To tell if your WordPress site is hacked, look for spam redirects, a Google warning, unknown admin users, mystery pages in other languages, login lockouts, strange traffic, host or security alerts, links injected into your content, rogue scheduled tasks, modified theme files, unauthorized outbound email, and pop-ups that only real visitors see. Google flags around 10,000 websites for malware every day. Most site owners discover the attack days or weeks after it started. Here are all twelve signs, how to check each one in minutes, and what to do.
A hacked WordPress site is not always obvious. Modern infections hide deliberately: in more than 6 out of 10 cleanups we have handled, the malware only activated for real visitors arriving from Google, never for a logged-in owner clicking around. Database-level injections were present in 9 out of 10 cases, including on sites where a previous cleanup had already been attempted. In one coordinated attack we responded to, a single server-level compromise quietly added over 1,000 hidden gambling pages to each of 25 different law firm sites, all before anyone noticed. We have personally recovered more than 50 hacked WordPress sites. These are the twelve signs we look for first.
| # | Sign | How to check | Urgency |
|---|---|---|---|
| 1 | Spam redirects | Private window + mobile | Critical |
| 2 | Google warning | GSC Security Issues | Critical |
| 3 | Locked out of admin | Contact host or phpMyAdmin | Critical |
| 4 | Unknown admin users | WP Users panel | Critical |
| 5 | Mystery spam pages | site:yourdomain.com in Google | High |
| 6 | Traffic spike or drop | GA4 + GSC together | High |
| 7 | Host or security alerts | Read the alert | High |
| 8 | Links injected in content | View-source + Google cache | High |
| 9 | Rogue cron jobs | WP Crontrol plugin | High |
| 10 | Modified theme files | Wordfence file scan | High |
| 11 | Server sending spam email | cPanel email logs | Medium |
| 12 | Visitor pop-ups you cannot see | Private window + mobile | High |
Contents
- 1. Your site redirects to spam
- 2. Google flagged your site
- 3. You are locked out of admin
- 4. Unknown admin users
- 5. Mystery pages and posts
- 6. Sudden traffic spikes or drops
- 7. Host or security alerts
- 8. Malicious links in your content
- 9. Rogue scheduled tasks
- 10. Modified theme files
- 11. Your server is sending spam email
- 12. Visitors see pop-ups you cannot reproduce
- How to check if your site is hacked
- What to do if you see these signs
1. Your Site Redirects to Spam
You type your address and land on a pharmacy, casino, or sketchy store. This is a redirect hack, one of the most common WordPress infections. Attackers inject code that sends real visitors (and sometimes only visitors coming from Google or on mobile) to their affiliate spam. We cover this in detail in why your WordPress site redirects to spam. How to confirm: open your homepage in a private window and again from your phone. If it sends you to a pharmacy or casino page there but looks fine when you are logged in, that is a conditional redirect hack.
2. Google Flagged Your Site
A red This site may be hacked or Deceptive site ahead warning in search results or the browser means Google Safe Browsing found something. It scares away nearly every visitor. See Google flagged my WordPress site, now what for the recovery steps. How to confirm: open Google Search Console and check Security Issues, or run your URL through Google Safe Browsing. Both tell you exactly what Google found.
3. You Are Locked Out of WP-Admin
Your password suddenly stops working, or your account is missing or downgraded from administrator. Attackers often lock owners out to keep control of the site. Do not assume you forgot your password, especially if other signs are present. How to confirm: check your Users table in the database (phpMyAdmin) or ask your host. If your admin account is gone or downgraded and you did not change it, treat it as a breach.
4. Unknown Administrator Users
Open Users in your dashboard and look for accounts you did not create, often with odd names and no email. These are backdoor admin accounts. They are a clear sign of compromise and a common re-entry point even after a partial cleanup. How to confirm: in Users, look for any administrator you do not recognize, especially ones with no posts and a strange email. Deleting them is not enough, you also have to find how they got in.
5. Mystery Pages and Posts
Pages or posts you never wrote start showing up, frequently in another language and selling casino, pharma, or replica goods. They are created to rank in Google and trade on your domain reputation. You may only see them in search results, not in the dashboard. How to confirm: search Google for site:yourdomain.com and look for pages in other languages or selling casino, pharma, or replica goods. Spam pages are often shown only to Google, so search is where you will see them.
6. Sudden Traffic Spikes or Drops
A strange surge in traffic from countries you do not serve can mean your site is hosting spam. A sudden drop can mean Google has de-indexed you for malware. Either way, an unexplained change in your analytics is worth investigating. How to confirm: open Google Analytics and Search Console and look at the source. Traffic from countries you do not serve, or a sudden drop next to a Security Issues notice, both point to a hack.
7. Host or Security Alerts
Your host suspends the site, your outgoing email starts landing in spam, or Wordfence or MalCare flags malicious files. These automated alerts are often the first official warning, and they should never be ignored. How to confirm: read the alert. A Wordfence or MalCare scan result, a host suspension notice, or your email landing in spam all name the problem. Do not dismiss them as false alarms.
8. Malicious Links Appear Inside Your Existing Content
Attackers inject invisible links to casino, pharma, or spam sites into your existing posts and pages. These links are hidden from you using CSS but are crawled and indexed by search engines, letting the attacker borrow your domain authority to rank their own spam. How to confirm: open a published post and use Ctrl+U (or Cmd+U on Mac) to view the raw page source, then search the source for links you did not write. Also check the cached version of a key page in Google by clicking the three-dot menu next to a search result. Any links pointing to gambling, pharma, or foreign-language spam domains that you did not place there are injected malware.
9. Your Scheduled Task List Has Hundreds of Entries You Did Not Create
WordPress uses scheduled tasks, called cron jobs, for routine things like checking for plugin updates or publishing scheduled posts. A healthy installation typically has 10 to 20 of these. Attackers add their own cron entries to keep the infection regenerating automatically, even after a partial cleanup. In one compromised site we cleaned, we found 22,433 attacker-planted cron entries, all running at short intervals with randomized names. How to confirm: install the free WP Crontrol plugin and open Tools, Cron Events. If you see hundreds or thousands of scheduled events, or entries firing every few seconds with gibberish names, that is attacker pollution and the site is still compromised.
10. Your Theme Files or WordPress Core Files Were Modified
The most common file-level attack we encounter injects malware directly into the active theme’s functions.php file. In the 25-site network we recovered in May 2026, every single infected site had exactly 614 lines of attacker code injected at the very top of that file. The malware read its instructions from hidden rows in the WordPress database and rebuilt itself whenever the files were cleaned without also cleaning the database. How to confirm: run a full Wordfence scan with the “Scan core files against repository” option enabled. It will flag any modified file and show you the exact change. You can also connect via SFTP and open wp-content/themes/your-active-theme/functions.php to look at the first 20 lines manually. Base64-encoded strings, eval() calls, or obfuscated code you did not write are malware.
11. Your Server Is Sending Email You Never Wrote
When an attacker gains server-level access, your hosting account becomes a spam relay. They use your domain reputation to deliver phishing messages, spam campaigns, or account-takeover emails to thousands of addresses. The typical first warning is your hosting provider suspending your outbound email, or users beginning to mark your domain as spam, which damages your email deliverability long after the hack is cleaned. How to confirm: log into cPanel or your hosting control panel and open Email Statistics or the Sent Mail section. A sudden spike in outbound message volume, or bounce messages arriving from addresses you have never contacted, means your server is being abused as a relay.
12. Visitors Report Pop-ups or Redirects That You Cannot Reproduce
Conditional malware activates only for specific visitors: people arriving from a Google search, people on mobile devices, or anyone who is not currently logged in to WordPress. You visit your site every day, logged in, and see nothing wrong, while every real visitor gets sent to a gambling site or shown a pop-up. This is the most common pattern in our redirect cleanups, appearing in more than 6 out of 10 infections we have handled. How to confirm: open your site in a private browsing window on your phone, without logging in. Ask someone who has never visited the site before to open it on their device. If they see a redirect or pop-up that you cannot reproduce while logged in, that is conditional malware targeting your real visitors.
How Do You Check If Your WordPress Site Is Hacked?
To check if your WordPress site is hacked, scan it from the outside, then from the inside. Start with a free external scan, check Google Search Console for security issues, then log in and review your users, files, recent changes, scheduled tasks, and sent mail logs. Most owners can run this full check in under twenty minutes. In the 50+ cleanups we have handled, the seven steps below have caught the infection every time.
- Run a free external scan. Put your URL through Sucuri SiteCheck and VirusTotal. They flag known malware, spam, and blacklist status without touching your site.
- Check Google Search Console. Open Security Issues. If Google found malware or spam it lists sample URLs, so you know exactly what to clean. See Google flagged my WordPress site, now what for the next steps.
- Scan from the inside. Install Wordfence or MalCare and run a full scan. They read your actual files and compare WordPress core against the official versions to catch injected or changed files.
- Review your users. In wp-admin, open Users and delete nothing yet, just look. Any administrator you did not create is a backdoor account and a sign the site is still open.
- Check for file changes. Look in wp-content/uploads for .php files (there should be almost none), and scan wp-config.php and index.php for code you do not recognize. Unknown files with random names are a classic backdoor.
- Look at cron jobs and logs. A hacked site often has scheduled tasks it should not, and access logs full of hits to xmlrpc.php or odd .php files in uploads. Your host logs and a plugin like WP Crontrol show these.
- Compare what Google has indexed. A site:yourdomain.com search that returns casino, pharma, or foreign-language pages you never wrote means spam is already indexed, even if your dashboard looks clean.
If any scan comes back dirty, do not start deleting at random. Our Hacked Site Rescue cleans infected sites within 72 hours, same day on the priority tier, and closes the entry point so it does not come back.
What Should You Do If Your Site Is Hacked?
Do not panic, and do not start deleting files at random, which can make recovery harder. Take a backup, stop sharing logins, and get the site scanned. If you would rather not handle it yourself, our Hacked Site Rescue service cleans infected WordPress sites fast, closes the entry point so it does not return, and you pay only after the site is clean. We clean most sites within 72 hours, and every cleanup includes a 30-day reinfection warranty, so if the same hack returns we fix it free.
Can a hacked WordPress site be saved?
Almost always, yes. The vast majority of hacks are recoverable without losing your content or design. Rebuilding from scratch is rarely necessary.
How did my WordPress site get hacked?
The most common cause is an outdated plugin or theme, followed by weak admin passwords. Closing that entry point is the most important part of any cleanup.
Should I just delete the site and start over?
No. That loses your content and SEO history, and the attacker often gets back in if the entry point is not fixed. A proper cleanup is faster and safer.
How fast can a hacked site be cleaned?
Most sites are clean and back online within 72 hours, same day with priority service.
How do I know if my WordPress site is hacked?
Look for the twelve signs above: spam redirects, a Google warning, admin users you did not create, mystery posts, login lockouts, strange traffic, host or security alerts, injected links, rogue cron jobs, modified theme files, spam email from your server, and pop-ups that only your visitors see. To be sure, run a free Sucuri SiteCheck scan and check Google Search Console Security Issues. Either confirms an infection in minutes.
Can I check if my WordPress site is hacked for free?
Yes. Sucuri SiteCheck, VirusTotal, and Google Safe Browsing are free external scans, and Search Console shows any security issues Google found. A free Wordfence or MalCare scan from inside wp-admin goes deeper. Free tools are enough to detect a hack, the full cleanup is the harder part.
Can a hacked site look completely normal to me?
Yes, and it usually does. Most modern infections use conditional code that only activates for real visitors arriving from search engines or on mobile. You can log in and browse your site every day and see nothing wrong while thousands of visitors are being redirected to spam. Always test in a private browsing window on a mobile device to see what your actual visitors experience.
My site was cleaned once but the hack came back. Why?
Because the cleanup only removed the files. Attackers plant hidden admin accounts and malicious settings directly in the WordPress database, where file scanners never look. Even after a thorough file cleanup, those database entries let the attacker log back in and rebuild the infection within days. A complete cleanup must clear the database and the files at the same time, then close the entry point so the same path cannot be reused.
Think your site is hacked?
We clean infected WordPress sites fast and lock them down. Pay only after it is fixed.
