Something seems off with your website. Strange redirects. Content you didn't create. Google is warning visitors. You're worried you've been hacked.

First: take a deep breath. The word "hacked" triggers a lot of fear, but the situation is probably more manageable than you think.

"Hacked" vs. "Has Malware"

Let's clarify something important. When people say "I've been hacked," they often imagine:

  • Someone breaking into their accounts
  • Personal information being stolen
  • Credit card data exposed
  • Their business making the news for a data breach

That's the Hollywood version of hacking. The reality is usually much more mundane.

Most WordPress "hacks" are automated malware infections. A bot found a vulnerability—often in an outdated plugin—and injected some code. That code typically:

  • Redirects visitors to spam sites
  • Injects hidden links for SEO spam
  • Uses your server to send spam emails
  • Displays unwanted ads

Is this bad? Yes. Is it "hackers stole all your data"? Rarely.

Consider: if your site is a brochure website with no payment processing, no user accounts, no customer database—what would they steal? There's nothing there. The malware isn't after your data; it's using your website as a platform for spam.

Signs Your Site May Be Infected

  • Strange redirects: Visitors get sent to unfamiliar websites
  • Unknown content: Pages or posts you didn't create
  • Google warnings: "This site may be hacked" warnings in search results
  • Browser warnings: Security alerts when visiting your site
  • Slow performance: Malware can consume server resources
  • Spam emails: Your server is sending emails you didn't authorize
  • Unknown admin users: New administrator accounts you didn't create
  • Modified files: Theme or plugin files with unexpected changes

How to Check for Malware

Online Scanning Tools

Several free tools can scan your site for known malware:

  • Sucuri SiteCheck: Quick external scan
  • Google Safe Browsing: Check if Google has flagged your site
  • VirusTotal: Checks your URL against multiple security databases

These are good starting points, but won't catch everything—they can only scan what's publicly visible.

Check for Unknown Users

Log in to WordPress admin and check Users → All Users. Look for administrator accounts you don't recognize. If you find any, this is a strong indicator of compromise.

Review Recently Modified Files

If you have FTP access, check when the core WordPress files were last modified. If files like wp-config.php or core WordPress files show recent modification dates and you haven't updated anything, that's suspicious.
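
The modification-date check above, as an added shell example (not from the original article). It assumes shell access to the server rather than FTP; the function names and the pruned wp-content/cache path are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. mtime can be back-dated by whoever wrote the file
# (touch -t); ctime is set by the kernel on every content or metadata
# change and cannot be set with touch, so both are worth checking.

# recent_php WP_ROOT DAYS [mtime|ctime]
# PHP files changed within the last DAYS days, by the chosen timestamp.
recent_php() {
    kind=${3:-mtime}
    case $kind in
        mtime|ctime) ;;
        *) echo "third argument must be mtime or ctime" >&2; return 2 ;;
    esac
    # Cache directories churn constantly; prune to cut noise (assumed path).
    find "$1" -path "$1/wp-content/cache" -prune -o \
        -type f -name '*.php' "-$kind" "-$2" -print | sort
}

# backdated_php WP_ROOT DAYS
# PHP files whose ctime is recent while their mtime claims to be older.
backdated_php() {
    find "$1" -path "$1/wp-content/cache" -prune -o \
        -type f -name '*.php' -ctime "-$2" ! -mtime "-$2" -print | sort
}

# Usage (the path is a placeholder):
#   recent_php /var/www/example 7
#   backdated_php /var/www/example 7
```

A recent ctime with an old mtime is a lead, not a verdict: restoring from a backup or unpacking an archive can produce the same pattern. For core files, WP-CLI's `wp core verify-checksums` compares them against the official checksums.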

Check Google Search Console

If you have Search Console access, Google will notify you of security issues it detects.

What to Do If You Find Malware

Option 1: Professional Cleanup

For most site owners, professional cleanup is the right choice. Malware removal isn't just deleting obvious bad files—it's finding backdoors, cleaning database injections, and ensuring the infection is eliminated.

Sucuri offers malware removal services. For a few hundred dollars, they'll:

  • Clean the infection completely
  • Help remove Google blacklisting
  • Provide ongoing monitoring

If you're not hosted with a security-focused provider, this is our recommended approach. Their year-long plans are worth it for the ongoing protection they provide.

Option 2: DIY Cleanup (Advanced Users Only)

If you're technically comfortable:

  1. Make a backup first—even of the infected site
  2. Scan with multiple tools—Wordfence, Sucuri scanner, etc.
  3. Replace core files—download fresh WordPress from wordpress.org
  4. Remove unknown plugins and themes—especially ones you don't recognize
  5. Check the database—malware sometimes injects into the database
  6. Reset all passwords—WordPress admin, hosting, FTP, database
  7. Update everything—WordPress core, all plugins, all themes
  8. Check for backdoors—common locations include wp-content/uploads and random PHP files

Be warned: incomplete cleanup often leads to reinfection. Malware hides in places you wouldn't think to look.
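
For step 8, an added shell example (not from the original article) that audits wp-content/uploads, a media directory where PHP code is not expected. The function name, the extension list and the two-word output format are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example. Lists files under wp-content/uploads that either carry a
# PHP-handled extension or contain a PHP opening tag under another name.

# php_in_uploads WP_ROOT
# Output: "ext <path>" for a PHP extension, "tag <path>" for a PHP
# opening tag found inside a file with any other extension.
php_in_uploads() {
    up="$1/wp-content/uploads"
    [ -d "$up" ] || { echo "no uploads directory under $1" >&2; return 2; }
    # File names containing newlines are not handled by this loop.
    find "$up" -type f -print | while IFS= read -r f; do
        # Compare case-insensitively so X.PHP is caught too.
        lower=$(printf '%s' "$f" | tr '[:upper:]' '[:lower:]')
        case $lower in
            *.php|*.php[0-9]|*.phtml|*.phar)
                echo "ext $f" ;;
            *)
                # -a: treat binary files (images) as text; -F: literal match.
                if grep -q -a -F '<?php' "$f"; then
                    echo "tag $f"
                fi ;;
        esac
    done | sort
}

# Usage (the path is a placeholder):
#   php_in_uploads /var/www/example
```

Some plugins keep a small index.php stub in their uploads subfolder, so review each hit instead of deleting in bulk.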

What About Security Plugins?

Here's our honest take: we're not fans of security and firewall plugins.

They give a false sense of security. A plugin can only react after malicious traffic has already reached your server. By the time the plugin sees it, the attack is already in progress.

Real security requires:

  • Edge-level protection: A WAF (Web Application Firewall) like Cloudflare that blocks attacks before they reach your server
  • Server-level scanning: Real-time malware detection at the hosting level, not the application level
  • Up-to-date software: Current WordPress, plugins, and themes close the vulnerabilities that malware exploits

A plugin is one layer, but it shouldn't be your only layer—and it's not the most important one.

If You're Hosted With Us

On FatLab hosting, malware is rarely an issue. Our infrastructure includes:

  • Cloudflare Enterprise WAF: Edge-level attack blocking
  • Imunify360: Real-time server-level malware detection and automatic cleanup
  • Regular updates: Maintained servers with current security patches

If something does get through, open a support ticket. We'll investigate, run comprehensive scans, and clean up anything found—covered under your hosting.

Getting Off Google's Blacklist

If Google has flagged your site, you'll need to:

  1. Clean the infection completely
  2. Verify the cleanup with scanning tools
  3. Submit a review request through Google Search Console

This process takes time—usually a few days to a couple of weeks. Services like Sucuri can help navigate this process.

Prevention

  • Keep everything updated: Core WordPress, plugins, themes
  • Use quality hosting: Security should be built into your infrastructure
  • Don't install random plugins: Every plugin is a potential vulnerability
  • Use strong passwords: Especially for admin accounts
  • Remove unused themes and plugins: They can still be exploited even when deactivated
  • Have monitoring in place: Know about infections quickly, rather than weeks later

Concerned about malware? Contact our support team—we can scan your site and help you understand what you're dealing with.

This article is part of our WordPress Troubleshooting guide—a complete resource for diagnosing and fixing common WordPress errors.