How do I know my WordPress site is hacked?

Common signs: Google flags the site as 'Deceptive site ahead' or 'This site may be hacked', visitors are redirected to spam, search results show unrelated Japanese or pharma terms, host suspends the account, or new admin users appear that you didn't create. Any of these is enough to open an engagement.

How long does a WordPress cleanup take?

Most single-site cleanups are completed within 24 hours of access being granted. Larger or multi-site engagements take longer; the triage note we send before any destructive change includes the expected timeline.

Will my site stay down during the cleanup?

Usually no. Most cleanups happen in-place against the live site. If the compromise is severe enough to require a maintenance window or if your host has suspended the account, we'll coordinate downtime with you before changing anything.

Do you only fix WordPress, or also WooCommerce?

Both. WooCommerce installs are WordPress installs plus a complex plugin and a payment surface — exactly the combination attackers target. We handle WooCommerce cleanups the same way: by hand, with a written report.

// WORDPRESS · COMPROMISED · WE CLEAN IT

Your WordPress site is hacked.
We fix it.

Manual cleanup. Entry vector identified. Written report. Flat $279, 30-day reinfection guarantee — if it comes back, we fix it free.

Bereinigung starten → What does compromise look like?

§ 01 — SYMPTOME

If any of these are true, your site is compromised.

[ BROWSER WARNING ]
Chrome, Firefox, or Safari shows a red interstitial: 'Deceptive site ahead' or 'The site ahead contains malware.'
[ GOOGLE SEARCH ]
Search Console emails a 'security issues' warning, or your listing shows 'This site may be hacked'.
[ REDIRECTS ]
Visitors arriving from Google land on a spam or scam page instead of your site. You see the real site when you visit directly.
[ STRANGE CONTENT ]
Search results for your domain include pages or terms you never published (pharma, Japanese characters, casino, loans).
[ HOST SUSPENSION ]
Your hosting provider suspended the account 'for security reasons' and is asking you to provide a clean version.
[ NEW USERS ]
An admin user appears in WP that you didn't create. Or a user whose name you recognise but whose email you don't.

If none of these match but something feels off, open an engagement anyway — triage is free.

§ 02 — WHAT GETS DONE

Every cleanup includes:

[ MALWARE ]
Backdoors, web shells (c99, WSO, FilesMan, custom loaders), and obfuscated PHP — removed by reading file diffs, not pattern-matching.
[ DB-AUDIT ]
Injected admin users, suspect cron jobs, orphaned options with autoloaded payloads — reviewed by hand.
[ CLIENT-SEITE ]
JS-Skimmer, Cryptojacker und bedingte Weiterleitungen — auch solche, die nur bei Google-Referrern auslösen.
[ ENTRY VECTOR ]
We identify how they got in. Vulnerable plugin, leaked credential, server-level issue — whichever one it is, we tell you in plain English.
[ ABSICHERUNG ]
wp-config lockdown, file permission audit, secret rotation, login surface reduction. Closes the door we just walked through.
[ AUSLISTEN ]
Antrag auf erneute Prüfung bei Google Safe Browsing, Sucuri, McAfee, Norton, Yandex eingereicht.
[ BERICHT ]
Plain-English forensic report. Hand it to a client, an insurer, or keep it on file.

§ 03 — WHY MANUAL

Scanners catch signatures. We catch the rest.

Automated scanners are pattern matchers. They detect known malicious filenames and known string patterns. They miss obfuscated PHP loaders, database-resident injections, and credential-theft backdoors that wait. They also delete and re-quarantine in a loop without ever closing the entry point.

Every engagement is touched by a human who reads diffs, audits the database, and verifies the site is clean before shipping the report.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

PAUSCHAL · EINMALIG · PRO SEITE

Manuelle Bereinigung, Eintrittsvektor identifiziert, schriftlicher forensischer Bericht. 30-Tage-Reinfektions-Garantie.

Bereinigung starten →

[ SHIELD ]

$29 / mo

PRO SEITE · JEDERZEIT KÜNDBAR

Laufendes Monitoring, Absicherung, eine Bereinigung pro Jahr inklusive.

Schützen lassen →

Auftrag starten

Seite kompromittiert? Auftrag starten.

Sende uns, was du weißt. Wir antworten mit einer Triage und einem Festpreis.

Aufnahme-Formular öffnen →