Waking up to a hacked website is a nightmare for any business owner.
One minute, your business is running smoothly. The next minute, your traffic drops to zero. Maybe your customers are emailing you, complaining that your site redirects them to a strange spam page selling pills. Or even worse, maybe Google has blocked your site entirely with a big red warning screen that says “Deceptive Site Ahead.”
If this is happening to you right now, do not panic.
Thousands of WordPress websites get hacked every single day. It is a scary situation, but it is completely fixable. You do not need to be a computer genius to clean it up, but you do need to follow the right steps in the right order.
This guide is your complete manual. We will show you exactly how to find the virus, how to remove it completely, and—most importantly—how to get your Google rankings back after the hack is gone.
How Do I Know If I Am Hacked?
Sometimes a hack is obvious. Other times, it is silent. Hackers in 2026 are smart. They often try to hide their tracks so they can use your server for months without you knowing.
Here are the most common signs that your WordPress site is infected:
1. The Red Screen of Death
The most obvious sign comes from Google. If you try to visit your website and Chrome, Firefox, or Safari blocks you with a bright red warning screen, you are definitely infected. Google scans websites constantly. If they find a virus, they blacklist you immediately to protect their users.
2. Strange Redirects
This is very common. You type in your website address, but you end up on a site selling illegal medicine, gambling services, or adult content.
Tricky Tactic: Hackers are smart. Sometimes, they set the virus so it only redirects mobile users. If you check your site on your laptop, it looks fine. But your customers on phones see spam. Always check your site on your phone if you suspect a problem.
3. You Cannot Log In
If your username and password stop working, a hacker may have deleted your account. They often remove the real “Administrator” and create their own account to take control.
4. Your Site is Slow
Malware uses your server’s power to send spam emails or attack other sites. This eats up your resources. If your fast website suddenly becomes very slow, it might be busy doing work for a hacker.
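To check for the mobile-only redirects described in sign 2 without a phone at hand, this added example (not part of the original guide) requests the same URL with a desktop and a mobile User-Agent and reports whether the server answers differently. The User-Agent strings and the function names `first_hop` and `compare_user_agents` are assumptions chosen for illustration.

```python
import urllib.error
import urllib.request

# Constructed User-Agent strings; any current desktop/mobile browser strings work.
USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "mobile": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
              "Mobile/15E148 Safari/604.1",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first answer can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def first_hop(url, user_agent, timeout=10):
    """Return (status, Location header or None) for a single request."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # An unfollowed 3xx (and any 4xx/5xx) is raised as HTTPError.
        return err.code, err.headers.get("Location")


def compare_user_agents(url):
    """Request url once per User-Agent and flag differing answers."""
    results = {name: first_hop(url, ua) for name, ua in USER_AGENTS.items()}
    return {"results": results, "differs": len(set(results.values())) > 1}


if __name__ == "__main__":
    # Placeholder domain: replace with your own site.
    print(compare_user_agents("https://yourdomain.com/"))
```

This only sees redirects sent as HTTP responses. A redirect injected as JavaScript into the page body will not show up here, so a clean result does not replace checking on a real phone.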
Preparation (Don’t Skip This)
Before we start cleaning, we need to prepare. If you skip these steps, you might lock yourself out or lose your data forever.
Step 1: Put Your Site in “Maintenance Mode”
You do not want visitors (or Google bots) seeing your broken site while you fix it.
Install a simple plugin like “Maintenance” or “Coming Soon.”
Activate it.
Now, visitors will just see a friendly “We will be back soon” message, while you work on the site in the background.
Step 2: Change All Passwords
The hacker got in somehow. You must change the locks immediately. Do not just change your WordPress password. You must change all of these:
WordPress Admin: Change it to something strong and random.
Hosting Account (cPanel): This is the master key to your server.
FTP (File Transfer Protocol): This allows access to your files.
Database: This is often overlooked, but critical.
Step 3: Back Up the Infection
This sounds strange. Why would you want to save a virus?
Sometimes, when you are deleting files to clean the site, you might delete something important by mistake. If you delete a critical theme file, your design breaks. If you have a backup of the broken site, you can at least restore the file and try again.
Action: Download a full copy of your site files and your database to your computer before you touch anything.
How to Remove the Malware
There are two ways to clean a site: using a plugin or doing it manually. We will cover both.
Method A: Using a Security Plugin (The Easy Way)
For simple hacks, a security plugin can do the work for you. This is the best place to start.
Install a Scanner: Use a trusted plugin like Wordfence, MalCare, or Sucuri.
Run a Full Scan: This might take a few minutes. The plugin compares your files against a list of known viruses.
Clean: If it finds malicious files, click “Delete” or “Repair.”
The Problem: In 2026, many viruses are smart enough to hide from plugins. They can disable the plugin or hide inside your database. If the plugin says your site is clean, but you still have problems (like redirects), you must use Method B.
Method B: The Manual “Core Replacement” (The Expert Way)
This is the “nuclear option.” We are going to delete your system files and replace them with fresh, clean ones from the official source. This guarantees the virus is gone because we are removing the places it likes to hide.
Warning: Be careful. Follow these steps exactly.
1. Get Fresh Files
Go to the official website and download the latest version of WordPress. Unzip this file on your computer. You now have a folder with clean, safe files.
2. Connect to Your Server
Use an FTP program (like FileZilla) to connect to your website. If you don’t know your FTP login, ask your hosting company. Once connected, you will see three main folders:
wp-admin (System files)
wp-includes (System files)
wp-content (Your themes, plugins, and images)
3. Delete the Infected Folders
Select the wp-admin and wp-includes folders on your server. Delete them.
Crucial Note: Do NOT delete the wp-content folder. This folder holds your photos and your design. If you delete it, your site is gone.
Crucial Note: Do NOT delete wp-config.php. This single file connects your site to the database.
4. Upload the Clean Folders
Take the wp-admin and wp-includes folders from the clean WordPress file you downloaded in Step 1. Drag and drop them onto your server. You have now replaced the infected engine of your site with a brand new one.
5. Check the Uploads Folder
Hackers love to hide “backdoors” in your images folder.
Open the folder wp-content/uploads.
Look through the folders. You should only see image files (like .jpg, .png, .webp, .pdf).
Action: If you see any file ending in .php (like image.php or data.php), delete it immediately. PHP files are code, and code should never be in your image folder.
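The two checks in Method B can also be run on a downloaded copy of the site instead of by eye. The script below is an added example, not part of the original guide: it compares wp-admin and wp-includes against a fresh download by hash and lists files under wp-content/uploads that are, or contain, PHP. It assumes the fresh download is the same WordPress version as the copy being checked; the function names and the extension list are illustrative choices.

```python
import hashlib
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")
# Assumption: extensions a PHP-enabled host may execute; adjust to your server.
EXEC_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_core(site_root, clean_root):
    """Compare core folders with a fresh download of the same version.

    Returns (modified, unexpected): files whose content differs from the
    clean copy, and files that do not exist in the clean copy at all.
    """
    site_root, clean_root = Path(site_root), Path(clean_root)
    modified, unexpected = [], []
    for core in CORE_DIRS:
        base = site_root / core
        for f in sorted(p for p in base.rglob("*") if p.is_file()):
            rel = f.relative_to(site_root)
            clean = clean_root / rel
            if not clean.is_file():
                unexpected.append(rel.as_posix())
            elif _sha256(f) != _sha256(clean):
                modified.append(rel.as_posix())
    return modified, unexpected


def audit_uploads(site_root):
    """List files under wp-content/uploads that are, or contain, PHP code."""
    site_root = Path(site_root)
    uploads = site_root / "wp-content" / "uploads"
    hits = []
    for f in sorted(p for p in uploads.rglob("*") if p.is_file()):
        # f.suffixes also catches double extensions such as logo.php.png
        by_name = {s.lower() for s in f.suffixes} & EXEC_EXTS
        # A PHP open tag inside an "image" is code hiding behind a safe name.
        by_content = b"<?php" in f.read_bytes()
        if by_name or by_content:
            hits.append(f.relative_to(site_root).as_posix())
    return hits
```

Running it on the Step 3 backup shows which core files were changed. Running it again on a fresh copy after the upload confirms that both lists are empty.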
Fixing Your SEO (The Recovery)
Cleaning the files is only half the battle. If Google has blacklisted you, your traffic will be zero until you fix it. You need to tell Google that you are safe.
Step 1: Remove the “Red Warning”
If users see a red warning screen when visiting your site, you are on the Google Blacklist.
Log in to Google Search Console.
On the left menu, click on “Security & Manual Actions.”
Click on “Security Issues.”
You will see a list of the infected pages. Since you have cleaned the site, click the button that says “Request Review.”
In the description box, write something simple like this:
“I identified a malware infection on my site. I have replaced all core WordPress files, removed malicious PHP files from the uploads folder, and updated all passwords. The site is now clean. Please review.”
Google usually reviews these requests within 24 to 72 hours. Once they confirm your site is clean, they will remove the red warning.
Step 2: Fix “Spam” Results (The Japanese Keyword Hack)
Sometimes hackers create thousands of fake pages on your site to sell fake products. Even after you clean the site, these pages might still show up in Google search results for months.
Go to Google and search for site:yourdomain.com.
Look at the results. Do you see pages you did not create?
If you do, you need to force Google to re-scan your site.
Go to your SEO plugin (like Yoast or RankMath) and regenerate your XML Sitemap.
Submit this new sitemap to Google Search Console. This tells Google: “Here is the list of my real pages. Ignore the rest.”
Prevention (Never Again)
You have done the hard work. You are clean. Now, let’s make sure this never happens again.
1. Update Everything
Old software is the #1 cause of hacks. Hackers know about bugs in old versions of plugins.
Plugins: Delete any plugin you are not using. Update the rest.
Themes: Even if your theme is not active, an old version can still be hacked. Delete old themes.
2. Install a Firewall
A firewall sits between your website and the internet. It checks every visitor. If a visitor looks like a hacker, the firewall blocks them before they can even touch your login page. We recommend using the free version of Wordfence or Cloudflare.
3. Disable File Editing
By default, you can edit code inside the WordPress dashboard. This is dangerous. If a hacker guesses your password, they can use this feature to destroy your site.
You can turn this off by adding a small line of code to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
4. Backups are Life-Savers
If you get hacked again, wouldn’t it be nice to just click “Undo”? You need an automated backup system. Set up a plugin like UpdraftPlus to back up your site every night and send the file to Google Drive or Dropbox. Do not store backups on your server—if the server breaks, you lose the backup too.
Conclusion
Fixing a hacked WordPress site is stressful, but it follows a logical process.
Identify the problem.
Replace the infected files.
Tell Google you are clean.
Secure the site for the future.
If you follow these steps carefully, your site will be cleaner, safer, and faster than it was before.
Still stuck? Removing malware can be technical and risky. If you are uncomfortable deleting server files or using FTP, do not take the chance. Contact our Malware Removal Team today. We can clean your site, restore your SEO, and secure you against future attacks immediately.

