How to Fix a Hacked WordPress Site Without Losing SEO

Your rankings just dropped. Google is showing a “This site may be hacked” warning. Your hosting provider suspended your account. Or worse, you have no idea anything is wrong, but your traffic fell off a cliff last week.

If any of that sounds familiar, your WordPress site has likely been compromised, and how you handle the next 24 to 72 hours will determine whether you recover your SEO or lose months of ranking progress permanently.

This guide walks you through exactly what to do: how to confirm the hack, clean the infection, restore trust with Google, and make sure your rankings survive. Everything here is based on real-world site recoveries, not theoretical advice.


The Quick Answer (If You Need It Now)

Here is the short version for anyone in panic mode.

Take your site offline or put it in maintenance mode immediately. Run a malware scan using a tool like Wordfence, MalCare, or Sucuri. Remove all infected files and backdoors. Update every password, plugin, and theme. Request a Google review to lift any manual action or blacklist warning. Then audit your SEO signals to confirm no damage was done to your rankings during the infection period.

The rest of this guide covers each step in detail, including the parts most tutorials skip that end up costing people their rankings.


Signs Your WordPress Site Has Been Hacked

You do not always get an obvious warning. Hackers are increasingly stealthy because they want your site to keep running while they use it for spam, SEO manipulation, or credential theft. Here is what to watch for.

Visible symptoms include your site redirecting visitors to a pharmacy, gambling, or adult website (especially on mobile or when arriving from Google), new pages appearing in your sitemap that you did not create, strange links appearing in your footer or content, and your contact forms sending out spam.

Search-related symptoms are often the first sign: a sudden drop in organic traffic in Google Search Console, Google showing a “This site may be hacked” snippet in search results, your site flagged in the Security Issues report inside Search Console, or pages appearing in Google’s index that you have never published.

Server-level symptoms include your web host suspending your account for malicious activity, unusual spikes in server resource usage, unfamiliar admin accounts in your WordPress dashboard, and file modification timestamps that do not match your last deployment.

If you see any of these, treat it as confirmed until proven otherwise.


Why WordPress Sites Get Hacked (The Real Reasons)

Understanding how you got here prevents it from happening again, and helps you know exactly where to look during cleanup.

Outdated plugins and themes are responsible for the majority of WordPress compromises. Nulled (pirated) plugins and themes are a particularly high-risk vector because they often ship with backdoors pre-installed. Even a single abandoned plugin that has not been updated in 18 months can be the entry point an attacker needs.

Weak credentials remain a massive problem. If your admin username is “admin” and your password is under 12 characters, your site can be brute-forced. Many hacks exploit this in combination with XML-RPC, which allows remote login attempts at scale.

Shared hosting environments are another underappreciated risk. If another site on your shared server is compromised, malware can sometimes spread across accounts, especially if file permissions are misconfigured.

Compromised plugin supply chains have also become more common. The WordPress.org repository is well-monitored, but third-party plugin sources are not, and a legitimate-looking update can carry an infection.


Step-by-Step: How to Fix a Hacked WordPress Site Without Losing SEO

Step 1: Do Not Delete Everything. Back Up First.

The instinct when you discover a hack is to wipe everything immediately. Resist it.

Before you touch a single file, take a complete backup of your current state, including the infected version. You will need it to compare files, trace the infection path, and in some cases, recover legitimate content that a rushed cleanup might delete. Your hosting provider likely has cPanel or Plesk backups. Pull one now. Also download a local copy of your wp-content folder via SFTP.

This backup is not for restoring. It is for forensics.

Step 2: Put the Site in Maintenance Mode or Take It Offline

While your site is actively serving malware, Google’s crawlers are indexing that malicious content and your visitors are being exposed to it. Every hour it stays live costs you more SEO damage.

If you can still access your WordPress dashboard, install a maintenance mode plugin like WP Maintenance Mode or SeedProd and activate it. This returns a 503 status code to search engines, which signals “temporarily unavailable” rather than a ranking penalty, and pauses crawling of the infected content.

If you cannot access the dashboard, contact your host and ask them to temporarily block public access at the server level. Most managed WordPress hosts like WP Engine, Kinsta, or Flywheel can do this within minutes.

One important SEO note: a 503 during a brief cleanup period of 24 to 72 hours will not harm your rankings. Google is designed to handle temporary outages gracefully. What does harm rankings is leaving infected content live and crawlable.

Step 3: Scan for Malware Using the Right Tools

This is where you find out exactly what was injected, modified, or added without your knowledge.

Wordfence Security is one of the most thorough file-level scanners available for WordPress. Its free version scans your core files against WordPress.org checksums, detects modified plugin and theme files, and flags unknown PHP files in unexpected locations. The premium version adds real-time threat intelligence. Run a full scan and export the results before touching anything.

MalCare is worth considering if you need automated one-click cleanup. It uses cloud-based scanning that does not slow down your server and is particularly effective at detecting sophisticated obfuscated malware that simpler scanners miss.

Sucuri SiteCheck is a free external scanner at sitecheck.sucuri.net. Paste your URL and it checks for blacklisting across Google Safe Browsing, McAfee, Norton, and several other databases. It also reveals injected scripts and spam content visible from the outside. Run this first because it takes about 30 seconds and gives you an immediate picture of the external exposure.

WPScan is a command-line tool preferred by developers and security professionals. It enumerates vulnerabilities in your specific plugin versions and identifies known exploits that may have been used against your site. It is technical but powerful for tracing the exact attack vector.

Step 4: Remove Malware Without Destroying Your Site

Once you have your scan results, you are looking for three categories of infection.

The first is injected code in core files. Look closely at wp-config.php, index.php, .htaccess, and functions.php in your active theme. Malicious code is often base64-encoded and injected at the top or bottom of these files. Compare what you have against a clean WordPress download from wordpress.org. Any additions that are not in the clean version should be removed.

The second category is unknown or modified files. Rogue PHP files often appear in wp-content/uploads (a directory that should never contain executable PHP), in plugin folders, or as files with random-looking names like xzp8f.php. Delete these entirely.

The third category is database injections. Attackers frequently inject spam links or redirect scripts into your WordPress database, particularly into wp_options (where they often persist as auto-load entries), wp_posts, and wp_postmeta. Use a tool like Search-Replace-DB or WP-Sweep to search for known injection patterns such as eval(base64_decode, <script src="http://, or suspicious external URLs. Delete what does not belong.

One critical point: do not use a clean backup as your only fix. Restoring an old backup without understanding how the attacker got in means you will be hacked again within days. The vulnerability must be patched before any restore.
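The three categories above can be triaged offline before any cleanup. This is an added example, not code from the article: a portable shell script that lists PHP under wp-content/uploads, greps for the injection signatures named above, and compares core files against a clean download. It assumes $site is the forensic copy from Step 1 and $clean an unpacked clean WordPress download of the same version (placeholder paths); the fixture it runs against is constructed.

```shell
#!/bin/sh
# Added triage example (not code from the article): offline checks for the three infection
# categories above. $site is a copy of the suspect install (the forensic backup from Step 1),
# $clean an unpacked clean WordPress download of the same version; both paths are placeholders.

# Category 2: executable PHP under wp-content/uploads, a directory that should hold none.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) \
    2>/dev/null | sort
}

# Category 1 and 3 signatures in files: eval(base64_decode / eval(gzinflate and injected
# remote script tags. A database export (wp db export) can be grepped the same way.
find_injection_patterns() {
  grep -rlE --include='*.php' --include='*.js' --include='.htaccess' \
    'eval\(base64_decode|eval\(gzinflate|<script src="http://' "$1" 2>/dev/null | sort
}

# Category 1: core files that were added or changed compared with the clean download.
# wp-content and wp-config.php are site-specific and are reviewed separately.
diff_core_against_clean() {
  site="$1"; clean="$2"
  ( cd "$site" && find . -type f ! -path './wp-content/*' ! -name 'wp-config.php' ) | sort |
  while read -r f; do
    if [ ! -f "$clean/$f" ]; then echo "ADDED    $f"
    elif ! cmp -s "$site/$f" "$clean/$f"; then echo "MODIFIED $f"
    fi
  done
}

# Constructed fixture so the checks run offline: a tiny clean tree and a site tree with one
# modified core file, one dropped top-level file, one rogue upload and one injected theme file.
make_fixture() {
  root=$(mktemp -d); clean="$root/clean"; site="$root/site"
  mkdir -p "$clean" "$site/wp-content/uploads/2024/05" "$site/wp-content/themes/t"
  printf '<?php // clean core\n' > "$clean/index.php"
  printf '<?php // clean core\n' > "$clean/wp-load.php"
  cp "$clean/wp-load.php" "$site/wp-load.php"
  printf '<?php // clean core\neval(base64_decode("")); // constructed signature only\n' > "$site/index.php"
  printf '<?php // dropped file\n' > "$site/wp-cron-helper.php"
  printf '<?php echo 1;\n' > "$site/wp-content/uploads/2024/05/xzp8f.php"
  printf '<?php // theme\n?><script src="http://example.invalid/x.js"></script>\n' \
    > "$site/wp-content/themes/t/functions.php"
  echo "$root"
}

root=$(make_fixture)
echo "== PHP in uploads";     find_php_in_uploads "$root/site"
echo "== injection patterns"; find_injection_patterns "$root/site"
echo "== core vs clean";      diff_core_against_clean "$root/site" "$root/clean"
rm -rf "$root"
```

On a live install with WP-CLI, `wp core verify-checksums` and `wp plugin verify-checksums --all` do the same comparison against WordPress.org checksums without a local clean copy.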

Step 5: Close Every Backdoor

Malware rarely comes alone. Most sophisticated attacks leave multiple backdoors so that even if you find and remove the primary infection, the attacker can regain access.

Common backdoor locations include the wp-content/uploads folder (check for any PHP files, which should not exist there), themes you have installed but are not using (delete all inactive themes), and plugins that appear legitimate but have been silently modified. Any plugin with a last-updated date more than two years ago that is not from a major vendor should be scrutinized carefully or replaced with an alternative.

Also audit your user accounts. Go to Users > All Users in your dashboard and look for any admin accounts you did not create. Delete them. Then immediately change passwords for every admin, editor, and FTP/SSH user connected to the site.

Step 6: Harden and Update Everything

Once the site is clean, lock things down before bringing it back online.

Update WordPress core to the latest version. Update every plugin and theme with no exceptions. Delete plugins you are not actively using. Replace any nulled or pirated themes with legitimate purchased versions.

Change the database user's password (in your hosting control panel or directly in MySQL) and update DB_PASSWORD in wp-config.php to match. Change your hosting control panel password. Rotate your SFTP and SSH credentials.

Implement two-factor authentication for all admin accounts. WP 2FA and Google Authenticator are reliable plugins for this.

Disable XML-RPC if you are not using it for Jetpack or another service that specifically requires it. Add the following to your .htaccess file:

<Files xmlrpc.php>
# Apache 2.2 syntax (Apache 2.4 accepts it with mod_access_compat; otherwise use: Require all denied)
Order Deny,Allow
Deny from all
</Files>

Set correct file permissions throughout: directories should be set to 755, regular files to 644, and wp-config.php should be 440 or 400.

Step 7: Reinstall WordPress Core and Trusted Plugins

For a thorough recovery, reinstall WordPress core files entirely rather than just patching individual files. You can do this without losing any content because WordPress stores all your posts, pages, and settings in the database, not the core files.

Download a fresh copy of WordPress from wordpress.org. Via SFTP, delete and replace all files except the wp-content folder and wp-config.php. This ensures no modified core files remain anywhere on the server.

Do the same for any plugins where you cannot be fully confident of their integrity. Delete them through the dashboard and reinstall fresh copies directly from wordpress.org.

Step 8: Fix the SEO Damage (The Step Most Guides Skip)

Cleaning the malware is only half the battle. You also need to actively undo the SEO damage the hack caused during the time it was live.

Check for new pages in your sitemap. Hackers often create thousands of spam pages targeting pharmaceutical or gambling keywords. Log into Google Search Console and go to Pages > Indexed, not submitted in sitemap. Look for URLs you do not recognize. Use the URL Inspection tool on any suspicious ones to see what Google cached. Then use the URL Removal Tool to request de-indexing, and set up a 410 (Gone) response for any spam pages that were created on your domain.

Audit your internal links. Malicious code frequently injects hidden links styled with display: none or zero-font-size text to pass PageRank to the attacker’s sites. Scan your database for external links pointing to domains you do not recognize and remove them completely.

Review your backlinks. If your site was used for a spam campaign, pull your backlink profile from Google Search Console or a tool like Ahrefs and look for any recent spike in referring domains. Most of the time, as long as you have cleaned the site and requested reconsideration, Google distinguishes between a victim site and a willing participant in spam.

Resubmit your sitemap. After cleanup, go to Search Console, remove your existing sitemap and re-add it. This triggers a fresh crawl of your legitimate content and helps Google understand the site is clean again.
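Serving the 410 responses described above is easiest with Apache RedirectMatch rules, but a rule that is too broad will also kill legitimate pages. This added example (not code from the article) converts a list of spam URLs exported from Search Console into RedirectMatch 410 rules for .htaccess and checks them against a list of legitimate URLs before deployment; the example.com URLs and sample files are constructed.

```shell
#!/bin/sh
# Added example (not code from the article): turn a list of spam URLs exported from Search
# Console into Apache "RedirectMatch 410" rules for .htaccess, then check that no legitimate
# URL is caught by them. The spam/good sample files below are constructed, not real indicators.

# Reduce an absolute URL to its path (drop scheme, host, query string and fragment).
url_path() { printf '%s\n' "$1" | sed -E 's|^[a-z]+://[^/]+||; s|[?#].*$||'; }

# Escape ERE metacharacters so the path is matched literally.
re_escape() { printf '%s\n' "$1" | sed -E 's/[][*.+?^$(){}|]/\\&/g'; }

# Spam is usually dumped under one directory (the "800 spam pages" case): a first path
# segment holding at least $2 spam URLs gets one prefix rule; other URLs get exact rules.
urls_to_410_rules() {
  paths=$(while read -r u; do [ -n "$u" ] && url_path "$u"; done < "$1" | sort -u)
  prefixes=$(printf '%s\n' "$paths" | awk -F/ -v min="$2" \
    'NF>2 {c[$2]++} END {for (s in c) if (c[s]>=min) print s}' | sort)
  for p in $prefixes; do printf 'RedirectMatch 410 ^/%s/\n' "$(re_escape "$p")"; done
  printf '%s\n' "$paths" | while read -r path; do
    seg=$(printf '%s\n' "$path" | cut -d/ -f2)
    if ! printf '%s\n' "$prefixes" | grep -qx -- "$seg"; then
      printf 'RedirectMatch 410 ^%s/?$\n' "$(re_escape "$path")"
    fi
  done
}

# Safety check before deploying: a prefix rule that is too broad would 410 real pages.
# For these simple anchored patterns grep -E evaluates the same regex RedirectMatch would.
rules_hitting_good_urls() {
  while read -r u; do [ -n "$u" ] && url_path "$u"; done < "$2" | while read -r path; do
    sed -nE 's/^RedirectMatch 410 (.*)$/\1/p' "$1" | while read -r re; do
      if printf '%s\n' "$path" | grep -Eq -- "$re"; then printf '%s matches %s\n' "$path" "$re"; fi
    done
  done
}

# Constructed sample input: three spam URLs under /cheap-meds/, one standalone spam page,
# and legitimate URLs including one that sits under the spam directory.
make_sample_files() {
  d=$(mktemp -d)
  printf '%s\n' https://example.com/cheap-meds/page-1 'https://example.com/cheap-meds/page-2?ref=1' \
    https://example.com/cheap-meds/page-3 https://example.com/bonus-codes.html > "$d/spam.txt"
  printf '%s\n' https://example.com/blog/why-cheap-meds-are-risky https://example.com/bonus-codes-explained \
    https://example.com/cheap-meds/legit-page > "$d/good.txt"
  echo "$d"
}

d=$(make_sample_files)
urls_to_410_rules "$d/spam.txt" 3 > "$d/rules.conf"
cat "$d/rules.conf"                                   # rules to paste into .htaccess
rules_hitting_good_urls "$d/rules.conf" "$d/good.txt" # legitimate pages a rule would break
rm -rf "$d"
```

Any line printed by the check means a prefix rule must be narrowed (or the legitimate page moved) before the rules go live.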

Step 9: Request Google’s Review

If Google has flagged your site under Security Issues in Search Console, you will see a warning that suppresses your rankings. This does not go away automatically. You have to request a review.

Go to Search Console > Security and Manual Actions > Security Issues. If there is an active issue listed, click “Request a Review.” Write a clear explanation of what happened: when you discovered the hack, what malware was found, how you removed it, and what security measures you have put in place to prevent recurrence. Be specific. Google’s review team responds significantly faster to detailed requests than vague ones.

Review times typically range from a few days to two weeks. Once approved, the ranking suppression caused by the security warning should lift, and your previous rankings often recover within two to four weeks as Google re-crawls your content.

If your site was flagged in Google Safe Browsing and showing the red “Deceptive site ahead” warning in Chrome, submit a separate reconsideration request at transparencyreport.google.com/safe-browsing/search.


Tools Summary for WordPress Malware Removal

Wordfence Security handles file scanning, firewall protection, and brute-force blocking all in one plugin. This is the right starting point for most sites.

MalCare is the best option for one-click automated cleanup and is particularly effective against obfuscated infections that evade signature-based scanners.

Sucuri SiteCheck gives you an instant external view of your blacklist status and any visible malware. It is free and requires no installation whatsoever.

WPScan is the professional-grade command-line tool for vulnerability enumeration, ideal for developers doing a thorough forensic investigation.

Search-Replace-DB by Interconnect/IT is invaluable for searching and safely cleaning database-level injections without risking data loss.

Solid Security (formerly iThemes Security) is a reliable hardening plugin for post-cleanup protection, with file change detection and login security built in.


Common Mistakes That Cost You Your Rankings

Restoring a backup without patching the original vulnerability is the most expensive mistake you can make. You will be reinfected within days, and each recurrence makes Google recovery harder.

Using a general-purpose virus scanner such as your desktop antivirus instead of a WordPress-specific tool is another frequent error. Generic scanners do not understand WordPress file structure and regularly miss PHP-based backdoors entirely.

Skipping the Google Search Console review step is surprisingly common. Many site owners clean the malware and assume Google will notice on its own. Google will not automatically lift a security warning. You have to submit the request.

Failing to audit for spam pages is perhaps the most SEO-damaging oversight of all. If hackers created 500 pages of pharmaceutical spam on your domain and those pages indexed before you caught them, they build a negative association between your domain and spam signals that takes real time to reverse.

Staying on shared hosting after a cross-account infection without moving to an isolated environment means you remain vulnerable to reinfection from neighboring sites even after a thorough cleanup.


Prevention: How to Stop This From Happening Again

Use a managed WordPress host with server-level malware scanning. WP Engine, Kinsta, Pressable, and Flywheel all include this as part of their hosting. The additional monthly cost is small compared to even one emergency cleanup.

Keep an automated plugin update schedule. Jetpack or your host’s built-in auto-update feature can handle minor plugin updates. Review and apply major updates manually, but do so promptly. Most vulnerabilities are patched within 48 hours of public disclosure, but sites running old versions stay exposed for months.

Install a Web Application Firewall. Wordfence’s free firewall is adequate for most small sites. Cloudflare’s WAF (available on paid plans) or Sucuri’s cloud-based WAF are better options for high-traffic sites or ecommerce stores processing real transactions.

Use activity logging. WP Activity Log records every login attempt, file change, and admin action with timestamps and IP addresses. When something goes wrong, this log tells you exactly when it happened and what changed, turning a two-day investigation into a 30-minute one.

Schedule weekly automated backups to an off-site location, not just your hosting account. UpdraftPlus with Google Drive, Dropbox, or Amazon S3 as the remote destination is a reliable free option that takes about 10 minutes to configure.


A Real-World Scenario

A client running a five-year-old WooCommerce store came in with a 60% traffic drop spread over three weeks. The site looked completely normal on the surface and Sucuri SiteCheck showed nothing from the outside. But Wordfence’s scan flagged 14 modified plugin files and three rogue PHP files sitting inside wp-content/uploads.

Digging into the database revealed over 800 auto-inserted spam pages that Google had indexed, all targeting generic pharmaceutical keywords. The infection had been live for six weeks before the traffic drop became visible in analytics.

After cleaning the malware, submitting 410 responses for the spam pages, requesting a Search Console review with a detailed remediation summary, and reinstalling every plugin from scratch, the manual action was lifted within three weeks. Within six weeks, traffic had recovered to within 10% of pre-hack levels. The critical factor was catching the spam pages early enough that Google had not built a lasting spam association with the domain.


Final Takeaway

A hacked WordPress site does not have to mean permanent SEO damage. The sites that recover quickly share three things: they act fast, they clean thoroughly rather than superficially, and they communicate proactively with Google through Search Console rather than waiting for things to resolve on their own.

The biggest risk to your rankings is not the hack itself. It is a slow or incomplete response to it.


Need Help With a Hacked WordPress Site?

If you are in the middle of a hack right now and need someone who has done this hundreds of times, emergency WordPress malware removal and SEO recovery services are available at 1SiteRank. The process covers the full cleanup, closing every backdoor, restoring your Google trust signals, and delivering a documented hardening plan so it does not happen again.

Whether your site was just flagged or you are dealing with an ongoing infection, the sooner someone looks at it, the better the outcome for your rankings.

Author

1siterank