How to know if your WordPress is hacked: 10 signs
Not sure your site is clean? Here are 10 concrete signs of a hacked WordPress and how to check each one, before you run a pointless cleanup or let a real infection sit.
You have a hunch, but nothing obvious: the site loads, you can log in, and yet something feels off. Knowing whether your WordPress is hacked isn’t a matter of gut feeling. There are specific, checkable signs that take a few minutes to confirm, and they separate a real infection from a false alarm. Here are the 10 most reliable ones, each with a way to check it yourself.
1. Google shows a warning on your site
If you see “This site may harm your computer” or “Deceptive site ahead” in the Google results, or a full-screen red warning when you visit your page, that’s one of the clearest signals. Google has detected malicious code.
How to check: go to Google’s Safe Browsing test and enter your URL. If your site is listed as dangerous, the infection is confirmed on Google’s side.
2. site:yourdomain.com returns pages you never created
This is the fastest and most telling test. Type site:yourdomain.com into Google (using your real domain name). You should see your actual pages.
How to check: scroll through the results. If you spot titles about casinos, online betting, medications (viagra, cialis), content in Russian, Chinese or Japanese, or products you don’t sell, your site is hosting injected spam pages. Click a few to confirm they really load.
3. Your site redirects to another site
You type your address and land on a betting site, a sketchy store, or a scam page. Often the redirect only fires under certain conditions: from a Google result, on mobile, or for visitors who aren’t logged in as admin. This is called cloaking, and it’s what makes the problem hard to reproduce.
How to check: open your site in a private window, from your phone, and by clicking through from a Google result rather than typing the URL directly. If the redirect shows up in any of these cases, read the casino redirect case to understand exactly how it works.
4. An admin account you don’t recognize
Attackers often create an admin account to keep access, even after you change your password.
How to check: log in to /wp-admin, go to Users, and filter by the “Administrator” role. Look for any account you didn’t create, especially one with a random name, an unfamiliar email address, or a recent registration date. A single suspicious admin is enough to confirm the compromise.
5. Files changed when you didn’t touch anything
WordPress and its plugins don’t rewrite themselves between updates. .php files modified recently for no reason are a red flag.
How to check: connect over FTP (with FileZilla, for example) or through your host’s file manager. Sort files by modification date. Pay particular attention to wp-config.php, index.php, .htaccess, and the files in the root directory. A date that doesn’t match anything you did deserves a closer look. These files often hide a backdoor, see find and remove a backdoor.
6. .php files inside wp-content/uploads
The wp-content/uploads folder holds your images and documents. It has no reason to contain executable code.
How to check: over FTP, open wp-content/uploads and its subfolders (sorted by year and month). Look for .php or .phtml files, or files with odd names like wp-cache-helper.php or a string of random characters. A single .php file in this folder is abnormal and almost always points to a backdoor.
7. Search Console flags a traffic drop or foreign keywords
Google Search Console is an excellent detector. An infection leaves traces in the stats well before you notice anything else.
How to check: in Search Console, look at the Performance report. Two warning signs: a sharp traffic drop over the last few weeks, or the opposite, a spike in impressions on queries you never targeted (betting brand names, pharmaceutical terms, foreign-language words). Also check the Security & Manual Actions tab: a security issue is reported there explicitly.
8. The browser or antivirus blocks access
If Chrome, Firefox, or a visitor’s antivirus stops your site from opening, or if a client writes to say they “can’t reach the site anymore because of a security warning,” don’t shrug it off as a false positive.
How to check: test your site from several browsers and, if possible, from a machine running a different antivirus than yours. Cross-check with the Safe Browsing test from point 1. A consistent block across multiple tools confirms that malicious code has been detected.
9. Your host suspends the site or flags outgoing spam
Hosts monitor activity on their servers. Getting an email about “suspicious activity,” “spam sending detected,” or “site suspended for security reasons” is a direct sign.
How to check: look through your inbox (and spam folder) for any message from your host. In some cases, your domain ends up on an email blacklist. Test your domain with a tool like MXToolbox Blacklist Check. If your IP or domain is listed, your server is probably sending spam without your knowledge.
10. Emails go out from your domain without your action
Your contacts receive strange emails “from you,” or your own messages consistently land in spam. A hacked site is often turned into a mass-sending relay.
How to check: ask a few contacts whether they’ve received unusual messages signed with your domain. Cross-check with the blacklist test from point 9. If your domain is sending things you didn’t write, the server is compromised.
Bonus: an unusually slow site
A sudden slowdown, with no change on your end, can point to malicious scripts running in the background (mining, spam sending, attacks on other sites). It isn’t a sign on its own, but combined with the others, it carries weight. Check your host’s dashboard to see whether server load or CPU usage has climbed for no clear reason.
FAQ
Is one of these signs enough to conclude I’ve been hacked?
Some are. An unknown admin account, casino pages in site:yourdomain.com, a .php file in wp-content/uploads, or a Google warning are each enough proof on their own. Others, like slowness alone, need confirmation from a second sign.
My site works fine for me, does that mean it’s clean? Not necessarily. Cloaking hides the infection from the admin and from direct visitors while showing it to Google and to mobile visitors. That’s why you need to test in a private window and from a phone.
How long can an infection go unnoticed? Weeks, sometimes months. The longer it runs, the more Google de-indexes your pages and the more your domain’s reputation degrades. That’s why a hunch deserves an immediate check, not a wait.
I have one or more of these signs, now what?
If you ticked one or more boxes, don’t start deleting files at random: you risk breaking the site without removing the entry point, and the infection comes back. Follow a complete method instead, from diagnosis to hardening. The guide what to do when your WordPress is hacked walks through every step in order.
If you’d rather not touch it, WP-Detox handles it. A free scan checks in seconds for the signs described above. If an infection is confirmed, cleanup takes about 30 minutes: spam and backdoors removed, access locked down, and a check that the site is off the blacklists. Flat rate of €149, all in, refunded if the cleanup fails.