A hacked WordPress site doesn't always announce itself with a dramatic defacement. Often it's quieter: a redirect that only fires on mobile, spam links you can't see, or a slow slide in search traffic that you blame on the algorithm. Catching it early saves your rankings, your customers and a lot of money, so this guide lays out the warning signs, the subtle ones people miss, how to confirm a breach, and exactly what to do the moment you suspect something's wrong.
What are the signs your WordPress site is hacked?
The clearest signs are unexpected redirects to spam sites, pop-up ads you didn't add, strange new admin users, content you didn't write, a Google "this site may be hacked" warning, and a sudden traffic or ranking drop. Any one of these means you should treat the site as compromised and act fast.
Here are the warning signs to look for, in roughly the order people tend to notice them.
- Unexpected redirects. Your site sends visitors to a spam or scam page, often only on mobile or only for people arriving from Google.
- Pop-ups and ads you didn't add. Adverts, overlays or "you've won" pop-ups appearing on your own pages.
- Strange new admin users. Accounts in your users list that you never created, often with odd usernames.
- Content you didn't write. New posts, pages or links, frequently in another language or about pharmaceuticals and gambling.
- A Google security warning. A red "this site may be hacked" or "dangerous" notice in search results or the browser.
- A sudden traffic drop. Visitors fall off a cliff because Google flagged the site or buried it.
- You can't log in. Your password stops working because an attacker changed it.
- Your host suspends you. Hosting flags your account for sending spam or serving malware.
- The site is suddenly slow. Malware using your server's resources drags performance down.
- Spam emails from your domain. People reply about emails you never sent.
- Unfamiliar files or scheduled tasks. Odd files in your directories or cron jobs you didn't set.
Our WordPress malware removal service cleans the infection, removes the warning and hardens the site so it doesn't come back.
What are the subtle signs people miss?
The sneaky signs are spam links hidden in your pages that only search engines see, redirects that fire only for first-time mobile visitors, and your server quietly sending spam in the background. The site looks normal to you while your rankings fall and your host gets complaints, so catching a silent hack takes monitoring.
This is what makes WordPress hacks so costly. The smart ones hide from the site owner on purpose, because the longer they stay undetected, the more value they extract. You might only find out when a customer mentions a weird redirect, or when you check Search Console and see pages indexed that you never wrote. By then the damage to your rankings is already underway.
How can a hack hurt rankings without changing what I see?
By showing different content to Google than it shows you. This is called cloaking. The malware serves clean pages to the logged-in owner and spam-stuffed pages to search crawlers, so your site quietly becomes a spam farm in Google's eyes while looking perfect in your browser. Checking Search Console and a logged-out incognito view is how you catch it.
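To make that comparison concrete, here is an added example (not from the original article) that diffs two saved copies of the same page, one as a logged-out browser received it and one as a crawler received it, and reports off-site links that appear only in the crawler copy or sit inside hidden elements. The host names and sample HTML are constructed, and the function names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

VOID = {"img", "br", "hr", "input", "meta", "link"}  # tags with no closing tag


class LinkCollector(HTMLParser):
    """Collects off-site link hosts and notes whether each sits in a hidden element."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []   # one flag per open element: does it hide its content?
        self.hosts = {}   # host -> True if any link to it is hidden

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "a":
            try:
                host = urlparse(attrs.get("href") or "").hostname
            except ValueError:
                host = None   # malformed href, nothing to compare
            on_site = host == self.site_host or (host or "").endswith("." + self.site_host)
            if host and not on_site:
                self.hosts[host] = self.hosts.get(host, False) or hidden or any(self.stack)
        if tag not in VOID:
            self.stack.append(hidden)

    def handle_endtag(self, tag):
        if self.stack and tag not in VOID:
            self.stack.pop()


def external_links(html, site_host):
    parser = LinkCollector(site_host)
    parser.feed(html)
    return parser.hosts


def cloaking_report(visitor_html, crawler_html, site_host):
    """Hosts linked only in the crawler view, plus hidden off-site links in it."""
    visitor = external_links(visitor_html, site_host)
    crawler = external_links(crawler_html, site_host)
    return {"crawler_only": sorted(set(crawler) - set(visitor)),
            "hidden": sorted(h for h, hid in crawler.items() if hid)}


# Constructed sample pages: the logged-out browser view and the crawler view.
VISITOR = '<p>Our <a href="https://partner.example/">partner</a></p>'
CRAWLER = VISITOR + ('<div style="display: none">'
                     '<a href="https://pills.example/x">cheap pills</a></div>')
```

Any host listed under `crawler_only` is a link your visitors never see but search engines do, which is the pattern cloaking produces.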
How do you confirm your WordPress site is hacked?
Check it from a logged-out browser and on mobile, run a malware scanner, review Google Search Console for security issues and unfamiliar indexed pages, and look at your users list and recently modified files. If a scan flags malware or you find changes you didn't make, the site's compromised.
Don't rely on how the site looks when you're logged in; that's exactly the view a clever hack wants you to trust. Open an incognito window, visit from your phone, and check Search Console's Security Issues report. A reputable malware scanner gives you a second opinion, and a glance at your file modification dates often reveals files changed at times you weren't working.
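The file-date check can be scripted. This added example (not from the original article) walks a WordPress directory, lists files changed in the last 14 days and flags those changed outside working hours or at a weekend. The 14-day window and the 09:00 to 18:00 working hours are assumptions to adjust to your own schedule.

```python
import os
import time
from datetime import datetime


def recently_modified(root, days=14, work_hours=(9, 18), now=None):
    """List files under root changed in the last `days`, flagging off-hours changes.

    Returns (relative_path, modified_at, off_hours) tuples, newest first.
    work_hours is an assumed schedule in the server's local time.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                mtime = os.lstat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if mtime < cutoff:
                continue
            when = datetime.fromtimestamp(mtime)
            in_hours = work_hours[0] <= when.hour < work_hours[1]
            off_hours = not in_hours or when.weekday() >= 5  # Sat/Sun count as off-hours
            found.append((os.path.relpath(path, root), when, off_hours))
    return sorted(found, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    import sys
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, when, off in recently_modified(site_root):
        flag = "OFF-HOURS" if off else "         "
        print(f"{flag} {when:%Y-%m-%d %H:%M} {rel}")
```

Modification times can be reset by whoever controls the files, so a clean listing does not rule out a compromise; treat it as one signal alongside the scanner and Search Console.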
What should you do if your WordPress site is hacked?
Act the same day. Put the site into maintenance mode, change all passwords, take a backup of the current state for evidence, then clean the malware from every file, remove rogue users, update everything, and request a review if Google flagged you. If you're unsure, get professional cleanup before the damage spreads.
Speed matters more than perfection here. Every hour a compromised site stays live, it can infect visitors, sink your rankings further and risk a host suspension. Here's the order that limits the damage.
- Take the site offline or into maintenance mode so it stops harming visitors and your reputation.
- Change every password: hosting, WordPress admin, database and FTP.
- Back up the compromised state so you have a record before you start cleaning.
- Remove the malware at the source, not just the visible symptoms, across all files.
- Delete rogue users and update everything, then close the hole that let them in.
- Request a Google review if your site was flagged, to clear the warning.
The trap with do-it-yourself cleanup is reinfection: malware hides in multiple places and creeps back after a partial clean. If you're not certain you've found every instance, our malware removal service handles the full clean and hardening so it doesn't return.
How do you prevent the next hack?
Keep core, themes and plugins updated, use strong passwords with two-factor authentication, run a firewall, take automatic off-site backups, and turn on security monitoring so you catch problems early. Most reinfections happen because the original hole was never closed, so hardening after a clean is essential.
A clean site that isn't hardened just gets hacked again through the same door. The lasting fix is the boring routine: prompt updates, locked-down logins and ongoing monitoring. Our full WordPress security guide walks through the hardening steps, and a care plan keeps that routine running with monitoring on every tier, so the next attempt gets caught before it lands.
Key takeaways
- Redirects, rogue admins, mystery content and traffic drops are the loud signs.
- Many hacks hide on purpose, so check incognito, mobile and Search Console.
- Act the same day: maintenance mode, new passwords, full clean, then a review.
- Harden after cleaning, or the same hole lets the attacker straight back in.