
WordPress Site Hacked? Here's How to Clean It Up — Safely

The short answer

If your WordPress site is showing spam pages, redirecting visitors elsewhere, or triggering a Google "this site may be hacked" warning, it has almost certainly been compromised — but it's fixable, and you have not lost your site. The right move is to stay calm, take a backup before you touch anything, change your passwords, and then identify and remove the malware while patching the entry point that let it in. Rushing the cleanup or deleting files blindly is what turns a bad day into a worse one.

What you're seeing

  • Unexpected redirects sending visitors to spam, pharma, or sketchy third-party sites — often only on mobile or only from Google
  • Spammy pages, posts, or links you didn't create (pharma, replica goods, gambling), or junk text injected into your existing pages
  • New admin users you don't recognize, or suspicious scheduled posts and cron jobs you never set up
  • A Google Search Console security alert, a "this site may be hacked" SERP label, or a browser/host blocklist warning
  • Modified core, theme, or plugin files, a defaced homepage, or your host suspending the account for malware

What causes it

An outdated plugin or theme

The most common entry point by far is a plugin or theme left un-updated past a known security patch. Attackers scan the web for sites running vulnerable versions and exploit them automatically. The longer an update sits unapplied, the wider the window.

A vulnerable plugin (even when fully updated)

Sometimes the plugin itself has a flaw the developer hasn't fixed yet, or the plugin has been abandoned entirely and will never be fixed. A single insecure plugin can give an attacker a foothold to upload files or create admin accounts. Nulled or pirated premium plugins are an especially frequent culprit — many ship with backdoors built in.

Weak or reused passwords

Brute-force and credential-stuffing attacks target wp-admin, hosting, and FTP logins constantly. A weak admin password, or one reused from a service that was breached elsewhere, hands over the keys directly. Logins without two-factor authentication are the easiest targets.

Shared-host cross-contamination

On shared hosting, multiple sites can live under the same account or server space. If a neighbouring site is compromised, malware can spread across the directory into yours — even if your WordPress was perfectly maintained. This is why a clean reinstall sometimes gets reinfected within hours.

An out-of-date WordPress core or server stack

Running an old WordPress version, or an outdated PHP version your host no longer patches, leaves known holes open. Core is usually well-maintained via auto-updates, but sites with auto-updates disabled drift out of support. The underlying server software matters as much as WordPress itself.

A leftover backdoor from a previous hack

If a site was compromised before and only partially cleaned, attackers almost always leave a hidden backdoor file to re-enter later. Removing the visible symptoms without finding that backdoor leads straight to reinfection. This is the single biggest reason DIY cleanups fail.

How to fix it yourself

If you want to attempt the first steps yourself, here's how to do it safely and without making things harder to fix later.

  1. Take a full backup before touching anything

    Back up your entire site — files and database — even though it contains the malware. This preserves evidence of how the attacker got in and gives you a restore point if a cleanup step goes wrong. Download it locally; don't rely only on a backup that lives on the same compromised server.

  2. Change every password and reset your salts

    Reset your WordPress admin, hosting, database, and FTP/SFTP passwords to strong, unique ones, and remove any admin users you don't recognize. Then rotate your WordPress security keys (salts) in wp-config.php to force every existing session to log out, which kicks out an attacker who is currently signed in. Enable two-factor authentication on wp-admin while you're there.

  3. Update WordPress core, themes, and plugins

    Bring core, all themes, and all plugins up to their latest versions, since an outdated component is the most likely entry point. Delete any plugins or themes you aren't actively using, especially nulled ones. Don't reactivate anything until you're confident the entry point is closed.

  4. Scan and inspect for malware

    Run a reputable security scanner to flag injected code, unknown files, and modified core files. Compare your wp-admin and wp-includes directories against a fresh copy of the same WordPress version to spot anything that doesn't belong. Look closely for recently modified PHP files and obfuscated code, which often signal a backdoor.

  5. Request a blocklist review once it's clean

    After you're confident the site is genuinely clean and the hole is patched, request a review in Google Search Console to clear any "this site may be hacked" warning. Ask your host to lift any malware suspension as well. Submitting for review before the site is truly clean only resets the clock and can prolong the penalty.
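Step 4's core-file comparison and backdoor hunt, as an added example that is not code from this page or from Mend: it diffs an installed tree against a fresh copy of the same WordPress version, then flags PHP files that carry obfuscation markers, changed within the last week, or sit in wp-content/uploads/ where no PHP belongs. The directory trees and sample files are constructed in a temporary folder, and the marker list is an assumption, far smaller than a real scanner's.

```python
import hashlib, os, re, tempfile, time
from pathlib import Path

CORE_DIRS = ("wp-admin/", "wp-includes/")  # trees a fresh WordPress download fully describes
# Illustrative obfuscation markers (assumption: a small demo list, not a real scanner's signature set)
SUSPECT = re.compile(rb"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|[A-Za-z0-9+/]{200,}={0,2}")

def sha256(p: Path) -> str:
    return hashlib.sha256(p.read_bytes()).hexdigest()

def files(root: Path) -> dict:  # relative POSIX path -> absolute path for every file under root
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}

def audit(site: Path, fresh: Path, recent_days: int = 7) -> dict:
    """modified: core file whose hash differs from the fresh copy; extra: file in wp-admin/ or wp-includes/
    the fresh copy does not ship; suspicious: PHP with markers, changed within recent_days, or in uploads/."""
    s, f = files(site), files(fresh)
    cutoff = time.time() - recent_days * 86400
    report = {"modified": [], "extra": [], "suspicious": []}
    for rel, p in sorted(s.items()):
        if rel.startswith(CORE_DIRS):
            if rel not in f:
                report["extra"].append(rel)
            elif sha256(p) != sha256(f[rel]):
                report["modified"].append(rel)
        if p.suffix == ".php" and (SUSPECT.search(p.read_bytes()) or p.stat().st_mtime > cutoff
                                   or rel.startswith("wp-content/uploads/")):
            report["suspicious"].append(rel)
    return report

def write(p: Path, body: bytes, mtime: float) -> None:  # helper for building the constructed trees
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(body)
    os.utime(p, (mtime, mtime))

def demo() -> dict:  # constructed fresh copy and constructed infected site in a temp dir, then audit
    root, now = Path(tempfile.mkdtemp()), time.time()
    old = now - 30 * 86400  # untouched files were last changed a month ago
    core = {"wp-includes/version.php": b"<?php $wp_version = '6.5';\n",
            "wp-admin/index.php": b"<?php require_once __DIR__ . '/admin.php';\n"}
    for rel, body in core.items():
        write(root / "fresh" / rel, body, old)
        write(root / "site" / rel, body, old)
    write(root / "site/wp-content/themes/demo/functions.php", b"<?php add_action('init', 'x');\n", old)
    # Constructed injections: inert placeholders, not working payloads; mtime is "now"
    write(root / "site/wp-admin/index.php", core["wp-admin/index.php"]
          + b"<?php eval(base64_decode('" + b"A" * 240 + b"'));\n", now)
    write(root / "site/wp-content/uploads/2024/cache.php", b"<?php /* constructed dropper */ echo 1;\n", now)
    write(root / "site/wp-includes/wp-tmp.php", b"<?php /* constructed planted file */\n", now)
    return audit(root / "site", root / "fresh")
```

On a real install, WP-CLI's `wp core verify-checksums` does the core comparison against WordPress.org's published checksums; the theme, plugin and uploads checks still need a triage pass like the one above.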

Rather not risk it? We'll fix it for you.

Thorough malware removal is genuinely hard and risky to do yourself — one missed backdoor file and the spam or redirects come right back, often within a day. Mend's Emergency Rescue ($299) puts senior engineers on your site fast: we back up first, find and remove every piece of malware, patch the entry point that let it in, reset your credentials and salts, and request the blocklist review for you. Every step is documented so you can see exactly what we did, and it's backed by our money-back guarantee — if we can't fix it, you don't pay.


Frequently asked

How do I know for sure my WordPress site is hacked?
Clear signs are unexpected redirects, spam pages or links you didn't create, unfamiliar admin users, a Google "this site may be hacked" warning, or your host flagging malware. If you see any of these, treat the site as compromised. A security scan will confirm it and show you what was injected.
Can I just restore a backup to fix a hacked site?
Restoring a clean, pre-hack backup can remove the malware, but only if you also patch the vulnerability that let the attacker in first. If you restore without closing the entry point — an outdated plugin, a weak password, a leftover backdoor — the site usually gets reinfected. A backup is part of the fix, not the whole fix.
Why does my site keep getting hacked again after I clean it?
Reinfection almost always means the original entry point is still open or a hidden backdoor file was missed during cleanup. Attackers plant these specifically so they can return after a surface-level fix. Lasting removal requires finding and closing the root cause, not just deleting the visible spam.
Will a hacked site hurt my Google rankings?
Yes — Google may flag your site with a security warning, suppress it in results, or drop affected pages, and visitors who hit a warning bounce immediately. The faster the site is cleaned and submitted for review, the faster rankings and traffic recover. Leaving it unresolved deepens the damage over time.
How fast can Mend remove the malware?
Emergency Rescue is built for speed — senior engineers start on your site quickly rather than leaving you in a ticket queue. Most hacked-site cleanups are completed within hours of getting access, depending on how deeply the malware spread. We back up first, fix it, document everything, and stand behind it with a money-back guarantee.