Signs your WordPress site may be hacked
- Visitors are sent to a different website or a fake security page
- Google shows spam titles, Japanese keywords, or pages you did not create
- The browser or hosting company flags the site as dangerous
- New WordPress administrators appear without explanation
- Files return after being deleted, or the site is reinfected within days
- Outgoing email, CPU use, or hosting bandwidth suddenly increases
Some compromises are visible only to search engines, mobile visitors, or traffic from specific sources. A homepage that looks normal to the owner does not prove the installation is clean.
What a proper cleanup includes
Containment and backup
I preserve what is available, limit ongoing abuse where practical, and gather enough evidence to avoid destroying the only workable recovery path.
File, database, and account review
The work can include checking WordPress core against known-good files, reviewing plugins and themes, finding injected database content, removing rogue users, inspecting scheduled tasks, and checking server-level files attackers commonly use for persistence.
Credential reset and hardening
A cleanup is incomplete if the entry point remains open. Depending on the cause, that can mean replacing vulnerable software, updating WordPress, rotating credentials, regenerating security keys, correcting file permissions, and adding practical protection and backups.
Search and warning recovery guidance
After the site is clean, I provide the next steps for Google Search Console, hosting warnings, or browser blocklists when those systems need a review request.
Malware removal cannot honestly be priced from one screenshot
A small compromised brochure site is different from an old WooCommerce installation spread across several hosting accounts. The free first look determines whether the job fits the starting price before you approve it.