Security · 5 min read

9 Signs Your WordPress Site Has Been Hacked (And What to Do Next)

By WP Vanguard Team

9 Signs Your WordPress Site Has Been Hacked (And What to Do Next)

Most WordPress site owners find out they have been hacked weeks or months after the initial breach. By then, the damage is done: search rankings have dropped, visitors are being redirected to spam sites, and Google may have flagged the site as dangerous.

Here are nine signs your WordPress site has been compromised and what to do about each one.

1. Unexpected Redirects

Your site sends visitors to a completely different website, usually a pharmacy spam page, fake tech support scam, or adult content site. Sometimes the redirect only happens on mobile devices or when visitors arrive from Google, making it harder to notice.

Why it happens: Attackers inject redirect code into your .htaccess file, wp-config.php, or theme files. Some use JavaScript injections that only trigger for specific referrers or user agents.

2. Unknown Admin Accounts

New administrator accounts appear in your Users list that nobody created. These accounts often have generic names like "admin2" or random strings.

Why it happens: Once attackers gain access, they create backdoor admin accounts so they can return even if you change your password or remove the original entry point.

3. Suspicious Files in Your Uploads Folder

PHP files appearing in wp-content/uploads/ is a major red flag. This directory should only contain images, PDFs, and other media files, never executable PHP.

Why it happens: Attackers upload web shells disguised as image files or exploit upload vulnerabilities to place backdoors in the uploads directory, which is typically writable by the web server.

4. Modified Core Files

WordPress core files like wp-includes/version.php or wp-admin/includes/class-wp-screen.php have been modified. You can check by comparing your files against the official WordPress release using wp core verify-checksums.

Why it happens: Injecting malware into core files makes it harder to detect since most site owners never look at these files. The malware survives theme and plugin updates since core file changes persist until the next core update.

5. Slow Performance or High Server Load

Your site suddenly takes much longer to load, or your hosting provider warns about resource usage spikes. This can happen even when traffic has not increased.

Why it happens: Crypto miners, spam email scripts, and DDoS bots running on your server consume CPU and memory. Some malware runs intensive operations like sending thousands of spam emails through your mail server.

6. Google Search Console Warnings

Google Search Console shows security issues, manual actions, or a sudden spike in crawl errors. Google may flag your site as "This site may harm your computer" in search results.

Why it happens: Google's SafeBrowsing system detects malicious content, phishing pages, or spam on your site. This tanks your search rankings and drives away visitors who see the warning.

7. Spam Content You Did Not Create

New pages or posts appear on your site containing pharmaceutical keywords, gambling links, or Japanese/Chinese characters (Japanese SEO spam). These pages are often hidden from the admin dashboard but visible to search engines.

Why it happens: Attackers create thousands of spam pages to hijack your site's domain authority for their SEO campaigns. The pages are often cloaked, showing normal content to logged-in users and spam to search engines.

8. Email Deliverability Problems

Emails sent from your site (like password resets or contact form submissions) stop arriving, or your domain gets blacklisted by email providers.

Why it happens: Spammers use your server to send thousands of emails, causing email providers to blacklist your domain and IP address. This affects all legitimate email from your site.

9. Altered wp-config.php or .htaccess

These critical configuration files have been modified with code you did not add. Common additions include base64-encoded PHP, dynamic code execution statements, or unusual require/include directives.

Why it happens: wp-config.php controls database access and security keys, and .htaccess controls URL routing. Modifying these files gives attackers persistent access and control over your site's behavior.

What to Do If You See These Signs

Step 1: Confirm the Compromise

Run a security scan before taking action. A surface scan from WP Vanguard takes 30 seconds and catches the most visible signs: malicious scripts, suspicious redirects, exposed configuration files, and known vulnerabilities.

For a thorough check, the $1 deep scan connects via SSH to inspect files, databases, user accounts, and cron jobs from inside the server.

Step 2: Do Not Panic

A hacked site feels like an emergency, but rushing the cleanup causes more damage. Do not delete files randomly, do not reinstall WordPress without backing up the database first, and do not change all passwords before understanding how the attacker got in. Otherwise, they will just get back in through the same hole.

Step 3: Get Professional Cleanup

If malware is confirmed, you have two options: clean it yourself (risky if you are not familiar with WordPress internals) or use a professional cleanup service.

WP Vanguard offers malware cleanup for $49 with a 24-hour turnaround. The first cleanup is free for new users. The service includes malware removal, backdoor elimination, security hardening, and a post-cleanup scan to verify everything is clean.

Step 4: Harden Your Site

After cleanup, take these steps to prevent re-infection:

Prevention Is Cheaper Than Cleanup

Regular scanning catches problems before they escalate. Run a free scan at wpvanguard.com to check your site right now. Thirty seconds now could save you days of downtime and thousands in lost revenue later.

wordpress-security malware hacked-site cleanup

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog