Your WordPress Site Was Hacked - Here's How to Tell and What to Do About It

It happened to us. Our own WordPress site was compromised, and we didn't even know it until we migrated to a new platform and checked Google Search Console. What we found was alarming: spam pages indexed under our domain, fake product listings for "reborn doll clothes" and "velvet ribbon," and a Google listing that said we were based in New York when we've been in North Carolina for years.
If you run a WordPress site, this article is for you. We'll walk through how to tell if your site has been hacked, what attackers actually do once they're in, and what steps you can take to fix the damage and prevent it from happening again.
The Signs Your WordPress Site Has Been Hacked
Most business owners don't realize their site has been compromised until the damage is done. Here are the warning signs we discovered, and the ones you should watch for:
1. Strange Pages Appearing in Google Search Results
This was our biggest red flag. When we searched site:elfatranydesign.com in Google, we found pages we never created:
- URLs with random directory paths like /pjgukn/4-inch-wide-velvet-ribbon
- Product listings for items we've never sold
- Pages in languages we don't speak
- Query parameter spam like /?e=278272914 with titles like "Sale landscape design Deals"
If you search site:yourdomain.com in Google and see pages you didn't create, your site has been compromised.
2. Google Search Console Warnings
In our Search Console, we found "Product snippets" being detected on our homepage. Specifically, a structured data entry for "Best 10 inch reborn doll clothes Factory Sale." We never sold dolls. This was injected malware creating fake product schema to exploit Google's rich results.
3. Outdated or Wrong Business Information
Hackers often modify your site's metadata. In our case, platforms like Facebook and LinkedIn were still showing cached data that said "A Creative Design Agency based in New York." That information predated the hack, but the attackers never bothered to update it, so it mixed right in with their spam content.
4. Unexpected Redirects or Slow Performance
Some hacks redirect your visitors to spam sites or inject scripts that slow down your page load. If visitors or clients mention your site acting strangely, take it seriously.
5. New Admin Users You Didn't Create
Log into your WordPress dashboard and check Users, then All Users. If you see administrator accounts you don't recognize, someone has gained access. Hackers create these so they can get back in even after you change your password.
6. Your Host Suspended Your Account
Many hosting providers run automated malware scans. If your host emails you about a suspension or a malware detection, don't ignore it. That is one of the clearest signs something has gone wrong.
7. Customers Are Getting Spam From Your Domain
If clients or customers start receiving spam emails that appear to come from your domain, hackers may have installed mail scripts on your server. This can also get your domain blacklisted by email providers, which creates a whole separate problem.
Why WordPress Sites Get Hacked in the First Place
WordPress powers about 40% of all websites. That popularity makes it a massive target. But it's not WordPress itself that's usually the problem. It's how sites are maintained (or not maintained) over time.
Outdated Plugins and Themes
This is the number one entry point for attackers. When a plugin developer releases a security patch, hackers immediately start scanning the internet for sites that haven't updated yet. If your plugins are even a few weeks behind, you're exposed. The more plugins you run, the bigger your attack surface.
Weak or Reused Passwords
Brute force attacks are still incredibly common. Bots try thousands of username and password combinations against your wp-login.php page. If you're using "admin" as your username or reusing a password from another site that was breached, it's only a matter of time.
Cheap Shared Hosting
On budget shared hosting, your site shares a server with hundreds of other sites. If any one of those sites gets compromised, the attacker can sometimes move laterally to other accounts on the same server. You might do everything right and still get hacked because of a neighbor.
Abandoned or Nulled Plugins
Some site owners install "nulled" (pirated) premium plugins to avoid paying for them. These almost always contain backdoors. And plugins that haven't been updated by their developer in over a year are just as dangerous, because known vulnerabilities go unpatched.
No Ongoing Maintenance
Here's the uncomfortable truth: WordPress is not a "set it and forget it" platform. It needs regular updates, security monitoring, and backups. Many business owners launch their site and don't touch it again for months or even years. That's how vulnerabilities pile up.
This is exactly why we offer website maintenance packages. Keeping your plugins, themes, and core files up to date is the single most effective thing you can do to prevent a hack. If you don't have the time or technical knowledge to stay on top of it yourself, having someone handle it for you is well worth the investment.
What Hackers Actually Do to Your WordPress Site
The most common WordPress hacks don't deface your homepage with a skull and crossbones. They're subtle. Attackers inject:
- Hidden spam pages that are invisible to you but indexed by Google. These pages sell backlinks or promote products, using your domain's authority.
- Malicious structured data (JSON-LD) that tricks Google into showing fake rich results for your site.
- Backdoor files in your /wp-content/ or /wp-includes/ directories that give them persistent access even after you change your password.
- Database injections that modify your posts, pages, or site options with spam content.
- Mail scripts that send spam from your server, damaging your domain's email reputation.
- Cryptominers that run in the background, using your server resources to mine cryptocurrency while slowing your site to a crawl.
The goal isn't to destroy your site. It's to exploit your domain's search engine reputation to promote their own products and services. That's what makes it so sneaky: your site can look perfectly normal to you while Google is indexing hundreds of spam pages under your domain.
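One quick way to catch the fake product schema described in sign 2 is to list every schema.org type your homepage actually declares in its JSON-LD blocks and compare that against what your site should emit. The script below is an added example, not code from the original post; it runs against a constructed HTML sample and assumes the script tag uses double quotes (as WordPress and the common SEO plugins emit it) and that @type values are plain strings, not arrays.

```shell
#!/bin/sh
# Lists the schema.org @type values declared in a page's JSON-LD blocks, so an
# injected "Product" on a site that sells nothing stands out. Added example on a
# constructed HTML sample, not code from the original post. Assumes the script
# tag uses double quotes and that "@type" values are strings (not arrays).

ldjson_types() {               # usage: ldjson_types page.html
  awk '
    /<script[^>]*type="application\/ld\+json"/ { inblock = 1 }
    inblock {
      line = $0
      # Pull every "@type": "X" pair on the line; JSON-LD is often minified onto one line.
      while (match(line, /"@type"[[:space:]]*:[[:space:]]*"[^"]+"/)) {
        v = substr(line, RSTART, RLENGTH); line = substr(line, RSTART + RLENGTH)
        match(v, /"[^"]+"$/); print substr(v, RSTART + 1, RLENGTH - 2)
      }
    }
    /<\/script>/ { inblock = 0 }
  ' "$1"
}

# Print only the types that are not in a space-separated allow-list of what the
# site legitimately emits (for an agency: Organization, WebSite, WebPage ...).
unexpected_types() {           # usage: unexpected_types page.html "Organization WebSite"
  ldjson_types "$1" | sort -u | while read -r t; do
    case " $2 " in *" $t "*) ;; *) echo "$t" ;; esac
  done
}

# Constructed sample: one legitimate Organization block and one injected Product block
# of the kind the post found in Search Console.
make_sample_page() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
<html><head>
<script type="application/ld+json">
{"@context":"https://schema.org","@type":"Organization","name":"Example Agency"}
</script>
<script type="application/ld+json">{"@context":"https://schema.org","@type":"Product","name":"Best 10 inch reborn doll clothes Factory Sale","offers":{"@type":"Offer","price":"19.99"}}</script>
</head><body>Hello</body></html>
EOF
  echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
  f=$(make_sample_page); unexpected_types "$f" "Organization WebSite"; rm -f "$f"
elif [ -n "${1:-}" ]; then
  unexpected_types "$1" "${2:-Organization WebSite WebPage}"   # saved copy of your homepage
fi
```

Save a copy of your live homepage first (for example with curl) and pass the file as the first argument; any type you did not put there yourself is worth a look in the raw HTML.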
How to Fix a Hacked WordPress Site
If you've confirmed your site is compromised, here's the action plan:
Step 1: Don't Panic, But Act Fast
The longer spam pages live on your domain, the more damage they do to your search rankings. Google may eventually flag your entire domain as compromised. Time matters here.
Step 2: Put Your Site in Maintenance Mode
Before you start cleaning, put up a maintenance page so visitors don't interact with compromised content. This also prevents the hack from spreading further while you work.
Step 3: Change Every Password
Change your WordPress admin password, database password, FTP credentials, and hosting control panel password. Do this before anything else so the attacker can't undo your cleanup in real time. Generate strong, unique passwords with a password manager.
Step 4: Clean Up Google Search Console
- Go to Google Search Console then Removals
- Submit removal requests for all spam URLs
- For directories with multiple spam pages, use Remove all URLs with this prefix
- Use URL Inspection then Request Indexing on your legitimate pages to push Google to re-crawl the clean versions
Step 5: Scan and Remove Malware
- Use a security plugin like Wordfence or Sucuri to scan your files
- Manually check /wp-content/uploads/, /wp-includes/, and your theme files for unfamiliar PHP files
- Look for long base64-encoded strings in your files, especially ones passed to eval(). These are often malicious payloads, but legitimate code uses base64 too, so treat a hit as a lead to investigate rather than proof
- Check your database for injected content in wp_options and wp_posts tables
- Compare your core WordPress files against a fresh download to find modified files
Step 6: Remove Backdoor Users and Files
- Delete any admin users you don't recognize
- Remove any unfamiliar PHP files, especially in /wp-content/uploads/ (there should never be PHP files in your uploads folder)
- Check your .htaccess file for suspicious redirect rules
- Regenerate your WordPress security keys and salts in wp-config.php
Step 7: Update Everything
- Update WordPress core to the latest version
- Update all plugins and themes
- Delete any plugins or themes you're not actively using
- If you're running a theme or plugin that no longer receives updates, find a replacement
Step 8: Harden Your Security
- Install a web application firewall (Wordfence or Sucuri)
- Enable two-factor authentication on all admin accounts
- Limit login attempts to prevent brute force attacks
- Change your database table prefix from the default wp_
- Disable file editing from the WordPress dashboard
- Block PHP execution in the /wp-content/uploads/ directory
Step 9: Request a Security Review from Google
If Google flagged your site with a "This site may be hacked" warning, go to Search Console, then Security Issues, and request a review after you've completed your cleanup. Google typically responds within a few days.
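The file-system checks in Steps 5, 6 and 8 can be scripted so you run the same triage every time instead of eyeballing directories. The helper below is an added example, not code from the original post: it looks for PHP under uploads, for eval() wrapped around a decoder, for external redirects in .htaccess, and for two of the Step 8 hardening settings, and it runs against a constructed sample tree. The sample paths, the PLACEHOLDER payload and the `WP_FINDINGS` variable are all assumptions made for the example.

```shell
#!/bin/sh
# Triage helper for Steps 5, 6 and 8 above, run against a WordPress document root.
# Added example with a constructed sample tree, not code from the original post.
# It produces leads to review by hand; it does not decide what is malicious.
# Step 5's core-file comparison is better done with WP-CLI: wp core verify-checksums

wp_triage() {                  # usage: wp_triage /path/to/docroot
  root="$1"; n=0; tmp=$(mktemp)

  # Step 6: there should never be PHP files under uploads.
  find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) \
    > "$tmp" 2>/dev/null || true
  while read -r f; do echo "PHP file in uploads: $f"; n=$((n + 1)); done < "$tmp"

  # Step 5: eval() wrapped around a decoder is the classic injected-payload idiom.
  # Plain base64_decode() also appears in legitimate code, so the pattern stays narrow.
  grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
    "$root/wp-content" "$root/wp-includes" > "$tmp" 2>/dev/null || true
  while read -r f; do echo "obfuscated eval(): $f"; n=$((n + 1)); done < "$tmp"

  # Step 6: rewrite rules that send visitors to another host. Your own http->https
  # redirect shows up here too; a rule pointing at a domain you don't own is the lead.
  grep -nE 'RewriteRule.*https?://' "$root/.htaccess" > "$tmp" 2>/dev/null || true
  while read -r l; do echo "redirect in .htaccess: $l"; n=$((n + 1)); done < "$tmp"

  # Step 8: two hardening settings that are cheap to verify.
  grep -qE "DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$root/wp-config.php" 2>/dev/null \
    || { echo "wp-config.php: DISALLOW_FILE_EDIT is not set to true"; n=$((n + 1)); }
  grep -qiE 'require all denied|deny from all' "$root/wp-content/uploads/.htaccess" 2>/dev/null \
    || { echo "uploads/.htaccess: nothing blocks PHP execution"; n=$((n + 1)); }

  rm -f "$tmp"
  WP_FINDINGS=$n               # left in a variable so a caller can check the count
}

make_sample_site() {           # constructed tree with one planted uploads backdoor
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2024/11" "$d/wp-content/themes/demo"
  printf '<?php eval(base64_decode("PLACEHOLDER"));\n' > "$d/wp-content/uploads/2024/11/wp-cache.php"
  printf 'not a script\n' > "$d/wp-content/uploads/2024/11/photo.jpg"
  printf '<?php add_theme_support("title-tag");\n' > "$d/wp-content/themes/demo/functions.php"
  printf "<?php define('DB_NAME', 'demo');\n" > "$d/wp-config.php"
  echo "$d"
}

case "${1:-}" in
  --demo) d=$(make_sample_site); wp_triage "$d"; echo "findings: $WP_FINDINGS"; rm -rf "$d" ;;
  "")     ;;
  *)      wp_triage "$1"; echo "findings: $WP_FINDINGS" ;;
esac
```

On the sample tree it reports four findings: the planted PHP file (twice, once for its location and once for its eval idiom), the missing DISALLOW_FILE_EDIT, and the missing deny rule in uploads.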
Tips to Prevent Future WordPress Hacks
Cleaning up a hacked site is stressful and time-consuming. Here's how to make sure it doesn't happen again:
Keep WordPress, Plugins, and Themes Updated
We can't stress this enough. The majority of WordPress hacks exploit known vulnerabilities in outdated software. Set up automatic updates for minor WordPress releases. Check your plugins at least once a week. If a plugin hasn't been updated by its developer in over a year, replace it with one that's actively maintained.
Use Strong, Unique Passwords and Two-Factor Authentication
Use a password manager like 1Password or Bitwarden. Never reuse passwords across sites. And turn on two-factor authentication for every admin account. Even if someone guesses your password, 2FA stops them from logging in.
Choose Quality Hosting
Cheap shared hosting often means shared vulnerabilities. Invest in managed WordPress hosting from providers like WP Engine, Kinsta, or Flywheel. They include built-in security scanning, automatic backups, server-level firewalls, and staging environments so you can test updates before they go live.
Limit Your Plugins
Every plugin is a potential entry point. Only install plugins from reputable developers with a track record of regular updates and good reviews. Audit your plugin list every few months and remove anything you're not using. If you can accomplish something with custom code instead of a plugin, that's usually the safer option.
Set Up Daily Backups
Back up your site every day. Store backups off-site, not just on your server (if your server is compromised, your backups are too). Test your backups periodically to make sure they actually restore correctly. Services like UpdraftPlus, BlogVault, or your hosting provider's built-in backup tools make this easy.
Install a Firewall and Security Plugin
A web application firewall (WAF) blocks malicious traffic before it reaches your site. Wordfence and Sucuri both offer free and premium options. At a minimum, enable login protection, file integrity monitoring, and malware scanning.
Monitor Your Site Regularly
Set up Google Search Console alerts so you're notified of security issues immediately. Run a site:yourdomain.com search in Google once a month to check for spam pages. Review your server access logs for unusual activity. The sooner you catch a problem, the easier it is to fix.
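"Unusual activity" in the access log usually means one of two things on a WordPress site: a run of POSTs to wp-login.php from one client (the brute force described earlier) or a request for a PHP file under wp-content/uploads (which should not exist). The script below is an added example with constructed log lines, not code from the original post; it assumes the common "combined" log format and uses the documentation IP ranges for its sample data.

```shell
#!/bin/sh
# Access-log review for two patterns this post describes: brute force against
# wp-login.php and requests for PHP files under wp-content/uploads. Added example
# with constructed log lines, not code from the original post. Assumes the common
# "combined" log format (client IP first, request line in quotes, then status).

# Print "ip posts logins" for each client that POSTed to wp-login.php at least N
# times. WordPress answers a failed login with 200 (form re-rendered) and a
# successful one with a 302 redirect, so a 302 after a run of 200s is the worry.
login_bruteforce() {           # usage: login_bruteforce access.log N
  awk -v min="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { posts[$1]++; if ($9 == 302) ok[$1]++ }
    END { for (ip in posts) if (posts[ip] >= min) print ip, posts[ip], ok[ip] + 0 }
  ' "$1"
}

# Print "ip path status" for every request to a .php file inside uploads.
# A 200 means the server ran the file; 403 means the Step 8 block held.
uploads_php_hits() {           # usage: uploads_php_hits access.log
  awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $7, $9 }' "$1"
}

# Constructed sample log using documentation IP ranges (RFC 5737).
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.7 - - [10/Mar/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3498 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Mar/2025:10:07:11 +0000] "GET / HTTP/1.1" 200 18233 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:09:40 +0000] "GET /wp-content/uploads/2024/11/wp-cache.php?c=1 HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [10/Mar/2025:10:12:05 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 88120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:12:30 +0000] "GET /wp-content/uploads/2025/01/x.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
EOF
  echo "$f"
}

if [ "${1:-}" = "--demo" ]; then
  log=$(make_sample_log)
  echo "clients with 5+ POSTs to wp-login.php:"; login_bruteforce "$log" 5
  echo "requests for PHP under uploads:";        uploads_php_hits "$log"
  rm -f "$log"
fi
```

On the sample, 203.0.113.7 shows six login POSTs ending in a 302 and then a 200 on a PHP file under uploads, which is the sequence of a guessed password followed by a dropped backdoor being used.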
Consider Professional Maintenance
If managing updates, backups, and security monitoring sounds like a lot, that's because it is. It's ongoing work that requires attention every week. Our website maintenance and development retainer handles all of this for you, so you can focus on running your business while we keep your site secure, updated, and performing well.
When It's Time to Move Off WordPress
Sometimes the best security decision is to migrate away from WordPress entirely. That's what we did.
We rebuilt elfatranydesign.com on Next.js, a modern framework where:
- There's no admin panel for attackers to target
- Pages are pre-built as static files, not generated from a database
- There are no plugins with vulnerable code
- The attack surface is dramatically smaller
For businesses that don't need the complexity of a full CMS, a static or hybrid site is inherently more secure. Your site loads faster, ranks better, and gives hackers almost nothing to exploit. We still manage content through Sanity, a headless CMS that's completely separate from the frontend. It gives us the editing experience of WordPress without the security baggage.
If you're tired of dealing with WordPress security issues and want to explore what a modern website looks like, we'd love to talk about it.
The Bottom Line
A hacked WordPress site isn't the end of the world, but it is a wake-up call. Whether you choose to clean up and harden your existing WordPress installation or migrate to a more secure platform, the important thing is to act.
If you're not sure whether your site has been compromised, start by searching site:yourdomain.com in Google. You might be surprised by what you find.
Need help securing your website or planning a migration? We've been through it ourselves and can help you navigate the process. Get in touch to start the conversation.
Frequently Asked Questions
How do I know if my WordPress site has been hacked?
The easiest way to check is to search site:yourdomain.com in Google. If you see pages you didn't create, your site has likely been compromised. Other signs include Google Search Console warnings, unexpected redirects, slow performance, unfamiliar admin users in your dashboard, or your hosting provider flagging malware on your account.
Can a hacked WordPress site hurt my Google rankings?
Absolutely. When hackers inject spam pages into your site, Google starts associating your domain with that content. Your legitimate pages can drop in rankings, and in severe cases, Google may flag your entire site with a "This site may be hacked" warning in search results. The longer the spam pages stay indexed, the more damage they do.
How much does it cost to fix a hacked WordPress site?
It depends on the severity. A basic malware cleanup with a plugin like Wordfence can be done for free if you're comfortable doing it yourself. Professional cleanup services typically range from $200 to $600 for a one-time fix. Ongoing security monitoring and maintenance plans (like the ones we offer) start around $255/month and prevent most hacks from happening in the first place.
How long does it take to recover from a WordPress hack?
The cleanup itself can take anywhere from a few hours to a few days, depending on how deeply the site was compromised. But the full recovery, including getting spam pages deindexed from Google and restoring your search rankings, can take several weeks to a few months. That's why acting quickly matters so much.
Should I just rebuild my WordPress site from scratch?
If the hack is severe or your site was already outdated, rebuilding might actually be the faster and more cost-effective option. It's also a good opportunity to evaluate whether WordPress is still the right platform for your needs. Many businesses are moving to modern frameworks like Next.js that offer better performance and a much smaller attack surface.
Is WordPress safe to use?
WordPress itself is maintained by a large team of developers and receives regular security updates. The platform at its core is reasonably secure. The problems usually come from third-party plugins, outdated software, weak passwords, and poor hosting. If you keep everything updated and follow security best practices, WordPress can be safe. But it does require ongoing attention.
How do hackers find WordPress sites to attack?
Most attacks are automated. Bots scan the internet for sites running known vulnerable versions of popular plugins. They don't specifically target your business. They're casting a wide net and exploiting whatever they find. That's why even small business sites with minimal traffic can get hacked.
What's the difference between a firewall and a security plugin?
A web application firewall (WAF) sits between your site and incoming traffic, blocking malicious requests before they reach WordPress. A security plugin runs within WordPress and handles things like malware scanning, login protection, and file monitoring. Ideally you want both. Plugins like Wordfence combine firewall and security scanning in one package.