WordPress Security

What Happens When Your WordPress Site Gets Hacked

It's not dramatic. It's quiet, expensive, and almost entirely preventable.

Asger Teglgaard · 8 min read

TL;DR

Most hacked WordPress sites don't look hacked. They get injected with spam links, redirect your visitors to shady sites, or quietly mine cryptocurrency. It happens because of outdated plugins, not because hackers targeted you specifically. Fixing it costs 5,000–20,000 kr. Preventing it costs 99 kr/month.

You probably won't notice it at first

Here's what most people imagine when they hear "hacked website": a skull and crossbones on their homepage. Some dramatic message from a shadowy hacker group. Their data being held for ransom.

That's not how it works.

Most WordPress hacks are quiet. The site still loads. It still looks normal, at least to you. But behind the scenes, things have already gone wrong. Your visitors might be getting redirected to a pharmacy website. Your search results might show Japanese characters and spam links (the so-called Japanese keyword hack). There could be a crypto miner running in your visitors' browsers, slowing down their computers while making someone else money.

You won't see any of this unless you know where to look. And by the time you do notice, maybe because Google sends you a warning or a customer calls to say your site is "acting weird", the damage has been building for weeks.

How WordPress sites actually get hacked

Let's be clear: nobody is targeting you personally. This isn't a movie. There's no guy in a hoodie picking your site out of millions.

What's actually happening is automated. Bots scan the entire internet for known vulnerabilities in WordPress plugins and themes. When a security flaw is disclosed in a plugin, say a contact form plugin installed on 5 million sites, it is published in vulnerability databases. Within hours, bots start probing every website they can reach to find sites still running the vulnerable version.

If your site is one of them, it gets exploited. Automatically. No human involvement needed.

According to Sucuri's annual hacked website reports, a large share of hacked WordPress sites were running outdated software at the time of compromise, with outdated plugins and themes the most common way in. These are not sophisticated attacks. They exploit known vulnerabilities that have already been patched, but the site owner never installed the update.

The most common entry points:

  • Outdated plugins: this is the #1 cause. Plugins with known security holes that haven't been updated.
  • Outdated WordPress core: less common than plugins, partly because WordPress has installed minor security releases automatically since version 3.7 unless that has been switched off, but still a risk. WordPress releases security patches regularly.
  • Weak passwords: "admin/admin123" is still embarrassingly common, and wp-login.php is brute-forced around the clock.
  • Abandoned plugins: plugins that haven't been updated in years and are no longer maintained by their developer, so a flaw found today will never be patched.

The WPScan vulnerability database tracks thousands of known WordPress vulnerabilities. New ones are added every week. Every one of them is a potential door into your site if you haven't updated.

What hackers actually do with your site

Once a bot finds a way into your site, here's what typically happens:

SEO spam injection

This is the most common attack. Hackers inject hidden links and pages into your site, often for pharmaceutical products, gambling sites, or counterfeit goods. Your site starts ranking for "cheap viagra" in Google without you knowing. When Google notices, your entire site's search ranking drops.

Redirect attacks

Your visitors get silently redirected to a different website. It might only happen on mobile, or only for visitors coming from Google (so you won't see it when you type your URL directly). Your traffic numbers drop and you have no idea why.

Malware distribution

Your site becomes a delivery mechanism for malware. Visitors' computers get infected just by visiting your page. Google will flag your site in search results with a bright red "This site may harm your computer" warning, and browsers that use Safe Browsing show a full-page warning before loading it. You can check if your site is flagged using Google's Safe Browsing report.

Cryptocurrency mining

A script gets injected into your pages that uses your visitors' browsers to mine cryptocurrency. Their devices slow down, their fans spin up, and someone else profits. Your visitors just think your site is slow. This peaked around 2017-2018 and has been less common since the Coinhive mining service shut down in 2019, but the injected-script pattern is the same one used for redirects and spam.

Backdoor installation

Even after you "clean" the hack, attackers often leave backdoors: hidden PHP files (frequently in wp-content/uploads/ or disguised as part of a plugin or theme), modified core files, or an extra administrator account that lets them back in whenever they want. This is why simply deleting the obvious malware often doesn't solve the problem, and why file modification times and the user list need checking too.

What it costs when it happens

Here's where it gets painful.

Emergency malware cleanup:                          3,000–10,000 kr
Developer time to find and remove backdoors:        2,000–8,000 kr
Google blacklist removal request + waiting period:  1–4 weeks
Lost business during downtime and blacklisting:     Unknown
Reputation damage with customers who saw the hack:  Impossible to measure

The total bill for a single hack typically lands between 5,000 and 20,000 kr, and that's before you count the business you lost while your site was compromised. If your site generates leads or sales, the real cost is much higher.

And here's the kicker: cleaning up the hack doesn't fix the underlying problem. If you don't update your plugins and close the vulnerability, you'll just get hacked again.

The timeline of a typical attack

Here's how it usually plays out:

  1. Week 0: A vulnerability is disclosed in a popular plugin and a patched version is released. Within hours, bots start mass-scanning for sites still running the vulnerable version.
  2. Week 1: You don't update because you're busy / didn't notice / are afraid of breaking something.
  3. Week 1-4: Your site gets compromised. Spam links injected, backdoors installed. You don't notice.
  4. Month 2-3: Google starts flagging your site. Your search rankings drop. A customer mentions your site is "acting weird."
  5. Month 3+: You discover the hack. Panic. Emergency cleanup. Thousands of kroner spent.

The entire attack could have been prevented by installing the plugin update promptly, ideally within days of its release. That's the frustrating part.

How to check if your site has been compromised

There are some quick checks you can do right now:

  • Google your site: Search site:yourdomain.com and look for pages you didn't create, especially ones in a language your site doesn't use.
  • Check Google Safe Browsing: Go to Google's transparency report and enter your URL.
  • Run a free scan: Tools like Sucuri SiteCheck can detect common malware.
  • Check your files: If you have hosting access, look for recently modified files you didn't change, and for any PHP file under wp-content/uploads/, a directory that should contain only media. If WP-CLI is available, wp core verify-checksums compares the core files against the official release.
  • Test on mobile: Visit your site from a phone using Google search. Redirect attacks often only target mobile visitors from search engines.
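The file checks above, as an added example that is not part of the original article: a read-only triage script for a hosting account with shell access. It assumes you pass the WordPress root directory (the one containing wp-config.php) as its argument; the grep patterns are the common obfuscation idioms of injected PHP and are a starting point, not a complete signature set.

```shell
#!/bin/sh
# Added example, not part of the original article: a read-only file triage
# for a WordPress install. Assumes shell access to the hosting account; pass
# the WordPress root directory (the one containing wp-config.php) as $1.
# It reports only and deletes nothing.

# 1. PHP in the uploads directory. WordPress only stores media there, so any
#    executable file is almost certainly a dropped backdoor or spam page.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) \
        2>/dev/null
}

# 2. PHP files changed in the last N days (default 14). A site nobody has
#    updated should have none; anything here you did not change yourself
#    deserves a look.
recently_modified() {
    find "$1" -type f -name '*.php' -mtime "-${2:-14}" 2>/dev/null
}

# 3. Obfuscation idioms injected PHP leans on: eval() of a decoded or inflated
#    string, and a request parameter called as a function ($_GET["x"](...)).
#    Legitimate code occasionally uses base64_decode, so treat hits as leads
#    to open in an editor, not as proof.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        'eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
        {} + 2>/dev/null
}

# 4. Core integrity, if WP-CLI is installed: compares every core file against
#    the checksums of the official release and lists modified or extra files.
core_checksums() {
    if command -v wp >/dev/null 2>&1; then
        wp --path="$1" core verify-checksums
    else
        echo "wp-cli not found, skipping core checksum check" >&2
    fi
}

scan_wordpress() {
    echo "== PHP under wp-content/uploads (should be empty)"; php_in_uploads "$1"
    echo "== PHP files modified in the last 14 days";        recently_modified "$1" 14
    echo "== PHP files with obfuscation/backdoor idioms";    suspicious_php "$1"
    echo "== Core file checksums";                            core_checksums "$1"
}

if [ $# -gt 0 ]; then
    scan_wordpress "$1"
fi
```

Run it once when the site is known to be clean and keep the output; the diff against a later run is far easier to read than the raw list, since many sites legitimately carry a few base64_decode hits in plugins.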

How to prevent it

The good news: preventing WordPress hacks is straightforward. The bad news: most people don't do it consistently.

The single most important thing is keeping everything updated. WordPress core, all plugins, all themes. Every week, new vulnerabilities are discovered and patched. If you're running the patched version, that particular door is closed. If you're not, you're on the bots' list.

But here's the catch: you can't just click "Update All" and hope for the best. Updates can conflict with each other. They can break your theme. They can cause the White Screen of Death. You need to back up before updating, and verify everything works after.

That's what proper WordPress maintenance actually means. It's not just installing updates โ€” it's the backup-before, verify-after, rollback-if-needed process that keeps your site both secure and functional.
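The backup-before, verify-after, rollback-if-needed routine, as an added example written for this page (it is not WPulse's own tooling). It assumes shell access to the host with WP-CLI and curl installed; WP_PATH, SITE_URL and BACKUP_DIR are placeholders to override in the environment. Uploads are left out of the snapshot because updates don't touch them and they are usually the bulk of the site.

```shell
#!/bin/sh
# Added example, not WPulse's tooling: backup, update, verify, roll back.
# Assumes WP-CLI and curl on the host. The three values below are placeholders;
# set them in the environment for a real site.
WP_PATH="${WP_PATH:-/var/www/html}"
SITE_URL="${SITE_URL:-https://example.com/}"
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-backups}"

# Snapshot what an update can change: the database, plugins and themes, and
# the core version. Uploads are excluded (updates never touch them). Prints
# the snapshot directory so the caller can roll back to it.
backup_site() {
    snap="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$snap"
    wp --path="$WP_PATH" db export "$snap/db.sql" --quiet
    tar -czf "$snap/wp-content.tgz" -C "$WP_PATH" wp-content/plugins wp-content/themes
    wp --path="$WP_PATH" core version > "$snap/core-version"
    echo "$snap"
}

# The verify step. A fatal error usually answers 500; a White Screen of Death
# answers 200 with an empty body, so both the status and the body are checked.
site_is_healthy() {
    body=$(mktemp)
    status=$(curl -sS -o "$body" -w '%{http_code}' "$1")
    if [ "$status" = "200" ] && grep -qi '</html>' "$body"; then rc=0; else rc=1; fi
    rm -f "$body"
    return $rc
}

# Undo: database, plugins/themes and core version back to the snapshot.
# The directories are replaced, not merged, so files an update added go too.
restore_site() {
    wp --path="$WP_PATH" db import "$1/db.sql" --quiet
    rm -rf "$WP_PATH/wp-content/plugins" "$WP_PATH/wp-content/themes"
    tar -xzf "$1/wp-content.tgz" -C "$WP_PATH"
    wp --path="$WP_PATH" core update --version="$(cat "$1/core-version")" --force --quiet
}

# Returns 0 when updates were applied and verified, 1 when they were rolled
# back, 2 when nothing was attempted because the site was already broken.
maintain_site() {
    if ! site_is_healthy "$SITE_URL"; then
        echo "site is already unhealthy; fix that before updating" >&2
        return 2
    fi
    snap=$(backup_site) || return 2
    wp --path="$WP_PATH" core update --quiet
    wp --path="$WP_PATH" plugin update --all --quiet
    wp --path="$WP_PATH" theme update --all --quiet
    if site_is_healthy "$SITE_URL"; then
        echo "updates applied and verified; snapshot kept at $snap"
        return 0
    fi
    echo "site broken after update, restoring $snap" >&2
    restore_site "$snap"
    return 1
}

case "${1:-}" in
    run) maintain_site ;;
esac
```

Invoke it with the argument run from a monthly cron job. The health check is deliberately crude; if the site has a login form or a checkout, add a second curl against that URL, because a theme update can break one page while the front page still renders.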

For a complete prevention checklist, see our WordPress Security Checklist for Non-Technical People.

Prevention costs less than a single hour of cleanup

Regular WordPress maintenance, keeping everything updated, backed up, and verified, costs a fraction of what a single hack costs to fix.

WPulse handles this automatically: every month, we back up your database, update WordPress core and all plugins, verify your site loads correctly, and roll back automatically if anything breaks. No plugins installed on your site. No access to your WordPress admin needed.

99 kr/month. That's less than one hour of emergency developer time, for a full year of peace of mind.

Not sure if your site is healthy?

Talk to us. We'll take a look at your WordPress site and tell you exactly what needs attention โ€” no strings attached.

Related reading