Rajan Gupta

7 Signs Your WordPress Site Is Infected (And What to Do Right Now)

Hackers don't announce themselves. Most WordPress malware operates quietly for weeks or months before site owners notice anything wrong.

Here are the seven warning signs that your site has been compromised — and exactly what to do about each one.

Sign 1: Visitors Are Being Redirected

Your site loads normally when you visit it, but visitors are ending up on spam pages, fake pharmacy sites, or phishing pages. This is one of the most common infection types.

Hackers target mobile users or first-time visitors while leaving logged-in admins alone — which is why you may never see it yourself.

What to do: Scan immediately using a free WordPress security scanner. Check site redirect behavior from a private browser window using a mobile connection.

Sign 2: Google Shows a "This Site May Be Hacked" Warning

Google's Safe Browsing detects and flags compromised sites. Once flagged, your site gets a warning in search results and in Chrome — devastating for traffic and trust.

What to do: Check google.com/transparencyreport/safebrowsing/ for your domain. If flagged, clean the malware and submit a review request via Google Search Console.

Sign 3: Your Hosting Account Was Suspended

Hosting providers actively scan for malware. If your account was suspended without warning, malware is the most likely cause.

What to do: Contact your host for the specific files identified. Don't just delete them — understand the infection vector, or it will return.

Sign 4: Unknown Admin Accounts Appeared

Log into wp-admin and check Users → All Users. If you see admin accounts you didn't create, your site has been compromised. Attackers create backdoor accounts to maintain access even after security plugins are installed.

What to do: Delete unauthorized accounts immediately. Change all passwords. Check for persistent backdoor files in wp-content and wp-includes.

Sign 5: Search Results Show Spam Content

Search Google for site:yourdomain.com. If you see pages about Viagra, casino games, or designer knockoffs — your site has been hit with SEO spam injection.

What to do: Use Search Console to identify indexed spam URLs. Remove injected content from your database. Scan for the source backdoor.

Sign 6: Your Site Suddenly Got Very Slow

A sudden, unexplained performance drop can indicate your server is being used for spam sending, cryptocurrency mining, or DDoS participation.

What to do: Check server load in your hosting panel. Review currently running PHP processes. Scan all uploaded files.
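
One way to carry out the file checks from Sign 4 ("check for persistent backdoor files in wp-content and wp-includes") and Sign 6 ("scan all uploaded files"), as an added example that is not the author's code or the wp-scan.org scanner. The function name `scan_wordpress`, the reason labels, the 14-day window and the three heuristics are assumptions chosen for illustration.

```python
import re
import sys
import time
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".phar"}
# Assumed heuristic: eval/assert wrapped directly around a decoder call.
OBFUSCATED = re.compile(
    rb"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.I,
)


def scan_wordpress(root, recent_days=14, now=None):
    """Return sorted (relative_path, reason) findings for a WordPress docroot."""
    root = Path(root)
    now = time.time() if now is None else now
    cutoff = now - recent_days * 86400
    findings = set()
    for top in ("wp-content", "wp-includes"):
        if not (root / top).is_dir():
            continue
        for path in (root / top).rglob("*"):
            if not path.is_file() or path.suffix.lower() not in PHP_EXT:
                continue
            rel = path.relative_to(root).as_posix()
            # 1. The media library should never contain executable PHP.
            if rel.startswith("wp-content/uploads/"):
                findings.add((rel, "php-in-uploads"))
            # 2. Core files change only on updates; a fresh mtime needs explaining.
            if top == "wp-includes" and path.stat().st_mtime >= cutoff:
                findings.add((rel, "recently-modified-core"))
            # 3. Decoder-fed eval is a common shape for a backdoor loader.
            try:
                if OBFUSCATED.search(path.read_bytes()):
                    findings.add((rel, "obfuscated-eval"))
            except OSError:
                findings.add((rel, "unreadable"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python scan.py /path/to/wordpress/docroot
    for rel, reason in scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason:24} {rel}")
```

A finding is a lead to inspect, not a verdict: a core update inside the window also refreshes modification times under wp-includes, and modification times can be reset, so an empty result does not prove the site is clean.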

Sign 7: Your Security Plugin Was Disabled

If you had a security plugin and it suddenly deactivated, it's a sign an attacker has admin access and is covering their tracks.

What to do: Assume full compromise. Change all passwords immediately, re-enable the plugin, and run a full malware scan.


Immediate next step: Run a free scan at wp-scan.org — it takes 60 seconds and checks for all of the above automatically.

Rajan Gupta — security researcher, wp-scan.org
