8 signs you’ve had your WordPress site hacked

In spite of what common sense might say, it is not true that open source platforms are more likely to be hacked. The truth is that a closed source platform developed on a smaller scale is much more likely to be hacked than a platform audited by thousands of developers around the world. Of course, if we compare statistics, the number of hacked websites based on open source platforms is much higher. After all, the overwhelming majority of the Internet uses these platforms as the basis for their online presence.

First of all, prevention is much better than cure, so always keep all your plugins, themes, and WordPress core up to date, preferably every week. Updates are essential, and doing them at shorter intervals can lessen the risk of a hack. Security patches should be applied as soon as they ‘leave the factory’.

If you are not familiar with hacking, you may not know if you have in fact been hacked. So, let’s look at some signs that your site may have been hacked.

1 . Traffic

Sudden movements in traffic graphics may indicate that your site has been hacked. If your traffic is declining sharply in a short period of time, this may mean an organic movement resulting from another symptom or that there is some mechanism redirecting all of your traffic. In general, the reasons may be:

  1. Google is warning users that your site may contain malware. This can occur either through the Red Screen Alert shown in Google Chrome or through the search engine results.
  2. People may give up accessing your site because it is showing undue content or even being slow (these are also symptoms that the site has been hacked and there are specific sections for them in this article).
  3. There is a redirect of traffic from your site to malicious pages.

Also, there may be a sudden increase in your traffic metrics. Although this sounds good at first, this can mean a total disaster in various aspects of your site. A sudden increase in traffic can result in numerous problems:

  1. Increased bandwidth usage.
  2. CPU usage metrics can hit peaks and therefore can generate slowness, resulting in poor user experience and reduced scores.
  3. Your site may be blacklisted.

An increase in traffic can be caused by a technique called Spamvertising, where pages containing advertisements or malicious content are created on the hacked site, and emails are triggered using the server’s IP in order to attract traffic to those created pages. Hyperlinks can also be added on some parts of the site to improve the rankings of the ‘hacker website’.

2 . Modified pages

Changes to pages can easily be noticed or may be hidden and destroying the user experience bit by bit. You should pay attention to strange hyperlinks, banners with dubious content, pop-ups, texts, or pages of unknown origin.

Generally, these types of content have the sole purpose of attracting the attention of the user to another page, which usually makes use of social engineering to obtain personal information or even to steal money.

Some pop-ups are quite difficult to identify and so this kind of change can remain on pages for a long period of time without being noticed by site administrators. The reality is that your users may not warn you of the problem and simply never come back to your site.

Some content types are filtered so that they are not shown to users logged in to the site, so they can go undetected for even longer. Ad Blockers can also prevent you from seeing this kind of problem, so checking the site using an incognito tab can help identify the problem.

3. Recently Created or Modified Files

The White Screen of Death (usually HTTP Error 500) can be generated by an invasion. When hackers get access to your site’s files, they can create new malicious scripts or change existing files. It is extremely common to see scripts encrypted inside the WordPress configuration file (wp-config.php), for example.

Most malicious files may be in the WordPress core, usually in wp-config.php or wp-includes files. However, it is quite common to check these modifications in themes or plugins.

Generally speaking, just removing these strange files/snippets is not enough. There is a great possibility of another backdoor in some other part of the files, so scanning the site using automated tools like Sucuri or WPScan is fundamental.

Another point to be analyzed is the .htaccess file, where there may be malicious redirects. We recommend that you keep the default version of .htaccess.

4. Google Warnings

Google maintains a tool called Google Safe Browsing that helps improve the internet experience. In fact, this is a kind of blacklist and if you see this message when accessing your site, it means that there is probably malware installed there.

In addition to this message that warns users in a very aggressive way, Google tags sites that are suspected of being insecure in their own search pages, even before the user accesses the website. This can greatly reduce the number of hits on your site as reported in the Traffic section.

In order for your site to return to normal, it must first be cleaned and then you request the delist from Safe Browsing list.

5. Emails

If your website uses the PHP Mail function to send emails, hackers can harm the operation of the service or take advantage of it to send messages containing advertisements or malicious content.

If the attacker sends too many messages at once and people report them as spam, chances are that the IP of your server will be blacklisted and this could lead to a service malfunction.

This type of problem may be inconspicuous for a long period of time. After all, no message or warning is displayed when sending or receiving messages. Usually, the problem is identified when there are attempts to send emails and these arrive in the recipient’s spam box.

Once you have cleaned your WordPress and changed all the passwords, you should identify which spam lists blacklisted the IP of your server. This can be done through tools like MX Tool Box. Then, contact these spam lists to remove your IP.

6. Can’t login

If you can not log in to your WordPress site or reset your password, it could mean that the hacker has deleted your user.

There are a few ways to recover your access. One of the easiest is to upload via FTP/SFTP, a script that creates new users.

It is worth mentioning that recovering your user will not be the solution, but it is the first step to identify what is going on.

7. Hijacked Search Results

Hijacking happens when search engines crawl the website and unwanted metadata is shown in place of the real metadata. The goal is to steal all of the traffic from your website and redirect it to illegal content sites. This is possibly one of the worst types of invasion and is usually crafted in a structured and difficult-to-identify manner.

If Google Safe Browsing identifies the problem, it will automatically notify users that the site is not secure, and this should decrease your traffic considerably.

After performing the cleanup, it is essential that you request a new site indexing through Search Console and ask Google Safe Browsing to delist your website.

8. Performance

The main types of hacks that can result in performance problems are DDoS attacks, which systematically send multiple requests to your site from different IPs, and general scripts are inserted into the database, into WordPress Core files, Theme, or Plugins.

DDoS attacks can lead to your website being extremely slow and even totally unavailable.

Scripts that consume many computational resources can also be inserted to make your site slow or unavailable. In addition, many malicious scripts use your server to mine crypto-coins.

These attacks can be identified from the analysis of the access logs and can be avoided using a good Website Firewall.


If you have identified one or more of the above symptoms, chances are that your website was probably hacked. At this point, the ideal thing would be to have a backup available so that there is the possibility of restoring to a date before the beginning of the problems. After restoring the backup, you should change all your passwords, update plugins, themes, and WordPress Core. Changing access passwords to FTP and Database can also help prevent new hacks from happening.

If you do not have any backups available, you will need to remove the malware by using professional or specialized software. We recommend Sucuri removal service, which is performed by security professionals. Another option would be the Malcare plugin, which has malware removal functionality programmed.

After cleaning, be sure to keep backing up, updating your plugins, themes, and WordPress weekly. Remember to always use a strong password for each service and make sure that your site is no longer being blacklisted on any spam lists.

The 4-Step Framework To Successfully Scale a Care Plan Program