Threat Intel
43% of all websites run WordPress, making it the #1 attack surface worldwide
1 in 25 WordPress sites is actively infected with malware right now
97% of CMS-based attacks specifically target WordPress plugins & themes
50,000+ vulnerabilities indexed in the WPScan threat database
71% of hacked WordPress sites had a backdoor silently installed
4,000+ plugins carry known, unpatched security vulnerabilities
Average breach goes undetected for 197 days: is your site clean?
Outdated plugins are responsible for 52% of all WordPress infections
SQL injection & XSS remain the top two WordPress attack vectors
60% of infections exploit a vulnerability that already had a patch available
wp-scan.org

WordPress Site Hacked?
Find Out in 30 Seconds

Run a free external scan to detect malware, backdoors, spam injection, and hidden redirects — no plugin, no login, no credit card.

22 security checks  ·  No signup required  ·  External scan only (no plugin)

No install needed
Results in seconds
Privacy-first
Completely free

8 Signs Your WordPress Site Is Hacked

Hackers often hide their tracks. Your site may be infected without any obvious visible signs. Here are the most common indicators:

1. Google "This site may be hacked" warning
Google Safe Browsing detected malicious content or injected spam links on your pages.
2. Visitors redirected to spam sites
A hidden redirect script sends users, often only mobile or first-time visitors, to pharmacy, casino, or adult sites.
3. Hosting provider suspended your account
Hosts scan for malware automatically and suspend sites running malicious PHP or sending spam email at scale.
4. Unknown admin users in WordPress
Attackers create hidden admin accounts to maintain access after you change your own password.
5. Security scanners or browsers block your site
Sucuri SiteCheck, VirusTotal, Norton Safe Web, or your browser's built-in protection warns users before they visit you.
6. Google Search Console shows "Security issues"
GSC's Security Issues report flags deceptive pages, harmful downloads, or malware detected by Googlebot.
7. Spam pages appear in Google's index
Searching "site:yourdomain.com" shows pages about casino, pills, or adult content: SEO spam injection.
8. Site is unusually slow or sends spam email
Malicious scripts running for crypto mining, spam sending, or DDoS attacks cause abnormal server load and land your mail server on blacklists.
Not sure if you're hacked?
Our scanner runs 22 external security checks covering the indicators above, for free.
Run Free Scan →

Why WordPress Sites Get Hacked

WordPress powers 43% of the web, making it the biggest target for automated attacks. The most common entry points:

Outdated plugins and themes
Over 56% of WordPress hacks exploit known vulnerabilities in plugins or themes for which a patch was already available. Keeping them updated is the single most effective prevention.
Weak or reused passwords
Brute force attacks target wp-login.php and XML-RPC. XML-RPC's system.multicall method lets an attacker test hundreds of passwords in a single HTTP request, which is why it is a favourite for credential stuffing. A password leaked from another site's breach is often all an attacker needs.
Nulled themes and plugins
Pirated WordPress software very often ships with a backdoor already inside. The "free" premium plugin is the infection vector: the people distributing it added the backdoor deliberately.
Insecure shared hosting
On poorly configured shared servers, where several sites run under the same system user, one compromised site can write into every other site's files. Cross-contamination is extremely common.
File upload vulnerabilities
Poorly coded plugins let attackers upload PHP webshells disguised as image files. Once uploaded, the shell runs with the web server's privileges: every file the site can read or write is exposed, and the attacker has a foothold from which to escalate or pivot. No legitimate upload is ever a PHP file, so PHP under wp-content/uploads is a strong indicator.

How to Fix a Hacked WordPress Site

Follow these steps in order. Skipping steps — especially step 1 and step 3 — is the most common reason sites get re-infected within days.

1. Scan your site to identify the infection
   Before you do anything else, run a free scan on wp-scan.org/malware-check. The report identifies which checks failed (backdoors, spam injection, dangerous files, security header gaps) so you know what you are dealing with before you start cleaning. An external scan only sees what the site serves to the outside, so a backdoor that is never linked from any page may not appear; still do the file-level checks in step 4.
2. Take the site offline or enable maintenance mode
   Put your site in maintenance mode immediately to stop serving malicious content to visitors and to limit further Google blacklisting. Most hosts have a one-click option; otherwise use a maintenance plugin. Maintenance mode only changes what visitors see: a PHP backdoor with its own URL still executes, so where you can, also restrict access at the web server or hosting level (for example an IP allowlist for your own address) while you clean.
3. Change every password immediately
   Change your WordPress admin password, FTP/SFTP credentials, database password (and update wp-config.php to match), hosting control panel password, and email account password. Use a unique, randomly generated password for each. Also replace the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY values and their matching salts in wp-config.php: WordPress signs login cookies with them, so new values invalidate every existing session, including any the attacker still holds. If an attacker keeps even one of these credentials, they can reinstall their backdoor after you clean everything else.
4. Remove the infected files
   Using the wp-scan.org findings as a guide, delete the specific files identified in the report. For PHP backdoors and webshells, delete the file entirely; do not just comment out the code. For injected content in core WordPress files (wp-settings.php, wp-login.php, etc.), reinstall WordPress core from Dashboard → Updates, or upload a fresh release over SFTP and replace everything except wp-content and wp-config.php. If you have shell access, the WP-CLI commands wp core verify-checksums and wp plugin verify-checksums --all compare installed files against the official releases and list anything added or modified. Also look for PHP files under wp-content/uploads, and for injected scripts or links in the database (wp_posts, and in wp_options the siteurl and home values and widget content).
5. Update everything: core, plugins, themes
   Update WordPress core to the latest version. Update every plugin and theme. Delete any plugins or themes you don't actively use: a deactivated plugin's PHP files are still reachable by URL, so it is still a vulnerability. Delete any nulled or pirated software permanently.
6. Remove unknown admin accounts
   Go to WordPress Admin → Users and delete any account you don't recognize. Look especially at recently created accounts and anyone with the Administrator role. Then check the database directly in phpMyAdmin: SELECT * FROM wp_users ORDER BY user_registered DESC (substitute your own table prefix if it is not wp_). Roles live separately in wp_usermeta under the wp_capabilities key, and a malicious plugin can hide an account from the Users screen, so compare what the database shows against what the dashboard shows.
7. Harden your site against re-infection
   Add a Web Application Firewall (Cloudflare free tier or Wordfence). Disable XML-RPC if nothing you use needs it (Jetpack and the WordPress mobile apps do) with add_filter('xmlrpc_enabled','__return_false') in a small plugin or your theme's functions.php; that filter turns off the authenticated XML-RPC methods only, so to block the endpoint outright deny requests to xmlrpc.php at the web server. Enable two-factor authentication on all admin accounts and limit login attempts. Set correct file permissions: 644 for files, 755 for directories, 600 for wp-config.php.
8. Request Google review to remove blacklisting
   Once your site is clean, go to Google Search Console → Security Issues and click "Request a Review". Google typically reviews within 1–3 days. Run a final scan on wp-scan.org before submitting to confirm all issues are resolved.
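The following shell script is an added example and is not wp-scan.org's scanner or code. It automates the file-level parts of step 4 (PHP in the uploads folder, PHP files that pair a code-execution function with obfuscation or raw request input) and the permission reset and check of step 7, which is also the check the "File upload vulnerabilities" entry point above calls for. It assumes a POSIX shell with find and grep, that you run it as the owner of the files rather than the web server user, and that the WordPress root is passed to each function; the backdoor patterns and the constructed miniature site tree it uses as a fixture are the author's illustrative choices, not scanner signatures or real infection data.

```shell
#!/bin/sh
# Added example, not wp-scan.org's scanner: file-level checks for step 4 and
# the permission reset for step 7. Assumes POSIX sh with find/grep and is
# meant to run as the file owner, never as the web server user.

# Step 4: PHP files under wp-content/uploads. Legitimate media uploads are
# never PHP, so anything listed here is a dropped webshell until proven otherwise.
find_php_in_uploads() {
  wp="$1"
  find "$wp/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \) 2>/dev/null
}

# Step 4: PHP files whose source combines a code-execution function with an
# obfuscation primitive or raw request input on one line. These shapes (the
# author's selection, not a complete signature set) cover most generic PHP
# backdoors; each hit is a lead to read, not proof of compromise.
find_suspicious_php() {
  wp="$1"
  find "$wp" -type f -iname '*.php' -exec grep -lE \
    '(eval|assert|create_function|system|passthru|shell_exec|exec)[[:space:]]*\([^)]*(base64_decode|gzinflate|gzuncompress|str_rot13|\$_(GET|POST|REQUEST|COOKIE))' \
    {} + 2>/dev/null
}

# Step 7: 755 for directories, 644 for files, 600 for wp-config.php.
harden_permissions() {
  wp="$1"
  find "$wp" -type d -exec chmod 755 {} +
  find "$wp" -type f -exec chmod 644 {} +
  chmod 600 "$wp/wp-config.php"
}

# Lists every path that deviates from that policy; empty output means clean.
check_permissions() {
  wp="$1"
  find "$wp" -type d ! -perm 755
  find "$wp" -type f ! -path "$wp/wp-config.php" ! -perm 644
  find "$wp/wp-config.php" ! -perm 600
}

# Constructed fixture (no real infection data): a miniature site tree with a
# clean plugin file, two files carrying inert backdoor-shaped strings (the
# base64/rot13 payloads are the literal "...", so nothing useful would execute),
# and sloppy permissions. Prints the directory it created.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2024/05" \
           "$root/wp-content/plugins/hello" \
           "$root/wp-content/themes/x"
  printf '<?php // constructed wp-config, deliberately world-writable\n' > "$root/wp-config.php"
  printf '<?php\necho esc_html(get_option("blogname")); // clean\n' \
    > "$root/wp-content/plugins/hello/hello.php"
  printf '<?php @eval(base64_decode("...")); // inert loader shape\n' \
    > "$root/wp-content/uploads/2024/05/image.php"
  printf '<?php eval(str_rot13("...")); // inert loader shape in a theme file\n' \
    > "$root/wp-content/themes/x/footer.php"
  chmod 777 "$root/wp-content/uploads" "$root/wp-content/uploads/2024/05/image.php"
  chmod 666 "$root/wp-config.php"
  echo "$root"
}

# Walk the fixture; on a real server call the functions with your site root.
demo() {
  site=$(make_fixture)
  echo "== PHP files in uploads (a healthy site lists none) =="
  find_php_in_uploads "$site"
  echo "== PHP files matching backdoor patterns =="
  find_suspicious_php "$site"
  echo "== permission deviations before hardening =="
  check_permissions "$site"
  harden_permissions "$site"
  echo "== permission deviations after hardening (expect none) =="
  check_permissions "$site"
  rm -rf "$site"
}
demo
```

Read every file the pattern search lists before deleting it: the regex is deliberately broad, and some legitimate code (caching and backup plugins in particular) uses gzinflate or base64_decode. Treat a hit under wp-content/uploads, or in a theme file that has no business executing commands, as a backdoor; treat a hit inside a well-known plugin as something to verify against the official copy with wp plugin verify-checksums.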

Scan Your WordPress Site Now

Free. No plugin. No account. 30 seconds to a complete security report.

22 security checks  ·  Backdoors, spam injection, malicious JS, headers, and more

Frequently Asked Questions

My WordPress site was hacked — where do I start?
Start with a free scan on wp-scan.org to identify exactly what was compromised. The report tells you which files contain backdoors, what type of malware is present, and what security weaknesses were exploited. From there, follow the 8-step fix guide above. Do not skip step 3 (change all passwords) — it's the most commonly skipped and the main reason sites get re-infected.
How did my WordPress site get hacked?
The most common causes: (1) an outdated plugin or theme with a known vulnerability that was exploited by automated scanners, (2) a weak or reused admin password brute-forced via wp-login.php or XML-RPC, (3) a nulled/pirated plugin with a pre-installed backdoor, (4) cross-contamination from another hacked site on the same shared hosting account. The wp-scan.org report often indicates which entry point was used based on the type and location of malicious files found.
Can I recover a hacked WordPress site myself?
Yes, in most cases. The wp-scan.org free scan identifies the specific infected files and security gaps, giving you a targeted remediation list rather than requiring you to audit every file manually. For straightforward infections (a single backdoor file, injected spam links), recovery is typically 1–2 hours following the fix guide. For severe infections with database-level spam injection or multiple backdoors, professional cleanup services may be more efficient.
How do I stop my WordPress site from being hacked again?
The most effective hardening steps: keep WordPress, plugins, and themes updated automatically; use unique strong passwords with 2FA on all admin accounts; disable XML-RPC if not needed; add a Web Application Firewall (Cloudflare or Wordfence); limit login attempts; set correct file permissions (644 for files, 755 for directories, 600 for wp-config.php); delete deactivated plugins and themes; use a managed WordPress host with server-level malware scanning; take regular off-site backups.
Will Google remove the "This site may be hacked" warning after I fix it?
Yes. Once your site is clean, go to Google Search Console → Security Issues and click "Request a Review". Describe the steps you took to clean the site. Google typically completes the review within 1–3 business days and removes the warning if no malicious content is found. Run a final scan on wp-scan.org before submitting the review request to confirm all issues are resolved.
Should I restore from a backup or clean the infection?
If you have a clean backup from before the infection, restoring it is often faster than manual cleaning — but you must also close the vulnerability that allowed the hack in the first place, or the attacker will simply re-infect the restored site. If your only backups are recent and may themselves be infected, manual cleaning (using the scan report as a guide) is necessary. Always scan the site after restoring a backup to confirm it is truly clean.