Detecting a hacked WordPress site without wasting time requires a proven method, precise checkpoints and quick decisions. This operational guide shows you how to confirm the intrusion, prioritize the risks, preserve your data and SEO rankings, then start a clean remediation.

1) Immediate warning signs you should never ignore

Before you even open an administration console, scan what your visitors see and what the search engines read. This visual and behavioral scan takes a few minutes and often reveals more than 80% of classic compromises.

What to look out for right away: conditional redirects (they sometimes only activate on first load, on mobile, or for users who are not logged in), injected pop-ups, advertising overlays that don't belong to your experience, sudden lengthening of loading times on simple pages, browser warnings (Chrome/Firefox) about dangerous content, abnormal Google results (titles in Japanese, pharma content, inserts unrelated to your business), and messages such as "This page seems to be sending spam" from certain webmail services after users click links in your newsletters or purchase confirmations.

To get a quick idea of the most common patterns, take a look at these diagrams of common signs of WordPress hacking. If you already tick two or three items, treat the situation as a probable compromise.


2) Server-side technical indicators of compromise

Traces rarely leave room for doubt. First, dig into the global metrics: unexpected CPU/memory spikes, high disk IO outside backups, drop in availability, explosion in outgoing e-mail volume, new IPs banned by your firewall, recently modified files en masse in wp-content (especially uploads), unknown crons, scheduling of tasks by the minute (minutely) that didn't exist, abnormal bandwidth use on the outgoing side (exfiltration).

On the log side: multiply the angles. Watch for 404s to unknown PHP paths, repeated calls to admin-ajax.php or wp-json from dubious ASNs, large POSTs to seldom-used form endpoints, exotic (curl, python-requests) or empty User-Agents, requests to wp-login.php with a constant rhythm (discreet bruteforce), unusual HEAD/OPTIONS just before malicious POSTs, 302/307 redirects not planned in your stack.

Hunt down classic persistence: .php files in uploads or wp-includes, mu-plugins you never created, backdoors in index.php of obsolete themes, .ico or .png scripts that are actually PHP, files named with a legitimate plugin prefix but dropped in the wrong place.

3) Quick 15-minute audit routine

To confirm or deny the intrusion without delay, adopt a standardized protocol. Draw up an inventory: list of active administrator accounts, recovery e-mails and roles (detect a recently created admin2 account), list of plugins and themes with their versions (spot those that no longer receive updates), date of last modification of critical files (wp-config.php, .htaccess, index.php at the root). Measure the exposure surface: directories listed by mistake (directory indexing enabled with no DirectoryIndex file), publicly accessible backup files (.zip, .sql), REST endpoints exposing too much information. Finally, inspect the front end: source code of key pages, unexpected script/iframe tags and strange minification. Anomalies that occur in combination are a strong signal.


4) Front-end checks: DOM, scripts and network

Open the browser's DevTools on a typical page. In the Elements tab, look for scripts inserted at the end of the body, suspicious onload/onmouseover attributes, unknown CDN URLs, base64- or hex-encoded payloads. In the Network tab, filter on JS and Doc: you'll soon see loads from domains with misleading spelling. Also examine the timing: if a third-party JS lengthens the TTFB/DOMContentLoaded disproportionately, it may wrap a conditional redirect or injection.

Specific points of attention: 1px x 1px iframes, pharma/Japanese keywords in the DOM masked via CSS, a Service Worker you never shipped (it can persist redirects), absence or sudden weakening of your CSP/Permissions-Policy, dynamic rewrites of outgoing links to monetize traffic.
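The DevTools checks above can be scripted against a saved copy of the page, which also makes them repeatable across cache layers and devices. The following is an added example written for this guide, not code from the article: it walks one HTML document with the standard-library parser and reports scripts loaded from hosts outside an allow-list (look-alike spellings fail that test), scripts placed after `</body>`, 1x1 or hidden iframes, inline event handlers, and long base64 blobs or decoding helpers in inline scripts. The allow-list `FIRST_PARTY_HOSTS`, the sample page and the redirect target inside it are constructed for the demonstration.

```python
"""Static audit of a page's HTML for the front-end injection patterns above.
Added example (not from the article): the allow-list of first-party hosts and
the sample page are constructed for the demonstration."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts you actually serve scripts from (assumed for this example).
FIRST_PARTY_HOSTS = {"example-shop.tld", "cdn.example-shop.tld"}

# Long base64 runs and the usual decoding helpers are a cheap obfuscation tell.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
OBFUSCATION_HINTS = ("atob(", "unescape(", "String.fromCharCode", "\\x")


class PageAuditor(HTMLParser):
    """Collects (kind, detail) findings while parsing one page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.body_closed = False
        self.script_buf = None  # list while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            src = a.get("src", "")
            if src:
                host = urlparse(src).netloc.lower()
                # look-alike domains (exampIe vs example) fail this test too
                if host and host not in FIRST_PARTY_HOSTS:
                    self.findings.append(("external-script", src))
            if self.body_closed:
                self.findings.append(("script-after-body", src or "inline"))
            self.script_buf = []
        elif tag == "iframe":
            w = a.get("width", "").strip().rstrip("px")
            h = a.get("height", "").strip().rstrip("px")
            style = a.get("style", "").replace(" ", "").lower()
            if (w == "1" and h == "1") or "display:none" in style:
                self.findings.append(("hidden-iframe", a.get("src", "")))
        for name, value in attrs:
            if name.lower().startswith("on") and value:
                self.findings.append(("event-handler", f"{tag}@{name}"))

    def handle_endtag(self, tag):
        if tag == "body":
            self.body_closed = True
        elif tag == "script" and self.script_buf is not None:
            self._inspect_inline("".join(self.script_buf))
            self.script_buf = None

    def handle_data(self, data):
        if self.script_buf is not None:
            self.script_buf.append(data)

    def _inspect_inline(self, js):
        for hint in OBFUSCATION_HINTS:
            if hint in js:
                self.findings.append(("obfuscation-hint", hint))
        for blob in B64_BLOB.findall(js):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if decoded.isprintable():
                self.findings.append(("decoded-base64", decoded))


def audit_html(html):
    auditor = PageAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: a look-alike host, a 1x1 iframe, a script after
# </body> and an inline redirect that only fires for visitors who are not logged in.
REDIRECT_TARGET = "https://example-malware.tld/go"  # constructed, not a real indicator
SAMPLE_PAGE = f"""<!doctype html><html><head><title>Shop</title>
<script src="https://cdn.example-shop.tld/app.js"></script></head>
<body>
<h1>Welcome</h1>
<iframe src="https://exampIe-shop.tld/t" width="1" height="1"></iframe>
<script>var u=atob("{base64.b64encode(REDIRECT_TARGET.encode()).decode()}");
if(!document.cookie.match(/wordpress_logged_in/)){{location.href=u;}}</script>
</body>
<script src="https://exampIe-shop.tld/x.js"></script>
</html>"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_PAGE):
        print(f"{kind:22} {detail}")
```

Run it against the HTML fetched as an anonymous visitor and again as a logged-in administrator; a difference between the two findings lists is itself a strong signal of conditional injection.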

5) High-risk files and persistence points

Target configuration hubs: wp-config.php (constant keys and DB, adding includes or evals), .htaccess (custom Rewrite rules to redirect certain conditions), index.php at root (conditional includes), wp-content/mu-plugins directory (automatic execution on loading), uploads (webshells are camouflaged there). A simple temporal diff speaks for itself: if wp-config.php has been modified for no reason, suspend incoming connections and save proof (time-stamped copy) before taking any action.

6) Database, options and users

In addition to files, a lasting compromise often involves the database: creating discreet admin users, changing the e-mail address of the existing admin account, injecting autoloaded options into the options table to execute code on every request, adding orphaned pages for SEO spam, hijacking widgets or menus. Also check the home and siteurl fields for global redirects, as well as the presence of scripts in post content (script tags, iframes, unknown shortcodes). Finally, scan the cron table for minute-by-minute executions of functions with innocuous names.
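The database checks above reduce to a handful of queries. The following is an added example for this guide, not code from the article: it lists administrator accounts newest first, autoloaded options that carry code, home/siteurl values that differ from the expected URL, posts and pages containing script or iframe tags, and cron hooks scheduled on a non-default recurrence. The queries use only literals so they run unchanged through any DB-API connection to the real MySQL database (the `wp_` table prefix is an assumption; read yours from `$table_prefix` in wp-config.php); here they run against an in-memory SQLite copy populated with constructed rows, including a serialized cron option with a `minutely` hook.

```python
"""Database-side checks for the persistence points listed above.
Added example, not from the article; the SQLite copy and its rows are constructed."""
import re
import sqlite3

TABLE_PREFIX = "wp_"  # assumed; read $table_prefix from wp-config.php

# Literal-only SQL so the same strings work under sqlite3 and MySQL cursors.
CHECKS = {
    "admins": f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {TABLE_PREFIX}users u
        JOIN {TABLE_PREFIX}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = '{TABLE_PREFIX}capabilities'
          AND m.meta_value LIKE '%administrator%'
        ORDER BY u.user_registered DESC""",
    "suspicious_autoload": f"""
        SELECT option_name, LENGTH(option_value)
        FROM {TABLE_PREFIX}options
        WHERE autoload = 'yes'
          AND (option_value LIKE '%eval(%' OR option_value LIKE '%base64_decode(%'
               OR option_value LIKE '%<script%' OR option_value LIKE '%<?php%')""",
    "site_urls": f"""
        SELECT option_name, option_value FROM {TABLE_PREFIX}options
        WHERE option_name IN ('home', 'siteurl')""",
    "injected_posts": f"""
        SELECT ID, post_title FROM {TABLE_PREFIX}posts
        WHERE post_type IN ('post', 'page')
          AND (post_content LIKE '%<script%' OR post_content LIKE '%<iframe%')""",
    "cron": f"SELECT option_value FROM {TABLE_PREFIX}options WHERE option_name = 'cron'",
}

# Recurrences WordPress registers by default; anything else deserves a look.
DEFAULT_SCHEDULES = {"hourly", "twicedaily", "daily", "weekly"}
# Pulls (hook, schedule) pairs out of the PHP-serialized cron array without a
# full unserializer: hook name, then the md5 of its args, then its schedule.
CRON_ENTRY = re.compile(
    r's:\d+:"([^"]+)";a:\d+:\{s:32:"[0-9a-f]{32}";a:\d+:\{s:8:"schedule";s:\d+:"([^"]*)"')


def _rows(cur, key):
    cur.execute(CHECKS[key])
    return cur.fetchall()


def run_checks(conn, expected_url):
    """Return a dict of findings; empty lists mean nothing suspicious for that check."""
    cur = conn.cursor()
    report = {
        "admins": _rows(cur, "admins"),
        "suspicious_autoload": _rows(cur, "suspicious_autoload"),
        "url_mismatch": [r for r in _rows(cur, "site_urls") if r[1] != expected_url],
        "injected_posts": _rows(cur, "injected_posts"),
    }
    cron = _rows(cur, "cron")
    entries = CRON_ENTRY.findall(cron[0][0]) if cron else []
    report["odd_cron"] = [(h, s) for h, s in entries if s not in DEFAULT_SCHEDULES]
    return report


# Constructed cron option: one normal hook and one innocuously named minutely hook.
SAMPLE_CRON = (
    'a:3:{i:1700000000;a:1:{s:17:"wp_update_plugins";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
    'a:3:{s:8:"schedule";s:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}}'
    'i:1700000060;a:1:{s:14:"wp_cache_clean";a:1:{s:32:"d41d8cd98f00b204e9800998ecf8427e";'
    'a:3:{s:8:"schedule";s:8:"minutely";s:4:"args";a:0:{}s:8:"interval";i:60;}}}s:7:"version";i:2;}'
)


def build_sample_db():
    """In-memory SQLite stand-in for the real wp_ tables, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT, autoload TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT, post_type TEXT);
    """)
    c.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "admin", "owner@example-shop.tld", "2021-03-01 10:00:00"),
        (2, "editor", "ed@example-shop.tld", "2022-01-10 09:00:00"),
        (7, "admin2", "rc@mailbox.example", "2024-05-02 03:14:00"),   # the discreet extra admin
    ])
    c.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    c.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        ("home", "https://exampIe-shop.tld", "yes"),          # look-alike host: global redirect
        ("siteurl", "https://example-shop.tld", "yes"),
        ("blogname", "Shop", "yes"),
        ("_wp_cache_x", '<?php eval(base64_decode("CONSTRUCTED_PLACEHOLDER"));', "yes"),
        ("cron", SAMPLE_CRON, "yes"),
    ])
    c.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (10, "About", "<p>Hello</p>", "page"),
        (11, "Pricing", '<p>Plans</p><script src="https://exampIe-shop.tld/x.js"></script>', "page"),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for key, rows in run_checks(build_sample_db(), "https://example-shop.tld").items():
        print(key, rows)
```

The cron regex is deliberately narrow: it only recognizes the standard hook/args-hash/schedule layout, so an entry it cannot parse is not proof of absence. When in doubt, dump the `cron` option and read it with a real PHP unserializer.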

7) SEO spam: exotic keywords, redirects and ghost URLs

Japanese keyword hack, pharma hack and doorway pages remain among the most devastating for image and SEO. Three symptoms: your SERPs display snippets with foreign terms, you discover hundreds of unknown indexed pages, your organic traffic becomes distorted (resulting in an abnormal bounce rate). Start by searching for site:yourdomain.tld in private browsing, and compare the titles with your actual tree structure. Then inspect the permalinks: if the structure has been altered, rewrites may mask a malicious directory.


To find out more about massive URL injection and ghost page generation mechanisms, this resource provides concrete clues for auditing. At the same time, if you need to quickly revise your URL structure after an incident, rely on the methods of permalink optimization to restore clean routes and reduce the risk of reindexing unwanted pages.

8) Extensions, themes and supply chain

Many incidents are caused by a vulnerable component. Typical clues: abandoned (no longer maintained) extensions, security updates released but not applied, nulled themes, files deposited outside the component directory, or dubious lineage (unverified forks). Establish the chronology: when did the abnormal behavior appear, and what was updated or installed just before? Time correlation is your best ally. If you identify a likely point of entry, prioritize neutralization: deactivation, replacement, then trace analysis (logs, dropped files, scheduled tasks).

9) Phishing, clones and selective redirects

Some attackers don't alter your main content; they add phishing pages and redirect only specific profiles (mobile traffic, specific referer, unknown IP). To flush out these scenarios, test your pages on different networks (4G/5G, VPN), devices and browsers, and compare redirect paths. This approach, coupled with a few best practices for recognizing a booby-trapped page, reveals traps that are invisible to logged-in administrators.

10) Differentiate between failure, bug and compromise

Not all bugs are attacks. Here are three simple criteria to distinguish between them: reproducibility (a bug is generally reproducible regardless of the IP, whereas a hack can hide behind conditions), temporality (a bug appears after a known internal update; a compromise can emerge without any change on the team side), persistence (once the cache has been emptied, a bug often disappears; a compromise comes back on its own through scheduled tasks/CRONs). Cross-reference these criteria before triggering a full incident plan, but if substantial doubt persists, treat it as a security incident.

11) Proof policy: preserve, isolate, analyze

As soon as you suspect an intrusion, create snapshots: backup files and database, copy access/error logs, list active processes, export accounts and roles. Work on a copy for analysis, keep production under strict surveillance, and avoid announcing the incident publicly until you've blocked exfiltration routes. Keep your evidence in case you need to contact the host, report abuse or if a more formal investigation is required.


12) Advanced detection checklist

Web surface

Check the content of the home page and strategic pages in private browsing, monitor redirects by region/device, inspect the source code for suspicious external scripts, compare cached content (CDN) with the original version, test the compliance of security headers (CSP, HSTS, X-Frame-Options).

Files and integrity

Compare core and extension versions with the official ones, list recently modified files, look for backdoor patterns (eval, base64_decode, chained gzuncompress, anonymous create_function), detect disguised PHP files (executable .ico/.png extensions), inspect must-use plugins (mu-plugins) that load opaque code.
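The file-side items above, the persistence hunt in section 2 and the temporal diff on configuration hubs in section 5 all come down to one walk over the tree. The following is an added example written for this guide, not code from the article: `scan_tree` reports PHP under uploads, image-extension files that start with a PHP open tag, files carrying the backdoor patterns listed above, every must-use plugin present (each one must be explained), and critical files modified within the last N days. The sample tree, its contents and the placeholder payload strings are constructed; the pattern list is a starting point, not an exhaustive signature set.

```python
"""Persistence hunt over a WordPress tree: PHP in uploads, disguised images,
backdoor patterns, must-use plugins and recently touched critical files.
Added example, not from the article; the sample tree is constructed."""
import os
import re
import tempfile
import time
from pathlib import Path

IMAGE_EXT = {".ico", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp"}
PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_OPEN = re.compile(rb"<\?(php|=)", re.IGNORECASE)
# Functions the article names plus their usual companions; review hits, don't auto-delete.
BACKDOOR = re.compile(
    rb"\b(eval|base64_decode|gzuncompress|gzinflate|str_rot13|create_function|assert)\s*\(",
    re.IGNORECASE)
CRITICAL = ("wp-config.php", ".htaccess", "index.php")  # relative to the site root


def scan_tree(root, recent_days=7, now=None):
    """Return a list of (kind, detail) findings for every file under root."""
    root = Path(root)
    cutoff = (now or time.time()) - recent_days * 86400
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        head = path.read_bytes()[:65536]  # enough to catch an open tag and a loader stub
        if rel.startswith("wp-content/uploads/") and ext in PHP_EXT:
            findings.append(("php-in-uploads", rel))
        if ext in IMAGE_EXT and PHP_OPEN.search(head):
            findings.append(("disguised-php", rel))
        if rel.startswith("wp-content/mu-plugins/"):
            findings.append(("mu-plugin-present", rel))
        if ext in PHP_EXT or PHP_OPEN.search(head):
            m = BACKDOOR.search(head)
            if m:
                findings.append(("backdoor-pattern", f"{rel}:{m.group(1).decode().lower()}"))
        if rel in CRITICAL and path.stat().st_mtime > cutoff:
            findings.append(("critical-recently-modified", rel))
    return findings


def build_sample_tree():
    """Constructed site: legitimate old files plus a fresh wp-config.php edit,
    a webshell-shaped .ico, a PHP dropper in uploads and an unexplained mu-plugin."""
    site = Path(tempfile.mkdtemp())
    old = time.time() - 400 * 86400
    files = {
        "index.php": (b"<?php require 'wp-blog-header.php';", old),
        ".htaccess": (b"RewriteEngine On\n", old),
        "wp-config.php": (b"<?php define('DB_NAME', 'shop');", None),  # modified today
        "wp-content/themes/shop/functions.php": (b"<?php add_action('init', 'shop_init');", old),
        "wp-content/mu-plugins/loader.php": (b"<?php // site helper", None),
        "wp-content/uploads/2024/05/image.png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, old),
        "wp-content/uploads/2024/05/favicon.ico":
            (b'<?php eval(base64_decode("CONSTRUCTED_PLACEHOLDER"));', None),
        "wp-content/uploads/2024/05/wp-cache.php":
            (b'<?php echo gzuncompress(base64_decode("CONSTRUCTED_PLACEHOLDER"));', None),
    }
    for rel, (data, mtime) in files.items():
        p = site / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        if mtime is not None:
            os.utime(p, (mtime, mtime))
    return site


if __name__ == "__main__":
    for kind, detail in scan_tree(build_sample_tree()):
        print(f"{kind:27} {detail}")
```

Timestamps are only a hint: an attacker who controls the file can reset its mtime, so treat a clean mtime on a file whose hash differs from the official release as more suspicious, not less.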

Database and users

Audit recent roles, check recovery e-mails and tokens, browse recently created autoloaded options, track injections into posts/pages via exotic shortcodes, spot scheduled tasks with innocuous but very frequent names.

Logs and network

Analyze attack patterns (peaks on wp-login, REST, XML-RPC), filter by IP, referer and user-agent, look for 500/502 correlated POSTs, identify conditional redirect chains by device/UA.
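The log angles in section 2 and the items above are one pass over the access log. The following is an added example for this guide, not code from the article: it parses Apache/Nginx combined-format lines (the format is assumed; adjust `LINE` for a custom LogFormat) and reports 404s on PHP paths, tooling or empty User-Agents, POSTs answered with 5xx, wp-login.php POSTs from one address at a near-constant interval (the discreet brute force), bursts on XML-RPC, REST and admin-ajax per address, and paths that return 302 to mobile User-Agents while desktop visitors get 200. The sample log, addresses and User-Agents are constructed.

```python
"""Anomaly sweep over access-log lines for the patterns named above.
Added example, not from the article; all sample lines are constructed."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" format (assumed; adapt for a custom LogFormat).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
MOBILE_UA = re.compile(r"Android|iPhone|Mobile", re.I)
NOISY_ENDPOINTS = ("/xmlrpc.php", "/wp-json/", "/wp-admin/admin-ajax.php")


def parse(lines):
    reqs = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # a non-matching line deserves its own look; skipped here
        r = m.groupdict()
        r["ts"] = datetime.strptime(r["ts"], "%d/%b/%Y:%H:%M:%S %z")
        r["path"] = r["path"].split("?", 1)[0]
        reqs.append(r)
    return reqs


def sweep(lines, burst_threshold=20, min_login_posts=5):
    """Return {finding-kind: [details]} for the anomalies present in the log."""
    f = defaultdict(list)
    login_ts = defaultdict(list)
    endpoint_hits = Counter()
    status_by_device = defaultdict(lambda: defaultdict(set))
    for r in parse(lines):
        ua = r["ua"].lower()
        if r["status"] == "404" and r["path"].endswith(".php"):
            f["probe-404"].append(f'{r["ip"]} {r["path"]}')
        if ua in ("", "-") or ua.startswith(("curl/", "python-requests", "go-http-client")):
            f["tooling-ua"].append(f'{r["ip"]} {r["ua"] or "(empty)"}')
        if r["method"] == "POST" and r["status"].startswith("5"):
            f["post-5xx"].append(f'{r["ip"]} {r["path"]} {r["status"]}')
        if r["method"] == "POST" and r["path"] == "/wp-login.php":
            login_ts[r["ip"]].append(r["ts"])
        if r["path"].startswith(NOISY_ENDPOINTS):
            endpoint_hits[(r["ip"], r["path"])] += 1
        device = "mobile" if MOBILE_UA.search(r["ua"]) else "desktop"
        status_by_device[r["path"]][device].add(r["status"])
    # Low-rate but metronomic login POSTs: the gaps between them barely vary.
    for ip, times in login_ts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_login_posts and statistics.pstdev(gaps) <= 1.0:
            f["steady-login-posts"].append(f"{ip} every {statistics.mean(gaps):.0f}s")
    for (ip, path), n in endpoint_hits.items():
        if n >= burst_threshold:
            f["endpoint-burst"].append(f"{ip} {path} x{n}")
    # Same path, redirect for mobile only: the classic conditional redirect footprint.
    for path, by_dev in status_by_device.items():
        if "302" in by_dev["mobile"] and by_dev["desktop"] and by_dev["desktop"] <= {"200"}:
            f["ua-conditional-redirect"].append(path)
    return dict(f)


# Constructed sample log (documentation-range addresses, invented User-Agents).
T0 = datetime(2024, 5, 2, 3, 14, 0, tzinfo=timezone.utc)
DESKTOP = "Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"
MOBILE = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"


def _line(ip, offset_s, method, path, status, ua, referer="-"):
    ts = (T0 + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "{referer}" "{ua}"'


def sample_log():
    lines = [
        _line("192.0.2.10", 0, "GET", "/pricing/", 200, DESKTOP),
        _line("192.0.2.11", 5, "GET", "/pricing/", 302, MOBILE),
        _line("192.0.2.12", 9, "GET", "/wp-content/uploads/2024/05/wp-cache.php", 404, "curl/8.5.0"),
        _line("192.0.2.13", 12, "POST", "/wp-comments-post.php", 502, "python-requests/2.31"),
        _line("192.0.2.14", 20, "GET", "/about/", 200, DESKTOP),
    ]
    # one login POST every 30 s from one address: low rate, perfectly regular
    lines += [_line("198.51.100.7", 30 * i, "POST", "/wp-login.php", 200, DESKTOP) for i in range(6)]
    # 25 XML-RPC POSTs in under a minute from one address, with no User-Agent
    lines += [_line("203.0.113.9", 2 * i, "POST", "/xmlrpc.php", 200, "-") for i in range(25)]
    return lines


if __name__ == "__main__":
    for kind, details in sweep(sample_log()).items():
        print(kind, details)
```

Thresholds are site-specific: a busy multisite legitimately sees hundreds of admin-ajax calls per address per hour, so calibrate `burst_threshold` on a week of known-clean logs before alerting on it.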

13) SEO indicators and reputation

In addition to abnormal pages, keep an eye on Search Console: alerts on suspicious URLs, sudden rise in soft 404s, drop in coverage, keywords inconsistent with your sector. Also check e-mail blacklists if you send out newsletters: a compromise can hijack your forms to spread spam. If you restructure your content after cleaning, these good taxonomy practices will help restore consistent indexing and close the door on spurious categorization.

14) Frequent scenarios and how to spot them quickly

Stealth injection by child theme

Code inserted in the child theme's functions.php adds third-party scripts only for non-admin visitors. Test: private browsing, another device, another network, CDN cache purge. Strong hint: external scripts at the end of the body.

Backdoor via uploads

A PHP file disguised as an image in uploads that responds to a GET parameter and executes commands. Hint: recent .php files in uploads, 200 responses to POSTs on this path, frequent requests from a single IP.

SEO spam by parallel sitemaps

Creation of a clandestine sitemap pointing to ghost pages. Hint: presence of a sitemap-XYZ.xml file not generated by your tool, strange indexing submissions.

Targeted redirection

Scripts that only redirect on mobile. Hint: disparity in behavior between desktop and mobile, sporadic 302 redirects, obfuscated scripts conditioned on user-agent.

15) Protect your forms and audiences during the investigation

If you suspect a compromise, temporarily restrict the sending of outgoing messages, impose reCAPTCHA/Turnstile everywhere, suspend webhooks to third-party services, archive leads but don't automatically push them into your CRMs until integrity is confirmed. When everything is cleaned up, resume a healthy integration based on a subscription form that respects anti-abuse best practices and GDPR compliance.

16) After confirmation: containment, eradication, restoration

As soon as compromise is confirmed, isolate (front-end maintenance mode, block editing from outside, password rotation), save the current state for forensics, clean up (files, database, accounts, tasks), update, then restore from a healthy snapshot if necessary. For a step-by-step operational roadmap that covers the entire cycle (containment, recovery, hardening), follow this complete remediation guide. Don't forget: change all secrets (SFTP/SSH, DB, keys, tokens) before going back online.

17) Hardening and continuous monitoring to prevent recurrence

Good detection depends on good observability. Implement file integrity monitoring (hashes), alerts on admin/CRON creation, application WAF, immutable off-server backups, automatic updates (at least security updates), least privilege policy, 2FA for all high-risk accounts, strict security headers (CSP, HSTS), quarterly review of extensions. Document your architecture (who does what, where are the logs, how to restore). The greater the visibility, the faster the detection time.
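File integrity monitoring is the first item above, and it is simple enough to run without a plugin. The following is an added example for this guide, not code from the article: it hashes every file under the site root into a manifest, stores that manifest as JSON outside the web root, and later diffs a fresh manifest against it to report added, removed and modified paths. The sample site, the tamper marker appended to wp-config.php and the dropped file are constructed; the `baseline.json` location is an assumption (in practice it belongs on a separate host, like the backups).

```python
"""Hash-based file integrity baseline and comparison for a WordPress tree.
Added example, not from the article; the sample site and changes are constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative path -> sha256 of every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def diff_manifests(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed site, baseline stored off the web root, then three changes."""
    site = Path(tempfile.mkdtemp())
    files = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "wp-config.php": b"<?php define('DB_NAME', 'shop');",
        "wp-content/themes/shop/style.css": b"body { margin: 0 }",
        "wp-content/uploads/2024/05/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 8,
    }
    for rel, data in files.items():
        (site / rel).parent.mkdir(parents=True, exist_ok=True)
        (site / rel).write_bytes(data)

    # Baseline taken on a known-clean state and kept away from the site tree
    # (assumed location; off-server storage is the real target).
    baseline_path = Path(tempfile.mkdtemp()) / "baseline.json"
    baseline_path.write_text(json.dumps(build_manifest(site), indent=1))

    # Simulated tampering: edited config, dropped PHP in uploads, deleted asset.
    (site / "wp-config.php").write_bytes(files["wp-config.php"] + b"\n// constructed tamper marker\n")
    (site / "wp-content/uploads/2024/05/wp-cache.php").write_bytes(b"<?php // constructed")
    (site / "wp-content/themes/shop/style.css").unlink()

    return diff_manifests(json.loads(baseline_path.read_text()), build_manifest(site))


if __name__ == "__main__":
    for change, paths in demo().items():
        print(change, paths)
```

Exclude genuinely volatile paths (cache directories, logs) from the manifest rather than ignoring their alerts, and re-baseline immediately after every legitimate update so that the next diff contains only what you did not do yourself.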

18) URLs, redirects and structural cleanliness

After an incident, harmonize your rewrite rules and eliminate spurious routes; revalidate the permalink structure, rebuild sitemaps, purge the CDN cache and force clean reindexing of the main pages. Procedures for permalink optimization allow you to regain control of internal linking and curb the indexing of residual pages.


19) Sectoral cases and special attack surfaces

Some verticals are more targeted (real estate, e-commerce, education), as they concentrate personal data and qualified traffic. For example, real estate catalogs and lead-capture pages attract SEO spam, scraping and form hijacking. If you're building or relaunching a business portal, take inspiration from robust methods for an online presence for real estate agencies that integrates security and observability requirements right from the design stage.

20) User scenarios: when you're not the problem

Sometimes the end user sees an alert not because your hosting is compromised, but because their own device is infected, their DNS is poisoned, or a browser plugin is injecting ads. Quick check: test from multiple networks and devices, use a clean browser profile, compare with a curl fetch or an independent capture service. If suspicion is concentrated on the user side, explain how to validate the page's integrity and, if necessary, guide the user to resources on how to recognize a booby-trapped page and avoid the risk of infection.

21) Crisis communication and reputation

Transparency needs to be handled sensitively: inform your users promptly if data may have been exposed, describe the measures taken and recommendations made (password reset, transaction verification), and provide a point of contact. Document the entire chronology: detection, containment, removal, recovery, hardening. This documentation will be useful during a subsequent audit, and will reduce response time in the event of a future incident.

22) Case studies: time-saving diagnostic shortcuts

Compare rendering as a logged-in administrator vs. an anonymous visitor; test at night and at weekends (some malware activates during off-peak hours); go through a browser with an ad-blocker and another without; audit a flat HTML export of a key page (to check the code generated before JS). Last but not least, keep an eye on e-mail output: a sharp rise in e-mail traffic is often the result of form hijacking.

23) Prevent post-incident SEO regressions

Beyond cleaning up, reassure the search engines: request reconsideration if a security warning has been issued, remove ghost URLs from the index, serve clean 410 responses or 301 redirects, update sitemaps, rebuild internal linking, check facets and taxonomies. Reviewing the editorial structure and coherence of the information architecture also strengthens resilience against attempts to exploit orphan pages or archives. Good taxonomy practices are relevant in this phase.

24) When to delegate auditing and cleaning

If the clues are multiplying, the business criticality is high, or you lack server visibility, delegate analysis and remediation to a specialized team. An external viewpoint provides investigative tools, a proven method and a shorter resolution time, while allowing you to concentrate on communication and business continuity. You can request a Free technical audit to prioritize actions and obtain an immediate treatment plan.

25) Additional resources and summary

The best detection is proactive: centralized logs, alerts on abnormal behavior, file integrity, security updates, tested backups, access segmentation, form hardening, and monitoring your components for vulnerabilities. If in doubt, go back to the list of common signs of WordPress hacking. And remember: don't stop at the most visible symptom. Attackers look for persistence. Check scheduled tasks, entry points, the database and redirects.

By applying this method, you'll reduce detection time, limit the impact on your audience and SEO, and get back on track with peace of mind. Once the attack has been contained and cleaned up, don't forget to industrialize your security and monitoring routines to transform the incident into a lever for continuous improvement.