You didn’t get an alert. Your site looks fine. Pages load, checkout works, contact form submits. So nothing happened, right?

Not necessarily.

Most WordPress compromises are silent by design. Attackers don’t deface your homepage — that would alert you immediately. Instead, they inject hidden spam links into your pages, redirect mobile visitors to phishing sites, or use your server to send thousands of emails — all while your site appears completely normal to you.

Here’s how to check whether your site has already been compromised, without installing anything or hiring anyone.

Step 1: Run a Google transparency check
Go to Google’s Safe Browsing tool and enter your URL. If Google has flagged your site for malware or phishing, it will show here. This is also what triggers the “This site may harm your computer” warning in search results.

Step 2: Check your Google Search Console
Log into Search Console and look under Security & Manual Actions. Google will directly notify you here if they’ve detected malware, hacked content, or spam on your site. Many site owners have had active infections for months without checking this panel.

Step 3: Look at your outbound links
Install the free browser extension Redirect Path and browse a few pages of your site. If any links are redirecting visitors to domains you don’t recognise, your site is compromised.

Step 4: Check for unknown admin accounts
Go to your WordPress dashboard → Users → All Users. Filter by Administrator. If there are accounts you don’t recognise, someone has likely already gained access.

Step 5: Run our free scan
Our scanner checks your site against 11,334 known WordPress vulnerabilities in 60 seconds and sends you a full report. If something is wrong, it will tell you exactly what — and how serious it is.

If any of the above checks flag a problem, don’t wait. Every hour an active compromise continues, the damage compounds — more spam sent from your domain, more SEO equity destroyed, more phishing pages indexed under your name.

→ Run your free scan now