June 5, 2026
How to tell if your WordPress site has been hacked (and what to do in the first hour)
Your site looks normal to you. But customers are calling because Chrome is throwing a red "Deceptive site ahead" warning. Or your search results show pharmacy listings you never wrote. Or your host just emailed saying your account is sending spam and they'll suspend you in 24 hours.
This is the guide I'd hand you if you called me right now. Read it before you start clicking around — what you do in the first hour decides whether this is a four-hour cleanup or a four-day rebuild.
The signs your WordPress site is actually hacked
Most "is my site hacked?" panics turn out to be something else — a cache issue, a plugin conflict, a DNS misconfiguration. But these signals are real, and if you see any of them, treat the site as compromised until proven otherwise:
Google is showing pages you never wrote. Search your own domain with site:yourdomain.com and scroll. If you see Japanese characters, pharmacy keywords, sneakers, essay-writing services, or gambling terms, you have an SEO spam injection. This is one of the most common WordPress infections and it's designed to be invisible to you and visible only to Google's crawler.
Browsers are warning visitors. "Deceptive site ahead" (Chrome), "Reported attack page" (Firefox), or a Safari red screen all mean Google Safe Browsing has flagged you. This kills traffic instantly and takes days to reverse even after cleanup.
New admin users you don't recognize. Go to Users → All Users → Administrator. If there's an account you didn't create — admin1, wpsupport, an email at a domain you don't know — assume compromise.
Your site got slow, suddenly. Cryptominers and spam injectors burn CPU. If response times jumped from 300ms to 800ms+ overnight with no traffic change, something is running that shouldn't be.
Your host emailed you about outbound spam or abuse. Hosts don't send those notes lightly. They're seeing your account sending mail or making outbound connections you didn't authorize.
Unexpected redirects. Visitors land on your homepage and get bounced to a sketchy domain — but only sometimes, and only from mobile, or only from Google referrals. That conditional behavior is the giveaway. The malware is checking the user agent and only firing on real visitors, not on you.
If you're hitting two or more of these, stop reading and skip to the next section.
What NOT to do (this part matters)
Before you touch anything, know what destroys the investigation:
Don't delete suspicious files yet. I know the instinct is "find the bad file, drag it to the trash." But you don't know what the bad file is yet, and you don't know what else it touches. I've cleaned sites where a previous contractor deleted the obvious malware, missed a self-healing backdoor in wp-content/mu-plugins/, and the infection rebuilt itself within 24 hours. Deletion without analysis is how you end up paying twice.
Don't log into wp-admin from the computer you usually use — at least not yet. If the attacker got in through a stolen admin cookie or a credential stealer on your laptop, every new login from that device hands them fresh keys. Use a different device, ideally one that doesn't share a browser profile.
Don't restore from backup blindly. If your backup is from last week and the infection started two weeks ago, you just restored the backdoor. Backups are a tool, not a fix.
Don't change your admin password from inside a compromised site. Same reason as not logging in. Wait until you've isolated.
Don't email the attacker. Sometimes ransomware-style infections leave a note with a "support" email. Ignore it.
First-hour triage: the actual steps
Here's the order. Don't skip ahead.
Minute 0–10: Get the site into maintenance mode or take it offline.
You have two options. The cleaner one is to put the site in maintenance mode through your host's control panel or by dropping a .maintenance file in the WordPress root. The faster one is to flip the site offline at the host level — Cloudflare's "Under Attack" mode, or your host's "disable site" button.
Taking it offline does three things: stops visitor infection, stops outbound spam (which protects your domain reputation), and freezes the crime scene so you can investigate.
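An added example (not the post's own code) for the .maintenance route: WordPress stops honouring the file once its $upgrading stamp is more than 600 seconds old, so a stamp of "now" lets the site come back after ten minutes and a far-future stamp is needed to keep the crime scene frozen. It assumes a POSIX shell with GNU date and sed on the host.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). WordPress reads $upgrading from
# .maintenance and shows the maintenance page only while (time() - $upgrading)
# is under 600 seconds, so a file stamped with the current time quietly lets the
# site come back after ten minutes. A far-future stamp keeps it locked until the
# file is removed on purpose.

# Usage: enter_maintenance /path/to/wordpress-root
enter_maintenance() {
  local root="$1" future
  # One year ahead: time() - $upgrading stays negative, so the lock never ages out.
  future=$(( $(date +%s) + 365 * 86400 ))
  printf '<?php $upgrading = %s; ?>\n' "$future" > "$root/.maintenance"
}

# Usage: leave_maintenance /path/to/wordpress-root
leave_maintenance() {
  rm -f "$1/.maintenance"
}

# Usage: maintenance_active /path/to/wordpress-root
# Returns 0 if WordPress would still honour the file right now, 1 if it is
# missing, unparseable, or its stamp has already aged past 600 seconds.
maintenance_active() {
  local file="$1/.maintenance" stamp
  [ -f "$file" ] || return 1
  stamp=$(sed -n 's/.*\$upgrading *= *\([0-9]\{1,\}\).*/\1/p' "$file")
  [ -n "$stamp" ] || return 1
  [ $(( $(date +%s) - stamp )) -lt 600 ]
}
```

Run maintenance_active again after any host-level cache purge or deploy to confirm the lock is still in force.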
Minute 10–20: Screenshot everything.
Before you change a single thing, capture evidence:
- Screenshot the Users list in WP admin (if you can safely log in from a clean device)
- Screenshot Google search results showing spam pages
- Screenshot any browser warnings
- Screenshot the email from your host
- Save copies of any suspicious URLs or redirect destinations
- Note the exact time you noticed the issue
This matters for two reasons. If you need to involve a professional, this saves hours. And if your business has cyber insurance, the carrier will want documentation.
Minute 20–30: Check Google Search Console.
Log into Search Console (from a clean device). Go to Security & Manual Actions → Security Issues. Google will often tell you exactly what they detected: "Hacked: Spam," "Malware," "Social Engineering." This is the fastest way to confirm what type of infection you're dealing with.
While you're there, check Coverage for a spike in indexed pages. A site that should have 40 pages indexed but suddenly has 4,000 has been used as a doorway for spam — that was the situation on a Southern California contractor's WordPress site I worked on recently. The previous person had cleaned what they could see but missed the backdoor regenerating spam posts. We removed 115+ injected posts and killed the self-healing mechanism in the database.
Minute 30–40: Snapshot the database and files.
From your host's control panel (not from inside WordPress), take a full backup of:
- The entire public_html or web root directory
- A full MySQL database export
Label it clearly: pre-cleanup-snapshot-YYYY-MM-DD. Download a copy locally. This is your forensic baseline. If cleanup goes wrong, you can compare against this. If you need an incident responder later, they'll need this.
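As an added example that is not part of the original post, here is the snapshot step scripted with a SHA-256 manifest, so "compare against this" later is a command rather than a guess. It assumes GNU coreutils (sha256sum, sort -z, comm) and tar on the host, whitespace-free file paths, and that the database export is taken separately with your host's tool or mysqldump.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): take the pre-cleanup file snapshot
# the text describes and keep a SHA-256 manifest next to it, so later you can list
# exactly which files changed, vanished or appeared instead of eyeballing the tree.
# Assumes GNU coreutils (sha256sum, sort -z, comm) and tar; the database export
# is a separate step with your host's tool or mysqldump.

# Emit "HASH  ./relative/path" for every regular file under $1, sorted by path.
# (Paths are assumed whitespace-free so awk can split on the second field.)
hash_tree() {
  ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Usage: snapshot_webroot /path/to/public_html /path/to/outdir
# Writes pre-cleanup-snapshot-YYYY-MM-DD.tar.gz and .sha256 into outdir and
# prints the manifest path. The archive is the tree as found: no cleanup first.
snapshot_webroot() {
  local root="$1" outdir="$2" base
  base="$outdir/pre-cleanup-snapshot-$(date +%F)"
  mkdir -p "$outdir"
  tar -czf "$base.tar.gz" -C "$root" .
  hash_tree "$root" > "$base.sha256"
  printf '%s\n' "$base.sha256"
}

# Usage: changed_since_snapshot manifest.sha256 /path/to/public_html
# Prints "changed PATH", "missing PATH" or "new PATH" per difference; prints
# nothing when the live tree still matches the snapshot.
changed_since_snapshot() {
  local manifest="$1" root="$2" now
  now=$(mktemp)
  hash_tree "$root" > "$now"
  awk '{print $2}' "$manifest" | sort > "$now.before"
  awk '{print $2}' "$now"      | sort > "$now.after"
  # Only in the manifest: deleted since the snapshot. Only in the live tree: added.
  comm -23 "$now.before" "$now.after" | sed 's/^/missing /'
  comm -13 "$now.before" "$now.after" | sed 's/^/new /'
  # Same path, different hash: modified in place, which is where backdoors hide
  # inside otherwise legitimate files.
  cat "$manifest" "$now" | awk '$2 in seen && seen[$2] != $1 { print "changed " $2 } { seen[$2] = $1 }'
  rm -f "$now" "$now.before" "$now.after"
}
```

Keep the manifest with the downloaded copy of the archive; a responder can diff the live tree against it at any point in the cleanup.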
Minute 40–50: Check the user table.
In phpMyAdmin (or your host's database tool), run:
SELECT ID, user_login, user_email, user_registered
FROM wp_users
ORDER BY user_registered DESC;
Look at the most recent registrations. Anything you don't recognize, anything with a date right around when the infection started, anything with a suspicious email — flag it. Don't delete yet. Just note it.
Then check who has admin rights:
SELECT user_id, meta_value
FROM wp_usermeta
WHERE meta_key = 'wp_capabilities'
AND meta_value LIKE '%administrator%';
If the table prefix isn't wp_, adjust accordingly: both table names change, and so does the meta_key, which becomes {prefix}capabilities (for a prefix of xyz_, the query must look for 'xyz_capabilities' or it returns nothing).
Minute 50–60: Rotate the critical credentials.
From a clean device, change in this order:
- Your hosting account password (and enable 2FA if it isn't on)
- SFTP/SSH passwords
- Database password (and update wp-config.php to match)
- WordPress admin passwords for every legitimate user
- Any API keys stored in plugins (Stripe, Mailchimp, etc.)
Also: review the active plugin list. Anything you didn't install, anything inactive that you don't recognize, anything with a name like wp-feed-cache or wp-security-pro that you never bought — note it. Many backdoors hide as fake plugins.
When to call an incident responder instead of DIYing
Some infections you can clean yourself if you're technical. Most you can't. Call a professional immediately if any of these are true:
The infection comes back after cleanup. This is the single biggest tell that there's a backdoor you haven't found. Backdoors are obfuscated PHP files, sometimes encoded three or four layers deep, sometimes hidden in legitimate-looking files like wp-config-sample.php or buried in mu-plugins. They re-create the malicious files every time you delete them.
Your host has threatened suspension. You're now on a clock. A suspended site means no email, no orders, no leads, and a recovery process that can take days.
You see signs of a backdoor. Files with names like wp-feed.php, wp-vcd.php, radio.php, base64-encoded blobs in theme files, or eval() calls in unexpected places.
Customer data may be involved. If you take payments or store customer info and there's any chance the attacker had database access, the legal and disclosure considerations get real fast.
The site is generating revenue and downtime is costing you money. Every hour of "let me try one more thing" is an hour your phone isn't ringing.
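An added example, not from the post, that turns the backdoor signs above and the fake-plugin check from the triage section into a read-only sweep. It assumes GNU find and grep, and a plain-text allow-list of plugin slugs you compiled from your own records (known-plugins.txt is a constructed name).

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a read-only sweep of a WordPress
# tree for the backdoor indicators the text names (known dropper file names,
# eval() of decoded payloads, long base64 blobs, files in mu-plugins, PHP in
# uploads) plus a plugin-directory check against your own records. It only
# reports; nothing is deleted, so the evidence stays intact for the snapshot.
# Assumes GNU find/grep; the pattern list is a starting point, not a verdict.

# Usage: scan_backdoor_indicators /path/to/public_html
# Prints "reason: ./relative/path" per hit, for a human to vet.
scan_backdoor_indicators() {
  ( cd "$1" || exit 1
    # 1. File names the text calls out as classic drops.
    find . -type f \( -name 'wp-feed.php' -o -name 'wp-vcd.php' -o -name 'radio.php' \) \
      | sed 's/^/known-dropper-name: /'
    # 2. eval() fed straight from a decoder; legitimate plugins almost never do this.
    grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
      --include='*.php' . | sed 's/^/eval-of-decoded-payload: /'
    # 3. A 200+ character base64 run inside PHP, typical of layered encoding.
    grep -rlE '[A-Za-z0-9+/]{200,}={0,2}' --include='*.php' . \
      | sed 's/^/long-base64-blob: /'
    # 4. Must-use plugins load on every request and have no dashboard toggle.
    find ./wp-content/mu-plugins -type f 2>/dev/null | sed 's/^/mu-plugin-present: /'
    # 5. The uploads tree should hold media only.
    find ./wp-content/uploads -type f -name '*.php' 2>/dev/null | sed 's/^/php-in-uploads: /'
  ) | sort -u
}

# Usage: unknown_plugins /path/to/public_html known-plugins.txt
# Lists plugin directories absent from the allow-list you wrote from your own
# records; fake plugins like the wp-feed-cache / wp-security-pro examples in the
# text surface here.
unknown_plugins() {
  local found
  found=$(mktemp)
  find "$1/wp-content/plugins" -mindepth 1 -maxdepth 1 -type d | sed 's|.*/||' | sort > "$found"
  sort "$2" | comm -23 "$found" -
  rm -f "$found"
}
```

Every hit is a lead for the snapshot comparison and the responder, not a deletion target.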
A proper incident response engagement isn't just "delete the bad files." It's: identify the entry point, map every modified file and database row, remove the persistence mechanisms, verify the cleanup with a second pass, harden the site so the same vector doesn't work twice, and get you de-listed from Google's blocklist. That last step alone can take 72 hours if you don't know how to request a review properly.
What "hardened" looks like after cleanup
Once the immediate fire is out, the goal is making sure it doesn't happen again. The baseline I put on every WordPress site I clean:
- Disable file editing in wp-config.php: define('DISALLOW_FILE_EDIT', true);
- Disable plugin/theme installation from the dashboard on production: define('DISALLOW_FILE_MODS', true);
- Restrict /wp-admin access by IP or behind a Cloudflare Access policy where possible
- Force 2FA for every admin account
- Lock down xmlrpc.php (most sites don't need it)
- Set up SPF, DKIM, and DMARC so a future compromise can't easily spoof your domain
- Quarterly plugin audit — every plugin is a potential entry point
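An added check, not the post's own code, for the two wp-config.php constants in that list: it only accepts an active, uncommented define() set to true, because a commented-out or false define is the usual way a "hardened" site isn't. It assumes a POSIX shell with GNU grep.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify the two wp-config.php
# constants from the checklist are really in force. A define() that is commented
# out, set to false, or simply absent is the usual reason a "hardened" site still
# lets anyone holding an admin session edit theme PHP from the dashboard.

# Usage: audit_wp_config /path/to/wp-config.php
# Prints "ok NAME" or "MISSING NAME" per constant; returns 1 if anything is missing.
audit_wp_config() {
  local config="$1" name rc=0
  for name in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
    # Match only an active, uncommented define(...) that sets the constant to true;
    # "// define(...)" fails the start-of-line anchor and "false" fails the value.
    if grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config"; then
      printf 'ok %s\n' "$name"
    else
      printf 'MISSING %s\n' "$name"; rc=1
    fi
  done
  return $rc
}
```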
None of this is exotic. It's just the stuff that should have been there before the breach.
The honest summary
If you've read this far and you're pretty sure your site is compromised, here's the truth: the first hour matters more than the next ten. Get it offline, snapshot everything, change your hosting credentials from a clean device, and decide whether you're cleaning this yourself or calling someone. The worst outcome is a half-cleanup that comes back next week and burns your search rankings while you sleep.
If you want to see what a real cleanup looks like — including how we found a self-healing backdoor a previous contractor missed — the WordPress malware incident response case study walks through it.
And if you're staring at a hacked site right now and want it handled today, the malware removal and incident response service is built exactly for this situation: same-day triage, full forensic cleanup, Google de-listing, and hardening so it doesn't happen again. Reach out through the contact form and tell me what you're seeing — I'll tell you straight whether it's something you can handle or something you shouldn't.