12 Signs Your WordPress Site Is Hacked (Expert Tips)

But how can you tell if your site has been compromised? While hackers can be sneaky, they often leave behind subtle clues.

This guide will equip you with the knowledge to:

  • Identify Common Signs of a WordPress Hack: We’ll uncover the red flags that indicate your site might be in danger, from suspicious redirects to unfamiliar user accounts.
  • Take Immediate Action: We’ll outline crucial steps to regain control of your site, secure your data, and minimize potential damage.
  • Strengthen Your Defenses: Learn how to proactively protect your WordPress site from future attacks and keep hackers at bay.

Don’t wait for the worst to happen. Empower yourself to detect and address WordPress security threats head-on!

As a website owner, the security of your WordPress site should be a top priority. A hacked website can lead to data breaches, SEO disasters, and irreparable damage to your reputation.

We’re often asked how to tell if a WordPress site has been hacked. There are some common telltale signs that may help you figure out if your WordPress site is hacked or compromised.

In this article, we will share some of the most common signs that your WordPress site is hacked and what you can do to clean it up.

Signs to look for when your WordPress website is hacked

1. Sudden Drop in Website Traffic

If you look at your analytics reports and see a sudden drop in traffic, even though Google Analytics is set up properly, then this could be a sign that your WordPress site is hacked.

A sudden drop in traffic can be caused by different factors.

For instance, malware on your website may be redirecting non-logged-in visitors to spam websites.

Another possible reason for the sudden drop in traffic could be that Google’s safe browsing tool is showing warnings to users regarding your website.

Each day, Google blacklists around 10,000 websites for malware and thousands more for phishing. That’s why every website owner needs to pay serious attention to their website security.

You can check your website using Google’s safe browsing tool to see your safety report.

2. Bad Links Added to Your Website

Data injection is one of the most common signs of a hacked WordPress site. Hackers create a backdoor on your WordPress site, which gives them access to modify your WordPress files and database.

Some of these hacks add links to spammy websites. Usually, these links are added to the footer of your website, but they could be anywhere. Deleting the links doesn’t guarantee that they won’t come back.

You will need to find and fix the backdoor used to inject this data into your website. See our guide on how to find and fix a backdoor in a hacked WordPress site.

3. Your Website’s Homepage Is Defaced

This is probably the most obvious one, as it is clearly visible on the homepage of your website.

Most hacking attempts do not deface your site’s homepage because they want to remain unnoticed for as long as possible.

However, some hackers may deface your website to announce that it has been hacked. Such hackers usually replace your homepage with their own message. Some may even try to extort money from site owners.

4. You Are Unable to Log In to WordPress

If you are unable to log in to your WordPress site, then there is a chance that hackers may have deleted your admin account from WordPress.

Since the account doesn’t exist, you will not be able to reset your password from the login page.

There are other ways to add an admin account using phpMyAdmin or via FTP. However, your site will remain unsafe until you figure out how the hackers got into your website.

5. Suspicious User Accounts in WordPress

If your site is open to user registration, and you are not using any spam registration protection, then spam user accounts are just common spam that you can simply delete.

However, if you don’t remember allowing user registration and you are still seeing new user accounts in WordPress, then your site is probably hacked.

Usually, the suspicious account will have the administrator user role, and in some cases, you may not be able to delete it from your WordPress admin area.

6. Unknown Files and Scripts on Your Server

If you’re using a site scanner plugin like Sucuri, then it will alert you when it finds an unknown file or script on your server.

To find the files, you need to connect to your WordPress site using an FTP client. The most common place where you will find malicious files and scripts is the /wp-content/ folder.

Usually, these files are named similarly to WordPress files so that they can hide in plain sight. To recognize them yourself, you will need to audit the file and directory structure. However, deleting these files will not guarantee that they won’t return.

7. Your Website Is Often Slow or Unresponsive

Any website on the internet can become the target of random denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks. These attacks use several hacked computers and servers from all over the world, using fake IP addresses.

Sometimes, they are just sending too many requests to your server, while other times, they are actively trying to break into your website.

Any such activity will make your website slow, unresponsive, and unavailable. You can check your server logs to see which IPs are making too many requests and block them, but that may not fix the problem if there are too many or if the hackers change IP addresses.

It is also possible that your WordPress site is just slow and not hacked. In that case, you should follow our guide to boost WordPress speed and performance.

8. Unusual Activity in Server Logs

Server logs are plain text files stored on your web server. These files keep a record of all errors occurring on your server as well as all your internet traffic.

You can access them from your WordPress hosting account’s cPanel dashboard under Statistics or Metrics.

These server logs can help you understand what’s going on when your WordPress site is under attack.

They also contain all the IP addresses used to access your website, so you can block suspicious IP addresses.

They will also indicate server errors that you may not see inside your WordPress dashboard and may be causing your website to crash or be unresponsive.
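The log review described in signs 7 and 8, as an added example that is not code from the original article: it counts requests per IP in an access log and flags addresses that send many requests or repeatedly POST to the WordPress login endpoints. The combined log format, the thresholds, and the sample lines are assumptions; the sample lines are constructed and use documentation IP ranges.

```python
import re
from collections import Counter

# Apache/Nginx "combined" format: ip - user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# WordPress endpoints that accept credentials; repeated POSTs here suggest password guessing.
AUTH_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

def summarize(lines, total_threshold=100, auth_post_threshold=5):
    """Return ({ip: [reasons]}, unparsed_line_count) for one log window."""
    totals, auth_posts, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # keep a count: odd lines are worth a manual look
            continue
        totals[m["ip"]] += 1
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith(AUTH_ENDPOINTS):
            auth_posts[m["ip"]] += 1
    flagged = {}
    for ip, count in totals.items():
        reasons = []
        if count >= total_threshold:
            reasons.append(f"{count} requests")
        if auth_posts[ip] >= auth_post_threshold:
            reasons.append(f"{auth_posts[ip]} login POSTs")
        if reasons:
            flagged[ip] = reasons
    return flagged, unparsed

def sample_log():
    """Constructed log lines (documentation IP ranges), not real traffic."""
    def row(ip, method, path, status):
        return (f'{ip} - - [10/Mar/2025:10:00:00 +0000] '
                f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')
    return ([row("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
            + [row("198.51.100.20", "GET", "/?p=12", 200)] * 12
            + [row("192.0.2.50", "POST", "/xmlrpc.php", 200)]
            + ["garbled line"])

if __name__ == "__main__":
    flagged, unparsed = summarize(sample_log(), total_threshold=10)
    for ip, reasons in flagged.items():
        print(ip, "->", ", ".join(reasons))
    print("unparsed lines:", unparsed)
```

Tune both thresholds to your normal traffic for the time window covered by the log file before blocking anything it flags.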

9. Failure to Send or Receive WordPress Emails

Hacked servers are commonly used for sending spam. Most web hosting providers offer free email accounts with your hosting. Many WordPress site owners use their host’s mail servers to send WordPress emails.

If you are unable to send or receive WordPress emails, then there is a chance that your mail server has been hacked and is being used to send spam emails.

10. Suspicious Scheduled Tasks

Web servers allow users to set up cron jobs. These are scheduled tasks that you can add to your server. WordPress itself uses cron to set up scheduled tasks like publishing scheduled posts, deleting old comments from trash, and so on.

A hacker can exploit cron jobs to run scheduled tasks on your server without you knowing it.

To learn more about cron jobs, see our guide on how to view and control WordPress cron jobs.

11. Hijacked Search Results

If the search results from your website show incorrect titles or meta descriptions, then this is a sign that your WordPress site is hacked.

Looking at your WordPress site, you will still see the correct title and description.

The hacker has again exploited a backdoor to inject malicious code that modifies your site data in a way that it is visible only to search engines.

12. Popups or Pop Under Ads on Your Website

These types of hacks try to make money by hijacking your website’s traffic and showing visitors their own spam ads.

These popups do not appear for logged-in visitors or visitors accessing a website directly.

They only appear to users visiting from search engines. Pop-under ads open in a new window and go unnoticed by users.

13. Core WordPress Files Are Changed

If your core WordPress files are changed or modified in some way, then that’s an important sign that your WordPress site is hacked.

Hackers may simply modify a core WordPress file and place their own PHP code inside it. They may also create files with names similar to WordPress core files.

The easiest way to track those files is by installing a WordPress security plugin that monitors the health of your core WordPress files. You can also manually check your WordPress folders to look for any suspicious files or scripts.
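The manual check described in signs 6 and 13, as an added example that is not code from the original article: it hashes a live site and compares it with a manifest built from a clean copy of the same WordPress version, reporting modified core files, look-alike files that do not belong to core, and PHP scripts inside the uploads folder. The function names, the file names in the demo, and the use of a freshly downloaded clean copy as the reference are assumptions; the demo trees are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

PHP_EXT = (".php", ".phtml", ".phar")
SITE_SPECIFIC = ("wp-config.php", ".htaccess")  # created per site, absent from a clean download

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(site_root, clean_manifest):
    """Compare a live site with the manifest of a clean copy of the same version."""
    live = build_manifest(site_root)
    report = {"modified": [], "missing": [], "unexpected": [], "php_in_uploads": []}
    for rel, digest in clean_manifest.items():
        if rel not in live:
            report["missing"].append(rel)
        elif live[rel] != digest:
            report["modified"].append(rel)
    for rel in live:
        if rel.startswith("wp-content/uploads/"):
            if rel.lower().endswith(PHP_EXT):      # media folders should not hold scripts
                report["php_in_uploads"].append(rel)
        elif rel.startswith("wp-content/") or rel in SITE_SPECIFIC:
            continue                               # themes/plugins need their own references
        elif rel not in clean_manifest:
            report["unexpected"].append(rel)       # e.g. a look-alike name beside core files
    return report

def demo():
    """Build two constructed trees (clean copy, tampered site) and audit them."""
    core = {"index.php": "<?php // front controller",
            "wp-includes/version.php": "<?php // version info"}
    extra = {"index.php": "<?php // front controller + injected line",  # modified core file
             "wp-includes/class-wp-cache-helper.php": "<?php",          # constructed look-alike
             "wp-content/uploads/2024/photo.php": "<?php",              # script in media folder
             "wp-config.php": "<?php // site settings"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", core), ("live", {**core, **extra})):
            for rel, body in files.items():
                target = Path(tmp, name, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        return audit(Path(tmp, "live"), build_manifest(Path(tmp, "clean")))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

If WP-CLI is available on the server, `wp core verify-checksums` performs the core-file comparison against the official checksums without needing a local clean copy.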

14. Users Are Randomly Redirected to Unknown Websites

If your website is redirecting visitors to an unknown website, then that’s another important sign that your website may be hacked.

This hack often goes unnoticed as it does not redirect logged-in users. It may also not redirect visitors accessing the website directly by typing the address in their browser.

These types of hacks are often caused by a backdoor or malware installed on your website.
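Signs 11, 12, and 14 all describe behavior that the site owner does not see because it is shown only to search engines or to visitors arriving from them. The following added example, which is not code from the original article, requests your own page as a direct visitor, as a visitor with a search-engine referrer, and with a crawler user agent, then reports where the responses differ. The profile headers, function names, and example hostnames are assumptions, and the stand-in responses are constructed so the example runs offline.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Visitor profiles the article distinguishes. Header values are constructed examples.
PROFILES = {
    "direct": {},
    "search_referrer": {"Referer": "https://www.google.com/"},
    "crawler_agent": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                                    "+http://www.google.com/bot.html)"},
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None   # do not follow: the 3xx is raised as HTTPError instead

def fetch(url, headers):
    """Return (status, Location header, <title> text) for one cookie-less request."""
    try:
        resp = urllib.request.build_opener(NoRedirect).open(
            urllib.request.Request(url, headers=headers), timeout=10)
    except urllib.error.HTTPError as err:
        resp = err    # still carries status, headers and body
    body = resp.read(200_000).decode("utf-8", "replace")
    title = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    return resp.status, resp.headers.get("Location"), title.group(1).strip() if title else None

def compare(url, fetch=fetch):
    """List (profile, finding) pairs where a profile is treated differently."""
    site_host = urlsplit(url).hostname
    results = {name: fetch(url, headers) for name, headers in PROFILES.items()}
    base_title = results["direct"][2]
    findings = []
    for name, (_status, location, title) in results.items():
        target = urlsplit(location).hostname if location else None
        if target and target != site_host:
            findings.append((name, f"redirects off-site to {target}"))
        elif name != "direct" and title != base_title:
            findings.append((name, f"title differs from direct visit: {title!r}"))
    return findings

def constructed_fetch(url, headers):
    """Stand-in responses imitating an infected site, so the example runs offline."""
    if "google" in headers.get("Referer", ""):
        return 302, "https://spam.example.net/win", None
    if "Googlebot" in headers.get("User-Agent", ""):
        return 200, None, "Discount offers"
    return 200, None, "My Blog"

if __name__ == "__main__":
    for name, finding in compare("https://blog.example.com/", fetch=constructed_fetch):
        print(f"{name}: {finding}")
```

Call `compare()` with only your own site's URL to use the real `fetch`. An empty result does not prove the site is clean, because injected code may key on conditions this check does not reproduce.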

Securing and Fixing Your Hacked WordPress Site

If you’d like to learn how to clean up your site on your own, then you can take a look at our beginner’s guide on fixing a hacked WordPress site.

But cleaning up a hacked WordPress site can be incredibly painful and difficult. This is why we recommend you let experts clean up your website.

Security experts normally charge anywhere between $100 and $250 per hour, which is outrageous for a small business or solo entrepreneur.

A more affordable option is to use Sucuri. It comes with 24/7 website monitoring and a powerful website application firewall, which blocks attacks before they even reach your website. Most importantly, they clean up your website if it ever gets hacked.

Or if you value your time, you’re not tech-savvy, or if you just want peace of mind, then you can use our Hacked Site Repair service for a one-time payment of $249.

Our dedicated experts at WPBeginner Pro Services have been cleaning and securing WordPress websites for over a decade, so you can be confident your site is in good hands.

Our service includes malicious code removal, software and security updates, premium files determination, and a cleaned site backup. We guarantee to fix your site or give you your money back.

We cover your website for 30 days after the repair, so we’ll fix it for you if you get hacked again.

Keeping Your WordPress Website Secure from Future Attacks

Once your website is clean, you can secure it by making it extremely difficult for hackers to gain access to your website.

Securing a WordPress website involves adding layers of protection around your website. For instance, using strong passwords with 2-step verification can protect your WordPress admin area from unauthorized logins.

Similarly, you can block access to important WordPress files to protect them or set WordPress files and folder permissions correctly.

For more details, see our ultimate WordPress security guide, which will walk you through all the steps you should take to make your WordPress site secure.

We hope this article helped you learn the signs to look for in a hacked WordPress site.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

20 Comments

  1. Dennis Muthomi

    WOW! I have learned something new just from reading this!

    The section on “Sudden Drop in Website Traffic” was particularly eye-opening.
    As a small business owner, I experienced this issue last year and initially attributed it to algorithm changes.
    This article made me realize it could have been a security breach.
    Big Thanks WPBeginner

  2. Hajjalah

    I have ever experienced this issue when my blog was hacked via XML-RPC. I had not taken serious security measures because I thought new blogs are not targeted by hackers. But I was so surprised that a low average number of visitors per day, my blog was also a target.
    Sadly, I had to destroy the blog and start from scratch because the website core files were severely damaged and many of my users received spam emails from my blog. This taught me that security must be a priority even if a website is new.

    • WPBeginner Support

      We hope in the future that you also ensure you have proper backups prepared should the worst happen but the security steps are a great step to preventing it from happening again!

      Admin

    • Mrteesurez

      I can relate to this experience. When I started my first blog, I didn’t think it would be a target either, given its small audience. But I quickly learned the hard way that hackers don’t discriminate based on traffic. After a security breach, I had to rebuild from scratch as well. It was a tough lesson, but now I prioritize security from day one, no matter the size of the site.

  3. Moinuddin Waheed

    I have faced this issue with one of my clients website and I was clueless what to do at that time.
    I had to make the entire website from scratch again and it was painful experience.
    The first thing I did after making the new website was to make up a backup file with the help of updraft plus and then it felt like I can revert any changes whatsoever if happens.
    Having a security plugin that checks all these is the go to option.

  4. Jiří Vaněk

    The best defense against hacking is primarily backing up the website. Unless it’s a site that undergoes dramatic changes every day (specifically a blog), it’s a very good practice to create a backup the moment the website is finished and fully functional. In case of issues, hacked content can be immediately deleted and replaced within minutes by a fully functional website. This often resolves many hours spent searching for solutions on an already compromised website.

    • WPBeginner Support

      Backing up a site is most definitely a very important step for every type of site to help keep it safe.

      Admin

      • Jiří Vaněk

        Exactly. That’s also why I learned to use Duplicator thanks to you. I set up automatic backups to cloud storage, and since then, I’ve not only had regular and automatic backups but also peace of mind. And all of this is thanks to you, because I tried out Duplicator and found your excellent guides on how to use it. So, you have my heartfelt thanks for helping me sleep easier.

  5. Ariyasankha

    Amazing! thank you so much. you make us aware of risks.

    • WPBeginner Support

      Glad our guide was helpful!

      Admin

  6. Tanya

    Hi, I have just found out that my blog site seems to have been hacked as it takes me to some competition prize page. I have two sites and this is the case with both. They are pretty inactive as I haven’t done much with them, where do I start in fixing them? What should I do and look for? Thank you

  7. Umesh

    The last one is for me because on-click ads show when someone clicks on my blog, I checked my header and footer file but (on-click ads) script and codes both are not found on my blog
    What I can do for protection
    H.E.L.P

  8. Elizabeth McGlone

    Great tips.. only bad thing about deleting old plugins is that you lose the data. I have an old CTT plugin and now use another… so I thought, I will deactivate the plugin.. and now I notice that my old CTT aren’t working right… so I have to keep it… or replace ALL of those old CTT’s… ugh. Otherwise, excellent! Oh, on spam, not much we can do on those ghost referrals either.

  9. M.Ikramullah Sayeed

    Hi,
    Good day!
    Two things have been noticed:
    1. After coming to WordPress from Blogger, visitors have been reduced a great deal.
    2. Nowadays, after I forget my password, I cannot get a mail from my site admin.
    Please advise.
    Thanks and regards,

  10. Pragati

    My website is drop ranking as well as traffic suddenly. Can you suggest me my site hacked or not?

  11. carlos correa

    I need these articles in Spanish please

  12. Barbara Walker

    When I clicked on You can check your website using the Google’s safe browsing tool to see your safety report, I received a 400 Error page. I’m sure you’d like to fix this and I’d like to test my client’s website. Thanks!

    • WPBeginner Support

      Hi Barbara,

      The link is working fine at our end. Please try again, maybe it was a temporary glitch.

      Admin
