Hacked WordPress Sites: What Happens, How to Spot It, What to Do

WordPress sites get hacked more often than most business owners realise. Here is what actually happens when a site is compromised, how to spot the signs, and what to do about it.

WordPress powers around 40% of the web. That ubiquity is also why it is the most targeted platform for automated attacks. If you run a WordPress site and have never thought seriously about security, this post is worth reading.

This is not a theoretical exercise. Over the past week I have been dealing with a compromised WordPress site for a client — cleaning out injected code, closing the entry point, and getting things back to normal. At the same time, across a hosting portfolio of around 300 sites, there has been a noticeable spike in phishing emails and password reset attempts. Attacks are not random. They run in waves, and right now the tide is in.

Here is what actually happens when a WordPress site gets hacked, how to spot it early, and what to do when it does.

How WordPress sites get hacked

The vast majority of WordPress compromises follow the same pattern. An automated bot scans thousands of sites looking for known vulnerabilities — outdated plugins, outdated themes, weak passwords, or poorly configured hosting environments. When it finds one, it gets in.

The most common entry points are:

  • Outdated plugins — Plugin developers release security patches regularly. If you are not applying updates, you are leaving known vulnerabilities open. Attackers know exactly which plugin versions are vulnerable and scan for them at scale.
  • Weak or reused passwords — Brute force attacks on WordPress login pages are extremely common. If your password is simple or reused from another site that has been breached, it is only a matter of time.
  • Nulled themes and plugins — Pirated or “free” versions of premium WordPress plugins and themes frequently contain backdoors installed deliberately. If you are using nulled software, you may have invited the attacker in yourself.
  • Poorly secured hosting — Cheap shared hosting with weak file permission defaults, no malware scanning, and no isolation between accounts means one compromised site on a server can affect others.

What attackers actually do once they are in

This is where it gets more serious than most people expect. Getting in is not the end goal — staying in is.

Once an attacker has access, they typically:

  • Install a backdoor — a hidden file or piece of code that lets them return even after the obvious infection is cleaned up. This is why simply deleting malicious files is rarely enough.
  • Inject redirects — visitors to your site get silently redirected to spam, phishing, or malware sites. You may not notice because it often only triggers for visitors arriving from Google, not direct traffic.
  • Send spam — your domain and server get used to blast out phishing emails, damaging your email deliverability and potentially getting your domain blacklisted.
  • Create admin accounts — new WordPress admin users appear that you did not create, giving persistent access.
  • Stay hidden — sophisticated attacks are designed to avoid detection. The malicious code may be obfuscated, buried in core files, or only activate under certain conditions.

The most damaging attacks are the ones that go unnoticed for weeks or months.

How to spot a compromised site

Some signs are obvious. Most are not. Here is what to look for:

Obvious signs:

  • Visitors are being redirected to unfamiliar or suspicious websites
  • Google is showing a “This site may be harmful” warning in search results
  • Your hosting provider has suspended your account
  • Your browser flags the site as dangerous

Less obvious signs:

  • A sudden unexplained drop in search rankings or organic traffic
  • Spam or phishing emails appearing to come from your domain
  • WordPress admin accounts you do not recognise
  • New files in your installation you did not put there
  • Customers reporting strange behaviour on the site
  • Your site is loading noticeably slower than usual

If you are seeing any of these, the site needs attention immediately. The longer a compromise goes unaddressed, the more damage accumulates — to your search rankings, your email reputation, and your customers’ trust.

What to do if your site has been hacked

1. Do not panic, but do act quickly. The temptation is to either ignore it and hope it resolves itself, or to immediately delete everything. Neither is the right move. You need a methodical approach.

2. Take the site offline if necessary. If visitors are being redirected or served malware, take the site down temporarily. A maintenance page is better than actively harming your visitors.

3. Change all passwords immediately. WordPress admin passwords, hosting control panel passwords, FTP credentials, and database passwords. All of them. If any are reused elsewhere, change those too.

4. Scan for malware. Use a reputable scanning tool to identify infected files. This will find the obvious infections but may not catch everything — particularly well-hidden backdoors.

5. Clean the infection properly. Remove infected files, but do not stop there. Check core WordPress files against a clean installation. Check recently modified files. Look for base64-encoded strings in PHP files — a common sign of obfuscated malicious code.

6. Find and close the entry point. Cleaning the infection without closing the vulnerability that allowed access is pointless. The attacker will be back within hours. Identify how they got in — outdated plugin, weak password, compromised hosting — and fix it.

7. Hunt for backdoors. Assume there is at least one backdoor installed. Common locations include the uploads folder, inactive themes, and core WordPress files. A thorough clean means checking all of these.

8. Request a Google review if needed. If Google has flagged your site as harmful, you will need to request a review via Search Console once the site is clean. Rankings and traffic will not recover until Google re-evaluates the site.
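Steps 5 and 7 describe checks that can be scripted. The scanner below is an added example, not code from the original post or from 1418: it walks a WordPress tree and flags PHP files under wp-content/uploads, obfuscation wrappers such as eval and base64_decode, long base64 blobs, and PHP files modified in the last week. The indicator patterns, file layout and sample files are constructed for the example; treat its output as leads to review by hand, not a verdict.

```python
import os, re, time, pathlib, tempfile

# Constructed indicators for this example: wrappers that commonly hide obfuscated payloads,
# and runs of 200+ base64 characters, which rarely appear in legitimate PHP source.
OBFUSCATION = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
BASE64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")

def scan_wordpress(root, modified_within_days=7):
    """Walk a WordPress tree and return sorted (reason, relative_path) findings."""
    root = pathlib.Path(root)
    cutoff = time.time() - modified_within_days * 86400
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in {".php", ".phtml", ".phar"}:
            continue
        rel = path.relative_to(root).as_posix()
        # PHP should never live under wp-content/uploads; it is a classic backdoor location.
        if rel.startswith("wp-content/uploads/"):
            findings.add(("php-in-uploads", rel))
        data = path.read_bytes()
        if OBFUSCATION.search(data):
            findings.add(("obfuscation-call", rel))
        if BASE64_BLOB.search(data):
            findings.add(("base64-blob", rel))
        # A recent mtime is a lead, not proof: correlate it with your own update history.
        if path.stat().st_mtime > cutoff:
            findings.add(("recently-modified", rel))
    return sorted(findings)

def build_sample_site(base):
    """Create a constructed WordPress-like tree: two clean files aged 30 days, two planted suspects."""
    sample = {
        "wp-login.php": "<?php require __DIR__ . '/wp-load.php';",
        "wp-content/themes/sample/functions.php": "<?php add_action('init', 'sample_init');",
        "wp-content/uploads/2024/05/image.php": "<?php echo 'not an image';",
        "wp-includes/class-wp.php": "<?php eval(base64_decode('" + "QUFB" * 80 + "'));",
    }
    clean = {"wp-login.php", "wp-content/themes/sample/functions.php"}
    old = time.time() - 30 * 86400
    for rel, body in sample.items():
        path = pathlib.Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        if rel in clean:
            os.utime(path, (old, old))  # age the clean files so only the planted ones look fresh
    return base

def demo():
    return scan_wordpress(build_sample_site(tempfile.mkdtemp(prefix="wp-scan-")))
```

Point scan_wordpress at a real install (ideally a copy taken before cleaning, so the evidence survives) and review each flagged path against a fresh download of the same WordPress, theme and plugin versions.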

How to reduce the risk going forward

The good news is that most WordPress compromises are preventable with basic ongoing maintenance.

  • Keep everything updated — WordPress core, themes, and plugins. Every update is a potential security patch.
  • Remove unused plugins and themes — inactive plugins are still a vulnerability. If you are not using it, delete it.
  • Use strong, unique passwords — and a password manager if necessary.
  • Limit login attempts — a simple plugin or hosting-level setting that blocks brute force attacks.
  • Use reputable hosting — with malware scanning, account isolation, and active security monitoring.
  • Take regular backups — stored offsite, not just on the server. A clean backup makes recovery significantly faster.

A well-maintained WordPress site is not invulnerable, but it is a much less attractive target than one that has been left to run without attention.

A note on moving away from WordPress

For some businesses, a hacked WordPress site is the final straw. If you are spending more time and money on security and maintenance than the platform is worth, it may be time to consider a move to a modern, lightweight framework — one that has no database, no plugins, and a dramatically smaller attack surface by design.

That is not the right move for everyone, but it is worth knowing the option exists.


1418 provides website maintenance and security support for businesses in Cumbria, including hacked site recovery and WordPress clean-up. If your site has been compromised or you are concerned about security, get in touch at info@1418.co.uk.
