How to Check If Your WordPress Website Is Hacked: A DIY Malware Scan Guide

June 13, 2026 · 17 min read
Dharmendra Asimi

SEO Expert & WordPress Professional since 2005

Cyber Kavach, the self-defence security series by Dharmendra Asimi

Cyber Kavach · Article 2 of 5

The self-defence series for your digital life. No jargon, no fear-selling. Free tools, clear steps, and checks you can run yourself in minutes.

A restaurant owner in Pune emailed me last year with a screenshot that made my stomach drop on his behalf. He had Googled his own restaurant to check his rankings, and instead of his menu, the search results showed page after page of Japanese text selling fake branded watches. His website looked completely normal when he opened it directly. He had no idea anything was wrong until a customer asked him why his site was "selling Japanese products now."

His site had been hacked for at least three months. By the time he found it, Google had indexed over 1,400 spam pages under his domain and his rankings for his actual business had collapsed. This is the cruel part of a WordPress hack: the site owner is almost always the last person to find out.

I have cleaned and hardened WordPress sites since 2005, and the single biggest reason hacks turn into disasters is delay. The malware sits there for weeks doing damage while the owner has no idea. This article fixes that. By the end you will know the ten signs of a compromise, the exact free tools to confirm it in minutes, and whether you should clean it yourself or get help.

Short answer

To check if your WordPress site is hacked, run three free scans: (1) paste your URL into Sucuri SiteCheck for a 30-second remote scan of malware and blacklist status, (2) check Google Search Console under Security Issues for what Google detected, and (3) install the free Wordfence plugin and run its server-side scan to find modified or injected files. Watch for the ten warning signs: unexpected redirects, Japanese characters in your search results, a red Google warning screen, pharma spam pages, unknown admin users, traffic collapse, host suspension, browser warnings, unexplained slowness, and changed core files.

If a scan confirms a hack, do not panic-delete anything. Take a backup of the current state first (for evidence), then decide: a recent infection with a clean backup is DIY-able; a blacklisted site, an e-commerce store, or a reinfecting site needs professional cleanup so that every backdoor is removed, not just the visible malware.

Why are you always the last to know your site is hacked?

Modern WordPress malware is built to stay hidden from the site owner. The attacker does not want you to notice, because the longer the infection lives, the more value they extract. So the malware often shows itself only to specific audiences.

It shows spam to Google's crawler but your normal homepage to you. It redirects visitors arriving from search engines but leaves direct visitors alone. It activates only for users on mobile, or only for first-time visitors, or only outside your country. Sucuri's malware research documents these conditional payloads in detail. The result: you open your site, everything looks fine, and you assume it is fine. Meanwhile Google sees a pharmacy.

This is why you cannot rely on "looking at the site." You have to actively scan it and watch the signals that show up where you do not normally look: your Google search listings, Search Console, and your server files.

What are the 10 signs your WordPress site is hacked?

Any one of these is enough reason to scan immediately. Several together is close to confirmation.

| # | Sign | What it usually means |
|---|------|-----------------------|
| 1 | Unexpected redirects | Visitors land on spam, betting, or adult sites. Classic injected-redirect malware in .htaccess or a theme file. |
| 2 | Japanese text in Google results | The Japanese keyword hack. Hundreds of spam pages indexed under your domain selling counterfeit goods. |
| 3 | Red Google warning screen | "This site may harm your computer." Google Safe Browsing has blacklisted you. Traffic drops to near zero. |
| 4 | Pharma spam pages | Pages selling Viagra, Cialis, and other pills appear under your domain. The "pharma hack," one of the oldest and most common. |
| 5 | Unknown admin users | A new administrator account you did not create, often with a random name. The attacker's way back in. |
| 6 | Sudden traffic collapse | Organic traffic falls off a cliff in Analytics. Google has either blacklisted or de-ranked the hacked pages. |
| 7 | Host suspended your account | The hosting company detected malware or outbound spam from your account and pulled it offline. |
| 8 | Browser or antivirus warnings | Chrome, your antivirus, or your firewall flags the site. A strong external signal something is wrong. |
| 9 | Unexplained slowness and load | Your site crawls and the server CPU spikes. Malware often uses your server to attack others or mine crypto. |
| 10 | Changed or new core files | Files in wp-includes or wp-admin modified, or odd files like wp-x1.php appearing. Backdoors and injected payloads. |

🟡 Did You Know

The fastest way to spot the Japanese keyword hack costs nothing and takes ten seconds. Go to Google and search site:yourdomain.com (with your real domain). Google shows every page it has indexed for your site. If you see Japanese characters, pharma keywords, or pages you never created, you are hacked. Every WordPress owner should run this search once a month.

How do you scan a WordPress site for malware (free, step by step)?

Run these in order. The first two need no access to your site at all, so start there.

Step 1: Sucuri SiteCheck (remote scan, 30 seconds)

Sucuri SiteCheck is the standard free remote scanner. Paste your URL and it checks your site the way a visitor's browser would: known malware signatures, injected spam, defacement, and whether you are on any blacklist (Google, Norton, McAfee, and others). It scans only what is publicly visible, so it cannot see hidden backdoors, but it instantly catches the malware that affects visitors and search engines. Treat a clean SiteCheck as necessary but not sufficient.

Step 2: Google Search Console, Security Issues

If you have Google Search Console connected (and every business site should), open the Security Issues report in the left menu. Google tells you directly if it has detected hacked content, malware, or social engineering, and often lists sample URLs. This is the most authoritative source because it is exactly what Google will act on. While there, use the URL Inspection tool and the site:yourdomain.com search to spot indexed spam pages.

Step 3: Wordfence server-side scan (the deep one)

Remote scanners miss what is hidden in your files. Wordfence (free) installs as a plugin and scans from inside. Its core feature: it compares your WordPress core, plugin, and theme files against the official copies in the WordPress.org repository and flags anything modified, added, or suspicious. It also checks for known malware signatures, backdoors, and bad URLs in your content. Install it, open Wordfence > Scan, and run a full scan. Read the results carefully: a modified core file is a serious red flag.
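To make the "compare against the official copies" idea concrete, here is an added example (not code from the article, Wordfence or WordPress) of the core of what a server-side file scan does: every file under a WordPress tree is hashed and compared with a manifest of known-good hashes, and anything modified, missing or unknown is reported. In practice the manifest comes from an untouched download of the same WordPress version or from WordPress.org's checksum API, and WP-CLI's `wp core verify-checksums` performs the same comparison for core files; here the tree and the manifest are constructed in a temporary directory so the script runs offline. The file names and contents are made up for the demonstration.

```shell
#!/usr/bin/env sh
# Added example, not code from the article, Wordfence or WordPress. It shows the
# core of what a server-side file scan does: compare every file under a WordPress
# tree against a manifest of known-good MD5 hashes (the same "hash  path" format
# md5sum emits) and report what differs. A real manifest comes from an untouched
# download of the same WordPress version, or from WordPress.org's checksum API;
# WP-CLI's `wp core verify-checksums` does the same job for core files. Here the
# tree and manifest are constructed in a temporary directory so the script runs
# offline. Nothing is modified or deleted; it only reports.

set -u

# verify_tree DIR MANIFEST
# Prints one line per finding:
#   MODIFIED  path   file exists but its hash differs from the manifest
#   MISSING   path   manifest lists it, the tree does not have it
#   UNKNOWN   path   the tree has it, the manifest never mentions it (wp-x1.php and friends)
verify_tree() {
  dir=$1; manifest=$2
  # Pass 1: walk the manifest, checking presence and hash of each listed file.
  while read -r sum path; do
    [ -n "$path" ] || continue
    if [ ! -f "$dir/$path" ]; then
      printf 'MISSING   %s\n' "$path"
    elif [ "$(md5sum < "$dir/$path" | cut -d' ' -f1)" != "$sum" ]; then
      printf 'MODIFIED  %s\n' "$path"
    fi
  done < "$manifest"
  # Pass 2: walk the tree, reporting any file the manifest does not know about.
  (cd "$dir" && find . -type f | sed 's|^\./||' | sort) | while IFS= read -r path; do
    awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
      || printf 'UNKNOWN   %s\n' "$path"
  done
}

# make_integrity_demo: constructed stand-in for a site. Builds a pristine copy,
# derives the manifest from it, then "infects" the live copy. Prints the root dir.
make_integrity_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/pristine/wp-includes" "$root/live/wp-content/uploads"
  printf '<?php // constructed: genuine core file\n' > "$root/pristine/wp-includes/version.php"
  printf '<?php // constructed: genuine core file\n' > "$root/pristine/wp-load.php"
  (cd "$root/pristine" && find . -type f | sed 's|^\./||' | sort | xargs md5sum) > "$root/manifest.md5"
  cp -R "$root/pristine/." "$root/live/"
  # Tamper with one core file and drop one rogue file, as an infection would.
  printf '// constructed: injected line\n' >> "$root/live/wp-includes/version.php"
  printf '<?php // constructed: rogue file\n' > "$root/live/wp-x1.php"
  printf '%s\n' "$root"
}

# Stand-alone run: build the demo, print the findings, clean up.
demo_root=$(make_integrity_demo)
verify_tree "$demo_root/live" "$demo_root/manifest.md5"
rm -rf "$demo_root"
```

Run against a real install, the two lines you care about are MODIFIED under wp-includes or wp-admin and UNKNOWN anywhere near the WordPress root; a MISSING file is usually a version mismatch between manifest and site rather than malware. Plugins and themes need their own manifests from the vendor's copy, which is the part Wordfence automates.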

Other free scanners worth running

  • WPSec, a free online vulnerability scanner that identifies your plugins and compares versions against known vulnerability databases. Great for finding the unpatched plugin that let them in.
  • Quttera, a free malware scanner that detects suspicious scripts and unknown threats and checks blacklist status.
  • MalCare, the free plugin scans on its own servers (so it does not slow your site) and is excellent at catching complex, well-hidden malware that signature scanners miss.
  • Google Safe Browsing status tool, paste your URL to see if Google currently considers your site dangerous.

🟢 Pro Tip

Run a remote scanner (Sucuri SiteCheck) AND a server-side scanner (Wordfence or MalCare) together, never just one. Remote scanners see what visitors and Google see. Server-side scanners see what is hidden in your files. A hack can be invisible to one and obvious to the other. The restaurant owner from Pune had a clean-looking homepage and a perfectly normal direct visit; his infection only showed up in the site: search and the server-side file scan.

How do you read a malware scan report without panicking?

Scan reports look alarming because they flag everything suspicious, including false positives. Here is how to read one calmly.

  • Modified core files are the most serious. WordPress core files should be byte-identical to the official version. If Wordfence says wp-includes or wp-admin files were changed, that is almost always real malware.
  • Unknown files in wp-content/uploads are a major red flag. The uploads folder should hold images and documents, never PHP files. A .php file in uploads is a backdoor until proven otherwise.
  • Files with random names like wp-x1.php, class-wp-legacy.php, or radio.php in odd locations are classic backdoor naming. Hackers pick names that blend in.
  • Suspicious code patterns: base64_decode, eval(, gzinflate, str_rot13, and long strings of gibberish are how malware hides itself. Legitimate plugins occasionally use these, so context matters, but in an unknown file they signal trouble.
  • False positives exist. Some legitimate plugins and premium themes get flagged. Do not delete a file just because it is flagged, confirm it is not part of a known plugin first. This is exactly where deleting blindly breaks sites.
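The file-level rules above (PHP in uploads, backdoor-style names, obfuscation functions, and the false-positive caveat) can be run by hand over a site's files. The following is an added example, not code from the article or from any scanner it names; it reports and never deletes, and the sample tree it builds in a temporary directory is constructed for the demonstration.

```shell
#!/usr/bin/env sh
# Added example, not code from the article or from any scanner it names. It turns
# the file-level rules above into a read-only triage pass over a WordPress tree:
#   PHP-IN-UPLOADS  a .php file under wp-content/uploads (never legitimate)
#   SUSPECT-NAME    a file name the article lists as classic backdoor camouflage
#   OBFUSCATION     lines containing base64_decode / eval( / gzinflate / str_rot13,
#                   with a hint on whether the location could justify them
# The sample tree is constructed in a temporary directory so the script runs
# offline. It reports only; confirm each hit against the vendor's copy before
# touching anything, which is exactly the false-positive caution above.

set -u

# Names the article cites. Extend with whatever your own scan reports.
SUSPECT_NAMES='wp-x1.php
class-wp-legacy.php
radio.php'

# triage_tree DIR: prints one finding per line for every .php file under DIR
triage_tree() {
  dir=$1
  (cd "$dir" && find . -type f -name '*.php' | sed 's|^\./||' | sort) | while IFS= read -r f; do
    case "$f" in
      wp-content/uploads/*) printf 'PHP-IN-UPLOADS  %s\n' "$f" ;;
    esac
    base=${f##*/}
    if printf '%s\n' "$SUSPECT_NAMES" | grep -qxF -- "$base"; then
      printf 'SUSPECT-NAME    %s\n' "$f"
    fi
    # Count lines containing each obfuscation function; fixed-string match so
    # "eval(" is taken literally.
    hits=0
    for pattern in base64_decode 'eval(' gzinflate str_rot13; do
      n=$(grep -cF -- "$pattern" "$dir/$f" || true)
      hits=$((hits + n))
    done
    if [ "$hits" -gt 0 ]; then
      case "$f" in
        wp-content/plugins/*|wp-content/themes/*) ctx='inside a plugin/theme: compare with the vendor copy' ;;
        *) ctx='outside plugins/themes: no legitimate reason' ;;
      esac
      printf 'OBFUSCATION     %s  hits=%s  (%s)\n' "$f" "$hits" "$ctx"
    fi
  done
}

# make_triage_demo: constructed stand-in for an infected site. Prints the root dir.
make_triage_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2026/06" "$root/wp-content/plugins/real-plugin" "$root/wp-includes"
  # A legitimate plugin that happens to decode base64 (a common false positive).
  printf '<?php // constructed: real plugin file\n$data = base64_decode($encoded_icon);\n' \
    > "$root/wp-content/plugins/real-plugin/icons.php"
  # A dropped file in uploads with a classic name and stacked obfuscation calls.
  printf '<?php // constructed: rogue file\neval(gzinflate(base64_decode($payload)));\n' \
    > "$root/wp-content/uploads/2026/06/radio.php"
  # A clean core file for contrast.
  printf '<?php // constructed: clean core file\n$wp_version = "6.x";\n' \
    > "$root/wp-includes/version.php"
  printf '%s\n' "$root"
}

# Stand-alone run: build the demo, print the findings, clean up.
demo_root=$(make_triage_demo)
triage_tree "$demo_root"
rm -rf "$demo_root"
```

Notice the two OBFUSCATION lines it prints: the plugin file gets the "compare with the vendor copy" hint, the uploads file gets "no legitimate reason" and is also flagged twice more for its location and name. That layering is what lets you prioritise without deleting anything on a single hit.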

🔴 Costly Mistake

Deleting flagged files at random to "clean" the site fast. I have rescued more sites broken by panicked cleanup than by the original hack. Deleting a real plugin file white-screens your site. Deleting visible malware while missing one hidden backdoor means the attacker reinfects you within hours and you have learned nothing. Before you delete anything, take a full backup of the current infected state. You can always study it later, and you cannot un-delete a file you needed.

Should you clean it yourself or call a professional?

Be honest about your situation. DIY cleanup is real work and the cost of getting it wrong is high. Use this decision guide.

| Clean it yourself if... | Call a professional if... |
|---|---|
| You have a clean backup from before the infection | You have no backup at all |
| The hack is recent (days, not months) | The site keeps reinfecting after you clean it |
| You are comfortable with files, FTP, and the database | Google has blacklisted the site |
| The site is not critical income (a blog, a small brochure site) | It is an e-commerce site or handles customer data |
| You can afford some downtime while you work | Every hour offline costs you real money |
| It is a single site you fully control | You manage multiple sites on shared hosting (cross-infection risk) |

The DIY path, in short: take a backup of the infected state, restore a clean pre-hack backup if you have one, update everything, change all passwords and the security keys in wp-config, scan again to confirm, then harden. If you do not have a clean backup, you are into manual file-by-file and database cleanup, which is where most people leave a backdoor behind. That single missed backdoor is why reinfection is so common after DIY cleanups.

If you are reading that list and feeling out of your depth, that is the correct instinct for a business-critical site. A professional cleanup finds every backdoor, removes the blacklist, and hardens the site so it does not recur. I do this through my technical consulting service, and ongoing protection is built into my WordPress maintenance plans. If you want a fast diagnosis first, an SEO and traffic audit will also surface a hack that is hurting your rankings. Or just book a free 15-minute call and I will tell you honestly whether it is a DIY job or not.

The cleanup sequence at a glance

WordPress Hack Cleanup, in Order. Never skip a step. Skipping the backup or the hardening is how sites reinfect.

1. BACKUP: Save infected state first
2. SCAN: Remote + server-side
3. IDENTIFY: Every file + backdoor
4. REMOVE: Malware + all backdoors
5. UPDATE: Core, plugins, themes
6. RESET KEYS: Passwords + wp salts
7. RESCAN: Confirm fully clean
8. HARDEN: Firewall + 2FA + backups
9. DELIST: Google review request

Steps 1 to 3 are diagnosis (this article). Steps 4 to 9 are the cleanup itself. Miss step 4's backdoors or skip step 8's hardening, and you are back here in days.
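Step 6, resetting the wp salts, is the one people most often skip because it is not obvious what to type. The eight secret constants in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and their four _SALT partners) sign every login cookie, so replacing them logs out every session, including any the attacker still holds. WordPress.org serves fresh values at https://api.wordpress.org/secret-key/1.1/salt/; the added example below (not the article's or WordPress's code) generates the same eight define() lines locally from /dev/urandom for a host where you would rather not fetch them over the network. The constant names are WordPress's own; the character set and key length are this example's choices.

```shell
#!/usr/bin/env sh
# Added example, not code from the article or from WordPress. Step 6 of the cleanup
# ("RESET KEYS: passwords + wp salts") means replacing the eight secret constants
# in wp-config.php so that every existing login cookie becomes invalid. WordPress
# serves fresh values at https://api.wordpress.org/secret-key/1.1/salt/ ; this
# produces equivalent define() lines locally from the kernel CSPRNG. The constant
# names are WordPress's own; the 64-character length and character set are this
# example's choices.

set -u

WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# random_key LEN: LEN printable characters drawn from /dev/urandom. The apostrophe
# and backslash are excluded so the value can sit inside a single-quoted PHP
# string without escaping.
random_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=<>?,.;:{}|~-' < /dev/urandom | head -c "$1"
}

# wp_salt_block: prints the eight define() lines, ready to paste over the old
# ones in wp-config.php (replace the whole block; do not leave the old keys in).
wp_salt_block() {
  for name in $WP_KEY_NAMES; do
    printf "define( '%s', '%s' );\n" "$name" "$(random_key 64)"
  done
}

# Stand-alone run: print a fresh block.
wp_salt_block
```

After pasting the new block, also change every administrator password and any database or FTP password you suspect was exposed; the salts alone invalidate cookies, not credentials.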

How do you stop it from happening again?

Cleanup without hardening is pointless. The site that got hacked once, with nothing changed, gets hacked again. Patchstack's State of WordPress Security report consistently finds that the overwhelming majority of vulnerabilities come from plugins and themes, not WordPress core. So hardening is mostly about discipline around what you install and how current you keep it.

  • Update within days, not months. Core, plugins, and themes. The window between a vulnerability being disclosed and bots exploiting it is now measured in hours.
  • Delete what you do not use. Every inactive plugin and theme is still attackable code sitting on your server. Remove them entirely.
  • Strong unique passwords plus two-factor on every admin account. This closes the brute-force door, the second most common entry point. My email security guide in this series covers 2FA and passkeys in detail.
  • Install a firewall. Wordfence or Sucuri block malicious traffic before it reaches WordPress.
  • Automated daily backups stored off-server. A backup on the same hosting account that gets hacked is a backup that gets hacked too.
  • Never use nulled or pirated plugins and themes. They ship with backdoors built in. This is a leading infection source for Indian small business sites trying to save a few thousand rupees.
  • Run modern PHP (8.2+) on quality hosting. Old PHP is unsupported and unpatched.

🔵 Quick Stat

Over 90% of hacked WordPress sites are compromised through a known, already-patched vulnerability in an outdated plugin or theme, according to years of Sucuri and Patchstack incident data. Read that again: the fix existed before the hack happened. The owner just had not applied the update. This is the entire reason managed maintenance exists, and why a site under active maintenance almost never ends up in this article's situation.

Why a maintenance plan is cheaper than one cleanup

Here is the math I show every client who asks whether maintenance is worth it. A single professional cleanup with blacklist removal runs Rs.15,000 to Rs.40,000, plus the lost revenue from days of downtime, plus the SEO recovery that takes months after Google has de-ranked your hacked pages. The Pune restaurant lost three months of rankings; rebuilding them took longer than the hack lasted.

Ongoing maintenance prevents almost all of it: updates applied within days, daily off-server backups, a firewall, uptime monitoring, and a human watching. It turns the seven hardening tasks above into someone else's daily routine instead of something you remember to do twice a year. For most small businesses this is the difference between never thinking about security and losing a weekend to a cleanup every year. My WordPress maintenance plans are built exactly around this, and if you would rather hire help for a specific build or fix, you can hire me directly.

The Cyber Kavach series: what comes next

This is article 2 of the opening season of Cyber Kavach. The full run:

  • Article 1: How to check if your email has been hacked, a free 5-minute self-check
  • Article 2: How to check if your WordPress website is hacked (you are here)
  • Article 3: Digital arrest scams in India, how to spot the fraud in 30 seconds
  • Article 4: Is this link safe? How to check any suspicious link before you click
  • Article 5: UPI fraud in 2026, the 10 active scams and the 5-step safety setup

Each article comes with a free, printable resource on my Free Resources page. For this one, download the WordPress Hacked? Emergency Recovery Checklist, a one-page action plan you can follow under pressure, plus keep the WordPress Maintenance Checklist handy for prevention.

Frequently asked questions

How do I check if my WordPress website is hacked for free?
Run three free scans: Sucuri SiteCheck (remote, 30 seconds), Google Search Console Security Issues (what Google detected), and the Wordfence plugin (server-side file scan). The remote scan catches what visitors and Google see; the server-side scan catches hidden files. Also run a site:yourdomain.com search on Google to spot indexed spam pages.

What are the signs a WordPress site is hacked?
Unexpected redirects, Japanese or Chinese text in your Google results, a red Google warning screen, pharma spam pages, unknown admin users, traffic collapse, host suspension, browser warnings, unexplained slowness, and modified core files. One sign warrants a scan; several together is near-confirmation.

What is the Japanese keyword hack?
A spam attack that injects Japanese-language pages into your site to sell counterfeit goods. They do not show on your homepage but flood your Google results and Search Console with pages you never created. It usually enters through an outdated plugin or weak password and builds its own rogue sitemap to get indexed fast.

Can I clean a hacked WordPress site myself?
Yes if the hack is recent, you have a clean backup, you are comfortable with files and databases, and the site is not critical income. Call a professional if you have no backup, the site keeps reinfecting, it is blacklisted, it is e-commerce, or downtime costs you money. The DIY risk is leaving one backdoor, which causes reinfection.

How much does it cost to clean a hacked WordPress site in India?
Rs.8,000 to Rs.40,000 for a one-time cleanup depending on infection depth and blacklist status. Automated plugin services start around Rs.8,000 per year; specialist manual cleanup with hardening is Rs.15,000 to Rs.40,000. Ongoing maintenance that prevents hacks runs Rs.5,000 to Rs.50,000 per month by level.

Will reinstalling WordPress remove the malware?
Not reliably. Malware hides in the database, uploads folder, plugins, themes, .htaccess, and scattered backdoor files. A core reinstall replaces only standard files and misses all of those. Leave one backdoor and the site reinfects within hours.

How did my WordPress site get hacked?
Over 90% of cases trace to a known vulnerability in an outdated plugin or theme. Other doors: weak or reused admin passwords, nulled or pirated plugins with built-in backdoors, cross-infection on shared hosting, and outdated PHP. The fix almost always existed before the hack; it just was not applied.

How do I stop it from happening again?
Update everything within days, delete unused plugins and themes, enforce strong passwords plus 2FA, run a firewall, take automated off-server backups, remove nulled plugins, and use modern PHP on quality hosting. Most businesses cannot keep up manually, which is what a managed maintenance plan handles.

Cyber Kavach · Free Resource

Download the WordPress Hacked? Emergency Recovery Checklist, a one-page action plan to follow under pressure when every minute of downtime counts.

About the author

Dharmendra Asimi is an SEO Expert and WordPress Professional based in Bangalore, India. Founder of Aapta Solutions (established 2007), he has built, cleaned, and hardened WordPress sites for hundreds of Indian businesses since 2005, including malware removal, backdoor cleanup, and Google blacklist recovery. Cyber Kavach is his self-defence series for everyday digital safety. Read his full bio, explore WordPress maintenance plans, technical consulting, or book a free 15-minute call if you suspect your site has been compromised. For the rest of the series and printable checklists, visit the Free Resources page.
