How to Detect if Your WordPress Site Has Been Hacked (7 Silent Signs)

The scariest type of hack isn’t the one that replaces your homepage with a skull and crossbones. It’s the one you don’t see.

Modern cybercriminals prefer to remain invisible. They want your server resources to mine cryptocurrency, send spam emails, or redirect your visitors to malicious websites without you knowing.

According to recent security reports, the average time to detect a breach is over 200 days. By the time you notice, your SEO rankings may have tanked, and your domain might be blacklisted by Google.

In this guide, we will walk you through the 7 most common indicators of a compromised WordPress site and how to confirm them.


1. The “SEO Spam” Infection (Japanese/Pharma Hack)

This is currently the most common WordPress hack. You visit your site, and everything looks normal. But when you Google your brand name, you see search results displaying Japanese characters or links to pharmaceutical products.

How to check:

Open Google and search for: site:yoursite.com.

If you see pages you didn’t create selling unexpected products, your site has been injected with SEO Spam. The hacker has created thousands of fake pages to hijack your domain authority.

FunSentry Tip:

FunSentry checks for common SEO spam injections in your page titles and headers during its external scan.


2. Unknown Administrator Accounts

Hackers often create a “backdoor” user account so they can log in even if you change your password. These users often have innocent-sounding names like support_user, wp_update, or backup_admin.

How to check:

  1. Go to Users → All Users.
  2. Filter by Administrator.
  3. If you see any user you do not recognize, delete them immediately.

Technical Check:

Sometimes hackers hide these users from the dashboard. You can check the database directly via phpMyAdmin:

SQL

SELECT * FROM wp_users;

3. Unexpected Redirects (Mobile Only)

Smart malware often detects the visitor’s device. If you visit on a desktop, the site looks fine. But if a visitor comes from a mobile device, they are redirected to a gambling or phishing site.

How to check:

Visit your website from your phone (using 4G/5G, not the same Wi-Fi as your computer) and click around. Better yet, use an incognito window on your phone.


4. Modified Core Files

WordPress core files (like wp-config.php, index.php, and wp-settings.php) should rarely change. If the “Last Modified” date on these files is recent, but you haven’t updated WordPress, that is a massive red flag.

How to check:

Connect via FTP and sort files by Last Modified.

Look for:

  1. Obfuscated code (random letters/numbers) at the top of index.php or wp-config.php.
  2. Strange files in the root directory like lock360.php or admin-ajax.php (fake version).
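
The manual FTP review above can be scripted when you have shell access to the site files. This added example (not part of the original article) walks a WordPress root and reports PHP files that were modified recently, that carry common obfuscation markers near the top, or that sit in the root under one of the names listed above. The marker list and the 7-day window are assumptions and only a heuristic, so every hit needs a manual look.

```python
import os
import re
import time

# Function names commonly chained in obfuscated PHP loaders (heuristic only),
# plus long unbroken base64-looking runs.
MARKERS = re.compile(
    rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|[A-Za-z0-9+/=]{200,}")
# Root-level names the article calls out; the real admin-ajax.php lives in wp-admin/.
SUSPICIOUS_ROOT_NAMES = {"lock360.php", "admin-ajax.php"}

def scan_wordpress_root(root, days=7, head_bytes=4096, now=None):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if dirpath == root and name in SUSPICIOUS_ROOT_NAMES:
                findings.append((rel, "unexpected file in site root"))
            if os.path.getmtime(path) >= cutoff:
                findings.append((rel, "modified within %d days" % days))
            with open(path, "rb") as fh:
                # Only the start of the file is read: injected loaders are
                # typically prepended, as described above.
                if MARKERS.search(fh.read(head_bytes)):
                    findings.append((rel, "obfuscation marker near top of file"))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in scan_wordpress_root(target):
        print(f"{rel}: {reason}")
```
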

5. Sluggish Performance (Cryptomining)

If your super-fast website suddenly becomes incredibly slow, unauthorized scripts might be eating your server resources. Hackers often inject cryptomining scripts that use your visitors’ CPU power to mine digital currency.

How to check:

  1. Check your hosting CPU usage graph. Is it maxed out at 100% constantly?
  2. Inspect your site’s source code (Right Click → View Source) for strange JavaScript files loaded from external domains.
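
Reading View Source by eye gets tedious on a large page. This added example (not from the original article) parses saved page HTML and groups script URLs by any host that is neither your own domain nor on a list you trust. The sample HTML and hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class _ScriptCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def external_script_hosts(html, page_url, allowed_hosts=()):
    """Map each third-party host to the script URLs loaded from it."""
    site_host = urlparse(page_url).hostname
    trusted = {site_host, *allowed_hosts}
    collector = _ScriptCollector()
    collector.feed(html)
    result = {}
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ URLs
        host = urlparse(absolute).hostname
        if host and host not in trusted:
            result.setdefault(host, []).append(absolute)
    return result

# Constructed sample page; hostnames are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="//unknown-host.example/m.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""

if __name__ == "__main__":
    found = external_script_hosts(SAMPLE_HTML, "https://yoursite.com/",
                                  allowed_hosts={"cdn.example.net"})
    for host, urls in found.items():
        print(host, urls)
```

This only sees script tags present in the static HTML; scripts injected at runtime by other JavaScript will not appear in the result.
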

6. Disabled Security Plugins

If you had a security plugin installed, but it suddenly deactivated itself, or you can’t access its settings page, this is a clear sign of an intrusion. Advanced malware is programmed to kill security processes upon entry.

How to check:

Go to the Plugins page. If your security plugin is disabled and you didn’t do it, assume the site is compromised.


7. Browser or Google Warnings

This is the “Game Over” sign. If visitors see a giant red screen saying “The site ahead contains malware” or “Deceptive site ahead,” Google Safe Browsing has blacklisted you.

How to check:

  1. Visit Google Transparency Report.
  2. Enter your URL.
  3. If it says “Unsafe,” you must clean the site immediately and request a review.

How to Scan Your Site Right Now

If you suspect your site is hacked, you need confirmation.

Step 1: Run a FunSentry Scan

Use the FunSentry Scanner to perform a non-intrusive check. It looks for:

  • Malware Payloads: Known malicious scripts in your HTML.
  • Blacklist Status: Checks if you are flagged by Google, McAfee, or Norton.
  • Defacement: Verifies if your title or headers have been altered.
  • Exposed Sensitive Files: Checks if hackers have left behind accessible backdoors or log files.

Step 2: Check Google Search Console

Go to the Security & Manual Actions tab in Google Search Console. Google will often list the specific infected URLs they have found.


What to Do If You Are Hacked?

If you confirm a hack, follow these emergency steps:

  1. Put the site in Maintenance Mode immediately to protect visitors.
  2. Change all passwords (WordPress Admin, FTP, Database, Hosting Panel).
  3. Restore from a clean backup (choose a date before the signs appeared).
  4. Update everything: Core, Themes, and Plugins.
  5. Re-scan using FunSentry to ensure the vulnerability is closed.

Summary Checklist

| Symptom | Severity | What it means |
|---|---|---|
| Red Screen Warning | 🛑 Critical | Google has blacklisted your domain. |
| Unknown Admin User | 🛑 Critical | Hacker has full control. |
| Japanese/Pharma SEO | 🔴 High | Database injection / SEO Spam. |
| Mobile Redirects | 🔴 High | Malware targeting specific devices. |
| Slow Performance | 🟠 Medium | Possible cryptomining or bot traffic. |

Don’t wait for the red screen.

Early detection saves your reputation and your rankings. Run a free comprehensive security check at FunSentry now to see if your site shows any hidden signs of compromise.