
WordPress Hacked: 18 Signs Your Site is Compromised
WordPress powers 43% of all websites worldwide. This dominance makes it the number one target for cyberattacks. In 2025, over 90,000 hacking attempts per minute target WordPress installations according to Wordfence data.
Understanding WordPress Hacking: A Constant Threat
Why WordPress Sites Are Targeted
Several factors explain this systematic vulnerability:
- Massive popularity: every discovered flaw potentially affects millions of sites.
- Third-party plugins and themes: the ecosystem of 60,000+ extensions is the primary attack vector. Nearly 97% of WordPress vulnerabilities come from plugins or themes, according to WPScan.
- Neglected updates: an unpatched site exposes known and documented flaws in CVE databases.
- Weak passwords: brute force attacks exploit predictable credentials (admin, password123).
- Shared hosting: a compromised site on a shared server can contaminate its neighbors.
The Different Types of Hacking
WordPress hacking takes various forms, each with distinctive signs:
| Hack Type | Description | Primary Sign |
|---|---|---|
| Pharma Hack | Injection of links/pages for medications (Viagra, Cialis) into source code or database | Ghost pages indexed by Google |
| Backdoor | Hidden script allowing persistent remote access, even after partial cleanup | Suspicious files in /wp-content/uploads/ |
| Malicious Redirect | Injected code redirecting visitors to fraudulent sites | Visitors sent to unknown pages |
| Defacement | Visible replacement of the homepage with a hacker's message | Modified homepage |
| SEO Spam (Japanese Keyword Hack) | Injection of thousands of Japanese or Chinese pages to parasitize indexing | Japanese characters in Google results |
| Cryptomining | JavaScript scripts loaded in the background to mine cryptocurrency | Extreme slowdown and high CPU consumption |
Identifying the type of malware is the first step to understanding the signs you will observe on your site.
The 18 Unmistakable Signs of a Compromised WordPress Site
Here are the 18 telltale signs that a WordPress site has been hacked. The more you identify simultaneously, the higher the probability of a compromise.
1. Sudden Drop in Organic Traffic
A sudden drop of 30% or more in traffic in Google Analytics or Search Console often signals a hack. Google detects infected sites and deindexes them or displays a "This site may be hacked" warning in search results.
How to check: Open Google Search Console > Security Issues. Also check the "Manual Actions" tab to detect a spam content penalty.
2. Suspicious Redirects to Unknown Sites
Your visitors are automatically redirected to phishing sites, online pharmacies, or adult content. This type of redirect hack typically modifies the .htaccess file, wp-config.php, or injects JavaScript into the database.
How to check: Test your site from an incognito browser. Use a tool like Redirect Checker to trace the redirect chain.
3. Appearance of Foreign Content, Ads, or Spam
Unsolicited pop-ups, links to third-party sites, or foreign language content appear on your pages. SEO Spam (Japanese Keyword Hack) injects thousands of Japanese pages indexed under your domain.
How to check: Type site:yourdomain.com in Google. If Japanese, Chinese pages, or pharmaceutical results appear, your site is compromised.
4. Defaced Homepage
Your homepage is replaced by a hacker's message, often with a pseudonym and a flag. This is the most visible form of hacking, but not the most dangerous as it is immediately detectable.
How to check: Simply visit your site. Defacement is obvious to the naked eye.
5. Unable to Log Into the Dashboard
Admin access is blocked: password rejected, /wp-admin page inaccessible or redirecting to an error. The hacker has changed your credentials or deleted your user account from the database.
How to check: Try a password reset. If the email does not arrive, connect via phpMyAdmin and look in the wp_users table to verify whether your account still exists.
6. Unknown User Accounts with Administrator Privileges
New administrator accounts appear in the WordPress user list without you creating them. This is a classic backdoor sign: the hacker ensures permanent access.
How to check: Go to Users > All Users, filter by "Administrator" role. Any unknown account must be deleted immediately.
7. Extreme Slowdown and Abnormal Loading Times
Your site takes more than 10 seconds to load when it used to be fast. Cryptomining scripts, redirect loops, or malicious SQL queries consume server resources excessively.
How to check: Test with GTmetrix or PageSpeed Insights. Also monitor CPU/RAM consumption in your hosting dashboard.
8. Spam Emails Sent from Your Server
Your host alerts you to mass email sending, or your legitimate emails land in spam. Hackers exploit the wp_mail() function or install mass mailing scripts in /wp-content/uploads/.
How to check: Check email sending logs in cPanel (Exim Mail Manager). Verify that your domain is not blacklisted on MxToolbox.
9. WordPress Core File Modifications
Files like wp-login.php, wp-settings.php, wp-includes/, or index.php have been modified recently even though you have not updated WordPress. Malicious code (often base64-encoded) is injected into these files.
How to check: Compare your files with the original using WP-CLI: wp core verify-checksums. Any difference signals an unauthorized modification.
10. Altered or Unknown Plugins and Themes
Plugins or themes you never installed appear in your dashboard. Some have generic names like "updater", "developer-tools", or "cache-manager" to go unnoticed. These fake plugins contain malicious code.
How to check: Compare the list of extensions in /wp-content/plugins/ with what you actually installed. Any unknown plugin folder must be examined and removed.
11. Security Alerts from Google, Browsers, or Your Host
Google Chrome displays a red screen "This site contains malware". Google Search Console sends a security notification. Your host suspends your account. These alerts mean your site has been identified as dangerous by automated detection systems.
How to check: Check the Google Transparency Report (Google Safe Browsing) by entering your URL. Also check notifications in Google Search Console > Security Issues.
12. New Pages or Posts You Did Not Publish
Ghost pages or posts appear in your back-office or in Google's index without you creating them. They typically contain SEO spam content (pharmaceutical, online gambling, counterfeiting) designed to exploit your domain authority.
How to check: In the WordPress dashboard, go to Posts > All Posts and Pages > All Pages. Sort by date to spot recent content not created by your team.
13. Hijacked Search Results
Your pages' meta titles and meta descriptions in Google display foreign language text, pharmaceutical product ads, or links to third-party sites. Your site appears normally in direct browsing, but search results are corrupted.
How to check: Type site:yourdomain.com in Google and examine each result. Also use the URL Inspection tool in Search Console to see what Google has indexed.
14. Suspicious Scheduled Cron Tasks
Automated tasks (cron jobs) have been added to your server or in the wp_options table via wp_cron. These tasks periodically execute malicious code: sending spam, regenerating deleted backdoors, or communicating with a Command and Control (C2) server.
How to check: Inspect server cron jobs with crontab -l in the SSH terminal. On the WordPress side, use the WP Crontrol plugin to list all scheduled tasks and identify those that do not correspond to any legitimate plugin.
15. Unknown or Abnormal Files via FTP or File Manager
PHP files with random names (xkdf7.php, about.php, class-wp-cache.php) appear in unexpected directories like /wp-content/uploads/, /wp-includes/, or the root. These files are often web shells allowing remote command execution.
How to check: Connect via FTP or through cPanel's file manager. Sort files by modification date. Any PHP file in /wp-content/uploads/ is suspicious by default.
16. Abnormally High Server Resource Consumption
Your host reports exceeding CPU, RAM, or bandwidth limits. Cryptomining scripts, DDoS attacks used as distraction, or mass email sending consume resources far beyond normal usage.
How to check: Check resource statistics in cPanel (CPU Usage, Memory Usage) or in your cloud hosting dashboard. Compare with your usual consumption.
17. Intrusive Pop-ups and Unsolicited Advertising Windows
Advertising windows open automatically while browsing your site, often for scams ("Your computer is infected!"), fake contests, or adult sites. Malicious JavaScript is often injected into the theme footer or database.
How to check: Browse your site in incognito mode without browser extensions. If pop-ups appear when you have not installed any pop-up plugin, your site is infected.
18. Unusual Server Errors (500, 503, Database Connection)
500 errors (Internal Server Error) or "Error establishing a database connection" occur intermittently for no apparent reason. Injected malicious code can cause conflicts, infinite loops, or corrupt the MySQL database structure.
How to check: Enable WordPress debug mode by adding define('WP_DEBUG', true); in wp-config.php. Check the debug.log file in /wp-content/ and the Apache/Nginx server error logs.
Beyond the Obvious: Technical Indicators of an Intrusion
Visible signs only represent the surface. A thorough technical analysis reveals compromises invisible to the naked eye.
In-Depth Server Log Analysis
Server access and error logs (Apache, Nginx) are a goldmine of information for identifying an intrusion:
- Suspicious POST requests to unusual files (/wp-content/uploads/cache.php, /wp-includes/class-wp-xmlrpc.php)
- Repetitive IP addresses making hundreds of requests in minutes (brute force attack)
- 200 response codes on non-existent URLs, indicating a malicious file has been created and is accessible
- Mass access to xmlrpc.php: this file is often exploited for amplification attacks
Useful command: tail -n 500 /var/log/apache2/access.log | grep '"POST ' to filter recent POST requests.
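The log indicators listed above can be checked in one pass over the access log. This is an added example, not code from the original article: it assumes the Apache/Nginx combined log format, runs on constructed sample lines, and uses a threshold of 3 only so the small sample triggers it (triage, DROP_DIRS and AUTH_ENDPOINTS are illustrative names).

```python
import re
from collections import Counter

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [12/Mar/2025:10:01:05 +0000] "POST /wp-includes/class-wp-xmlrpc.php HTTP/1.1" 200 98 "-" "curl/8.0"
198.51.100.4 - - [12/Mar/2025:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2025:10:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2025:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:03:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 18211 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:03:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Mar/2025:10:03:10 +0000] "POST /wp-content/uploads/old.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client IP, method, URL and status from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Directories that should never receive a POST to a PHP script.
DROP_DIRS = ("/wp-content/uploads/", "/wp-includes/")
# Endpoints hit repeatedly during brute force and xmlrpc abuse.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def triage(log_text, auth_threshold=3):
    """Return (shell_hits, noisy_ips) for the indicators listed above."""
    shell_hits, auth_posts = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        ip, method, url, status = m.groups()
        if method != "POST":
            continue
        path = url.split("?", 1)[0].lower()
        # A 200 means the script exists and answered: review that file.
        if path.endswith(".php") and path.startswith(DROP_DIRS) and status == "200":
            shell_hits.append((ip, path))
        if path in AUTH_ENDPOINTS:
            auth_posts[ip] += 1
    noisy = {ip: n for ip, n in auth_posts.items() if n >= auth_threshold}
    return shell_hits, noisy


if __name__ == "__main__":
    hits, noisy = triage(SAMPLE_LOG)
    print("POST to PHP in drop directories:", hits)
    print("IPs hammering login/xmlrpc:", noisy)
```

On a production log, raise auth_threshold to match the "hundreds of requests in minutes" pattern and confirm each flagged path on disk before deleting anything.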
WordPress Database Verification
The MySQL database is an often-overlooked attack vector. Hackers inject code directly:
- wp_options table: check the values of siteurl and home (redirection), as well as suspicious transient options containing base64-encoded code
- wp_posts table: search for injected content (iframes, JavaScript scripts, hidden links) in post_content
- wp_users table: identify recently created administrator accounts with unknown email addresses
- Custom tables: some malware creates its own tables to store data
Useful SQL query: SELECT * FROM wp_options WHERE option_value LIKE '%eval(%' OR option_value LIKE '%base64_decode(%';
Backdoor and Web Shell Detection
Backdoors are the most critical elements to identify as they enable reinfection even after cleanup:
- Dangerous PHP functions to look for: eval(), base64_decode(), gzinflate(), str_rot13(), assert(), preg_replace with the /e flag
- Common locations: wp-config.php, active theme's functions.php, index.php files in each directory, /wp-content/uploads/
- Obfuscation techniques: concatenated variables ($a = "ev"."al", $$var), hexadecimal encoding, use of chr() to build strings
Useful command: grep -r "eval\|base64_decode\|gzinflate" /var/www/html/wp-content/ --include="*.php" to scan PHP files for suspicious functions.
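A plain grep misses the obfuscated forms listed above, such as a function name split across concatenated strings. The scanner below is an added example, not code from the original article: it goes beyond the grep by also covering the /e modifier, variable variables, chr() chains, hex strings and any PHP file under uploads. The indicator names and the sample tree are constructed, and the patterns are heuristics that need manual review of every hit.

```python
import re
import tempfile
from pathlib import Path

CALLS = ("eval", "base64_decode", "gzinflate", "str_rot13", "assert")
# \b stops "eval(" from matching inside names such as doubleval(.
PATTERNS = {name: re.compile(rf"\b{name}\s*\(", re.I) for name in CALLS}
PATTERNS.update({
    # preg_replace whose pattern literal carries the "e" modifier
    "preg_replace_e": re.compile(
        r"""\bpreg_replace\s*\(\s*(['"])(.)(?:(?!\1).)*\2[a-z]*e[a-z]*\1""", re.I),
    "variable_variable": re.compile(r"\$\$\w+"),
    "chr_chain": re.compile(r"(?:\bchr\s*\(\s*\d+\s*\)\s*\.\s*){2,}", re.I),
    "hex_string": re.compile(r"(?:\\x[0-9a-f]{2}){4,}", re.I),
})
# Adjacent quoted fragments joined with "." such as "ev"."al".
LITERAL_CHAIN = re.compile(r"""(?:['"]\w*['"]\s*\.\s*)+['"]\w*['"]""")


def scan_source(src):
    """Return the sorted indicator names found in one PHP source string."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(src)}
    for chain in LITERAL_CHAIN.findall(src):
        joined = "".join(re.findall(r"\w+", chain)).lower()
        if joined in CALLS:
            hits.add("concat:" + joined)
    return sorted(hits)


def scan_tree(root):
    """Map relative path -> indicators for each flagged *.php under root."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        hits = scan_source(path.read_text(errors="replace"))
        if rel.startswith("wp-content/uploads/"):
            hits.append("php_in_uploads")  # suspicious by default
        if hits:
            report[rel] = hits
    return report


# Constructed, inert fragments: nothing here runs a payload.
SAMPLES = {
    "wp-content/uploads/xkdf7.php": '<?php $a = "ev"."al"; $b = chr(97).chr(115).chr(115);',
    "wp-content/uploads/2025/03/photo.php": "<?php // placeholder",
    "wp-content/plugins/cache-manager/loader.php": "<?php @eval(gzinflate(base64_decode($blob)));",
    "wp-content/themes/demo/functions.php": "<?php add_action('init', 'demo_setup');",
}


def demo():
    """Write SAMPLES into a temporary WordPress-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, src in SAMPLES.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(src)
        return scan_tree(tmp)
```

Call scan_tree() with the WordPress root as its argument; legitimate plugins also use some of these functions, so treat the report as a review list rather than a verdict.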
Using Specialized Security Scanning Tools
Several free and premium tools provide a complete diagnosis of your site:
| Tool | Type | What It Detects |
|---|---|---|
| Sucuri SiteCheck | Free online | Client-side malware, blacklists, anomalies |
| Wordfence | WP Plugin (freemium) | Server-side malware, modified files, backdoors |
| MalCare | WP Plugin (premium) | Deep scan without overloading the server |
| WP-CLI | Command line | Core file checksum verification |
| VirusTotal | Free online | Multi-engine analysis of your URL |
For a complete scan, combine an online tool (Sucuri SiteCheck) with a server plugin (Wordfence or MalCare): the first detects visible symptoms, the second analyzes files on the server.
React Immediately: What to Do If You Identify a Hack
Once signs are confirmed, every minute counts. Here are the 7 emergency response steps to follow in order.
1. Isolate the Site to Limit Damage
Put your site in maintenance mode or temporarily disable it through your host. The goal is to prevent malware from spreading to visitors and stop Google from continuing to index infected pages.
2. Change All Passwords
Immediately change all access credentials:
- WordPress administrator password
- FTP/SFTP access
- cPanel or hosting panel credentials
- MySQL database password
- WordPress security keys (AUTH_KEY, SECURE_AUTH_KEY, etc. in wp-config.php)
Use a password generator and enable two-factor authentication (2FA) on every account.
3. Restore a Clean Backup
If you have a recent and uninfected backup, restore it. Check the infection start date to choose an earlier backup. Warning: a backup may itself contain the backdoor if the infection is old.
4. Clean Files and Database
If no clean backup is available, proceed with manual cleanup:
- Replace WordPress core files with a fresh copy from wordpress.org
- Remove suspicious plugins and themes, then reinstall official versions
- Clean the database of injections (iframes, scripts, spam content)
- Delete unauthorized user accounts
5. Update WordPress, Themes, and Plugins
After cleanup, update everything to the latest versions. Known vulnerabilities in older versions are the most common entry point. Delete unused plugins and themes rather than just deactivating them.
6. Install a Firewall and Strengthen Security
Deploy a Web Application Firewall (WAF) like Sucuri Firewall or Cloudflare to block attacks before they reach your server. Install a security plugin (Wordfence, iThemes Security) for continuous monitoring.
7. Notify Google and Your Host
Once cleanup is complete:
- Google Search Console: submit a review request in the "Security Issues" section to remove the warning from search results
- Host: inform them that cleanup is complete to unblock your account if necessary
- Blacklists: check and request removal of your domain from major blacklists (Google Safe Browsing, Norton Safe Web, McAfee SiteAdvisor)
If you are not comfortable with these technical steps, contact a professional WordPress malware removal service. Expert intervention reduces the risk of reinfection and guarantees a complete cleanup.
Prevention: Avoiding the Next WordPress Hack
A cleaned site without preventive measures will be hacked again within 30 days in 73% of cases according to Sucuri. Prevention is essential.
Regular and Automatic Updates
Enable automatic updates for WordPress core, plugins, and themes. Known security flaws are fixed in patches: every day of delay is a day of exposure.
Strong Passwords and Two-Factor Authentication (2FA)
- Use randomly generated passwords of at least 16 characters
- Enable 2FA on all administrator accounts with an app like Google Authenticator or Authy
- Limit login attempts with a plugin like Limit Login Attempts Reloaded
Web Application Firewall (WAF) and Security Plugins
A WAF filters malicious traffic before it reaches your server. Recommended solutions:
- Cloudflare (cloud WAF): blocks DDoS attacks and malicious bots at DNS level
- Sucuri Firewall (cloud WAF): WordPress-specialized, protection against known exploits
- Wordfence (application WAF): built-in WordPress firewall with malware scanning
Regular, Automated, and Offsite Backups
Configure daily automatic backups stored off-server (external cloud: Amazon S3, Google Drive, Dropbox). Keep at least 30 days of history to restore a clean version even if the infection is discovered late.
Remove Unused Themes and Plugins
Every installed plugin or theme, even deactivated, is a potential attack vector. Delete everything that is not actively used. Favor extensions with a history of regular updates and an active community.
File and Folder Permissions
Configure correct permissions to limit unauthorized write risks:
- Files: 644 (owner read/write, group and public read)
- Folders: 755 (owner read/write/execute, others read/execute)
- wp-config.php: 440 or 400 (owner read-only)
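To find where an installation deviates from these values, walk the tree and report anything more permissive. This is an added example, not code from the original article: audit() and demo() are illustrative names, and the tree it checks is constructed in a temporary directory.

```python
import os
import stat
import tempfile

FILE_MAX, DIR_MAX = 0o644, 0o755   # ceilings from the list above
CONFIG_OK = {0o440, 0o400}         # accepted modes for wp-config.php


def audit(root):
    """Return sorted (relative path, actual mode, expected) per violation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if stat.S_ISDIR(st.st_mode):
                # any bit outside 755 (group/other write, sticky, setgid)
                expected = None if (mode & ~DIR_MAX) == 0 else "755"
            elif name == "wp-config.php":
                expected = None if mode in CONFIG_OK else "440 or 400"
            else:
                # any bit outside 644 (execute, group/other write)
                expected = None if (mode & ~FILE_MAX) == 0 else "644"
            if expected:
                findings.append((rel, format(mode, "o"), expected))
    return sorted(findings)


def demo():
    """Build a constructed tree with three deliberate violations and audit it."""
    layout = {  # relative path -> mode; a trailing "/" marks a directory
        "wp-content/": 0o755,
        "wp-content/uploads/": 0o777,
        "wp-content/uploads/a.jpg": 0o666,
        "index.php": 0o644,
        "wp-config.php": 0o644,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, mode in layout.items():
            full = os.path.join(tmp, rel)
            if rel.endswith("/"):
                os.makedirs(full, exist_ok=True)
            else:
                open(full, "w").close()
            os.chmod(full, mode)  # explicit chmod so umask does not interfere
        return audit(tmp)


if __name__ == "__main__":
    for rel, mode, expected in demo():
        print(f"{rel}: {mode} (expected {expected})")
```

Modes stricter than the ceilings (for example 600 on a file) pass the audit; only extra bits are reported.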
Frequently Asked Questions
How do I check if my WordPress site has a hidden backdoor?
Backdoors hide in PHP files with innocuous names placed in /wp-content/uploads/, /wp-includes/, or in the active theme's functions.php file. Search for suspicious functions (eval(), base64_decode(), gzinflate()) with the command: grep -r "eval\|base64_decode" /var/www/html/wp-content/ --include="*.php". Also check file modification timestamps: any file modified on a date when you did not perform an update is suspicious. The WP-CLI tool with wp core verify-checksums detects core file modifications.
What free tools do you recommend for detecting a WordPress hack?
Five free tools cover the essentials of diagnosis:
- Sucuri SiteCheck: online scan detecting malware, blacklists, and client-side anomalies
- Wordfence (free version): server scan of modified files and backdoors
- Google Search Console: security alerts and spam content detection in the index
- WP-CLI (wp core verify-checksums): core file integrity verification
- VirusTotal: multi-engine analysis (70+) of your URL
Combine an online scan (Sucuri) with a server scan (Wordfence) for complete coverage.
Can my web host help clean my hacked site?
Most hosts detect the infection but do not clean it. Their role is generally limited to:
- Suspending the account to protect other clients on the shared server
- Providing access and error logs for forensic analysis
- Restoring a backup (if included in your hosting plan)
Cleaning infected files, removing backdoors, and hardening remain your responsibility. For a complete cleanup with guaranteed results, a specialized WordPress malware removal service is recommended.
Does a hacked WordPress site permanently damage SEO rankings?
Yes, the SEO impact is significant and can last several months after cleanup:
- Deindexing: Google removes infected pages from its index, causing an immediate drop in organic traffic
- Manual penalty: a "Hacked content" manual action in Search Console requires a review that takes 2 to 4 weeks
- Trust loss: E-E-A-T signals (Experience, Expertise, Authoritativeness, Trustworthiness) are degraded, affecting overall rankings
- Blacklisting: being listed on Google Safe Browsing displays a warning to visitors, reducing click-through rate by 95%
To minimize damage: clean up quickly, submit a review request in Search Console, and strengthen WordPress security to prevent recurrence. Return to initial rankings takes an average of 4 to 12 weeks after a complete cleanup.
Conclusion: Vigilance Is Your Best Protection
Identifying the signs of a hacked WordPress site is the first step toward resolution. The 18 indicators presented in this guide cover both visible symptoms (redirects, defacement, spam) and technical clues (server logs, backdoors, suspicious cron tasks).
Remember these 3 essential reflexes:
- Monitor: install a security plugin with automatic scanning and enable email alerts. See our WordPress security guide for best practices.
- React fast: every hour of inaction worsens SEO consequences and data loss
- Prevent: follow our WordPress maintenance guide for automatic updates, 2FA, offsite backups, and Web Application Firewall (WAF)
If you suspect an infection or have identified several signs described in this article, do not wait. A professional WordPress malware cleanup with guaranteed results allows you to regain control of your site in under 48 hours.
