Your WordPress site is showing spam, redirecting visitors, or flagged by Google. What you do in the next hour decides whether this is a 4 hour cleanup or a 4 week recovery. This is the first response protocol a senior engineer runs, written by someone who has cleaned over 150 hacked WordPress sites.
Last updated ยท Reviewed by Ali Yasin Jatoi
Open the site in a private window and from a phone on mobile data. If you see spam pages, redirects to unrelated domains, or a Google Safe Browsing warning, treat it as a hack. If the site just throws a 500 error and the admin is broken, it is far more likely a bad update, not a hack, and the response is different.
Put the site in maintenance mode or password protect it at the host level. Do not delete files, do not reinstall WordPress, and do not run a scanner cleanup yet. Deleting evidence is the single most common mistake, because it destroys the trail we need to find how they got in and lets the attacker come back through the same door.
Full server backup: files plus the database plus the access logs. Store it off-server. This is what a real WordPress malware removal engineer will need. Without it you are guessing.
Change the WordPress admin password for every user, rotate the database user password, rotate hosting and SFTP credentials, and generate new WordPress salts in wp-config.php. This kicks any active session out of the site.
If you can read PHP, know how to grep for base64_decode and eval, and can audit wp_users plus cron jobs, keep going. If not, hand it to an engineer. Every hour a hack stays live costs traffic, trust, and often triggers a hosting suspension.
Match the symptom to the infection. Every family has a different fix path and a different reinfection risk.
| Symptom | Most likely cause | Severity |
|---|---|---|
| Google shows Japanese pages under your domain | Japanese SEO hack: a doorway script generating spam pages | High, ranking damage |
| Site redirects visitors to counterfeit pharmacy or affiliate sites | 302 redirect / pharma hack in .htaccess, functions.php, or mu-plugins | Critical, immediate traffic loss |
| Google Search Console shows a Deceptive Site warning | Google Safe Browsing flagged malware, phishing, or unwanted software | Critical, 95% CTR loss on click through |
| An admin user you did not create appears in wp_users | Attacker planted a persistent admin account for reinfection | Critical, still compromised |
| The checkout exfiltrates card details silently | Magecart style skimmer injected into checkout JavaScript | Critical, PCI incident |
| Hidden outbound links to gambling or replica goods in your footer | SEO spam injection targeting your outbound link equity | Medium, ranking drag |
Not every WordPress hack needs an engineer. Some absolutely do. Read the row that matches your situation.
If: You can read PHP and grep for base64_decode, eval, str_rot13
Then: You can attempt a DIY cleanup, but plan for 4 to 8 hours and expect at least one reinfection cycle.
If: The site is on shared hosting with no SSH access
Then: Hand it to an engineer. Cleaning a shared host WordPress hack through cPanel alone is slow and unreliable.
If: WooCommerce, LMS, or membership site with active revenue
Then: Hand it to an engineer immediately. Every hour of downtime here is quantifiable revenue loss.
If: Google flagged the site as deceptive
Then: Cleanup is only half of it. You also need the reconsideration request submitted correctly, which is where most DIY attempts stall.
If: You already cleaned once and the hack came back
Then: Definitely engineer. Reinfection almost always means a backdoor or a rogue cron the scanner missed.
If any of the following is true, the cheapest path is to hand it over. Every hour a live hack stays visible costs traffic, trust, and often triggers a hosting suspension you then have to fight to reverse.
Open the site in a private window and on mobile data. If you see spam pages, redirects to unrelated domains, unknown outbound links in the footer, a Google Safe Browsing warning, or unknown admin users in wp_users, it is a hack. A 500 error alone is usually a bad plugin update, not a hack.
Isolate the site, do not delete anything, take a forensic snapshot (files, database, access logs), and rotate every credential. Do not run a scanner cleanup before the snapshot, because you will destroy the evidence needed to find how they got in.
Yes if you can read PHP, grep for encoded strings like base64_decode, and audit wp_users, cron jobs, and mu-plugins. Plan for 4 to 8 hours and expect at least one reinfection cycle. If you cannot, hand it to a senior engineer, because reinfection almost always means a backdoor a scanner missed.
Flat $249 for a standard hacked WordPress cleanup by a senior engineer, with a 30 day reinfection guarantee. Complex reinfections, multisite networks, and WooCommerce stores are quoted after a free 15 minute triage.
Only if the infection stays visible. In most cases rankings recover within days once the malware is removed, the reconsideration request is submitted, and Google recrawls clean pages. The pages that were replaced by spam usually come back, though a large Japanese SEO hack can leave a 2 to 4 week recovery tail.
A senior engineer clean is a median of 4 hours from access. DIY cleanup on a single site is typically 4 to 8 hours plus a reinfection cycle. Google Safe Browsing reconsideration takes another 24 to 72 hours after the site is clean.
The vast majority of WordPress hacks come through outdated plugins, weak or reused admin passwords, and abandoned themes. After cleanup, keep every plugin and theme current, force strong passwords with 2FA, remove any plugin you do not actively use, and put the site on ongoing maintenance. Reinfection almost always traces back to one of those three.