Aller au contenu principal
Urgence

Hacked WordPress site: 12 signs you must not ignore

January 20, 2026 7 min read

Key takeaways

  • Table of Contents
  • 1. Unknown administrator accounts
  • 2. Modified or defaced homepage

Published June 13, 2025 · Category: Emergency · Reading time: 12 min

⚠️ SECURITY ALERT — Your WordPress site could be compromised without you knowing. An undetected hack can cause catastrophic damage for weeks before being noticed.

According to the Sophos 2024 report, a website attack costs small businesses an average of $4,500. Yet 90% of hacks are preventable with basic security measures. The worst part? Most site owners don't realize they've been hacked until it's too late. Here are the 12 signs that should never be ignored.

1. Unknown administrator accounts

This is one of the most alarming signs and yet one of the most frequently ignored.

How to check:

  1. Log in to your WordPress dashboard
  2. Go to Users → All Users
  3. Check the complete list of accounts with the "Administrator" role
  4. Look for usernames you don't recognize

Why it's dangerous:

An unknown administrator account means someone else has full access to your site. They can modify content, install malware, steal your users' data, or use your server to attack other sites.

What to do:

  • Immediately delete unauthorized accounts
  • Check the modification history made by these accounts
  • Change all administrator passwords
  • Enable two-factor authentication

If you discover suspicious accounts, contact WpDefender immediately for a complete site analysis.

2. Modified or defaced homepage

If your homepage displays content you didn't publish — political messages, ads for illegal products, or simply a blank page — your site has been compromised.

Common defacement variants:

  • Complete defacement: The homepage is entirely replaced
  • Partial defacement: Text blocks or images are added
  • Code injection: Invisible code is added (only visible in source code)
  • Conditional defacement: The modification only appears for certain visitors or devices
💡 Tip: Sophisticated attackers don't always deface your site. They prefer invisible modifications that last longer without being detected. Regularly check your pages' source code.

3. Google blacklist warning

Google detects and flags compromised sites to its users. If your site appears with the warning "This site may be hacked" or "This site may harm your computer", it's an absolute emergency.

Impact on your business:

  • 95% traffic drop: Most visitors leave immediately
  • SEO penalties: Your site loses its ranking in search results
  • Loss of trust: Potential customers see a security warning
  • Revenue loss: For an e-commerce site, every day on the blacklist represents lost sales

How to check:

  1. Google Search Console: Log in and check the Security & Manual Actions section
  2. Direct test: Type site:yoursite.com in Google
  3. VirusTotal: Submit your URL on virustotal.com for multi-engine analysis

Find detailed advice in our article: Google blacklist: how to get off the blacklist in 24h.

4. Unauthorized redirects

Your visitors are being redirected to gambling, pornography, online pharmacy, or other malicious sites? This is a clear sign of compromise.

Types of redirects:

  • Server-side redirect: Modifies the .htaccess file or PHP code
  • Client-side redirect: Injects JavaScript into your pages
  • Conditional redirect: Only redirects search engines or mobile users
  • Delayed infection redirect: Only appears after several visits

How to identify the source:

  1. Examine your pages' source code (right-click → View Source)
  2. Look for unknown <script> or <iframe> tags
  3. Check your .htaccess file for suspicious RewriteRule rules
  4. Consult database options for injected code

Read our complete guide on the subject: Redirects to malicious sites: why and how to stop them.

5. Slowed performance

If your WordPress site is suddenly much slower than before, this could be a sign of compromise.

Why a hacked site slows down:

  • Malicious scripts: Injected code consumes server resources
  • Infinite loops: Some malware creates loops that overload the processor
  • Overloaded database: Injected queries weigh down performance
  • Network traffic: Your server is being used for DDoS attacks or spam

How to diagnose:

  1. Compare current load times with your usual metrics
  2. Check server logs for errors or activity spikes
  3. Use GTmetrix or Google PageSpeed Insights to identify issues
  4. Check if your host reports CPU/RAM quota overuse

6. Unknown or modified files

The appearance of files you didn't create is a major indicator of hacking.

Where to look:

  • wp-content/uploads/: Upload folders should never contain PHP files
  • Site root: Files like config.bak.php, wp-settings.bak.php are suspicious
  • /tmp/ or /var/tmp/: Suspicious temporary files on the server
  • .htaccess: Unauthorized modifications to rewrite rules

Detection tools:

  • Compare files with a clean WordPress copy using diff
  • Use the Wordfence plugin to scan for modifications
  • Check file timestamps to spot recent additions

For a thorough analysis, learn how to detect malware on WordPress using the same methods as security professionals.

7. Passwords changed without your consent

If you can no longer log in with your usual credentials, or if another administrator reports their password has changed, this is an alarming sign.

Typical situations:

  • You're logged out of wp-admin without any action on your part
  • A colleague informs you their credentials no longer work
  • You receive password reset emails you didn't request
  • Your host notifies you of FTP password changes

Immediate actions:

  1. Contact your host to verify authentication logs
  2. Reset the database password from the hosting control panel
  3. Modify the password in wp-config.php if necessary
  4. Check all administrator accounts for unauthorized modifications

8. Suspicious database queries

Unexpected SQL queries or unusual database errors can indicate SQL injection.

Signs to watch for:

  • Unexplained MySQL errors: Error messages containing SQL code
  • Modified content in database: Posts or pages containing unauthorized text
  • New options in wp_options: Entries you didn't create
  • Unknown tables: New tables in your database

How to check:

  1. Examine database tables via phpMyAdmin
  2. Search for suspicious content in text fields
  3. Check WordPress options in the wp_options table
  4. Compare the database schema with a standard WordPress installation

9. Pop-ups and unwanted ads

The appearance of advertising pop-ups on your site is not only annoying for your visitors but also a sign of serious compromise.

Types of ad injections:

  • Classic pop-ups: Overlaid windows with advertisements
  • Banner injection: Ads added to your page content
  • Crypto-mining: Your server is being used to mine cryptocurrency
  • Keyloggers: Scripts stealing your visitors' login data
🚨 High Risk: Injected ads can spread malware to your visitors, exposing you to lawsuits and complete destruction of your online reputation.

10. Email domain blacklisted

Your emails landing in spam? Receiving complaints from recipients? Your domain may have been added to an email blacklist.

How to check:

Impact:

  • Transactional emails (orders, confirmations) blocked
  • Communication with your customers interrupted
  • Email campaigns completely ineffective
  • Spam being sent from your server without your knowledge

11. Unknown cron jobs

WordPress uses the cron system to schedule tasks. Attackers exploit this to execute malicious code regularly.

How to detect them:

  1. Use a plugin like WP Crontrol to list all cron tasks
  2. Look for tasks with suspicious names or unknown URLs
  3. Check system tasks via your hosting control panel (system cron jobs)
  4. Examine wp-cron.php files for modifications

Warning signs:

  • Tasks that execute external PHP code
  • Tasks scheduled at unusual hours
  • Tasks that download or send data
  • System crons you didn't configure

12. Modified .htaccess file

The .htaccess file is one of the first files targeted by attackers because it controls your Apache server's behavior.

Common suspicious modifications:

  • Redirects: RewriteRule rules redirecting to malicious sites
  • Cloaking: Rules hiding malicious content from search engines
  • Disabled security: File protection or directory browsing disabled
  • ErrorDocument: Error pages redirected to malicious content

How to check:

  1. Download your .htaccess via FTP
  2. Compare it with a standard WordPress .htaccess
  3. Search for suspicious keywords: redirect, RewriteRule, eval, base64
  4. Check the file's last modification date

Act now, not tomorrow

If you've identified one or more of these signs on your site, don't wait. Every minute of inaction allows attackers to cause more damage. Read our emergency guide hacked site: what to do in 15 minutes to take immediate action.

A single one of these signs is enough to justify an emergency intervention. Multiple signs together indicate a serious compromise requiring professional expertise.

Your site shows one or more of these signs?

Don't risk the security of your online business. Our team of experts analyzes and secures your site in under 30 minutes.

Request a free diagnosis →

Protect your WordPress site today

WpDefender offers 24/7 monitoring, automatic scans, and guaranteed emergency response to protect your site from hacks.

Discover our services →

📞 Emergency: call us directly · ⏱️ Diagnosis in under 30 min

Related articles

Your site is compromised? We take care of everything.

Don't waste time. Every minute counts for your traffic and SEO.

Immediate intervention Free diagnostic
Need urgent help? Scan my site

Related articles

Discover more articles on the same topic

Urgence

My WordPress site was hacked: what to do in 15 minutes
Urgence

How to know if your WordPress site is infected with malware
Urgence

Google blacklist: how to get off the blacklist in 24h
Available now — Response within 30 minutes Immediate intervention
🛡️
WpDefender Bot Online now

Hello! I'm the WpDefender assistant. How can I help you?

Select your problem: