10 Warning Signs to Check Right Now
Most hacked WordPress sites don’t announce themselves. There’s no big red warning, no ransom note on your homepage — at least not straight away. Instead, things just start feeling a little off. Pages load slowly. You get a strange email about a password reset you never requested. A visitor tells you your site is showing something weird.
By the time the damage is obvious, it’s usually been going on for a while.
The truth is, hackers don’t always want you to know they’re there. A compromised site is valuable to them precisely because it looks legitimate. They use it to send spam, host phishing pages, distribute malware to your visitors, or quietly redirect traffic to their own sites. The longer it stays undetected, the more useful it is to them.
So if something feels off with your site, don’t wait. Here are ten warning signs that your WordPress site may have been hacked — and what to do about each one.
1. Google Is Flagging Your Site as Dangerous
This is one of the clearest signs something is wrong. If visitors are seeing a “Deceptive site ahead” or “This site may harm your computer” warning from Google Chrome, your site has been flagged by Google Safe Browsing.
This happens when Google’s crawlers detect malware, phishing pages, or suspicious scripts on your site. It’s serious because it not only destroys visitor trust instantly, it also tanks your search rankings.
Check your site’s status at Google’s Safe Browsing tool (search “Google Safe Browsing site check”). If it’s flagged, the site needs to be cleaned and a review request submitted before the warning gets lifted.
2. Your Hosting Provider Has Suspended Your Account
A sudden account suspension with a message about “suspicious activity” or “malicious content” from your host is a very strong indicator of a hack.
Hosting companies monitor their servers for malware and spam because an infected site on their platform affects other customers too. When they detect something, they act fast — often faster than you’ll notice anything yourself.
Don’t just ask them to reinstate the account. Ask specifically what they found, where it was located, and request a copy of any scan results. That’s useful information for whoever is cleaning the site.
3. You’re Seeing Content You Didn’t Create
New pages appearing in your site’s navigation. Blog posts you never wrote. Strange links tucked into your footer or sidebar pointing to pharmacy sites, gambling platforms, or adult content.
This is called SEO spam, and it’s one of the most common things hackers inject into compromised WordPress sites. The goal is to piggyback on your site’s authority to rank their own content in Google.
Sometimes you’ll only notice it if you search Google for your site’s URL and see unusual results in the index. Other times visitors will mention it. Either way, it needs immediate attention — every day it sits there, it’s damaging your SEO and potentially your reputation.
4. Your Admin Password Stopped Working
You go to log in to your WordPress dashboard and your credentials just… don’t work. You haven’t changed them. Nothing unusual has happened. But you’re locked out.
This often means an attacker has gained access and changed your admin password to lock you out of your own site — a classic move that gives them time to do further damage while you’re scrambling to get back in.
The first step is to use the “Lost your password?” link to try resetting via email. If the email doesn’t arrive, or the reset link doesn’t work, you’ll need to access the database directly via phpMyAdmin or contact your host. Get help with this quickly.
5. Your Site Is Redirecting Visitors Somewhere Else
Someone clicks a link to your site and ends up on a completely different website — usually something sketchy. Sometimes the redirect only happens on mobile, or only for visitors coming from Google, so you might not notice it yourself for a while.
Malicious redirects are injected into your site’s .htaccess file, your theme files, or directly into the database. They’re specifically designed to target traffic from search engines while leaving direct visitors alone — which is why site owners are often the last to find out.
If someone tells you your site is redirecting, take it seriously immediately. This kind of infection spreads fast and gets your site blacklisted quickly.
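A check for the .htaccess pattern described above, as an added example that is not part of the original post: it flags any RewriteRule that sends visitors to an external host when it is guarded by a RewriteCond on the referrer or user agent. The function name, the sample file contents and the hosts example.com and redirect.example.net are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Server variables that conditional redirects key on (search referrer, mobile UA).
SUSPECT_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")

def find_conditional_redirects(htaccess_text, own_hosts):
    """Return (line_no, variable, target) for each RewriteRule that points at a
    host outside own_hosts and is guarded by a RewriteCond on a suspect variable."""
    findings = []
    pending = []  # suspect variables tested by RewriteCond lines awaiting a rule
    for line_no, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line)
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 2:
            pending += [v for v in SUSPECT_VARS if v in parts[1].upper()]
        elif directive == "rewriterule":
            target = parts[2] if len(parts) >= 3 else ""
            host = (urlparse(target).hostname or "").lower()
            if host and host not in own_hosts:
                findings += [(line_no, v, target) for v in pending]
            pending = []  # conditions apply only to the next RewriteRule
    return findings

# Constructed sample: the standard WordPress block followed by an injected rule.
SAMPLE = """# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ https://redirect.example.net/landing [R=302,L]
"""

if __name__ == "__main__":
    for line_no, var, target in find_conditional_redirects(SAMPLE, {"example.com"}):
        print(f"line {line_no}: redirect to {target} conditional on {var}")
```

A clean result here does not clear the site, since the same redirect can live in theme files or the database.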
6. Your Site Has Slowed Down Dramatically
A site that used to load in two seconds is now taking eight to ten. Nothing has changed on your end. No new plugins, no big images, nothing.
Unusual slowdowns can indicate that your server is being used for something it’s not supposed to be — sending spam emails, running scripts as part of a botnet, or mining cryptocurrency. All of these consume server resources, which slows everything else down.
Run your site through a speed testing tool and check your server resource usage in your hosting control panel. If CPU or memory usage is spiking for no obvious reason, it’s worth investigating.
7. New Admin Users Have Appeared
Log in to your WordPress dashboard and go to Users. If you see accounts you don’t recognise, especially ones with administrator-level access, your site has almost certainly been compromised.
Attackers create backdoor admin accounts so they can maintain access even if the original vulnerability gets patched. This is one of the main reasons a proper clean involves more than just deleting suspicious files.
Delete any unrecognised admin users immediately, change all passwords, and check your login logs if your security plugin provides them.
8. Google Search Console Is Sending You Warnings
If you have Google Search Console set up for your site — and you should — Google will send you an email notification if they detect malware or security issues.
These emails come to the address registered with your Search Console account, so make sure that’s an inbox you actually check. The messages are specific: they’ll often tell you which pages are affected and what type of issue Google found.
This is one of the best early warning systems available, and it’s completely free. If you’re not set up on Search Console yet, it’s worth doing today.
9. Your Emails Are Going to Spam
Your contact form confirmations, order notifications, and customer emails are all landing in junk folders. Your email deliverability has suddenly fallen off a cliff.
When a server gets used to send spam — which often happens after a WordPress hack — that server’s IP address gets blacklisted by email providers. This affects all email sent from that server, including your legitimate business emails.
Check whether your domain or IP is on any email blacklists using a tool like MXToolbox. If it is, the underlying server issue needs to be resolved first, and then you’ll need to request removal from the blacklists.
10. Your Security Plugin Is Alerting You to Changed Files
A good WordPress security plugin like Wordfence or iThemes Security monitors your core files and alerts you when something changes that shouldn’t. If you’re getting alerts about modified WordPress core files, unknown files in your plugins folder, or changes to your theme files that you didn’t make — pay attention to them.
These alerts aren’t always a hack. Sometimes a legitimate update triggers them. But if you can’t account for the change — if you didn’t update anything and a file has been modified — that’s a red flag worth investigating immediately.
Don’t dismiss security plugin alerts as noise. They exist for a reason.
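The idea behind these file-change alerts, as an added example that is not code from Wordfence, iThemes Security or the original post: record a SHA-256 baseline of the site's files, compare later snapshots against it, and set aside changes under paths you knowingly updated so that only unexplained changes remain. The function names and the command-line usage are assumptions made for this sketch.

```python
import hashlib
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests

def compare(baseline, current):
    """Return files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def unexplained(changes, expected_prefixes):
    """Drop changes under paths you knowingly updated (for example a plugin
    you just upgraded); whatever is left needs a human look."""
    def keep(p):
        return not any(p.startswith(pre) for pre in expected_prefixes)
    return {kind: [p for p in paths if keep(p)] for kind, paths in changes.items()}

if __name__ == "__main__":
    # Assumed usage: python integrity.py <site root> <baseline.json>
    import json, sys
    root, baseline_file = sys.argv[1], Path(sys.argv[2])
    current = snapshot(root)
    if baseline_file.exists():
        changes = compare(json.loads(baseline_file.read_text()), current)
        print(json.dumps(changes, indent=2))
    else:
        baseline_file.write_text(json.dumps(current))  # first run: record baseline
```

Keep the baseline file somewhere other than the web server, because anyone who can modify the site's files can rewrite a baseline stored beside them.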
What to Do If Your Site Has Been Hacked
First — don’t panic, but do act quickly. The longer an infection sits, the more damage it does and the harder it gets to clean.
Here’s what the process looks like when I handle a hacked WordPress site:
- Put the site in maintenance mode or take it offline temporarily if visitors are being exposed to malware or redirects.
- Take a backup of the current state — even the infected version. This preserves evidence and gives you a rollback point if needed.
- Run a full malware scan using a tool like Wordfence or Sucuri to identify infected files and injected code.
- Clean the infection manually by reviewing and restoring compromised files. Automated cleaners catch a lot, but human eyes catch what they miss.
- Check for backdoors including unknown admin users, suspicious plugins, and code injected into theme or function files.
- Update everything once the site is clean — WordPress core, all plugins, all themes.
- Change all passwords including WordPress admin, FTP, hosting control panel, and database.
- Request removal from blacklists if Google or email providers have flagged your site.
It’s a thorough process and it takes time to do it properly. But done right, it gets your site back to a clean, secure state — not just “looks okay on the surface.”
How to Stop It Happening Again
Once you’ve been through a hack, you never want to go through it again. The good news is that most WordPress hacks are entirely preventable with the right habits in place:
- Keep WordPress core, plugins, and themes updated at all times
- Use strong, unique passwords and enable two-factor authentication on admin accounts
- Remove plugins and themes you’re not actively using
- Run regular malware scans — not just when something feels wrong
- Use a reputable security plugin and actually review its alerts
- Make sure someone is checking your site is actually working, not just loading
Most of these things come standard with a proper WordPress maintenance plan. The sites I look after get checked regularly, updated carefully, and scanned for issues before those issues become emergencies. It’s genuinely not complicated — it just requires consistency.
Think Your Site Might Be Compromised?
If any of the warning signs above look familiar, don’t sit on it. The sooner an infected site gets cleaned, the less damage gets done — to your SEO, your reputation, and your visitors.
Get in touch and I’ll take a look. I offer malware scanning, full site cleaning, and ongoing maintenance to make sure it doesn’t happen again. Check out my WordPress Maintenance Plans or send me a message directly.
Have a question about your WordPress site’s security? Drop it in the comments below.