after a cleanup.

For ongoing protection, our Full Care+ plan includes security monitoring, automated backups, safe updates, and malware cleanup coverage, so problems are caught early and handled before they cause real damage.

Already hacked? We can help. → Contact Us

Want ongoing protection? Choose a care plan. → Pricing
