'I Would Know If My WordPress Site Was Hacked.' Most Owners Do Not.

'I would know if my site was hacked.' Every business owner I speak to says some version of that. Most of them are wrong.

Reviewing our incident log from last quarter, the pattern is boringly consistent. A site runs for months looking completely normal. The homepage loads. The contact form sends. The checkout processes orders. Then something external triggers: Google Search Console flags a security issue, a customer rings to ask why your site redirected them to a casino page, or the hosting provider notices outbound traffic that should not exist. That is when the owner finds out. Not before.

The myth that you would notice a compromise is one of the most comforting beliefs in small business web security. It is also one of the most expensive. This article is about why it is wrong, what modern WordPress compromises actually look like, and what proper detection does differently.

Modern Hacks Are Engineered to Stay Hidden

Fifteen years ago, a hacked WordPress site often looked hacked. Homepage defaced, skull and crossbones, some message about a political cause. That era is over. Defacement is bad business for attackers now. It triggers an immediate response from the site owner, gets the vulnerability patched, and ends the income stream.

Today's WordPress compromises are commercial operations. The goal is to keep the site running exactly as the owner expects while the attacker extracts value from it quietly. Three patterns dominate.

The first is SEO spam injection. Links and pages are added to your site promoting pharmaceuticals, gambling sites, counterfeit goods, or whatever the attacker's current client is paying for. The injected content is typically cloaked, meaning it is shown to search engine crawlers and specific visitor profiles while being hidden from the site owner and regular visitors. The pharma hack is the classic example. You will not see it when you browse your own site. It will sit happily inside Google's index.

The second is backdoor installation. A small, obfuscated file is placed somewhere the owner will never look, giving the attacker permanent access to re-enter the site even after the initial vulnerability is patched. Sucuri's 2023 Hacked Website & Malware Threat Report found that 49.21% of compromised sites contained at least one backdoor at the time of clean-up, and their team removed 21,062 backdoors across the year ^[1].

The third is malicious scripting: JavaScript added to page templates or plugins that performs skimming, ad injection, or credential theft against visitors. Again, cloaked. Again, silent from the owner's point of view.

Balada Injector is a good example of the scale this operates at. Sucuri's research team has tracked Balada since 2017 and estimates it has compromised close to one million WordPress sites over the full operation. In September 2023 alone, it hit more than 17,000 WordPress sites, with 9,000 of those through a single cross-site scripting flaw in the tagDiv Composer plugin ^[2]. Almost none of those site owners noticed on day one. The campaign depends on them not noticing.

What Actually Sits on a Compromised WordPress Site

The Sucuri report also gives a decent picture of what an infected site looks like once the cleanup team starts peeling back layers. SEO spam was detected on 42.22% of infected websites. Malicious admin users appeared in 55.2% of infected databases. Roughly 1 in 10 compromised sites hosted a full hack tool of some kind: automated exploit kits, credential stealers, spam mailers, botnet scripts ^[1]. These numbers vary by year and by sample, so take them as indicators of the general pattern rather than precise statistics, but the pattern is consistent across reports.

Translate that to a typical small business WordPress site. A silent compromise is not one thing. It is usually several: a backdoor you would need file-level access to find, a rogue admin user buried in a database table you have never opened, and injected spam content that only renders for Googlebot.

The damage is cumulative and largely invisible from the WordPress dashboard. Your site looks fine because it is still serving the same pages to you. Googlebot is seeing something different, and Google's index is slowly filling with content you never wrote.

The Three Ways You Usually Find Out, and the Time They Take

For a small business WordPress site without dedicated monitoring, detection almost always comes from one of three external signals.

The first is a customer complaint. Someone clicks a link to your site and lands on a casino page. Or a browser warning pops up saying 'deceptive site ahead'. Or a visitor who knows what they are looking at emails you with a screenshot. By the time this signal reaches you, the compromise is usually several weeks old. Customers have been bouncing off that warning the entire time. You just did not hear about it until someone bothered to tell you.

The second is a notification from Google Search Console. Google scans indexed sites for malware, unwanted software, hacked content, and social engineering patterns, and sends an email to every verified owner when something is flagged in the Security Issues report ^[3]. This is the most common way small business WordPress owners find out about a compromise, which is itself a revealing fact. If Google is your intrusion detection system, you are behind.

The third is an alert from a competent hosting provider. Most shared hosts do not do this. A minority, mostly managed WordPress hosts and specialist providers, run server-level malware scans and outbound traffic monitoring and proactively contact the site owner when patterns change. If your hosting provider has never emailed you about anything except a renewal notice, assume this detection layer does not exist for your site.

IBM's 2024 Cost of a Data Breach Report pegged the average time to identify a breach at 194 days across all organisations surveyed ^[4]. That is a figure dominated by enterprises with dedicated security teams. For a small business WordPress site relying on customer complaints and Google penalty emails, the realistic number is typically longer. I have seen compromises that were active for four to six months before detection, and cases where the site was only cleaned because the owner happened to check Google Search Console during a routine SEO review.

What Actual Detection Looks Like

Here is the part of the article where I admit a mistake. A couple of years ago I looked at a client's site three months after they asked me to investigate a PageSpeed drop. Everything in the dashboard looked fine. I did not catch the compromise on the first pass. A spam domain had been appending links to the site's footer for weeks, only rendering to certain user agents. We found it on the second review, by comparing the rendered HTML to the theme source. Now we run file integrity checks as the first diagnostic on anything that looks like unexplained SEO drift. Would not make that call again.

Proper detection of silent compromises is a layered operation, and almost none of it happens inside WordPress itself.

• File integrity monitoring. A baseline of every file on the server, checksummed. Any change, addition, or deletion outside expected patterns gets flagged immediately. Backdoors depend on being invisible. Integrity monitoring removes that invisibility.
• Server-level malware scanning. Not a WordPress plugin. A scan running against the file system itself, checking for known malware signatures and suspicious file patterns. Plugins like Wordfence run inside WordPress and can be disabled by any attacker who already has admin access. Server-level scans cannot.
• Intrusion prevention (fail2ban). Log-based detection that blocks IPs after failed login attempts, suspicious request patterns, and known attack signatures. This prevents most brute-force compromises before they ever succeed.
• Activity logging and anomaly alerts. Every admin login, every plugin install, every file change in the WordPress directories, logged with context. Unusual patterns trigger alerts.
• Outbound traffic monitoring. Compromised sites often become part of botnets or mailers. A sudden spike in outbound connections is one of the earliest real signals of an active compromise.

Most of those layers sit below the WordPress admin dashboard, at the server and hosting platform level. If your hosting provider is not running them, nothing is. A €2.99/month shared hosting plan is not including any of this, regardless of what the marketing page says about 'advanced security'.

At Web60, this is what the platform does by default. Every site runs on hardened Irish infrastructure with server-level malware scanning, fail2ban intrusion prevention, and WordPress-specific security tuning baked in. The platform's security hardening layer handles continuous malware scanning and brute-force blocking at the server level, so a silent compromise is more likely to be caught at the point of entry rather than months later through a Google penalty email. You can read the full architecture behind Web60's Irish-hosted WordPress security model, but the practical version is that detection runs continuously at the layers where silent hacks actually live.

A sync reality check before the architecture claim runs away with itself: no scanner catches every zero-day on day one. A genuinely novel malware signature can sit undetected until the scanner's definitions update, usually within hours to days. That is why file integrity monitoring runs alongside signature scanning, not instead of it. A file that should not have changed is a signal regardless of whether the scanner recognises what is inside it.

This is also why the full WordPress security and backup guide for Irish businesses treats detection as one leg of a three-leg stool: prevention, detection, recovery. None of them works alone. If you want the companion piece on why small business sites are deliberately targeted in the first place, we covered that angle separately.

For a Kilkenny craft brewery selling online, the practical translation is this. Your site could be leaking SEO authority to a Russian pharmacy domain for six weeks before anyone notices, and that six weeks costs you Google rankings, customer trust, and eventually a Google Safe Browsing flag that blocks every visitor until it is removed. Detection measured in hours instead of months is the difference between a cleanup and a recovery project.

Where Enterprise-Tier Security Genuinely Fits

I have to give the honest concession here. If you are running a high-risk WordPress platform, large e-commerce operation processing thousands of daily transactions, or a business with direct regulatory exposure around data, you will want a different class of security infrastructure than a €60/year managed platform provides. A dedicated SOC, 24/7 threat monitoring with tier-2 analysts on rotation, a managed WAF like Cloudflare Enterprise, and an incident response retainer genuinely suit those workloads. The cost runs into thousands of euro a year.

That is not the right answer for most Irish businesses. A typical SME WordPress site needs server-level hardening, continuous scanning, fast response, and a hosting platform that treats security as built-in rather than a premium add-on. For that profile, you do not need an enterprise SOC. You need a hosting provider that runs the basics properly.

Conclusion

The myth that you would know if your WordPress site was hacked is not arrogance. It is a reasonable assumption extrapolated from a world where most software bugs are visible. Web compromises do not work that way, and have not for years. Attackers who get caught quickly do not run profitable campaigns. The ones running profitable campaigns are the ones who stay invisible.

What catches them is not intuition. It is boring, automated, server-level operational work running quietly while you get on with the business. File integrity checks. Malware scans. Intrusion prevention. Activity logs. Outbound traffic monitoring. A hosting provider who treats that as the minimum standard rather than an upsell.

The question worth asking about your current site is not 'has it been hacked?'. The honest answer is 'I probably would not know either way'. The better question is which of the detection layers above are actually running, and who is watching the output. If you cannot name them, they are not running. And if they are not running, the clock is already ticking on something you will eventually find out about the hard way.

Frequently Asked Questions

How can I tell if my WordPress site has been hacked?

Visual inspection is the least reliable method. Most compromises are deliberately hidden from site owners. The more useful signals are: a notification in Google Search Console under Security Issues, a warning from Google Safe Browsing, unusual pages appearing when you search your domain in Google using site:yourdomain.ie, unexpected admin users in the WordPress dashboard, and outbound traffic spikes reported by your hosting provider. Proper detection relies on file integrity monitoring and server-level malware scanning rather than what you can see in the browser.

What is a WordPress pharma hack?

A pharma hack injects links and pages promoting pharmaceutical spam into your WordPress site, typically hidden from regular visitors and shown only to search engine crawlers through a technique called cloaking. The site looks completely normal when you browse it. The damage appears in Google search results, where your business starts ranking for terms you never wrote about, and eventually triggers a Google penalty that is costly to recover from.

How long does a WordPress compromise typically go undetected?

IBM's 2024 Cost of a Data Breach Report found that organisations took an average of 194 days to identify a breach. Small business websites without dedicated monitoring usually fall well behind that average because detection for them relies on external signals: a customer complaint, a Google Search Console notification, or a hosting provider alert. By the time any of those arrive, the compromise has often been active for weeks or months.

Does free SSL or HTTPS protect my site from being hacked?

No. SSL encrypts the connection between a visitor's browser and your server, which protects data in transit. It does nothing to prevent a compromise of the server itself, weak admin passwords, vulnerable plugins, or malicious file uploads. A site with a padlock can be fully compromised. The padlock means your traffic is encrypted, not that your site is secure.

What should I do if I think my WordPress site has been compromised?

First, do not log in from the site's front end and start clicking around. Contact your hosting provider's support team and request a server-level scan and an integrity check against known-good file hashes. Check Google Search Console for security notifications. Change all admin passwords from a clean device. Review the WordPress user list for accounts you do not recognise. If backups exist, identify the most recent clean backup. Then decide between restore and professional cleanup. Managed hosting providers will usually handle the whole process for you.

Does managed WordPress hosting include malware scanning?

It depends on the provider. Proper managed WordPress hosting should include automatic malware scanning, server-level intrusion prevention such as fail2ban, security hardening, and rapid response if a compromise is detected. Basic shared hosting, even when it is branded as 'WordPress hosting', often does none of this. Verify what the word 'managed' actually covers before you rely on it.

Sources