Most hacked WordPress sites do not announce the problem with a defaced homepage.

More often, the website still looks normal to the owner, especially while logged in. But search engines, visitors, hosting providers, or email systems may be seeing something very different.

That gap is what makes WordPress compromises so dangerous. Attackers often hide redirects from administrators, inject spam pages only search engines can see, create backdoors inside writable folders, or use scheduled tasks to restore malware after cleanup.

If you only check your website from one browser, one device, and one logged-in admin account, you can miss a compromise for weeks.

This guide covers the most important signs that your WordPress site may be hacked, how to verify each one, and what to do next. It also explains where the Securewp Remote Security Scanner and SiteFort Security Plugin can help.

1. Google or Browsers Show a Security Warning

If visitors see warnings such as “Deceptive site ahead,” “This site may harm your computer,” or “This site may be hacked,” treat it as an active security incident.

These warnings usually mean Google, a browser vendor, or a security provider has detected malware, phishing, unwanted software, social engineering, or hacked content on your site.

Google’s Search Console Security Issues report lists signs that a site may have been hacked or may harm visitors, including malware, unwanted software, phishing, and deceptive content.

How to verify

  • Open Google Search Console.
  • Go to Security & Manual Actions → Security Issues.
  • Review any sample URLs Google provides.
  • Check whether warnings appear only on specific pages or across the whole domain.
  • Run an external scan using the Securewp Remote Security Scanner.

If Google has flagged the site, do not only remove one suspicious file and request review. First, clean the infection, fix the entry point, remove backdoors, and verify the site from outside your logged-in session.

2. Search Visitors or Mobile Users Are Redirected, but You Are Not

This is one of the most common WordPress malware patterns.

The site loads normally for the owner, but visitors arriving from Google Search, Bing, social media, or mobile devices are redirected to scam pages, fake update prompts, gambling sites, adult content, or SEO spam.

This happens because redirect malware is often conditional. It may check the visitor’s referrer, device, country, user agent, cookies, or login state before redirecting.

Google’s spam policies include cloaking and sneaky redirects as spam behaviors that can cause pages or entire sites to be ranked lower or omitted from Search.

How to verify

  • Open the site while logged out.
  • Use an incognito/private browser window.
  • Test from a mobile device.
  • Test from a different network, such as mobile data.
  • Search site:yourdomain.com in Google and open several results.
  • Compare what guests see with what logged-in administrators see.

If behavior changes based on search referrer, device, or login state, investigate for cloaked redirect malware.

The Securewp Remote Security Scanner is useful here because it checks the public-facing version of the site, not the version shown inside your WordPress admin session. SiteFort can then help scan inside WordPress for injected scripts, suspicious redirects, modified files, vulnerable plugins, and backdoors.

3. Unknown Admin Users or Role Changes Appear

Unexpected administrator accounts are a strong compromise signal.

Attackers often create backup admin users so they can return later. In some cases, they also hide those accounts from the normal WordPress user list or silently elevate an existing user’s role.

How to verify

  • Go to Users → All Users.
  • Review every administrator account.
  • Check unfamiliar usernames, email addresses, and display names.
  • Review recent password reset activity.
  • Check whether any editor, author, or subscriber was promoted unexpectedly.
  • If possible, compare dashboard users against wp_users and role data in wp_usermeta.

Every privileged account should have a clear owner and reason to exist.

After removing unknown users, reset passwords, enable 2FA, and review audit logs if available. SiteFort can help with login security, 2FA, weak or breached password checks, and audit logging for user and role changes.

4. PHP Files Appear in Uploads or Writable Directories

The WordPress uploads directory should normally contain media files, documents, and generated assets. It should not contain executable PHP files.

A PHP file inside wp-content/uploads is a common backdoor pattern. Attackers place web shells in writable directories because those locations are easier to write to through vulnerable plugins, insecure upload handlers, or compromised admin sessions.

How to verify

Check these locations for suspicious executable files:

  • wp-content/uploads/
  • wp-content/cache/
  • wp-content/upgrade/
  • Temporary upload folders
  • Backup folders
  • Old staging or test folders

Look for extensions such as:


.php
.phtml
.phar
.php5
.php7
.image.jpg.php

Some plugins may create unusual files, so do not assume every non-image is malicious. But every executable file in a public writable path deserves an explanation.

SiteFort can help scan for backdoors, web shells, malicious PHP, suspicious files, and exposed sensitive files. It can also help harden WordPress by blocking PHP execution in uploads where supported.

5. Google Is Indexing Pages You Never Published

SEO spam infections often stay invisible to normal visitors.

Instead of breaking the homepage, attackers create spam landing pages, inject hidden links, or alter what search engines see. Your website may start ranking for pharmacy terms, casino keywords, fake product pages, Japanese text, or other content you never created.

How to verify

Search Google using:


site:yourdomain.com
site:yourdomain.com casino
site:yourdomain.com viagra
site:yourdomain.com Japanese
site:yourdomain.com inurl:index.php?

Review titles, descriptions, and URLs carefully. Look for:

  • Foreign-language pages you did not publish
  • Pharmacy, gambling, adult, or fake shopping terms
  • Random query-string URLs
  • Strange directories
  • Spam meta titles and descriptions
  • Search results that redirect after clicking

Also check Search Console for unknown sitemaps, suspicious indexed URLs, and security issues.

The Securewp Remote Security Scanner can help identify public-facing spam and redirect symptoms, while SiteFort can scan inside WordPress for SEO spam indicators, injected scripts, modified files, and suspicious redirects.

6. Core, Theme, or Plugin Files Changed Unexpectedly

Unexpected file modification is one of the strongest technical signs of compromise.

Attackers often add a few lines of code to a core bootstrap file, theme template, plugin loader, or configuration file so their code runs on every request.

How to verify

  • Compare WordPress core files against official checksums.
  • Compare plugin and theme files against clean vendor copies.
  • Review recently modified files.
  • Check deployment logs or Git history if available.
  • Look for changes in index.php, wp-config.php, functions.php, header.php, footer.php, and plugin bootstrap files.

WordPress hardening guidance recommends keeping WordPress, plugins, and themes updated and using basic security precautions to reduce compromise risk.

SiteFort can help by scanning for modified core files, suspicious file changes, known malware patterns, and vulnerable plugins or themes.

7. Unknown Cron Jobs or Scheduled Tasks Exist

Persistence is what turns a one-time infection into a recurring one.

Attackers may use WordPress cron tasks or server-level cron jobs to recreate malware, download payloads, send spam, or recreate admin accounts after cleanup.

How to verify

  • Review WordPress cron events using WP Crontrol or WP-CLI.
  • Look for unfamiliar hook names.
  • Check callbacks tied to unknown plugins or files.
  • Review suspicious high-frequency tasks.
  • If you manage the server, review system cron jobs too.

If malware returns after cleanup, scheduled tasks should be one of the first places you check.

8. wp-config.php, functions.php, mu-plugins, or Rewrite Rules Changed

Not every compromise is stored in an obvious malware file.

Attackers often hide code in files that already execute on every request, such as:

  • wp-config.php
  • Theme functions.php
  • wp-content/mu-plugins/
  • Code snippets plugins
  • .htaccess
  • Nginx include files
  • Auto-prepend PHP configuration

How to verify

Look for suspicious patterns such as:


eval
base64_decode
gzinflate
str_rot13
file_get_contents
curl_exec
include
require
String.fromCharCode
window.location

These functions are not always malicious, but they should be reviewed carefully when found in unexpected locations.

Also check for unknown remote URLs, hidden includes, strange variable names, redirect logic, and obfuscated strings.

9. Plugins, Themes, or Code Snippets Changed Without Approval

Attackers do not always upload files with obvious malware names.

Sometimes they install a fake plugin with a normal-looking name, modify a dormant theme, add a code snippet, or edit an existing plugin file.

How to verify

  • Review all installed plugins and themes.
  • Remove anything unused, abandoned, or unknown.
  • Check code snippets for unfamiliar PHP or JavaScript.
  • Review activation dates and last modified times.
  • Compare installed plugins with deployment records or client approval history.

If your team did not approve the change, do not treat it as harmless just because it looks like a normal WordPress component.

10. Resource Usage Spikes Without a Clear Reason

Performance issues are not proof of compromise by themselves. A slow site can be caused by a heavy plugin, bad hosting, no caching, database bloat, or real traffic growth.

But unexplained CPU, memory, PHP worker, or process spikes can be a useful compromise signal when they appear with other symptoms.

Malware, spam mailers, bot traffic handlers, hidden cron jobs, and abusive crawlers can all create resource spikes.

How to verify

  • Check hosting resource charts.
  • Review access logs for repeated bot traffic.
  • Check PHP error logs.
  • Review running processes if server access is available.
  • Look for repeated hits to wp-login.php, xmlrpc.php, wp-json, search pages, or random 404 URLs.
  • Scan for malware if the spike has no clear traffic or deployment cause.

SiteFort can help with bot blocking, firewall logs, 404 probe controls, rate limiting, login protection, malware scanning, and Cloudflare Sync for selected blocking rules.

11. Transactional Email Fails or the Host Reports Spam Abuse

Compromised WordPress sites are often used to send spam, phishing emails, or abusive outbound traffic.

The first visible sign may not be a broken page. It may be email problems.

Common symptoms include:

  • Password reset emails stop arriving.
  • WooCommerce order emails land in spam.
  • Your host sends an abuse notice.
  • Your domain or server IP appears on a blacklist.
  • SMTP provider reports unusual volume.
  • Unexpected mail scripts appear on the server.

How to verify

  • Review SMTP provider logs.
  • Check hosting mail logs if available.
  • Review recent file changes around the time the spam started.
  • Scan for mailer scripts and backdoors.
  • Check whether WordPress users or plugins were added recently.

A blocklisted IP does not always prove WordPress malware, especially on shared hosting. But if email issues appear alongside suspicious files, unknown users, redirects, or resource spikes, treat them as part of the same investigation.

12. Malware Returns After You Remove It

If suspicious files reappear, redirects return, or spam pages come back after cleanup, the problem was not fully removed.

Reinfection usually means one of these is still active:

  • A hidden backdoor
  • An unpatched vulnerable plugin or theme
  • A compromised admin account
  • A malicious cron job
  • Compromised SFTP/FTP credentials
  • Malware hidden in the database
  • A server-level persistence mechanism

How to verify

  • Re-scan after cleanup.
  • Compare file changes over time.
  • Review cron tasks and admin users.
  • Check writable directories.
  • Update or remove vulnerable components.
  • Reset WordPress, hosting, database, SFTP/FTP, and control panel passwords.

SiteFort can help with repeatable malware scans, file checks, vulnerability monitoring, audit logs, hardening controls, and firewall protection after cleanup.

What to Do If You See One of These Signs

Do not treat a single malicious file, redirect, or warning as the whole incident. In WordPress compromises, the visible symptom is often not the root cause.

  1. Take a backup first. Preserve the current state before deleting files so you can investigate safely.
  2. Confirm the symptom from multiple views. Test as a guest, from mobile, from search results, and with an external scanner.
  3. Scan inside WordPress. Check files, plugins, themes, users, vulnerabilities, redirects, and database indicators.
  4. Audit persistence layers. Review cron jobs, admin users, mu-plugins, writable directories, code snippets, and rewrite rules.
  5. Patch the entry point. Update or remove vulnerable plugins, themes, custom code, or weak credentials.
  6. Reset credentials. Change WordPress admin, hosting, SFTP/FTP, database, control panel, email, and DNS passwords where relevant.
  7. Remove unknown access. Check WordPress users and Google Search Console users.
  8. Harden the site. Block PHP execution in uploads, disable file editing, restrict XML-RPC if unused, protect sensitive files, and enable 2FA.
  9. Monitor after cleanup. Re-scan over the next several days and review logs for reinfection.

The Securewp Remote Security Scanner is useful for checking what outsiders can see. SiteFort is useful for checking what is happening inside WordPress and applying ongoing protection.

How SiteFort and the Securewp Remote Scanner Help

The Securewp Remote Security Scanner provides an outside-in view of your site. It can help detect public-facing issues such as visible malware indicators, suspicious redirects, blacklist status, exposed sensitive files, security header gaps, and search-facing symptoms.

SiteFort Security Plugin works from inside WordPress and helps with deeper investigation and prevention.

SiteFort can help with:

  • Malware scanning
  • Backdoor and web shell detection
  • Modified core file checks
  • Vulnerability alerts
  • Hardening controls
  • Firewall rules
  • Bot blocking
  • Login security and 2FA
  • Audit logs
  • Cloudflare Sync for selected blocking rules

Used together, they give you two important views:

  • Remote scanner: What search engines, visitors, and attackers may see from outside.
  • SiteFort: What is happening inside WordPress files, users, plugins, themes, settings, and security logs.

Final Thoughts

The most dangerous WordPress compromises are often the quiet ones.

The homepage still loads. Admin login still works. Nothing looks obviously broken. Meanwhile, the attacker may be using a backdoor, cron hook, writable directory, modified theme file, fake plugin, or search-engine cloaking to stay hidden.

Early detection comes from checking the site from more than one point of view. Check what Google sees, what visitors see, what the server logs show, and what changed inside WordPress.

For a quick outside check, run the Securewp Remote Security Scanner. For ongoing protection inside WordPress, use SiteFort to scan files, monitor vulnerabilities, apply hardening, block bad traffic, protect logins, and review audit logs.

If one of these warning signs is present and the site keeps getting reinfected, consider a professional WordPress malware removal service so the root cause can be cleaned, not just the visible symptom.