Signs Your WordPress Site Has Been Hacked
Most WordPress hacks aren’t obvious. The site keeps running, the admin looks normal, traffic stays roughly the same. The compromise is doing its work in the background — sending spam, redirecting search traffic, mining cryptocurrency on visitors’ browsers, harvesting credit card numbers from checkout pages. By the time the symptoms are loud, the damage has been accumulating for weeks or months.
The eleven indicators below cover the most reliable early warning signs. One isn’t proof. Two or more usually is.
1. Google Search Console Shows “Security Issues”
The most direct signal. Search Console → Security & Manual Actions → Security Issues. If anything is listed there, the site is compromised. Google’s detection includes social engineering pages, malware downloads, and unwanted software. Don’t ignore this; the site will get a browser warning attached.
2. Visitors Report a Browser Warning
Chrome, Firefox, and Safari will show a red interstitial warning (“Deceptive site ahead” or “The site ahead contains malware”) on sites flagged by Google Safe Browsing. If anyone tells you they saw this, the site is flagged. Visit through an incognito window to confirm.
3. Search Results Show Pages You Didn’t Create
Search Google for site:yourdomain.com and scan the results. Pages with titles like “buy cheap viagra,” “best online casino,” or any content unrelated to your site indicate a SEO spam injection. The attacker has added pages or modified existing pages to rank for spam keywords, often hidden from logged-in users but visible to Google.
4. Mobile or Logged-Out Visitors Get Redirected
The site loads fine for you (logged into admin) and shows the right content. Open the site on your phone, or in an incognito window — if it redirects to a different domain (porn, scams, fake virus warnings), you have a redirect hack. These specifically exclude logged-in admins to avoid detection.
5. New Admin Users You Don’t Recognize
WordPress admin → Users → All Users. Filter by “Administrator” role. Every admin account should match a real person you know. Unknown admin accounts mean the attacker installed a persistent backdoor. Don’t delete them yet — first investigate what they’ve done and when they were created (the user’s profile shows registration date).
6. The Site Got Slow Suddenly
Sudden, unexplained slowness can indicate cryptomining JavaScript injected into pages, which uses visitors’ CPU to mine cryptocurrency. The site itself feels normal; visitors’ fans spin up and their batteries drain. Run a malware scan and check the browser console on the site for unfamiliar JavaScript.
7. Hosting Provider Notified You
Hosts run scans on customer sites. If they notify you of an infection (often with a deadline to fix before suspension), take it seriously and address it the same day. Hosts suspend infected sites that don’t clean up, and a suspended site is more expensive to restore than a cooperatively-cleaned one.
8. Spam Email Coming From Your Domain
You start receiving bounce notifications for emails you didn’t send. The site’s mail-sending capability has been hijacked to send spam. Less common with modern WordPress (which doesn’t directly send much mail) but more common when a Contact Form 7 or similar plugin is misconfigured and exploitable.
9. Files in /wp-content/uploads/ That Aren’t Media
/wp-content/uploads/ should contain only image, video, document, and similar media files. Any .php, .html, or .js files in the uploads directory are almost certainly malicious — there’s no legitimate reason for executable files to be there. Most security plugins flag this.
10. Unexplained Scheduled Tasks
WordPress has a built-in scheduler (WP-Cron) for tasks like publishing scheduled posts, sending emails, running backups. Attackers add scheduled tasks that re-infect the site after cleanup. Install WP Crontrol (free plugin) and review the scheduled events. Anything unfamiliar — especially scheduled to run every minute or hour — is suspicious.
11. Modified Files You Didn’t Modify
File integrity monitoring (built into Wordfence and Sucuri) catches changes to core WordPress files, theme files, and plugin files. Modifications you didn’t make are red flags. WordPress core files in particular should never change between releases; if they show as modified, they’ve been tampered with.
What to Do When You Spot One
The right immediate steps, in order:
- Don’t delete anything yet. You need to know what happened before you can fix it properly. Removing visible infection without finding the entry point produces immediate reinfection.
- Change passwords: WordPress admin, hosting control panel, FTP, MySQL. Force-reset all user passwords if you have any indication accounts were compromised.
- Take a forensic backup. A snapshot of the compromised state, stored separately. Useful both for evidence and for investigation.
- Run a full malware scan with Wordfence or Sucuri to confirm the infection and identify the scope.
- Decide: DIY or professional. The decision factors are in the Malware Cleanup Guide and below.
When to Call a Professional Immediately
- The site handles customer payment data and the breach has potential legal/disclosure implications.
- You found a credit card skimmer (suspicious JavaScript on the checkout page).
- The host has threatened to suspend the site unless cleaned by a deadline.
- The infection has returned after a previous cleanup.
- The site is generating revenue and downtime is expensive.
Synergetic’s Security & Malware Cleanup is the productized option: fixed price, professional cleanup with hardening to prevent immediate reinfection, scope confirmed via paid diagnostic before any further work. The Emergency WordPress Diagnostic is the lower-cost first step when you’re not sure whether what you’re seeing is actually a hack vs. a different problem.
The Defensive Layer
The cheapest hack is the one you prevent. The combination that actually works:
- Monthly malware scans, automated and reviewed.
- Plugin and theme updates on a weekly cadence.
- File integrity monitoring with alerts.
- Two-factor authentication on all admin accounts.
- Backups stored off-server with verified restoration.
- Limit
/wp-admin/access by IP if practical. - Avoid nulled (pirated) plugins entirely — they’re the #1 infection vector.
A WordPress care plan handles the continuous monitoring and update layer. After a single cleanup, the math on prevention vs. another cleanup cycle is usually decisive.
For the cleanup process itself, see WordPress Malware Cleanup: Step-by-Step Guide.
