知識庫

Your WordPress site is loading slower than usual. Strange pop-ups appear when visitors click links. Google just emailed saying your site contains malware. These aren't coincidences—your site's been hacked.

WordPress powers over 40% of the web in 2026, making it a prime target for hackers. The good news? Most hacks leave obvious clues if you know where to look. The bad news? By the time you notice them, damage might already be done.

Let's walk through the telltale signs your WordPress site has been compromised, what to check first, and how to verify your suspicions before panicking.

The Obvious Red Flags

Sometimes hackers are about as subtle as a moose in a china shop. These signs practically scream "you've been hacked":

Your Site Shows Different Content

The most obvious hack is when your homepage suddenly advertises pharmaceuticals, gambling sites, or adult content. This typically happens with outdated themes or plugins that hackers exploit through known vulnerabilities.

Check your site in an incognito browser window—hackers often hide malicious content from logged-in administrators to avoid detection. Also view your site on mobile, as some hacks only target mobile visitors.

Google Warns Visitors Your Site Is Dangerous

Nothing kills your credibility faster than Chrome showing a big red warning that your site "may be hacked" or "contains malware." Google's Safe Browsing technology scans billions of URLs daily and flags compromised sites quickly.

You'll also get an email to your Search Console account (assuming you've set one up). Don't ignore these warnings—a hacked website can destroy your firm's reputation and take months to recover from.

Users Report Strange Redirects

Your regular visitors know what your site should do. When they report being redirected to sketchy sites selling fake designer goods or miracle weight loss pills, take it seriously.

Redirect hacks are particularly sneaky. They might only activate for visitors from certain countries, on specific devices, or those arriving from search engines. You might never see the redirect yourself while testing from your office computer.

The Subtle Warning Signs

Not all hacks announce themselves with flashing neon signs. Smart attackers prefer staying hidden while using your site for their purposes. Watch for these quieter indicators:

Unexplained Traffic Spikes or Drops

Check your analytics. A sudden spike in traffic from countries where you don't do business? Suspicious. Traffic dropping to zero overnight? Your site might be blacklisted.

Look specifically at referral traffic. If you're suddenly getting thousands of visitors from random sites you've never heard of, hackers might be using your site in a link farm scheme.

New User Accounts You Didn't Create

Log into your WordPress admin and check Users → All Users. See any administrators you don't recognize? That's a massive red flag.

Hackers create admin accounts to maintain access even after you change your password. They often use generic names like "admin2" or "support" hoping you won't notice. Some even use names mimicking legitimate users with slight spelling variations.

Files Modified at Odd Hours

When did you last update your site at 3 AM on a Sunday? Probably never. Yet if you check your file modification dates (via FTP or your hosting file manager), you might find core WordPress files changed at bizarre hours.

Pay special attention to these files: - index.php - wp-config.php - .htaccess - Any files in wp-content/uploads

Your Site Sends Spam Emails

Getting email bounce notifications for messages you never sent? Your hosting account might be compromised and used to send spam. This can get your domain blacklisted faster than you can say "eh?"

Check with your hosting provider about email sending limits and recent activity. Ambrite's cloud hosting plans include email authentication to help prevent spoofing, but a compromised site can still abuse legitimate sending capabilities.

Performance and Functionality Clues

Hackers inject malicious code that consumes resources. Your site's performance often suffers as a result:

Pages Load Incredibly Slowly

While slow loading can have many causes, a sudden dramatic slowdown might indicate malicious scripts running in the background. These scripts might be mining cryptocurrency, participating in DDoS attacks, or scraping data.

Run a speed test and compare to previous results. If your site went from loading in 2 seconds to 15 seconds overnight, something's wrong.

Admin Panel Behaves Strangely

Can't save posts? Plugins mysteriously deactivated? Admin pages throwing errors? These might seem like technical glitches but could indicate database tampering or corrupted files.

Hackers sometimes partially break admin functionality to discourage you from logging in and discovering their modifications.

Search Functions Return Weird Results

Try searching your site. If results include content you didn't create—especially content about pharmaceuticals, loans, or essays—you've likely been hit by an SEO spam hack.

These hackers don't want to destroy your site; they want to use your domain authority to rank their spam content in search engines.

How to Verify Your Suspicions

Think your site might be compromised? Here's how to confirm:

Scan with Security Plugins

Install a reputable security scanner (check the official WordPress plugin directory for current options with good reviews). Run a full scan and review the results carefully.

Free scanners catch obvious issues but might miss sophisticated hacks. Consider paying for a premium scan if you handle sensitive data or run an e-commerce site.

Check Google Search Console

If you haven't set up Google Search Console yet, do it now. It's free and shows you exactly how Google sees your site.

Look for: - Security issues warnings - Sudden drops in impressions - Pages indexed that you didn't create - Strange search queries bringing traffic

Review Your Files via FTP

Download your site files and sort by modification date. Look for recently changed files you didn't touch. Common targets include: - Theme files (especially header.php and footer.php) - Plugin files - New PHP files with random names - JavaScript files you don't recognize

Examine Your Database

Access your database through phpMyAdmin (your host provides this). Look for: - New admin users in the wp_users table - Strange content in wp_posts - Modified site options in wp_options - Suspicious redirects in wp_postmeta

If you're not comfortable with databases, this is where professional help becomes valuable.

The Canadian Context

Canadian websites face unique considerations when dealing with hacks:

Privacy Breach Notifications

Under PIPEDA, if hackers access personal information of your customers, you might need to notify affected individuals and report to the Privacy Commissioner. This isn't optional—it's the law as of 2026.

Review our guide on PIPEDA compliance to understand your obligations.

Bilingual Site Complications

Running a bilingual site? Hackers might inject content in only one language version, making detection harder. Check both English and French versions of every page.

Impact on Canadian Payment Processing

If you run an online store with Canadian payment processors like Moneris, a hack could trigger security reviews or account suspensions. Payment processors take security seriously and might freeze your account until you prove the issue is resolved.

Common Hack Types to Watch For

Understanding different hack types helps you spot them faster:

SEO Spam Hacks

Hackers inject hidden content and links to boost their sites' search rankings. They might create thousands of spam pages on your domain or add invisible text to existing pages.

These hacks often target high-authority sites in professional sectors like law firms or healthcare practices.

Malicious Redirects

Code redirects visitors to malicious sites, often only affecting certain users to avoid detection. Mobile users and search engine visitors are common targets.

Backdoor Hacks

Hackers install hidden access points to return even after you clean the initial infection. These backdoors hide in innocent-looking files or database entries.

Phishing Kits

Your site hosts fake login pages mimicking banks, social media, or government sites. Visitors enter credentials thinking they're on the legitimate site.

Cryptomining Scripts

JavaScript mines cryptocurrency using your visitors' devices. Sites become sluggish as visitors' computers work overtime mining Bitcoin or Monero for hackers.

What to Do If You Confirm a Hack

Confirmed your site is hacked? Don't panic, but act quickly:

Take the Site Offline

Better to show a maintenance message than serve malware to visitors. Most hosting control panels let you enable maintenance mode quickly.

Change All Passwords

This includes: - WordPress admin accounts - Hosting account - FTP/SFTP access - Database passwords - Email accounts

Use strong, unique passwords. Consider implementing two-factor authentication immediately.

Contact Your Host

Quality hosts help during security incidents. They might have backups, security tools, or expert advice. Some hosts include basic malware scanning and removal.

Clean or Restore

You have two main options: - Clean the infection manually (time-consuming, requires expertise) - Restore from a clean backup (faster, but might lose recent changes)

For detailed cleaning steps, see our WordPress malware removal guide.

Prevention: Your Best Defense

An ounce of prevention beats a pound of cure, especially with website security:

Keep Everything Updated

WordPress core, themes, and plugins need regular updates. Outdated software is the number one entry point for hackers.

Can't keep up with updates? A maintenance plan ensures updates happen promptly without you lifting a finger.

Use Quality Hosting

Cheap hosting often means cheap security. Look for hosts offering: - Server-level security (like Imunify360) - Regular backups - Malware scanning - Quick support response times

Implement Security Headers

HTTP security headers tell browsers how to handle your site's content. They prevent many common attacks including cross-site scripting and clickjacking.

Regular Backups

When (not if) something goes wrong, recent backups save the day. Store backups off-site and test restoration periodically.

When to Call in Professionals

Some situations demand expert help:

• You handle sensitive customer data or payment information
• Multiple hack attempts despite cleaning efforts
• No recent backups exist
• You lack time or technical skills for thorough cleaning
• Your business can't afford extended downtime

Professional security services cost money but often save more in prevented damage and faster recovery.

The Reality Check

Here's the truth: if you run a WordPress site long enough, you'll likely face some form of attack. It's not personal—it's automated bots scanning for vulnerabilities.

The difference between a minor annoyance and a business disaster? Preparation. Regular maintenance, quality hosting, and quick detection turn potential catastrophes into manageable incidents.

Stay vigilant, keep backups current, and remember—the best time to improve your security is before you need it. If you're reading this because you suspect a hack, take action today. Your future self (and your website visitors) will thank you.

Need help? If you've discovered your site is hacked and need immediate assistance, contact our security team. We can help assess the damage, clean the infection, and implement stronger security measures to prevent future attacks.

This article was written with the help of AI and reviewed by the Ambrite team. Pricing, features, and technical details may change — always verify with official sources before making decisions.

Photo by Tima Miroshnichenko on Pexels