Elfatrany Design

Your WordPress Site Was Hacked - Here's How to Tell and What to Do About It


It happened to us. Our own WordPress site was compromised - and we didn't even know it until we migrated to a new platform and checked Google Search Console. What we found was alarming: spam pages indexed under our domain, fake product listings for "reborn doll clothes" and "velvet ribbon," and a Google listing that said we were based in New York when we've been in North Carolina for years.

If you run a WordPress site, this article is for you. We'll walk through how to tell if your site has been hacked, what to do about it, and how to prevent it from happening again.

The Signs Your WordPress Site Has Been Hacked

Most business owners don't realize their site has been compromised until the damage is done. Here are the warning signs we discovered - and the ones you should watch for:

1. Strange Pages Appearing in Google Search Results

This was our biggest red flag. When we searched site:elfatranydesign.com in Google, we found pages we never created:

  • URLs with random directory paths like /pjgukn/4-inch-wide-velvet-ribbon
  • Product listings for items we've never sold
  • Pages in languages we don't speak
  • Query parameter spam like /?e=278272914 with titles like "Sale landscape design Deals"

If you search site:yourdomain.com in Google and see pages you didn't create, your site has been compromised.

2. Google Search Console Warnings

In our Search Console, we found "Product snippets" being detected on our homepage - specifically, a structured data entry for "Best 10 inch reborn doll clothes Factory Sale." We never sold dolls. This was injected malware creating fake product schema to exploit Google's rich results.
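
A check for this kind of injection, as an added example (not code from the original article): it pulls every JSON-LD block out of a page's HTML and reports schema types the site owner does not expect to publish. The `EXPECTED_TYPES` set and the sample HTML are constructed for illustration.

```python
import json
from html.parser import HTMLParser

EXPECTED_TYPES = {"Organization", "WebSite", "Article"}  # assumption: types this site publishes
# Constructed sample: page markup carrying an injected Product entry.
SAMPLE_HTML = """
<script type="application/ld+json">{"@type": "Organization", "name": "Example Studio"}</script>
<script type="application/ld+json">{"@graph": [{"@type": "Product",
 "name": "Best 10 inch reborn doll clothes Factory Sale", "offers": {"@type": "Offer"}}]}</script>
"""

class JsonLdExtractor(HTMLParser):  # collects the body of each application/ld+json script
    def __init__(self):
        super().__init__()
        self.blocks, self._buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and (dict(attrs).get("type") or "").lower() == "application/ld+json":
            self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.blocks.append("".join(self._buf))
            self._buf = None

def walk(node):
    """Yield (type, name) for every typed object, nested and @graph items included."""
    if isinstance(node, dict):
        types = node.get("@type")
        for t in types if isinstance(types, list) else [types]:
            if isinstance(t, str):
                yield t, str(node.get("name", ""))
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from walk(item)

def unexpected_schema(html, expected=EXPECTED_TYPES):
    parser = JsonLdExtractor()
    parser.feed(html)
    findings = []
    for raw in parser.blocks:
        try:
            findings += [(t, n) for t, n in walk(json.loads(raw)) if t not in expected]
        except json.JSONDecodeError:
            findings.append(("<unparseable>", raw.strip()[:60]))
    return findings
```

Run it against the saved HTML of your homepage and key landing pages; any type you do not recognise is a lead to trace back to a theme file, plugin or database option.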

3. Outdated or Wrong Business Information

Hackers often modify your site's metadata. In our case, platforms like Facebook and LinkedIn were still showing cached data that said "A Creative Design Agency based in New York" - information from before the hack that the attackers never bothered to update, mixed with their spam content.

4. Unexpected Redirects or Slow Performance

Some hacks redirect your visitors to spam sites or inject scripts that slow down your page load. If visitors or clients mention your site acting strangely, take it seriously.

What Hackers Actually Do to Your WordPress Site

The most common WordPress hacks don't deface your homepage with a skull and crossbones. They're subtle. Attackers inject:

  • Hidden spam pages that are invisible to you but indexed by Google. These pages sell backlinks or promote products, using your domain's authority.
  • Malicious structured data (JSON-LD) that tricks Google into showing fake rich results for your site.
  • Backdoor files in your /wp-content/ or /wp-includes/ directories that give them persistent access even after you change your password.
  • Database injections that modify your posts, pages, or site options with spam content.

The goal isn't to destroy your site - it's to exploit your domain's search engine reputation to promote their own products and services.

How to Fix a Hacked WordPress Site

If you've confirmed your site is compromised, here's the action plan:

Step 1: Don't Panic, But Act Fast

The longer spam pages live on your domain, the more damage they do to your search rankings. Google may eventually flag your entire domain as compromised.

Step 2: Clean Up Google Search Console

  • Go to Google Search Console → Removals
  • Submit removal requests for all spam URLs
  • For directories with multiple spam pages, use "Remove all URLs with this prefix"
  • Use URL Inspection → Request Indexing on your legitimate pages to push Google to re-crawl the clean versions
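
One way to build the removal list for this step, as an added example (not code from the original article): it compares the URLs Google reports for your domain against the paths you actually publish and groups the unknown ones by first directory, so a directory full of spam can go in as one prefix removal. The URL list and the `KNOWN_PATHS` set are constructed sample data; in practice they would come from a Search Console export and your sitemap.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: paths the site really publishes (e.g. from its sitemap).
KNOWN_PATHS = {"/", "/about", "/services", "/blog/wordpress-hacked"}
# Constructed sample of URLs reported as indexed for the domain.
INDEXED_URLS = [
    "https://example.com/about/",
    "https://example.com/pjgukn/4-inch-wide-velvet-ribbon",
    "https://example.com/pjgukn/item-two",
    "https://example.com/?e=278272914",
    "https://example.com/xkqzt/item-one",
]


def normalize(path):
    """Treat /about and /about/ as the same page."""
    return path.rstrip("/") or "/"


def triage(urls, known_paths):
    """Return ({prefix: [urls]}, [single urls]) for URLs the site does not publish."""
    known = {normalize(p) for p in known_paths}
    by_dir, single = defaultdict(list), []
    for url in urls:
        parts = urlsplit(url)
        path = normalize(parts.path)
        if path in known and not parts.query:
            continue  # a page we publish, with no query string attached
        segments = [s for s in path.split("/") if s]
        if path in known or len(segments) < 2:
            # Real page with an unexpected query string, or an unknown top-level
            # page: list it individually, a prefix removal would be too broad.
            single.append(url)
        else:
            by_dir["/" + segments[0] + "/"].append(url)
    prefixes = {}
    for prefix, found in by_dir.items():
        # Only suggest a prefix when no legitimate page lives under it.
        if any(k.startswith(prefix) for k in known):
            single.extend(found)
        else:
            prefixes[prefix] = found
    return prefixes, sorted(single)
```

Review the output before submitting anything: a legitimate page with a tracking parameter will also appear in the single-URL list.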

Step 3: Scan and Remove Malware

  • Use a security plugin like Wordfence or Sucuri to scan your files
  • Manually check /wp-content/uploads/, /wp-includes/, and your theme files for unfamiliar PHP files
  • Look for base64-encoded strings in your files - these are often malicious payloads
  • Check your database for injected content in wp_options and wp_posts tables
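
The manual file checks in this step can be scripted. The following is an added example (not code from the original article) that walks a WordPress directory and reports PHP files under wp-content/uploads, plus PHP files that execute decoded data or carry long base64 runs. The regexes and the 200-character threshold are assumptions chosen for illustration, and the demo tree is constructed; hits are leads for manual review, since legitimate plugins also use base64.

```python
import re
import tempfile
from pathlib import Path

PHP_EXT = (".php", ".phtml", ".php5", ".phar")
# Assumption: heuristics picked for illustration; tune them for your own site.
DECODE_EXEC = re.compile(rb"(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
LONG_B64 = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def scan(root):
    """Return sorted (relative_path, reason) findings for manual review."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in PHP_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file in uploads directory"))
        body = path.read_bytes()
        if DECODE_EXEC.search(body):
            findings.append((rel, "executes decoded data"))
        elif LONG_B64.search(body):
            findings.append((rel, "long base64 string"))
    return sorted(findings)


def build_demo_tree(root):
    """Write a constructed sample tree; every file body is an inert placeholder."""
    samples = {
        "wp-includes/version.php": b"<?php $wp_version = '0.0';",
        "wp-content/uploads/2024/01/logo.png": b"\x89PNG placeholder",
        "wp-content/uploads/2024/01/cache.php": b"<?php // placeholder",
        "wp-includes/class-wp-tmp.php": b"<?php eval(base64_decode('" + b"QUJD" * 10 + b"'));",
        "wp-content/themes/demo/functions.php": b"<?php $d = '" + b"QUJD" * 60 + b"';",
    }
    for rel, data in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def demo():
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan(root)
```

Point `scan()` at a downloaded copy of the site rather than the live server, and compare anything it flags in /wp-includes/ against a fresh WordPress download of the same version.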

Step 4: Update Everything

  • Update WordPress core to the latest version
  • Update all plugins and themes
  • Delete any plugins or themes you're not actively using
  • Change all passwords: WordPress admin, database, FTP, and hosting panel

Step 5: Harden Your Security

  • Install a web application firewall (Wordfence or Sucuri)
  • Enable two-factor authentication on all admin accounts
  • Limit login attempts to prevent brute force attacks
  • Change your database table prefix from the default wp_
  • Disable file editing from the WordPress dashboard

How to Prevent Future Hacks

Prevention is always easier than cleanup. Here's what every WordPress site owner should do:

Keep Everything Updated

The number one cause of WordPress hacks is outdated software. Set up automatic updates for minor WordPress releases, and check plugins weekly.

Use Strong, Unique Passwords

Use a password manager. Never reuse passwords across sites. Enable two-factor authentication everywhere you can.

Choose Reputable Hosting

Cheap shared hosting often means shared vulnerabilities. Invest in managed WordPress hosting with built-in security scanning, automatic backups, and server-level firewalls.

Regular Backups

Back up your site daily. Store backups off-site (not just on your server). Test your backups periodically to make sure they actually work.

Limit Plugin Usage

Every plugin is a potential attack vector. Only install plugins from reputable developers with regular updates. If a plugin hasn't been updated in over a year, find an alternative.

When It's Time to Move Off WordPress

Sometimes the best security decision is to migrate away from WordPress entirely. That's what we did.

We rebuilt elfatranydesign.com on Next.js - a modern framework where:

  • There's no admin panel for attackers to target
  • Pages are pre-built as static files, not generated from a database
  • There are no plugins with vulnerable code
  • The attack surface is dramatically smaller

For businesses that don't need the complexity of a full CMS, a static or hybrid site is inherently more secure. Your site loads faster, ranks better, and gives hackers almost nothing to exploit.

The Bottom Line

A hacked WordPress site isn't the end of the world, but it is a wake-up call. Whether you choose to clean up and harden your existing WordPress installation or migrate to a more secure platform, the important thing is to act.

If you're not sure whether your site has been compromised, start by searching site:yourdomain.com in Google. You might be surprised by what you find.

Need help securing your website or planning a migration? We've been through it ourselves and can help you navigate the process. Get in touch to start the conversation.

Hope this helps.

Best,

Sammy
