
Detecting a WordPress site hack is one of the most important skills every web admin should have. With WordPress powering over 43% of the world’s websites, it’s a prime target for hackers and cybercriminals. In 2026, WordPress vulnerabilities increased by 68% year-over-year, and AI-powered attacks have made it harder than ever to detect a breach. In this comprehensive guide, you’ll learn 15+ signs that your WordPress site has been hacked, advanced detection methods, recovery steps, and prevention techniques.
Summary (TL;DR)
- Key signs of a hack: redirects to suspicious sites, sudden drop in traffic, creation of unknown admin users, changes to the site’s content or appearance, and Google security warnings.
- 2026 detection tools: Wordfence (endpoint firewall), Sucuri (cloud firewall), Google Search Console, and manual scanning of server files.
- Immediate actions: Cut off public access, change all passwords, identify and delete infected files, restore from a healthy backup, and update all plugins/templates.
- Prevention: Two-factor authentication (2FA), regular updates, use secure WordPress hosting, WAF firewall, and daily backups.
Why do WordPress sites get hacked?
Before we look at the signs of a hack, it’s important to understand why WordPress is a prime target for hackers. According to Patchstack’s 2026 report, over 64,782 vulnerabilities were identified in the WordPress ecosystem, with 96-97% related to plugins.
The main reasons why WordPress sites are hacked
- Vulnerable plugins: 96% of attacks are carried out through plugins that are out of date or have security bugs
- Weak passwords: Brute force attacks are still one of the most common methods of intrusion
- Nulled templates: Illegal templates often contain backdoors and malware
- Insecure hosting: Cheap hosting without proper security puts the site at risk.
- Not using SSL: Unencrypted communications are vulnerable to eavesdropping and MITM attacks.
- AI-Driven Attacks: In 2026, hackers use AI tools to scan for vulnerabilities and generate polymorphic malware automatically.
Shocking WordPress Security Statistics 2026
| Index | Statistics 2026 | Change from previous year |
|---|---|---|
| New vulnerabilities per year | 10,600+ | +68% |
| Plugins' share of vulnerabilities | 96-97% | Proven |
| Dominant attack type (XSS) | 53.3% | +12% |
| Sites without a recovery plan | 73% | -5% |
| Average time to detect a hack | 120 days | +15 days |
| Using 2FA | 60% | +45% |
15+ Signs to Recognize a Hacked WordPress Site
Signs of a site being hacked can be divided into two categories: obvious signs that are immediately visible, and hidden signs that require closer inspection.
Obvious signs of being hacked
1. Unwanted redirects to suspicious sites
One of the most obvious signs of a hack is when users are redirected to phishing, gambling, or fake shopping sites. This type of malware is usually clever and redirects visitors from Google, while direct entries and logged-in users see normal content.
Warning: If your users report that your site is redirecting them elsewhere but you don’t see this problem, your site has probably been hacked. Open an incognito window, search for your site on Google, and click through from the results to see this redirect.
2. Google and Browser Security Warnings
Google blocks around 20,000 sites per week for malware and 50,000 sites for phishing. If users encounter the following messages, your site has been hacked:
- “Deceptive site ahead”
- “This site may be hacked.”
- “This site contains malware.”
- “This site has been reported as unsafe.”
Use the Google Safe Browsing Tool to check the status of your site.
3. Changing the appearance of the home page (Defacement)
Some hackers change a site’s homepage as a show of power or for political purposes. This type of attack is usually accompanied by messages such as “Hacked by…” Although this type of hack is the most obvious, it is not the most dangerous; professional hackers prefer to remain hidden.
4. Unable to log in to the WordPress dashboard
If your password doesn’t work and you can’t recover it via email, a hacker has likely deleted or changed your admin account. In this case, you’ll need to access the database via phpMyAdmin or SSH and create a new admin user.
5. Creation of unknown admin users
Go to the WordPress Users section and check the list of users with the Administrator role. If you see a user with an unknown email or a strange username (like admin123, support, or user1) that you didn’t create, this is a sure sign of a hack.
6. Displaying pop-ups and unwanted advertisements
If you see pop-ups, banners, or redirects on your site that you didn’t add yourself, your site is connected to a malicious ad network. This type of malware is usually only displayed to non-logged-in and mobile users.
Hidden and professional signs of hacking
7. Sudden decrease in site traffic
If you notice a sharp drop in traffic in Google Analytics (50%+ in a week), there are the following possibilities:
- Google has removed your site from the results due to malware.
- Malware redirects traffic to another site
- Hackers have injected spam content into your site, and Google has given a penalty.
Check the Security Issues section in Google Search Console.
8. Injecting spam links (SEO Spam)
One of the most common attacks in 2026 involves injecting spam links into site content. Hackers add links to gambling, pharmaceutical, or counterfeit product sites in the footer, widgets, or even inside posts. These links are sometimes hidden with CSS and are only visible in the source code.
```bash
# Search for common spam keywords
grep -r "viagra\|casino\|cialis\|payday" /var/www/html/wp-content/
# Search for links with display: none
grep -r "display:none\|visibility:hidden" /var/www/html/wp-content/themes/
```
9. Japanese SEO Spam Attack (Japanese Characters)
This is one of the most sophisticated SEO Spam attacks. Hackers create new pages with Japanese or Chinese content that are only visible to search engines (cloaking). In Google results, you will see that your site pages are indexed with Japanese titles.
To check, search Google for site:yourdomain.com and see if any unknown pages appear in foreign languages.
10. Unknown files and scripts on the server
Hackers place backdoor files in various locations. These files often have names similar to the main WordPress files:
| Usual place | Suspicious names | Explanation |
|---|---|---|
| /wp-content/uploads/ | wp-tmp.php,cache.php | PHP files should not be in uploads. |
| /wp-includes/ | wp-vcd.php,class-wp-cache.php | Files added to WordPress core |
| /wp-content/themes/ | footer2.php,social.php | Additional files in the template |
| root | radio.php, diff.php, about.php | Unknown files in root |
```bash
# Find PHP files in the uploads folder
find /var/www/html/wp-content/uploads -name "*.php" -type f
# Find recently changed files
find /var/www/html -name "*.php" -mtime -7 -type f
# Search for base64 codes (common in malware)
grep -r "base64_decode\|eval(" /var/www/html/wp-content/ --include="*.php"
```
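The three checks above can be combined into one triage pass. The following is an added example, not part of the original guide: `scan_wp_tree` and `make_sample_tree` are hypothetical names, the sample tree is constructed with harmless stand-in files, and the obfuscation pattern is narrowed to decode-and-execute chains because a bare `base64_decode` match also hits legitimate plugin code.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): file triage for a WordPress tree.
# Output is one finding per line: CATEGORY ./relative/path

scan_wp_tree() {
  (
    cd "$1" || exit 1
    {
      # 1) Executable PHP in uploads, including case and extension variants
      find ./wp-content/uploads -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null |
        sed 's/^/UPLOADS_PHP /'
      # 2) Decode-and-execute chains rather than any use of base64_decode
      grep -rliE --include='*.php' \
        'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' . 2>/dev/null |
        sed 's/^/OBFUSCATED /'
      # 3) File names from the table above that do not exist in WordPress core
      find . -type f \( -name 'wp-vcd.php' -o -name 'wp-tmp.php' \
        -o -name 'class-wp-cache.php' \) | sed 's/^/KNOWN_NAME /'
    } | sort
  )
}

make_sample_tree() {   # constructed sample data: harmless stand-in files
  mkdir -p "$1/wp-content/uploads/2026/01" "$1/wp-content/plugins/good" \
           "$1/wp-content/themes/t" "$1/wp-includes"
  printf 'JPEG\n' > "$1/wp-content/uploads/2026/01/photo.jpg"
  printf '%s\n' '<?php echo "x";' > "$1/wp-content/uploads/2026/01/cache.php"
  printf '%s\n' '<?php echo "y";' > "$1/wp-content/uploads/2026/01/thumb.PHP"
  # Legitimate base64_decode use: a bare grep flags it, the chain pattern does not
  printf '%s\n' '<?php $img = base64_decode($data);' > "$1/wp-content/plugins/good/good.php"
  # Decode-and-execute chain; the payload decodes to the harmless "echo 1;"
  printf '%s\n' '<?php eval(base64_decode("ZWNobyAxOw=="));' > "$1/wp-content/themes/t/footer2.php"
  printf '%s\n' '<?php // constructed' > "$1/wp-includes/wp-vcd.php"
}

# Stand-alone demo on the constructed tree
tree=$(mktemp -d)
make_sample_tree "$tree"
scan_wp_tree "$tree"
rm -rf "$tree"
```

On a real site, run `scan_wp_tree /var/www/html` and review each finding by hand before deleting anything.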
11. Slow site speed and high consumption of server resources
If your site suddenly slows down or becomes unavailable, it may be:
- DDoS attack: flooding the server with requests to overwhelm it
- Cryptomining: Using server resources to mine digital currency
- Spam Email: Sending bulk emails from your server
- Botnet Activity: Using your server to attack other sites
Use the following commands to check resource usage:
```bash
top -c    # Check CPU usage by PHP
# Top 10 PHP processes by CPU usage
ps aux | grep php | sort -k3 -nr | head -10
# Check network connections
netstat -an | grep ESTABLISHED | wc -l
```
12. Unusual Activities in Server Logs
Checking server logs can reveal attacks and intrusions. Look for the following in the logs:
- High number of 404 requests to unknown PHP files
- POST requests to unusual files
- Unusual traffic from specific IPs
- Access to the wp-config.php or .htaccess files
```bash
# Find POST requests to the login page
grep "wp-login.php" /var/log/nginx/access.log | grep "POST"
# Find the IPs with the most requests
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -20
# Search for SQL Injection attacks (case-insensitive; expect false positives)
grep -iE "union|select|insert|update|delete|drop" /var/log/nginx/access.log
```
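The four log indicators listed above can be checked in a single pass over the access log. This is an added example, not part of the original guide: `triage_access_log` and `make_sample_log` are hypothetical names, the log is assumed to be in the nginx/Apache "combined" format, the thresholds (5 login POSTs, 3 PHP 404s per IP) are assumptions to tune per site, and the sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): one-pass access-log triage.
# Usage: triage_access_log LOGFILE [login_threshold] [probe_threshold]

triage_access_log() {
  awk -v lt="${2:-5}" -v pt="${3:-3}" '
    {
      ip = $1; method = substr($6, 2); path = $7; status = $9 + 0
      sub(/\?.*/, "", path)                  # drop the query string
    }
    # Repeated POSTs to the login page: brute-force candidates
    method == "POST" && path == "/wp-login.php" { login[ip]++ }
    # A PHP file under uploads that the server actually served
    path ~ /^\/wp-content\/uploads\/.*\.php$/ && status == 200 {
      print "UPLOADS_PHP", ip, path
    }
    # 404s for PHP files: scanners probing for known backdoor names
    path ~ /\.php$/ && status == 404 { probe[ip]++ }
    # Requests for files that should never be fetched over HTTP
    path ~ /\/(wp-config\.php|\.htaccess)/ { print "SENSITIVE", ip, path, status }
    END {
      for (ip in login) if (login[ip] >= lt) print "BRUTEFORCE", ip, login[ip]
      for (ip in probe) if (probe[ip] >= pt) print "PROBE404", ip, probe[ip]
    }
  ' "$1" | sort
}

make_sample_log() {   # constructed sample data, not real traffic
  for s in 01 02 03 04 05; do
    printf '203.0.113.7 - - [10/Jan/2026:10:00:%s +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"\n' "$s"
  done > "$1"
  cat >> "$1" <<'EOF'
198.51.100.23 - - [10/Jan/2026:10:01:00 +0000] "GET /radio.php HTTP/1.1" 404 150 "-" "curl/8.0"
198.51.100.23 - - [10/Jan/2026:10:01:01 +0000] "GET /diff.php HTTP/1.1" 404 150 "-" "curl/8.0"
198.51.100.23 - - [10/Jan/2026:10:01:02 +0000] "GET /about.php HTTP/1.1" 404 150 "-" "curl/8.0"
198.51.100.23 - - [10/Jan/2026:10:01:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 150 "-" "curl/8.0"
192.0.2.50 - - [10/Jan/2026:10:02:00 +0000] "POST /wp-content/uploads/2026/01/cache.php?a=1 HTTP/1.1" 200 20 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jan/2026:10:03:00 +0000] "GET / HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2026:10:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Stand-alone demo on the constructed log
sample=$(mktemp)
make_sample_log "$sample"
triage_access_log "$sample"
rm -f "$sample"
```

A served `UPLOADS_PHP` request is the strongest signal of the four, since it means a PHP file in uploads exists and responded.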
13. Problems sending and receiving emails
If WordPress emails (such as password resets or notifications) are not reaching their destination or are going to spam, it is possible that:
- Your server IP is blocked.
- Hackers are using your server to send spam.
- SMTP settings have been tampered with.
Use the MXToolbox Blacklist Check tools to check the server IP status.
14. Changing Google search results
If your page titles and descriptions are showing up differently in Google results than you’ve set, hackers may have changed your meta tags. This technique, known as “cloaking,” displays different content to users and search engines.
15. Suspicious Scheduled Activities (Cron Jobs)
Hackers use the server’s wp-cron or crontab to execute malicious code regularly. These tasks may include sending spam, recovering deleted backdoors, or harvesting data.
```bash
# Check the system crontab entries
crontab -l
cat /etc/crontab
# Check wp-cron events in WordPress
wp cron event list --path=/var/www/html
```
16. Presence of unknown plugins
In 2026, a type of malware called “Fake Plugin” became very common. This malware installs a fake plugin, such as “Modern Recent Posts” or “WP-VCD,” which appears in the plugins list but runs malicious code.
17. Modify WordPress core files
Core WordPress files, such as wp-includes/version.php or wp-admin/includes/class-wp-filesystem-direct.php, are sometimes modified by malware. To check the integrity of the files:
```bash
# Check the integrity of WordPress core files
wp core verify-checksums --path=/var/www/html
# Check the integrity of plugins
wp plugin verify-checksums --all --path=/var/www/html
```
Comparison of common types of attacks on WordPress
Understanding the types of attacks will help you identify the type of threat more quickly and respond appropriately:
| Type of attack | Hacker's goal | Main symptoms | Severity of danger |
|---|---|---|---|
| SEO Spam | Spam site rankings | Hidden links, Japanese pages | Medium |
| Backdoor | Permanent access | Unknown PHP files | High |
| Malvertising | Earn money from advertising | Pop-ups and advertisements | Medium |
| Phishing | Stealing user information | Fake login pages | High |
| Cryptomining | Cryptocurrency mining | High CPU usage | Medium |
| Defacement | Destruction or political message | Change home page | Low |
| Ransomware | Blackmail | File encryption | Very high |
| Data Theft | Information theft | Database access | Very high |
| Parrot TDS | Smart Redirect | Redirect only from Google | High |
Quick Hack Detection Checklist
Use this checklist to check your site’s security status quickly:
WordPress site security review checklist
Quick Checks (5 minutes):
- ☐ Does the site open properly in incognito mode?
- ☐ If you enter the site via Google search, are you not redirected?
- ☐ Does Google Safe Browsing show the site as safe?
- ☐ Can you log in to the WordPress dashboard?
- ☐ Is the admin user list healthy?
Medium reviews (15 minutes):
- ☐ Is there no security warning in Google Search Console?
- ☐ Are there no PHP files in the uploads folder?
- ☐ Are there any unknown plugins installed?
- ☐ Is the site traffic normal?
- ☐ Are WordPress emails being sent correctly?
Full Reviews (30+ minutes):
- ☐ Full scan with Wordfence or Sucuri
- ☐ Check the integrity of core files with wp core verify-checksums
- ☐ Check server logs for suspicious activity
- ☐ Check system and WordPress cron jobs
- ☐ Compare files with a healthy backup
Hack detection tools in 2026
Choosing the right tool for scanning and detecting malware is very important. In this section, we introduce the best tools of 2026:
1. Wordfence Security
Wordfence is the most popular WordPress security plugin with over 5 million active installations. It offers an Endpoint Firewall that runs directly on your server:
- Endpoint Firewall: Server-level firewall, non-bypassable
- Malware Scanner: Deep scan of files for malware
- Login Security: Two-factor authentication and login attempt limit
- Real-time Threat Intelligence: Instant security updates (Premium version)
2. Sucuri Security
Sucuri is a cloud-based security platform that filters traffic before it reaches your server:
- Cloud WAF: Cloud firewall to block attacks
- CDN Integration: Improve speed along with security
- Malware Removal: Unlimited malware removal services on paid plans
- DDoS Protection: Protection against DDoS attacks
3. Free online tools
| Tools | Address | Facilities |
|---|---|---|
| Sucuri SiteCheck | sitecheck.sucuri.net | Malware scanning, blacklisting, and outdated software |
| Google Safe Browsing | transparencyreport.google.com | Checking the security situation from Google's perspective |
| VirusTotal | virustotal.com | URL scanning with 70+ antivirus engines |
| Quttera | quttera.com | Detect malware and suspicious links |
Step-by-step guide to recovering a hacked site
If your site has been hacked, stay calm and follow these steps in order:
Step 1: Cut off public access (immediate action)
The first step is to prevent further harm to users and the site’s reputation:
```apache
# Add before the entire .htaccess content:
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^YOUR\.IP\.ADDRESS$
RewriteRule .* - [R=503,L]
ErrorDocument 503 "Site under maintenance"
```
Or with a simple PHP file:
```php
<?php
// Serve a 503 to everyone except your own IP address
if ($_SERVER['REMOTE_ADDR'] !== 'YOUR_IP_ADDRESS') {
    header('HTTP/1.1 503 Service Temporarily Unavailable');
    die('The site is under maintenance. Please check back later.');
}
?>
```
Step 2: Change all passwords
Before taking any action, change all passwords:
- ☐ WordPress dashboard password (all admins)
- ☐ FTP/SFTP password
- ☐ SSH password
- ☐ MySQL database password
- ☐ cPanel/Plesk password
- ☐ CDN (Cloudflare) password
Important: Also change the WordPress Secret Keys to expire all active sessions:
```bash
# Generate a fresh set of keys and salts
curl -s https://api.wordpress.org/secret-key/1.1/salt/
```
```php
// Replace the new keys in wp-config.php
define('AUTH_KEY', 'new key');
define('SECURE_AUTH_KEY', 'new key');
define('LOGGED_IN_KEY', 'new key');
define('NONCE_KEY', 'new key');
define('AUTH_SALT', 'new key');
define('SECURE_AUTH_SALT', 'new key');
define('LOGGED_IN_SALT', 'new key');
define('NONCE_SALT', 'new key');
```
Step 3: Create a backup of the current state
Before making any changes, take a backup of the current state. This backup is useful for forensic analysis and identifying points of intrusion:
```bash
# Backup files
tar -czvf /backup/hacked-site-$(date +%Y%m%d).tar.gz /var/www/html/
# Backup database
mysqldump -u USER -p DATABASE > /backup/hacked-db-$(date +%Y%m%d).sql
```
Step 4: Scan and detect malware
Scan the site using the tools introduced:
```bash
# Scan with ClamAV
clamscan -r --infected /var/www/html/
# Search for malware patterns
grep -rn "eval(base64_decode" /var/www/html/
grep -rn "gzinflate(base64_decode" /var/www/html/
grep -rn "@include" /var/www/html/wp-content/
grep -rn "FilesMan" /var/www/html/
grep -rn "WSO" /var/www/html/
# Check recently changed files
find /var/www/html -name "*.php" -mtime -7 -ls
# Check the integrity of WordPress files
wp core verify-checksums --path=/var/www/html
```
Step 5: Delete infected files
Once you have identified the infected files, delete or replace them:
- Unknown files: Delete completely
- Modified core files: Replace with original version
- Infected plugins/themes: Completely remove and reinstall
```bash
# Replace WordPress core files with fresh copies
wp core download --force --path=/var/www/html
# Remove PHP files from uploads
find /var/www/html/wp-content/uploads -name "*.php" -delete
# Delete the infected plugin and reinstall
wp plugin delete infected-plugin --path=/var/www/html
wp plugin install plugin-name --activate --path=/var/www/html
```
Step 6: Restore from a healthy backup (if needed)
If the infection is widespread, it is best to restore from the last known good backup. Make sure the backup is from before the date of the breach:
- Restore files from backup
- Import the database from backup.
- After restoring, be sure to update all plugins and WordPress.
- Change all passwords.
Step 7: Update everything
After cleaning, update all components:
```bash
# Update WordPress core
wp core update --path=/var/www/html
# Update all plugins
wp plugin update --all --path=/var/www/html
# Update all themes
wp theme update --all --path=/var/www/html
# Update PHP version (via cPanel or ssh)
# PHP 8.2 or 8.3 recommended
```
Step 8: Strengthen security
After recovery, add layers of security:
- Install and configure a firewall (Wordfence or Sucuri)
- Enable two-factor authentication for all admins
- Limit login attempts
- Change login page URL
- Disable file editing from the dashboard
```php
// Disable file editing
define('DISALLOW_FILE_EDIT', true);
// Block plugin/theme installation and updates from the dashboard
define('DISALLOW_FILE_MODS', true);
// Force SSL for the dashboard
define('FORCE_SSL_ADMIN', true);
```
Step 9: Request a reconsideration from Google
If Google blocks the site, request a re-review after cleaning:
- Log in to Google Search Console
- Go to the Security Issues section.
- Click “Request a Review”
- Explain what actions you took.
- It usually takes 2-7 days to complete the review.
Comprehensive Hacking Prevention Guide
Prevention is always better than a cure. Minimize the risk of your site being hacked by following these tips:
1. Regular updates
96% of vulnerabilities are exploited through outdated plugins. Apply security updates immediately:
- Keep WordPress core up to date
- Update plugins no later than one week after release.
- Update templates
- Upgrade the server’s PHP version to the latest stable version (8.2 or 8.3)
- Remove unnecessary or outdated plugins (no updates in 6 months)
2. Use secure hosting
Choosing a secure and reputable WordPress host is the most basic security step. A good host should:
- Have a server-level firewall (WAF)
- Perform daily malware scans
- Create automatic daily backups
- Offer free SSL
- Have Account Isolation
- Provide 24/7 support
3. Strong and unique passwords
Use passwords that are at least 16 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. Never use the same password for multiple services.
```bash
# Generate a random password
openssl rand -base64 24
# or
< /dev/urandom tr -dc 'A-Za-z0-9!@#$%^&*' | head -c 20; echo
```
4. Two-factor authentication (2FA)
According to Melapress, 2FA usage is expected to grow from 15% in 2024 to 60% in 2026. Enable 2FA for all admin users. Recommended plugins:
- Wordfence Login Security (Free)
- WP 2FA (Free with paid advanced features)
- Google Authenticator
5. Use SSL/HTTPS
An SSL certificate not only encrypts communications but is also a ranking factor for SEO. All pages on your site should use HTTPS:
```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
6. Regular and automatic backups
Daily backups are the lifesaver of your site. Backup rules:
- Frequency: At least daily for databases, weekly for files
- Storage: at least in 2 different locations (local + cloud)
- Recovery testing: Test monthly that backups are recoverable.
- Retention: Keep backups for at least 30 days.
Recommended plugins: UpdraftPlus, BackWPup, BlogVault
7. Restrict access
```apache
# Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 uses "Require" instead
# Restrict wp-login.php to your own IP address
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from YOUR.IP.ADDRESS
</Files>
# Protection of wp-config.php
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
# Disable directory listing
Options -Indexes
# Protect .htaccess
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
```
8. Use a VPS or dedicated server for important sites
For commercial or high-traffic sites, it is recommended to use a virtual private server (VPS) rather than shared hosting. On a VPS:
- Your site is completely isolated.
- You have full control over security settings.
- It is possible to install advanced firewalls such as Fail2ban and CSF.
- Better performance and higher security
9. Security monitoring and alerts
Use monitoring tools to identify problems quickly:
- Setting up alerts in Google Search Console
- Enabling notifications in Wordfence
- Using WP Activity Log to record changes
- Uptime monitoring with UptimeRobot or Pingdom
Frequently Asked Questions
How do I know if my WordPress site has been hacked?
The main signs of a hack include: unwanted redirects to other sites, sudden traffic drops, Google security warnings, the creation of unknown admin users, pop-up ads, changes to the site’s appearance, and an inability to log in to the dashboard. For a more detailed check, use tools like Sucuri SiteCheck or Wordfence.
What is the first step if my site is hacked?
The first step is to restrict public access to the site to prevent further damage to users. Then change all passwords (WordPress, FTP, database, hosting). Before cleaning, take a backup of the current state so that you can identify the point of intrusion.
Which is better, Wordfence or Sucuri?
Wordfence is an Endpoint Firewall that runs directly on your server and does a deeper scan, but it uses up server resources. Sucuri is a Cloud Firewall that filters traffic before it reaches the server and includes a CDN. For small to medium sites, the free Wordfence is sufficient; for high-traffic sites, Sucuri is better with DDoS protection.
Does cheap hosting cause your site to be hacked?
Cheap, low-quality hosts can increase the risk of hacking because they have poor account isolation, allowing a hack on one site to spread to others; they lack firewalls and malware scanning; they use outdated versions of PHP and other software; and they don’t offer security support. Using a reputable host with security features is an essential investment.
How long does it take to recover a hacked site?
Recovery time depends on the severity of the infection. A simple hack (such as link injection) may take 1-2 hours. Complex hacks with multiple backdoors and database contamination can take 4-8 hours. If a full restore from backup is required, it may take 1-2 days. Getting back into Google results after a blocklist usually takes 2-7 days.
What are the dangers of nulled templates?
Nulled (illegal and cracked) themes and plugins almost always contain malware, backdoors, or malicious code. This code can: steal your login information, connect your site to a spam network, destroy your site’s SEO, and even steal your customers’ information. Never use illegal themes and plugins.
How do I prevent my site from being hacked again?
To prevent re-hacking: 1) Keep all software up to date, 2) Enable two-factor authentication (2FA), 3) Use strong and unique passwords, 4) Install a security plugin like Wordfence, 5) Set up daily automatic backups, 6) Use a reputable host with security features, 7) Enable SSL/HTTPS, 8) Remove unnecessary plugins and themes.
Conclusion
Detecting a hacked WordPress site requires recognizing a range of signs. From suspicious redirects and decreased traffic to unknown files and fake users, these can all be signs of an intrusion. By using detection tools such as Wordfence and Sucuri, regularly reviewing server logs, and following preventive principles, you can maximize your site’s security.
Key points:
- 96% of vulnerabilities come from plugins – regular updates are essential
- The average time to detect a hack is 120 days – continuous monitoring is important
- Using 2FA stops 99.9% of Brute Force attacks
- Daily backups are the best insurance against ransomware
- Choosing a secure host is the most basic security step.

