9 Signs Your WordPress Site Has Been Hacked (And What to Do Next)
By WP Vanguard Team
Most WordPress site owners find out they have been hacked weeks or months after the initial breach. By then, the damage is done: search rankings have dropped, visitors are being redirected to spam sites, and Google may have flagged the site as dangerous.
Here are nine signs your WordPress site has been compromised and what to do about each one.
1. Unexpected Redirects
Your site sends visitors to a completely different website, usually a pharmacy spam page, fake tech support scam, or adult content site. Sometimes the redirect only happens on mobile devices or when visitors arrive from Google, making it harder to notice.
Why it happens: Attackers inject redirect code into your .htaccess file, wp-config.php, or theme files. Some use JavaScript injections that only trigger for specific referrers or user agents.
2. Unknown Admin Accounts
New administrator accounts appear in your Users list that nobody created. These accounts often have generic names like "admin2" or random strings.
Why it happens: Once attackers gain access, they create backdoor admin accounts so they can return even if you change your password or remove the original entry point.
3. Suspicious Files in Your Uploads Folder
PHP files appearing in wp-content/uploads/ is a major red flag. This directory should only contain images, PDFs, and other media files, never executable PHP.
Why it happens: Attackers upload web shells disguised as image files or exploit upload vulnerabilities to place backdoors in the uploads directory, which is typically writable by the web server.
4. Modified Core Files
WordPress core files like wp-includes/version.php or wp-admin/includes/class-wp-screen.php have been modified. You can check by comparing your files against the official WordPress release using wp core verify-checksums.
Why it happens: Injecting malware into core files makes it harder to detect since most site owners never look at these files. The malware survives theme and plugin updates since core file changes persist until the next core update.
5. Slow Performance or High Server Load
Your site suddenly takes much longer to load, or your hosting provider warns about resource usage spikes. This can happen even when traffic has not increased.
Why it happens: Crypto miners, spam email scripts, and DDoS bots running on your server consume CPU and memory. Some malware runs intensive operations like sending thousands of spam emails through your mail server.
6. Google Search Console Warnings
Google Search Console shows security issues, manual actions, or a sudden spike in crawl errors. Google may flag your site as "This site may harm your computer" in search results.
Why it happens: Google's SafeBrowsing system detects malicious content, phishing pages, or spam on your site. This tanks your search rankings and drives away visitors who see the warning.
7. Spam Content You Did Not Create
New pages or posts appear on your site containing pharmaceutical keywords, gambling links, or Japanese/Chinese characters (Japanese SEO spam). These pages are often hidden from the admin dashboard but visible to search engines.
Why it happens: Attackers create thousands of spam pages to hijack your site's domain authority for their SEO campaigns. The pages are often cloaked, showing normal content to logged-in users and spam to search engines.
8. Email Deliverability Problems
Emails sent from your site (like password resets or contact form submissions) stop arriving, or your domain gets blacklisted by email providers.
Why it happens: Spammers use your server to send thousands of emails, causing email providers to blacklist your domain and IP address. This affects all legitimate email from your site.
9. Altered wp-config.php or .htaccess
These critical configuration files have been modified with code you did not add. Common additions include base64-encoded PHP, dynamic code execution statements, or unusual require/include directives.
Why it happens: wp-config.php controls database access and security keys, and .htaccess controls URL routing. Modifying these files gives attackers persistent access and control over your site's behavior.
What to Do If You See These Signs
Step 1: Confirm the Compromise
Run a security scan before taking action. A surface scan from WP Vanguard takes 30 seconds and catches the most visible signs: malicious scripts, suspicious redirects, exposed configuration files, and known vulnerabilities.
For a thorough check, the $1 deep scan connects via SSH to inspect files, databases, user accounts, and cron jobs from inside the server.
Step 2: Do Not Panic
A hacked site feels like an emergency, but rushing the cleanup causes more damage. Do not delete files randomly, do not reinstall WordPress without backing up the database first, and do not change all passwords before understanding how the attacker got in. Otherwise, they will just get back in through the same hole.
Step 3: Get Professional Cleanup
If malware is confirmed, you have two options: clean it yourself (risky if you are not familiar with WordPress internals) or use a professional cleanup service.
WP Vanguard offers malware cleanup for $49 with a 24-hour turnaround. The first cleanup is free for new users. The service includes malware removal, backdoor elimination, security hardening, and a post-cleanup scan to verify everything is clean.
Step 4: Harden Your Site
After cleanup, take these steps to prevent re-infection:
- Update everything including WordPress core, all plugins, and your theme
- Remove unused plugins and themes since deactivated plugins can still be exploited
- Reset all passwords for WordPress admin, database, FTP, and hosting panel
- Regenerate security salts in wp-config.php to invalidate all existing sessions
- Disable file editing by adding
define('DISALLOW_FILE_EDIT', true);to wp-config.php - Review user accounts and delete any you do not recognize
Prevention Is Cheaper Than Cleanup
Regular scanning catches problems before they escalate. Run a free scan at wpvanguard.com to check your site right now. Thirty seconds now could save you days of downtime and thousands in lost revenue later.
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.