Is My WordPress Site Hacked? Twelve Signs to Check

If something feels off about your WordPress site, the worst thing you can do is panic and start changing things. Most of the work is in the diagnosis. Once you know whether you've actually been compromised, what to do next is mostly a known sequence.

This post covers the twelve signs I'd check, in roughly the order I'd check them. Some you can rule in or out from the front end of the site in seconds. The later ones need access to your hosting and your logs. Work through them top to bottom.

1. Visitors are seeing content you didn't write

The most obvious sign, and the one most often reported by someone other than you. Pages of pharmacy spam, casino redirects, or content in a language your site has never used. Sometimes it appears on the front end. Sometimes it only appears to visitors arriving from Google, which is a known cloaking technique designed to keep the site owner from spotting it.

Open your site in a private browsing window. Then open it again with ?utm_source=google on the end of the URL. If the two look different, that's a strong signal something is wrong.

2. Google Search Console has flagged your site

If Google's safe browsing system thinks your site is serving malware or phishing, you'll see a warning in Search Console under Security Issues. Visitors arriving via search will also see a red interstitial warning before they reach your site, which kills your traffic instantly.

Search Console is the first place to look any time something feels off. If there's nothing flagged, that's reassuring but not conclusive, because Google's detection runs on its own schedule.

3. New admin users you don't recognise

Log in to WordPress and go straight to Users. Look for any administrator accounts you didn't create. Check the registration dates and the email addresses. Pay particular attention to existing admin accounts where the email has been changed to something unfamiliar, because that's a quieter way for an attacker to maintain access than creating a new account.

If you find one, don't delete it yet. Note the email, the username, and the created date first. You may need that later when you're working out how the attacker got in.

4. Files in places they shouldn't be

The wp-content/uploads directory is for media files. It should not contain .php files. Ever. If it does, that is almost always a webshell.

If you have SSH access, run:

find /var/www/html/wp-content/uploads -name "*.php" -type f

If anything comes back, treat it as a confirmed compromise.

While you're there, check for recently modified PHP files anywhere in the install:

find /var/www/html -name "*.php" -newer /var/www/html/wp-config.php -type f

If files have changed and you didn't change them, that's another strong sign.

5. Your site is sending spam

Customers complaining about spam from your domain, your IP showing up on email blacklists, or your hosting provider warning you about outbound mail volume. All of these point to your site being used to send mail it shouldn't.

Most often this is a compromised contact form being abused, or a malicious script that's been planted to send mail directly through PHP's mail() function. Either way, the site is the source.

6. Your hosting provider has emailed you

Hosts run their own scans, and they tend to be conservative. If your provider has emailed you about malware, suspicious processes, or excessive resource use, take it seriously. They are seeing something on the server that you can't see from inside WordPress.

The exception is the occasional false positive on a legitimate plugin file that happens to match a malware signature. But assume it's real until you've proven otherwise.

7. Unexpected redirects

Visitors clicking links on your site end up somewhere else entirely. A page on your site briefly loads then bounces to a completely different domain. Search results for your pages take users somewhere unrelated.

Redirects can be added in .htaccess, in PHP files, in the database, or via injected JavaScript. The pattern that gives them away is that they often only fire under specific conditions: only for traffic from search engines, only for mobile users, only on the first visit. That's why owners often don't see them themselves.

If a customer or contact tells you they got redirected, believe them and investigate.

8. Posts or pages you didn't publish

Open your Posts and Pages screens in WordPress and sort by date. If anything has been published recently that you didn't write, that's a clear sign someone else has access. The injected content is often hidden, set to draft status, or backdated to bury it in old content. Sort by modified date as well as published date to catch that.

A specific pattern: dozens of new posts created in a short window, often with foreign language titles or blocks of unrelated keywords. That's a content injection attack designed to get your site ranking for spam terms in search.

9. Your site is suddenly slow or unstable

Compromised sites use server resources for the attacker's purposes. Cryptocurrency mining, sending spam, scanning other sites, hosting phishing pages. All of it costs CPU and memory.

If your site has become noticeably slower without you changing anything, or it's hitting resource limits it never used to hit, that's worth investigating. Check your hosting dashboard for CPU and memory usage trends. A sudden step change in baseline load is a classic compromise signature.

10. Strange entries in your access logs

This one needs hosting access, and it's the single best signal you have. Your server access log records every request that came in. Look for:

POST requests to obscure file paths you don't recognise
Repeated requests to wp-login.php from the same IP
Requests to .php files in wp-content/uploads/
Bursts of traffic at unusual hours from unfamiliar countries
Requests for files like shell.php, c99.php, wso.php, or anything else that sounds like a tool

Logs don't lie. If something has been hammering your login page from one IP for the last three days, that's right there in the log waiting for you to look.

11. Your monitoring is showing things you didn't do

If you have an audit log plugin like Simple History or WP Activity Log installed, this is where it earns its keep. Look for plugin installations you didn't perform, theme file edits, settings changes, user role changes, or content edits attributed to admin accounts at times when nobody was supposed to be working on the site.

If you don't have an audit log installed, that's something to fix once the current question is resolved. You can't catch what you can't see.

12. Search results have gone wrong

A subtle one, but a useful tell. Search Google for site:yourdomain.com and look at what comes back. If the results include pages you didn't create, titles in languages your site doesn't use, or descriptions that look like spam, your site has been used as a content host for something else.

This often persists in Google's index for weeks after the actual files are removed, so it's both a sign of a current compromise and sometimes a relic of an older one.

Working out the verdict

Any one of these on its own might have an innocent explanation. New admin user? Maybe your developer added one and forgot to mention it. Sudden slowness? Could be a plugin update. A few signs together is when the picture becomes clear.

If you have one or two soft signs and no hard evidence, the right move is usually to investigate without panicking. Run a Wordfence scan. Check your logs. Audit your users.

If you have hard evidence, files in places they shouldn't be, admin accounts you didn't create, content you didn't publish, your site is compromised. Don't start cleaning up at random. The order you do things in matters, and the recovery walkthrough goes through it step by step.

The harder question

Most people reading this post are doing so because something has already gone wrong. The harder question, once the immediate situation is resolved, is how to make sure it doesn't happen again.

The Protect My WP handbook covers the configuration that closes off the common entry points before they get used. Hosting choices, file permissions, login hardening, firewalls, backups, and the ongoing maintenance habits that catch things early. If you've worked through this checklist and want the picture of what should have been in place from the start, that's where to go next.

Get the book for £19.