Hacked & Security
My WordPress Site Was Hacked
wordpress site hacked
What's happening
Your site is doing something it shouldn't: redirecting visitors to spam, showing pharmaceutical or gambling ads, sending emails you didn't write, or triggering a "this site may be hacked" warning in Google. Search traffic may have dropped overnight. Someone — or, more likely, an automated bot — got in and is using your site for their own ends.
Why it happens
Almost every hacked WordPress site was running something out of date with a known security hole — an old plugin, theme, or core version — that a routine update would have closed. Weak passwords and missing security layers make it easier. It's rarely personal; bots probe millions of sites looking for the unlocked door.
What you can safely try
- Change your passwords (WordPress, hosting, and email) from a device you trust.
- Take the site offline or put up a maintenance page if it's actively harming visitors.
- Don't assume one cleanup is enough — if the hole isn't closed, it comes right back.
When to call us
A hack is the moment to bring in someone who does this daily. We remove every trace of the infection, find and close the vulnerability that let it in, harden the site against reinfection, and handle the requests to clear any Google or browser warnings — so you come out clean and stay that way.
Common questions
- Should I just delete everything and start over?
- Usually not — that throws away your content and your search ranking, and it doesn't address how they got in. A proper cleanup removes the infection, keeps your site intact, and closes the door so it can't happen again.
- Google is showing a 'this site may be hacked' warning — can that be removed?
- Yes. Once the site is genuinely clean and the vulnerability is patched, a reconsideration request gets the warning lifted. The key word is *genuinely* — submitting before it's fully cleaned just resets the clock.
Related terms
Want this fixed for you?
Hacked Site Recovery