Nobody expects their website to get hacked. For most small business owners, the thought doesn’t even cross their minds until it happens. But WordPress sites are targeted every single day, and the longer a compromise goes undetected, the more damage it causes to your business, your reputation, and your customers’ trust.
Here are five clear warning signs that your WordPress site may have been compromised, and what you should do about each one.
1. Your Site Redirects Visitors to Spam or Suspicious Pages
This is one of the most common and alarming signs of a hack. You type in your website address and instead of seeing your homepage, you’re whisked away to a dodgy pharmaceutical site, a gambling page, or something far worse. Sometimes the redirect only happens on mobile devices, or only when visitors arrive from Google, which makes it harder to spot.
Why it happens: Hackers inject malicious code into your theme files, plugins, or database. This code detects where visitors are coming from and redirects them to sites that generate revenue for the attacker.
What to do immediately: Do not log into your WordPress admin panel from the affected site. Instead, contact your hosting provider and let them know you suspect a compromise. If you have a recent clean backup, make a note of when it was taken. Do not restore it yet, as you need to close the vulnerability first.
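The conditional behaviour described above (redirecting only mobile visitors or only visitors arriving from Google) can be checked from the outside by requesting your own homepage under several visitor profiles and comparing where each one is sent. This is an added example, not code from the original article; the profile strings and function names are constructed for illustration.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Constructed visitor profiles: direct desktop, mobile, and arriving from Google.
DESKTOP = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
MOBILE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile"
PROFILES = {
    "desktop-direct": {"User-Agent": DESKTOP},
    "mobile-direct": {"User-Agent": MOBILE},
    "desktop-from-google": {"User-Agent": DESKTOP, "Referer": "https://www.google.com/"},
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx is then raised as HTTPError

def redirect_target(url, headers, timeout=10):
    """Return the absolute URL a 3xx response points to, or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        opener.open(urllib.request.Request(url, headers=headers), timeout=timeout).close()
    except urllib.error.HTTPError as err:
        location = err.headers.get("Location")
        if 300 <= err.code < 400 and location:
            return urljoin(url, location)
    return None

def _site(url):
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host  # www and bare host are one site

def off_site_redirects(url, fetch=redirect_target):
    """Map profile name -> redirect target for profiles sent to another host."""
    findings = {}
    for name, headers in PROFILES.items():
        target = fetch(url, headers)
        if target and _site(target) != _site(url):
            findings[name] = target
    return findings

if __name__ == "__main__":
    import sys
    for profile, target in off_site_redirects(sys.argv[1]).items():
        print(f"{profile}: redirected to {target}")
```

A profile that appears in the output while "desktop-direct" does not is the pattern this section describes. The check only sees server-side (HTTP 3xx) redirects; a redirect performed by injected JavaScript needs a browser to observe.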
2. Unknown Admin Users Have Appeared
Log into your WordPress dashboard and navigate to Users. If you see administrator accounts you don’t recognise, your site has almost certainly been compromised. Hackers create these accounts to maintain access even after you change your own password.
Why it happens: Attackers exploit vulnerabilities in outdated plugins or use stolen credentials to create backdoor admin accounts. Some malware even creates hidden admin users that don’t appear in the standard user list.
What to do immediately: Delete any admin accounts you don’t recognise. Change the passwords for every legitimate admin account. Enable two-factor authentication if you haven’t already. Then check your plugins and themes for any that are outdated or unfamiliar.
3. Your Pages Have Been Defaced or Contain Strange Content
Sometimes hackers aren’t subtle. They replace your homepage with their own message, or inject hidden content into your pages. This hidden content might include links to other websites, pharmaceutical spam, or content in languages you don’t use. You might not notice it visually, but search engines certainly will.
Why it happens: Some hackers deface sites to make a statement or prove their skills. Others inject hidden content for SEO spam, using your site’s authority to boost their own dodgy websites in search rankings.
What to do immediately: Take screenshots of the defaced content for your records. Check your posts and pages for any content you didn’t create. Look at your site’s source code for hidden links or text. If you see injected content, your database has likely been compromised.
4. Google Shows a “This Site May Be Hacked” Warning
If Google detects malware or suspicious content on your site, it will display a warning in search results that reads “This site may be hacked” or “This site may harm your computer.” This is devastating for your business because most people will never click through to a site with that warning.
Why it happens: Google’s automated systems scan billions of pages looking for malware, phishing attempts, and spam. When they find it on your site, they flag it to protect searchers. By the time Google flags your site, the hack has usually been in place for days or weeks.
What to do immediately: Log into Google Search Console. Under Security Issues, Google will tell you exactly what it found. This information is invaluable for cleaning up the hack. Don’t ignore this warning. Every day it stays up, you’re losing potential customers and damaging your search rankings.
5. A Sudden, Unexplained Drop in Traffic
If your website traffic falls off a cliff with no obvious explanation, a hack could be the cause. This is especially true if the drop coincides with Google flagging your site, but it can also happen when hackers redirect your organic traffic to their own sites.
Why it happens: Between Google warnings scaring off visitors, malicious redirects sending traffic elsewhere, and potential blacklisting by security services, a compromised site can lose the majority of its traffic almost overnight.
What to do immediately: Check Google Search Console for security warnings. Review your analytics for unusual patterns such as traffic from unexpected countries or spikes in traffic to pages that shouldn’t be popular. Compare your traffic sources before and after the drop.
What to Do Next
If you’ve spotted any of these signs, time is critical. Here’s a quick action plan:
- Don’t panic, but do act quickly. The longer a hack goes unaddressed, the harder it is to clean up.
- Change all passwords. WordPress admin, hosting panel, FTP, and database passwords should all be changed immediately.
- Document everything. Take screenshots and notes about what you’ve found. This helps whoever cleans up the site.
- Contact a professional. Cleaning a hacked site properly requires expertise. A botched cleanup can leave backdoors in place, leading to reinfection within days.
- Prevent it happening again. Once the site is clean, put proper security measures in place including regular updates, strong passwords, two-factor authentication, and a good security plugin.
We clean hacked WordPress sites every week. The pattern is almost always the same: an outdated plugin, a weak password, or a lack of basic security measures. The good news is that in most cases, we can have your site cleaned and secured within a few hours.
If you’re seeing any of these signs on your WordPress site, don’t wait for things to get worse. Get in touch with us and we’ll take a look.
