WordPress Website Hacked?
Our US‑based in‑house team delivers proactive, reliable, and specialized WordPress Security, malware and hacked solutions designed for businesses, agencies, and individual site owners.







If your WordPress site is hacked, act in this order
Don't delete anything yet. 1) Put the site in maintenance mode and change every password. 2) Scan with Sucuri SiteCheck and a server-side scanner like Wordfence. 3) Remove the malware AND the backdoor that let it in, or it comes back within days. 4) Update everything, then request a Google review if you were flagged. If that sounds like more than you signed up for, our US-based team has been cleaning hacked WordPress sites since 2014 — get an emergency quote.
Is Your Site Actually Hacked, or Just Broken?
About a third of the "hacked" emergencies we see are not hacks. They're plugin conflicts, expired SSL certificates, or a caching issue that made the site look defaced. Before you panic-delete files, run this check:
| What you see | Probably a hack if… | Probably NOT a hack if… |
| White screen / error | Error mentions unknown files or eval() code | It started right after a plugin or theme update |
| Site redirects elsewhere | Redirects go to pharma, casino, or adult domains | It redirects to your own domain with www/SSL changes |
| Strange content | Japanese/pharma spam pages appear in Google results | Layout is broken but the text is still yours (CSS/caching) |
| Can't log in | Your admin account is gone or the email was changed | Password reset works and no new admin users exist |
| Browser warning | "This site may be hacked" or red Safe Browsing screen | "Not secure" only — that's just a missing SSL certificate |
Fastest confirmation: run your URL through Sucuri SiteCheck and check Google Safe Browsing status. Both are free and take under a minute.
9 Signs Your WordPress Site Is Hacked
The most reliable signs of a hacked WordPress site are unexpected redirects, spam pages in Google, unknown admin users, and modified core files. Here is the full list we check first:
- Visitors get redirected to spam or scam domains (often mobile-only, so you may not see it yourself)
- Google shows pages you never created — frequently in Japanese or pushing pharma products
- A "This site may be hacked" label or a red warning page appears in search results or Chrome
- New admin users you didn't create, or your own login credentials suddenly fail
- Core files like wp-config.php or .htaccess were modified when you changed nothing
- Your host suspends the account or your outgoing email lands in spam (server flagged for spam-sending)
- Traffic collapses overnight in Search Console, or a Security Issues notice appears there
- The site is drastically slower, with CPU spikes from crypto-mining or bot scripts
- Pop-ups or ads appear that you never installed
Which Hack Do You Have?
Identifying the hack type tells you where the infection lives and how it got in. These five cover the vast majority of WordPress compromises:
| Hack type | Symptom | Where it hides | Usual entry point |
| Malicious redirect | Visitors sent to spam domains | .htaccess, theme header.php, database widgets | Vulnerable plugin |
| Japanese keyword hack | Thousands of Japanese spam pages indexed | Auto-generated sitemaps, cloaked pages, fake GSC owners | Outdated core/plugin |
| Pharma / SEO spam | Viagra/casino links injected into your pages | Database posts, cloaked content only Google sees | SQL injection, weak login credentials |
| Backdoor / webshell | Hack keeps returning after cleanup | Fake plugin folders, wp-includes, uploads directory (.php in /uploads/) | Left behind by the original breach |
| Defacement | Homepage replaced with hacker message | index.php, active theme files | Brute force attack on wp-admin |
How to Fix a Hacked WordPress Site: 7 Steps
Cleaning a hacked WordPress site means containing the damage, finding every infected file, removing the malware and its backdoor, then closing the hole it entered through. In order:
1. Contain first — don't wipe anything
Put the site in maintenance mode so visitors aren't exposed. Take a full backup of the site as-is, infection included. It sounds backwards, but if a cleanup step breaks the site, that infected backup is your only path back to your content. Then change every password: WordPress admins, hosting panel, SFTP, and the database password in wp-config.php.
2. Scan from two angles
Remote scanners like Sucuri SiteCheck only see what a browser sees. Server-side scanners like Wordfence read the actual files and catch backdoors remote scans miss. Run both. Note every flagged file path before touching anything.
3. Check file integrity against clean originals
WordPress core files should match the official release byte-for-byte. Wordfence's file integrity check compares your core, and repo plugins/themes, against the originals and shows exactly what changed. Anything modified in wp-admin or wp-includes that you didn't change is a red flag. Also sort /wp-content/uploads/ by file type: PHP files in an uploads folder are almost always malicious.
4. Remove the malware and the backdoor
Replace modified core files with fresh copies from WordPress.org. Delete plugins/themes you don't recognize, and reinstall the ones you keep from their official source. Search the database (wp_posts, wp_options) for injected script tags and iframes. Most importantly, hunt the backdoor: obfuscated code using functions like eval, base64_decode, or gzinflate tucked into a legitimate-looking file.
WarningWhy hacks come back: the reinfection checklist
If a site gets reinfected within days, one of these was missed: 1) a backdoor file survived the cleanup, 2) a rogue admin or database user still exists, 3) the vulnerable plugin was cleaned but not updated, so it was re-exploited, 4) stolen passwords were reused instead of rotated, or 5) a cron job or must-use plugin re-downloads the malware on schedule. Cleanup without root-cause removal is temporary.
5. Audit users and access
Delete admin accounts you don't recognize, check for unfamiliar database users, review FTP/SSH accounts at the host, and remove unknown owners in Google Search Console (the Japanese keyword hack adds one to control your indexing).
6. Update everything, then harden
Update WordPress core, every plugin, every theme, and PHP itself. Most WordPress hacks start with a known plugin vulnerability that had a patch available. Then: two-factor authentication on all admins, login attempt limits to blunt brute force attacks, and file editing disabled in wp-config.php. The official WordPress hardening guide is the reference here.
7. Verify, then monitor
Re-run both scans clean, watch logs for a week, and set up uptime and file-change monitoring. Ongoing monitoring is exactly what a WordPress maintenance plan exists for — hacks caught in hours are far cheaper than hacks caught by Google.
Clean It Yourself or Hire a Professional?
Honest answer: not every hack needs us. If it's a simple defacement, you're comfortable with SFTP, and the site isn't your revenue source, the 7 steps above will get you there in an afternoon. Hire professional WordPress malware removal when any of these are true:
- The site makes money. Every hour of downtime or Google blacklisting has a real dollar cost that dwarfs a cleanup fee.
- It's already come back once. Reinfection means a backdoor survived. Finding obfuscated webshells is forensic work, not plugin-button work.
- Customer data may be exposed. WooCommerce or membership sites can carry breach-notification obligations. You need certainty, not "the scanner says clean."
- Google has flagged you. A botched review request extends the blacklist. It should be filed once, after a verified-clean state.
What's IncludedWhat professional cleanup includes at WP Technicians
Full server-side scan, manual file integrity review, malware and backdoor removal, database cleaning, user audit, core/plugin/theme reinstall from official sources, hardening, blacklist review requests, and a post-clean monitoring window — handled by our US-based team through Premium Support.
Recovering Your Google Rankings After a Hack
A hack hurts SEO twice: Google may label or deindex your site, and spam pages dilute your crawl. Recovery has its own checklist, and most cleanup guides skip it:
- Open Search Console → Security Issues. Once verified clean, request a security review from Google. Warnings typically clear within days of an approved review.
- Site-search yourself (site:yourdomain.com) for leftover spam pages. Serve 404/410 on them and request removal of the worst offenders via the Removals tool.
- Check indexed pages for the Japanese keyword hack pattern: thousands of new URLs you never wrote. Remove injected sitemaps and rogue GSC owners.
- If email was affected, check your domain against spam blocklists and request delisting after the server is clean.
- Expect rankings to take weeks, not days, to fully recover after the warning clears. If they don't, that's an SEO recovery project, not a security one.
Preventing the Next One
Nearly every WordPress hack traces back to one of four causes: outdated software, weak login credentials, a vulnerable plugin, or an insecure host. Prevention is just closing those four doors and keeping them closed: weekly updates, 2FA everywhere, fewer and better-vetted plugins, off-site backups you've actually test-restored, and hosting with server-level malware scanning and isolation. That last one is the difference between a hardened environment and hoping — it's the core of our managed WordPress hosting, and the update/monitoring routine is what a maintenance plan automates.
PreventionThe 15-minute monthly habit that prevents most hacks
Update core, plugins, and themes. Delete anything deactivated. Confirm your backup ran and spot-restore one file. Review admin users. Sites that do this monthly almost never end up on this page.
Hacked WordPress Site: FAQ
How do WordPress sites get hacked in the first place?
The most common entry points are outdated plugins with known vulnerabilities, weak or reused passwords cracked by brute force attacks, nulled (pirated) themes containing pre-installed malware, and insecure shared hosting. WordPress core itself is rarely the breach point when kept updated.
Will restoring a backup remove the hack?
Only if the backup predates the infection, and most infections are discovered weeks after entry, so recent backups are often infected too. Restoring also reopens the original vulnerability. A restore can be a starting point, but it must be followed by updates, password rotation, and a scan.
How long does it take to clean a hacked WordPress site?
A straightforward infection on a small site is typically cleaned in a few hours. Deep infections with multiple backdoors, database injection, or thousands of indexed spam pages can take one to several days, and Google blacklist removal adds a review wait after the cleanup itself.
Does being hacked hurt my Google rankings permanently?
Usually not, if you act fast. Rankings commonly dip while a security warning is active and recover over the following weeks once Google approves your review and recrawls the clean site. Long-term damage mostly happens when hacks sit unnoticed for months and spam pages get deeply indexed.
My host suspended my account for malware. What do I do?
Ask the host for their malware scan report and temporary SFTP access for cleanup, since most hosts allow file access even while the site is offline. Clean the flagged files plus the backdoor, then request their re-scan to lift the suspension. If they won't cooperate on a timeline, a professional team can usually work directly with the host on your behalf.
Hacked right now? Skip the 7 steps.
Send us the URL and what you're seeing. Our US-based WordPress specialists have been cleaning, hardening, and un-blacklisting hacked sites since 2014 — malware removed, backdoor found, Google warning cleared.
Get an Emergency QuoteQuestions? Email contact@wptechs.com or get a free quote → wptechs.com/contact-us