How to tell if your WordPress site has been hacked: Expert tips from Datami

Oleksandr Filipov: Security engineer at Datami, author of articles
Apr 17, 2025

WordPress is one of the most popular website platforms, and also one of the most targeted by hackers. Even if your site seems to be running smoothly, it doesn’t guarantee that it’s safe. Malicious code can operate silently, affecting your SEO, redirecting visitors to unwanted pages, or stealing user data. The longer a hack goes undetected, the more serious the consequences can be: loss of traffic, search engine bans, or sanctions from your hosting provider.

To detect a hack early, Datami experts recommend watching out for key signs of WordPress compromise: unexpected redirects, altered content (spam or phishing pages), warnings from Google or antivirus software, and unfamiliar admin accounts in the database. Inside the admin panel, check for suspicious plugins, unplanned updates, or modified files. It’s also advisable to use external tools such as Sucuri, VirusTotal, or Google Search Console, and to monitor your SSL certificate status. If you notice any of these signs, it’s time to act to protect your site and your business.

First steps after detecting a WordPress site hack

Discovered that your WordPress site has been hacked? Don’t panic — the key is to act quickly and thoughtfully. The sooner you take action, the better your chances of minimizing damage and regaining control of your site.

Immediate backup

If you suspect that your WordPress site has been compromised, create a full backup of your files and database before making any changes. This will preserve the current state of your site, even if it’s already been hacked. Use a previous clean backup (taken before the infection) for comparison. To create the backup, you can use tools provided by your hosting provider or specialized plugins like UpdraftPlus or Duplicator. Save the backup locally or in the cloud so you can revert to it if recovery attempts fail.

Avoid manually editing or deleting files right away, even if you find suspicious code. Hackers often leave hidden backdoors, and making changes without fully understanding the situation can worsen the problem. It’s better to first save the current version, analyze it thoroughly, and only then begin the cleanup.

Access restriction

Right after creating a backup, change all passwords — WordPress admin, hosting account, FTP, database, and API keys for connected services. Use strong, unique passwords and enable two-factor authentication (2FA) if possible. You should also consider temporarily restricting public access to the site, especially if the hack affects users or compromises their data. This can be done through your hosting control panel.

Notify relevant parties

If you have a development team or technical support from your hosting provider, notify them immediately. They can help assess the scope of the problem and create an action plan. If user data may have been exposed, it’s also important to inform your users. Transparent communication can help you avoid reputational damage and maintain audience trust.

Deep WordPress site scan and analysis

You've backed up your site and changed all access credentials — now it's time to assess how deep the hack goes and what traces the attackers have left behind. The main goal of this stage is to identify and neutralize all malicious files, backdoors, and suspicious scripts that could allow hackers to regain access in the future.

Start by checking the core WordPress files, plugins, and themes. Compare them with the official versions from the WordPress repository. You can download clean files from the official WordPress website and use tools like WP File Manager for easier comparison. If you discover unfamiliar files or suspicious code — such as obfuscated scripts, long random strings, or dynamic function calls — these are strong indicators of a hack.
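One way to automate this comparison, as an added example that is not part of the original article or any Datami tooling: the script hashes every file in the live install and in a clean copy of the same release, then inspects only the files that differ for the indicators listed above. The regular expressions and the sample trees built in `demo()` are constructed assumptions for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed heuristics for the indicators named above; tune them for your code base.
SUSPICIOUS = {
    "decode-then-execute": re.compile(rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "long encoded string": re.compile(rb"[A-Za-z0-9+/=]{200,}"),
    "dynamic function call": re.compile(rb"\$\w+\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
}

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(site, clean):
    """Compare a live install with a clean copy of the same release."""
    live, ref = file_hashes(site), file_hashes(clean)
    report = {
        "unknown": sorted(set(live) - set(ref)),   # present only on the live site
        "missing": sorted(set(ref) - set(live)),   # removed from the live site
        "modified": sorted(f for f in live if f in ref and live[f] != ref[f]),
        "suspicious": [],
    }
    # Only files that differ from the reference need a content inspection.
    for rel in report["unknown"] + report["modified"]:
        data = (Path(site) / rel).read_bytes()
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(data)]
        if hits:
            report["suspicious"].append((rel, hits))
    return report

def demo():
    """Constructed sample trees: one altered core file and one planted file."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            (root / "wp-includes").mkdir(parents=True)
            (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
            (root / "wp-includes/version.php").write_text("<?php $wp_version = 'X.Y';\n")
        # Inert stand-ins for injected code (the payload decodes to "echo 1;").
        (site / "index.php").write_text("<?php eval(base64_decode('ZWNobyAxOw=='));\n")
        (site / "wp-includes/cache-old.php").write_text("<?php // " + "QUJD" * 60 + "\n")
        return compare_trees(site, clean)

if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

Point `compare_trees` at core, plugin, or theme directories; user uploads will always show up as unknown because they have no reference copy.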

To ensure nothing gets missed, focus on the following key checkpoints:

  • Core and plugin files – look for unauthorized scripts or unexpected modifications not present in original versions.

  • Changed site settings – altered configurations might point to traffic redirects or other malicious manipulations.

  • Unauthorized admin users – check if any new administrators were added without your knowledge.

  • Server log files – analyze recent activity, especially login attempts and requests to unknown files.

  • Unexpected database changes – look for hidden scripts or malicious commands that execute during site loading.

The next step is to inspect your database. Hackers often modify tables related to posts (inserting spam pages) or tamper with site options to introduce unwanted redirects or disable important settings. Carefully review entries in these sections, and double-check your list of admin users — unknown accounts are a clear sign of compromise.

Pay special attention to server logs (Apache/Nginx) and use monitoring plugins like WP Activity Log. These tools can reveal when and how the site was hacked. If you notice requests to unfamiliar files or login attempts from suspicious IP addresses, this data can help trace the source of the attack and prevent further intrusions.
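The log review described above, as an added example that is not from the original article: it parses combined-format access-log lines, counts failed logins per IP, records whether a successful login followed, and lists requests to PHP files under the uploads directory. The sample lines, IP addresses, and file names are constructed, and the 200/302 interpretation assumes stock WordPress login behaviour, which security plugins may change.

```python
import re
from collections import defaultdict

# Apache/Nginx "combined" format: ip - user [time] "METHOD path proto" status ...
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# PHP has no business executing from the media library.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.I)

def analyze(lines, threshold=3):
    """Return (login_findings, php_in_uploads) for access-log lines."""
    logins = defaultdict(lambda: {"failed": 0, "succeeded_at": None})
    php_hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == "/wp-login.php":
            # Assumption: stock WordPress answers a failed login with 200
            # (form shown again) and a successful one with a 302 redirect.
            entry = logins[m["ip"]]
            if m["status"] == "200":
                entry["failed"] += 1
            elif m["status"] == "302" and entry["succeeded_at"] is None:
                entry["succeeded_at"] = m["time"]
        if UPLOADS_PHP.match(path):
            # Status 200 means the file exists and ran; 404 is only a probe.
            php_hits.append((m["ip"], m["method"], path, m["status"]))
    # Report only sources with repeated failures; one typo is not an attack.
    findings = {ip: e for ip, e in logins.items() if e["failed"] >= threshold}
    return findings, php_hits

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE = """\
203.0.113.7 - - [12/Apr/2025:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
203.0.113.7 - - [12/Apr/2025:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
203.0.113.7 - - [12/Apr/2025:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
203.0.113.7 - - [12/Apr/2025:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
198.51.100.20 - - [12/Apr/2025:09:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"
198.51.100.20 - - [12/Apr/2025:09:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [12/Apr/2025:03:20:00 +0000] "GET /wp-content/uploads/2025/04/thumb.php?x=1 HTTP/1.1" 200 17 "-" "-"
198.51.100.20 - - [12/Apr/2025:09:05:00 +0000] "GET /wp-content/uploads/2025/04/photo.jpg HTTP/1.1" 200 90211 "-" "-"
""".splitlines()

if __name__ == "__main__":
    findings, php_hits = analyze(SAMPLE)
    print(findings)
    print(php_hits)
```

An IP that appears in both results, with a success timestamp after a run of failures, marks the point in the backup and database history from which changes should be treated as untrusted.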

WordPress hack cleanup and recovery

After analyzing and identifying malicious elements on your site, the next step is complete removal. It’s crucial to proceed with caution to avoid damaging legitimate files or breaking your site.

Only delete suspicious files after creating a backup. Use tools like SFTP, WP-CLI, or trusted security plugins such as Wordfence or Sucuri. If hackers have modified your theme or plugin code, it’s safer to reinstall them from the official WordPress repository. Accidentally removing a critical file can disrupt your site, so if you’re unsure about manual cleanup, it’s better to restore the site from a clean backup taken before the hack.

To ensure an effective recovery process, follow these steps:

  • Check wp-config.php – this file holds your site’s core configuration. Look for any injected code or unusual changes to environment variables.

  • Clean the .htaccess file – hackers often alter it to set up redirects, restrict access, or hide malicious scripts.

  • Reset all passwords – for the database, WordPress admin, FTP access, API keys, and any other sensitive tokens.

  • Scan for malware – use services like Sucuri SiteCheck, Wordfence, or MalCare to detect and remove threats.

  • Check your site’s status in Google Search Console, Google Transparency Report, and review your site indexing to identify any security warnings or deindexing issues.

If the infection is widespread, it’s best to fully reinstall WordPress, keeping only the verified content — such as posts, images, and a clean version of your database. Before doing so, carefully review wp-config.php for any malicious code.

Also, verify whether your site has been blacklisted by Google — you can do this via Google Search Console. If flagged as unsafe, submit a reconsideration request to get your site re-evaluated. This is vital to restore traffic and rebuild visitor trust.

Prevention and strengthening security

Securing a WordPress site isn’t a one-time task — it’s an ongoing process. Even if you’ve successfully recovered your site after a hack, the risk of reinfection remains high without proper security measures. The golden rule is: it’s easier to prevent a hack than to deal with its consequences. That’s why it’s essential to regularly update the WordPress core, plugins, and themes — and only use reputable software.

Always use strong, unique passwords for all accounts and enable two-factor authentication (2FA) to make it significantly harder for attackers to gain access to your admin panel.

It’s equally important to secure your server and file configurations. Here's what you should do:

  • Enable SSL/HTTPS to ensure data encryption.
  • Restrict access to critical files such as wp-config.php, .htaccess, and the WordPress admin area.
  • Ensure proper file permissions (for example, wp-config.php should be readable only by the server).
  • Disable directory browsing to prevent attackers from viewing your server file structure.

In addition, set up real-time monitoring and scanning systems. Use security plugins like Wordfence, iThemes Security, or Sucuri to scan code, detect suspicious behavior, and automatically block threats. Configure alert notifications for unusual logins, file changes, or vulnerabilities in plugins so you can react immediately.

Finally, don’t overlook the importance of choosing a reliable hosting provider. Some companies offer built-in security features like traffic filtering, regular backups, and firewall protection. This is especially crucial for websites handling personal user data or experiencing high traffic. When selecting a host, look for features like antivirus protection, automatic updates, and responsive technical support that can help you handle threats swiftly.

Action plan for the future

Even after fully restoring the site, the risk of a repeated hack remains. Therefore, it is important not only to eliminate the consequences of the attack but also to create a clear security system that will help quickly respond to new threats. One of the best strategies is to create an “incident response plan.” This is a document that outlines all necessary actions in the event of another attack: who is responsible for security, what measures need to be taken, and how quickly to notify stakeholders and users. It is also worth defining regular backup procedures: how many copies to keep, how often to update them, and where to safely store the backup files.

To detect vulnerabilities in advance, it is necessary to regularly perform security tests. This can be a professional pentest or automated scanning with special tools. Additionally, it is recommended to check the compatibility of updates before installing them to avoid code conflicts. To simplify control, it is useful to create a checklist that includes the main points for site security checks:

  • Are all WordPress, plugin, and theme updates installed?

  • Are fresh backups of the site and database made?

  • Have any suspicious files or code changes appeared?

  • Are there any suspicious login attempts to the admin panel?

  • Are the configured alerts for attacks and system changes working?

Regularly performing these checks will not only allow quick responses to threats but also help prevent potential attacks, keeping the site secure.

Expert tips from Datami and common mistakes

Despite the growing number of attacks on WordPress sites, many site owners still don’t pay enough attention to security. One of the most common mistakes is the belief that “My WordPress site hacked? Impossible.” However, scanning your site for malware may prove otherwise: even a small corporate website or personal blog can become a target. Hackers often don’t attack manually — they use automated scripts that scan sites for vulnerabilities. Another widespread myth is that “one security plugin is enough.”

In reality, scanning WordPress for viruses should be comprehensive: a single plugin can’t provide 100% protection if the system isn’t updated, weak passwords are used, or backups are not maintained.

Site owners also often make critical mistakes that make it easier for hackers to succeed:

  • Using “admin” as the administrator login — this is the first thing attackers try during brute-force attacks.

  • Installing pirated themes and plugins, which may contain hidden malware or backdoors. Always download extensions from the official WordPress repository or trusted sources.

  • Not creating backups. Without regular backups, how can you know if your WordPress site was hacked — and what to do afterward? Recovery without a backup can be difficult or even impossible.

If you suspect a problem, how can you tell if your WordPress site has been hacked? The fastest way is to use security tools such as Google Search Console, Sucuri, or VirusTotal. These tools can help detect if your WordPress site has been hacked and reveal hidden threats. Systematic virus scans and regular monitoring reduce the risk of attacks and help maintain stable site performance.

Conclusion

WordPress website security is a continuous process that requires attention and a systematic approach. Hacker attacks can lead to traffic loss, search engine penalties, and even user data leaks. However, timely virus scans, monitoring changes in files and the database, using strong passwords, and creating regular backups significantly reduce the risk of being hacked. It’s essential to keep plugins and themes up to date and rely on trusted security solutions like Wordfence or Sucuri. Regular prevention is the best way to avoid hacks and the complex recovery procedures that follow.

If your site has already been attacked or you want to minimize future risks, Datami experts are here to help. We offer WordPress monitoring and protection services, including regular malware scans, vulnerability removal, and security setup. Ensure the stable operation of your website — contact us for professional protection against potential threats.

Dealing with the aftermath of a WordPress site hack: answers from Datami experts

Should I change my hosting provider after a hack?

Not always. If the hack occurred due to a vulnerability on the host’s side or if the support team fails to assist in resolving the issue, then it’s worth considering a switch to a more secure hosting provider. A reliable host should offer regular backups, server-level protection (firewall, antivirus monitoring), and a proactive response to security incidents. If your provider doesn’t deliver these, it’s better to look for an alternative.

How to choose the best WordPress security plugin?

The ideal plugin offers comprehensive protection: site scanning, blocking malicious requests, login monitoring, and automatic threat alerts. Popular choices include Wordfence, iThemes Security, and Sucuri. It’s important to use only verified plugins from the official WordPress repository and to keep them updated to maintain proper security levels.

Does two-factor authentication (2FA) protect against all attacks?

2FA significantly increases account security but isn’t a complete solution. It prevents brute-force login attempts but won’t protect against vulnerabilities in plugins, themes, or on the server level. That’s why 2FA should be part of a broader security strategy: regular updates, malware scans, and proper access configuration are also essential.

How quickly will Google remove the “unsafe site” warning?

If your site was blacklisted by Google due to a hack, once the site is cleaned and all issues are resolved, you should submit a reconsideration request via Google Search Console. In most cases, the review process takes anywhere from a few hours to a few days. It’s crucial to not only remove the malicious code but also ensure the site is free of any remaining threats — a reinfection can delay the removal of the warning.

Updated: 17.04.2025