Your WordPress site is redirecting visitors to a fake pharmacy site, or Chrome is showing a full-page red warning that says “this site may harm your computer.” Either way, your WordPress site is hacked, and you don’t have time to panic. In my 10+ years building and maintaining WordPress sites, including 950+ client projects on Fiverr, I’ve cleaned up more hacked sites than I can count. The process is almost always the same, and most site owners make it worse by rushing to delete files before they understand what they’re looking at.
Here’s the exact sequence I use when a client messages me saying “my site’s been hacked, help.” No fluff, no upsell, just the steps in the order that actually protects your site, your visitors, and your SEO.
The Signs Your WordPress Site Is Actually Hacked
Before you go into cleanup mode, confirm it’s actually a hack and not a plugin conflict or a bad update. I’ve had clients call me in a panic over a broken layout that turned out to be a theme bug, not malware. Real signs of a hack look like this:
- Your homepage redirects visitors to another site, usually spam, adult content, or fake pharmacy pages
- Google Search Console shows a “security issue” flag, or visitors see a red warning screen in Chrome
- There’s an admin user in your Users list that you never created, often with an innocent name like “support” or “editor2”
- Your site suddenly runs slow, throws pop-ups, or shows ads you never installed
- You spot .php files sitting inside
wp-content/uploads/, a folder that should only ever contain images and media
If two or more of these apply, treat it as confirmed and move fast. The longer malware sits on your site, the more it spreads and the more damage it does to your rankings.
Step 1: Put the Site in Maintenance Mode
Your first move is to stop the bleeding, not fix the wound. Isolate the site so it stops infecting visitors and stops racking up more Google Search Console flags while you work. Most hosts let you flip on maintenance mode or temporarily suspend public access from the hosting dashboard. If your host doesn’t offer that, a maintenance mode plugin works, but only if the plugin itself still functions, since some malware disables the admin dashboard.
If the dashboard is completely locked out or throwing a white screen, you’re dealing with something closer to what I cover in my WordPress critical error guide, and you’ll need SFTP or file manager access through your host to get back in first.
Step 2: Change Every Password Right Now
Not just your WordPress admin password. Change all of these, in this order:
- Hosting account / cPanel password
- SFTP / FTP credentials
- WordPress database user password
- WordPress admin account(s)
- Any email account connected to the site
If the hacker got in through a weak password, this closes the door they walked through. If they got in another way, it still stops them from waltzing back in through the front door while you’re cleaning up the back.
Step 3: Back Up the Infected Site Before You Touch Anything
This sounds backwards, but take a full backup of the site exactly as it is, infected files and all, before you start deleting anything. If you break something mid-cleanup, you need a way to roll back and try again instead of losing the site entirely. If a clean backup from before the hack exists, that’s your fastest way back to normal: restore it, then go straight to hardening the site so it doesn’t happen again. This is exactly why I’m strict with every client about having a real backup plugin running, which I cover in detail in my WordPress backup plugin guide. Sites with a clean recent backup are usually back online within an hour. Sites without one can take days of manual file-by-file cleanup.
Step 4: Find and Remove the Malware
This is the part people get wrong. They open a random plugin folder, see code they don’t recognize, and panic-delete it, sometimes taking down a legitimate plugin along with the malware. Work through these locations in order:
- wp-content/uploads/: this folder should never contain .php files. If it does, they’re almost always backdoors.
- wp-config.php, .htaccess, and index.php: compare these against fresh copies from a clean WordPress install. Injected code usually shows up as a long, obfuscated base64 string near the top or bottom of the file.
- Theme and plugin folders you don’t recognize: if you didn’t install it, it doesn’t belong.
If you have SSH or terminal access through your host, this command finds every PHP file hiding inside your uploads folder in seconds:
find wp-content/uploads -name "*.php"Anything that command returns is suspicious by default. No plugin needs to write executable PHP into your media folder to function normally. A malware scanner will speed this whole process up and catch things a manual file check misses, which is one of the reasons I run one on every client site as a baseline, not just after an incident. I go through the two I trust most in my Wordfence vs Sucuri comparison.
Step 5: Kill the Backdoors and Rogue Admin Users
Removing the visible malware isn’t the finish line. Hackers plant backdoors specifically so they can walk back in after you’ve cleaned up, and that’s the step people skip. Go to Users → All Users and delete any administrator account you didn’t create yourself. Then check Tools → Scheduled Actions or your WP-Cron entries for jobs you don’t recognize, since a common backdoor trick is scheduling a “cron job” that silently re-downloads the malware on a timer, even after you’ve deleted the original files.
Step 6: Reinstall WordPress Core and Update Everything
Once the obvious infection is gone, go to Dashboard → Updates and click “Re-install Now” on the current WordPress version. This overwrites every core file with a fresh copy without touching your database or content, and it wipes out any core file tampering you might have missed. Then update every theme and plugin to the latest version, and delete anything inactive. An old, unused plugin is exactly the kind of unpatched entry point that got you hacked in the first place.
Step 7: Request a Review in Google Search Console
If Google flagged your site as hacked or dangerous, cleaning the malware doesn’t automatically lift the warning. You have to ask. Log into Google Search Console, go to Security Issues, and submit a review request once you’re confident the site is clean. In my experience this clears in anywhere from a few hours to about three days, depending on how thorough your cleanup was. If the warning is still there after a week, something got missed, and it’s worth running a second scan before requesting another review.
How to Make Sure This Never Happens Again
Cleaning a hacked site is stressful and avoidable. After 950+ projects, the sites that never get hacked all share the same habits:
- A real security plugin running full-time, not installed after the fact
- Two-factor authentication on every admin account
- Automatic, offsite backups running daily, not just “whenever I remember”
- WordPress core, themes, and plugins updated within a week of release, not months later
- Unused plugins and themes deleted, not just deactivated
None of these takes more than an hour to set up, and together they close the doors that hackers actually use. A WordPress site hacked once is stressful. A WordPress site hacked twice, because the same door was never closed, is just avoidable.
Frequently Asked Questions
Look for unexpected redirects to other sites, a security warning in Google Search Console or Chrome, admin users you didn’t create, unfamiliar .php files in your uploads folder, or a sudden appearance of pop-ups and ads. Any one of these on its own could be something else, but two or more together almost always means a hack.
If you’re comfortable with SFTP and can tell legitimate WordPress files from injected code, you can clean a straightforward infection yourself. If the site handles customer data, payments, or you can’t confidently tell what’s malicious, bring in a developer. A botched manual cleanup that misses a backdoor often means getting hacked again within weeks.
No, not permanently. Once you clean the malware and submit a review request through Google Search Console, the warning typically clears within a few hours to a few days. It only stays flagged if the infection wasn’t fully removed or if you never requested a review in the first place.
Clean the malware completely first, including backdoors and rogue admin users, then submit a review request in Google Search Console under Security Issues. Skipping straight to the review request without a thorough cleanup just delays things, since Google will re-scan and re-flag the site if anything malicious is still there.
In my experience cleaning up client sites, it’s almost always one of three things: an outdated plugin or theme with a known vulnerability, a weak or reused admin password, or a nulled/pirated premium plugin that shipped with malware baked in. Keeping everything updated and buying plugins from legitimate sources closes most of the doors hackers rely on.

Leave a Reply