Your homepage looks normal. Your analytics seem fine. But when a customer mentions your site redirected them somewhere strange, or Google slaps a “This site may be hacked” warning on your search listing — that’s when the panic sets in.

The uncomfortable truth about WordPress hacks is that most of them don’t announce themselves. They’re designed to stay hidden for as long as possible, quietly injecting spam links, stealing customer data, or using your server to send phishing emails. By the time you notice, the damage has often been accumulating for weeks.

Knowing what to look for — and what to do when you find it — turns a potential disaster into a recoverable situation.

Signs your WordPress site has been hacked

Not every hack looks the same, but most leave traces. Some are obvious; others require a closer look. Here are the most common warning signs, roughly ordered from most visible to most subtle.

Your site redirects visitors somewhere else

This is the most visible symptom. Visitors type your URL and end up on a pharmaceutical spam page, a fake tech support site, or a phishing page. The redirect is usually conditional: it fires only for mobile user agents, for visitors arriving from a search engine, or for first-time visitors, and it skips anyone carrying a logged-in WordPress cookie. That is why the site looks perfectly normal to you and broken to your customers.

Try visiting your site in an incognito window from a mobile device, and also search for your business on Google and click the result rather than typing the URL, because many redirect scripts check the referrer. If either test redirects, you have a problem that needs immediate attention.

Google flags your site with a warning

If Google detects malware, phishing pages, or spam on your site, it adds a warning label to your search results. The dreaded “This site may harm your computer” message effectively kills your organic traffic overnight. Google Search Console sends email notifications when it detects security issues — if you haven’t set up Search Console yet, that alone is worth doing today.

Unexpected new user accounts appear

Check your WordPress user list (Users in the dashboard). If you see administrator accounts you didn’t create, especially with generic or throwaway email addresses and a recent registration date, an attacker has gained enough access to create their own back door. Changing your own password does nothing about this: they simply log in through the account they created. Malware can also hide an account from the dashboard listing, so if you have database access, check the wp_users table directly as well.

Your site is suddenly slow or unresponsive

A sudden, unexplained drop in site speed can indicate that your server resources are being used for something else — cryptocurrency mining, sending spam emails, or hosting malicious files. If your site was loading in 2 seconds last week and now takes 12, something changed, and it probably wasn’t your content.

Strange content or links you didn’t add

Attackers frequently inject hidden links into your pages, invisible to visitors but visible to search engines. These “SEO spam” injections piggyback on your site’s domain authority to boost their own rankings. Check your page source code (right-click → View Page Source) and search for pharmaceutical terms, casino links, anchor text that has nothing to do with your business, or blocks styled with display:none. The spam is often cloaked so that only crawlers see it, so also run a site:yourdomain.com search on Google and look for result titles and snippets you didn’t write.
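The two symptoms above, a redirect that only fires for some visitors and spam that only crawlers see, are checked the same way: request the site as several different clients and compare. The script below is an added example, not part of the original article. It needs curl; the user-agent strings, the spam-term list and the hidden-element patterns are assumptions, a zero count proves nothing, and a hit is something to read in the page source, not a verdict.

```shell
#!/bin/sh
# Added example, not from the original article: fetch a site the way the
# clients targeted by conditional redirects and cloaked SEO spam see it
# (a first-time mobile visitor arriving from Google, and Googlebot itself)
# and compare with a plain desktop request. Needs curl. The user-agent
# strings, the spam-term list and the hidden-element patterns are assumptions;
# a zero count proves nothing, and a hit is something to read, not a verdict.

DESKTOP_UA='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Safari/537.36'
MOBILE_UA='Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36'
BOT_UA='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'

# Print the Location header from raw HTTP response headers on stdin (nothing if absent).
redirect_target() {
  tr -d '\r' | awk 'tolower($1) == "location:" { print $2; exit }'
}

# Count client-side redirects in HTML on stdin: injected redirects are often
# JavaScript in the theme header or a meta refresh, which never appear as a
# Location header. Legitimate scripts can match too, so read what matched.
client_redirect_count() {
  tr -d '\r' | grep -oiE 'window\.location|location\.(href|replace)|http-equiv=.?refresh' | awk 'END { print NR }'
}

# Count elements hidden with inline CSS: injected spam is usually wrapped in
# display:none or visibility:hidden containers.
hidden_element_count() {
  tr -d '\r' | grep -oiE 'display:[[:space:]]*none|visibility:[[:space:]]*hidden' | awk 'END { print NR }'
}

# Count links whose anchor text uses typical pharma/casino/loan spam terms.
spam_link_count() {
  tr -d '\r' | grep -oiE '<a[^>]*>[^<]*(viagra|cialis|casino|payday|loan)' | awk 'END { print NR }'
}

# One request for URL as LABEL with the given User-Agent and Referer, not
# following redirects, then a report of status, redirect target and counts.
probe() {
  url=$1 label=$2 ua=$3 ref=$4
  headers=$(curl -sS -o /dev/null -D - -A "$ua" -e "$ref" --max-time 20 "$url")
  body=$(curl -sS -A "$ua" -e "$ref" --max-time 20 "$url")
  printf '%-10s %s\n' "$label" "$(printf '%s\n' "$headers" | head -n 1 | tr -d '\r')"
  target=$(printf '%s\n' "$headers" | redirect_target)
  if [ -n "$target" ]; then printf '%-10s   Location: %s\n' '' "$target"; fi
  printf '%-10s   js/meta redirects: %s  hidden elements: %s  spam links: %s\n' '' \
    "$(printf '%s\n' "$body" | client_redirect_count)" \
    "$(printf '%s\n' "$body" | hidden_element_count)" \
    "$(printf '%s\n' "$body" | spam_link_count)"
}

# Same URL as three clients; the mobile probe claims to arrive from Google
# because many redirect scripts key on the Referer as well as the User-Agent.
check_site() {
  probe "$1" desktop   "$DESKTOP_UA" ''
  probe "$1" mobile    "$MOBILE_UA"  'https://www.google.com/'
  probe "$1" googlebot "$BOT_UA"     ''
}

# Usage: SITE_URL=https://example.com sh probe.sh
# A Location header, a redirect count or a spam count that appears for mobile
# or googlebot but not for desktop is the conditional behaviour described above.
if [ -n "${SITE_URL:-}" ]; then check_site "$SITE_URL"; fi
```

Run it from a machine that is not logged in to the site and not on the same network as your office, since some redirect scripts also skip the site owner’s IP. Differences between the three rows matter more than any single number.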

Your hosting provider suspends your account

Reputable hosts monitor for malicious activity. If your site is sending spam, hosting phishing pages, or consuming excessive resources, your host will suspend the account — sometimes without warning. If you receive a suspension notice mentioning malware or abuse complaints, a hack is the likely cause.

Email deliverability drops

If your site’s server is being used to send spam, your domain’s email reputation suffers. Customer emails start landing in spam folders. Contact form notifications stop arriving. This is one of the sneakiest consequences because it feels like an email problem, not a website security issue.

How to confirm a hack

Suspecting a hack and confirming one are different things. Before you start making changes, verify the situation so you know what you’re dealing with.

Run an external scan. Tools like Sucuri SiteCheck (free) scan your site from the outside for known malware signatures, blacklisting status, and injected content. It won’t catch everything: anything that doesn’t show up in the rendered pages, such as a backdoor file that only responds to the attacker or a malicious scheduled task, is invisible to an external scanner. It is still a solid first check.

Check Google Search Console. Navigate to the Security Issues report. Google will list specific pages and the type of issue detected. This is one of the most reliable indicators because Google actively crawls your site looking for exactly these problems.

Review recent file changes. If you have SSH or file manager access, list which files were modified recently and where. Legitimate WordPress updates modify files on predictable dates and only in predictable places; core files changed on a random Tuesday at 3 AM, or PHP files sitting in wp-content/uploads (which should only ever hold media), are suspicious. Two caveats: attackers can reset modification times, so an unchanged timestamp proves nothing, and the reliable test for core files is comparing them against the official checksums (WP-CLI’s wp core verify-checksums does exactly this).

Check your plugins and themes. Go to your WordPress dashboard and look for plugins you don’t recognise. Attackers sometimes install their own plugins to maintain access. Check for themes you didn’t install, too, and don’t forget the “Must-Use” tab on the Plugins screen: anything dropped into wp-content/mu-plugins runs automatically, cannot be deactivated from the dashboard, and is easy to overlook.
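The file, plugin and user checks above can be run in one go over SSH. The script below is an added example, not from the original article: it needs only find and grep for the filesystem checks, and WP-CLI (wp) with a working database for the checksum and listing commands. WP_ROOT, the 7-day window and the marker patterns are assumptions. Treat a hit as a file to read rather than a verdict: a few legitimate plugins use base64 too, and a clean result from the timestamp check proves nothing because timestamps can be reset.

```shell
#!/bin/sh
# Added example, not from the original article: the on-server checks from
# "How to confirm a hack", run over the WordPress root via SSH. Needs find
# and grep; the WP-CLI part needs wp and a working database. WP_ROOT, the
# 7-day window and the marker patterns are assumptions. A hit is a file to
# read, not a verdict: a few legitimate plugins use base64 too, and a clean
# result from the timestamp check proves nothing because timestamps can be reset.

# PHP files modified within the last DAYS days, with their modification times.
recent_php_files() {
  find "$1" -type f -name '*.php' -mtime -"$2" -exec ls -ld {} +
}

# PHP files inside wp-content/uploads. That directory should only ever hold
# media, so any PHP there was almost certainly planted.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Files containing common obfuscation and web-shell markers: eval of decoded
# data, a function chosen by a request parameter, or preg_replace's /e trick.
suspicious_php() {
  pattern='eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)|\$_(POST|GET|REQUEST|COOKIE)\[[^]]+\][[:space:]]*\(|preg_replace[[:space:]]*\([^)]*/e'
  find "$1" -type f -name '*.php' -exec grep -lE "$pattern" {} + | sort || :
}

# Compare core and plugin files against the official checksums and list
# administrators, plugins and themes; needs WP-CLI, so it runs only on request.
wpcli_checks() {
  cd "$1" || return 1
  wp core verify-checksums
  wp plugin verify-checksums --all
  wp plugin list --fields=name,status,version,update
  wp theme list --fields=name,status,version,update
  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
}

# Usage: WP_ROOT=/var/www/html sh check.sh
if [ -n "${WP_ROOT:-}" ]; then
  echo '== PHP files changed in the last 7 days';  recent_php_files "$WP_ROOT" 7
  echo '== PHP files inside wp-content/uploads';   php_in_uploads "$WP_ROOT"
  echo '== PHP files with web-shell markers';      suspicious_php "$WP_ROOT"
  echo '== must-use plugins (run without activation)'
  ls -la "$WP_ROOT/wp-content/mu-plugins" 2>/dev/null || :
  if command -v wp >/dev/null 2>&1; then wpcli_checks "$WP_ROOT"; fi
fi
```

The WP-CLI user listing comes straight from the database rather than through the dashboard, so it also shows administrator accounts that malware hides from the Users screen. Keep the output: the earliest planted file it reveals is the starting point for working out how the attacker got in.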

What to do if your site has been hacked

Discovering a hack is stressful. Having a clear plan makes it manageable. Follow these steps in order.

Step 1: Don’t panic, but act fast

The hack has likely been there for days or weeks already. A few more hours to handle it properly won’t make things worse. Rushing into changes without understanding the problem can make recovery harder.

Step 2: Take your site offline (if possible)

If your site is actively redirecting visitors to malicious pages or distributing malware, take it offline temporarily. Most hosting panels have a maintenance mode option, or you can ask your host to disable the site. This protects your visitors and prevents further damage to your reputation. Before you change or delete anything else, take a full copy of the files, the database and the web server logs: cleanup destroys exactly the evidence you will need in step 6 to work out how the attacker got in.

Step 3: Change all passwords immediately

Change your WordPress admin password, your hosting control panel password, your FTP/SFTP password, and your database password (and update wp-config.php to match, or the site goes down). Use a password manager to generate strong, unique passwords for each. If multiple people have admin access, change all of their passwords too. A new password does not log out an attacker who already holds a session cookie, so also rotate the authentication keys and salts in wp-config.php, which invalidates every existing login; WP-CLI’s wp config shuffle-salts does this in one command. Finally, assume any API keys or SMTP credentials stored in the site’s settings were read, and rotate those with their providers.

Step 4: Restore from a clean backup

If you have regular automated backups, this is their moment. Restore from a backup that predates the hack. The tricky part is knowing when the hack started: it is often older than you think, so check multiple backup dates and scan each before restoring. Two things to remember: a backup also restores the vulnerable plugin or weak password that let the attacker in, so step 6 still applies, and you must update everything before the restored site goes live or the attacker simply repeats the original attack.

Step 5: If no clean backup exists, clean manually

Manual cleanup means replacing all WordPress core files with fresh copies of the same version, reinstalling plugins and themes from their official sources rather than cleaning them in place, removing unfamiliar plugins and themes entirely, scanning every remaining file for malicious code, cleaning your database of injected content (scripts and links in wp_posts, rogue entries in wp_options), and removing any rogue user accounts. This is time-consuming and error-prone. Attackers routinely plant multiple backdoors, often with innocent-looking names and timestamps, so that if you find one, they can get back in through another. For most business owners, this is where professional help pays for itself many times over.

Step 6: Identify the entry point

Cleaning up the hack without finding how they got in means they’ll get in again. The most common entry points are outdated plugins with known vulnerabilities, weak or reused passwords, compromised hosting environments (especially cheap shared hosting), and nulled (pirated) themes or plugins. The web server access logs are your best evidence: take the earliest planted file you found, look for the first request that hit it, and read what that client did in the minutes beforehand. The request that exploited the vulnerable plugin, or the successful login from an unfamiliar address, is usually right there.
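Working backwards through the access log, as just described, is mostly awk over the standard combined log format. The script below is an added example, not from the original article. The log lines in it are constructed for the example (documentation IP ranges, a placeholder plugin path named example-plugin); a real Apache or nginx access log in combined format works the same way.

```shell
#!/bin/sh
# Added example, not from the original article: once you know which file was
# planted, work backwards through the web server access log to find the
# request that delivered it. The log below is constructed for this example
# (documentation IP ranges, a placeholder plugin path); real Apache/nginx logs
# in combined format have the same field layout.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.9 - - [12/May/2024:03:02:11 +0000] "GET /wp-content/plugins/example-plugin/upload.php?action=form HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:03:02:14 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:03:02:19 +0000] "POST /wp-content/uploads/2024/05/cache.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2024:03:05:00 +0000] "GET / HTTP/1.1" 200 20488 "-" "Mozilla/5.0"
198.51.100.4 - - [12/May/2024:03:05:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 31 "https://example.com/" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:03:07:41 +0000] "POST /wp-content/uploads/2024/05/cache.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
EOF

# Combined log format: field 1 is the client IP, field 6 the quoted method,
# field 7 the request path (query string included, so it is split off).

# Every request for PATH, query string ignored. Usage: requests_to_path LOG PATH
requests_to_path() {
  awk -v p="$2" '{ split($7, u, "?"); if (u[1] == p) print }' "$1"
}

# POST requests to PHP files that are not normal WordPress entry points.
# Web shells and upload backdoors are driven this way. Heuristic only:
# some legitimate plugins expose their own POST endpoints as well.
unexpected_php_posts() {
  awk '$6 == "\"POST" && $7 ~ /\.php/ && $7 !~ /^\/(wp-login|xmlrpc|wp-cron|index)\.php/ && $7 !~ /^\/wp-admin\//' "$1"
}

# What the client that first touched DROPPED_PATH did before that moment.
# The exploit request (or the login) is usually among these lines.
# Usage: entry_point_candidates LOG DROPPED_PATH
entry_point_candidates() {
  hit=$(awk -v p="$2" '{ split($7, u, "?"); if (u[1] == p) { print NR, $1; exit } }' "$1")
  [ -n "$hit" ] || return 0
  n=${hit%% *}; ip=${hit#* }
  awk -v n="$n" -v ip="$ip" 'NR < n && $1 == ip' "$1"
}

echo '== unexpected POSTs to PHP files'
unexpected_php_posts "$SAMPLE_LOG"
echo '== what the client that dropped cache.php did first'
entry_point_candidates "$SAMPLE_LOG" /wp-content/uploads/2024/05/cache.php
```

In the constructed log the answer is the GET and POST to the plugin’s upload.php seconds before the first hit on the planted file. On a real server, run the same functions against the rotated logs too, because the entry is often days older than the first thing you noticed.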

Step 7: Harden your site for the future

Once clean, implement the protections that prevent a repeat: update WordPress, every plugin and every theme, delete the ones you don’t use, enable two-factor authentication for all admin accounts, install a security plugin with a firewall and login rate limiting, disable the in-dashboard file editor (DISALLOW_FILE_EDIT in wp-config.php), set up monitoring alerts, and ensure your security fundamentals are in place. If Google flagged the site, request a review in Search Console once it is clean; the warning does not go away on its own.

The hidden costs of a hack

The financial impact extends far beyond the cleanup bill. A hacked site typically causes two to four weeks of reduced organic traffic while Google re-evaluates your site. Email deliverability problems can persist for months. Customer trust, once broken, is expensive to rebuild.

For e-commerce sites, the equation is straightforward: every hour your site is compromised is an hour of lost revenue and exposed customer data. For service businesses, a hacked site sends potential clients straight to your competitor.

The average cost of recovering from a small business website hack ranges from €200 to €2,000, depending on severity. Factor in lost revenue, damaged reputation, and the time you personally spend dealing with it, and prevention starts looking like the obvious investment.

Prevention beats recovery — every time

Most WordPress hacks are preventable with basic, consistent security hygiene. Keeping your software updated, using strong passwords with two-factor authentication, choosing a host that takes security seriously, and maintaining regular backups eliminates the vast majority of attack vectors.

The patterns behind most attacks are well-documented and well-understood. The sites that get hit aren’t unlucky — they’re unprotected. A monthly maintenance routine that includes updates, backups, and security monitoring costs a fraction of a single cleanup.

If your site has already been hacked, treat it as a turning point rather than a crisis. Clean it properly, close the entry point, and put real protection in place. If you’d rather not manage that process alone, we’re happy to help you get back on track and make sure it doesn’t happen again.