WordPress · compromised · I clean it
WordPress malware removal.
Manual cleanup. Entry vector identified. Written report. Flat $279.
Symptoms
If any of these are true, your site is compromised.
Browser warning
Chrome, Firefox, or Safari shows a red interstitial: 'Deceptive site ahead' or 'The site ahead contains malware.'
Google search
Search Console emails a 'security issues' warning, or your listing shows 'This site may be hacked'.
Redirects
Visitors arriving from Google land on a spam or scam page instead of your site. You see the real site when you visit directly.
Strange content
Search results for your domain include pages or terms you never published (pharma, Japanese characters, casino, loans).
Host suspension
Your hosting provider suspended the account 'for security reasons' and is asking you to provide a clean version.
New users
An admin user appears in WP that you didn't create. Or a user whose name you recognise but whose email you don't.
If none of these match but something feels off, open an engagement anyway — triage is free.
What gets done
Every cleanup includes:
Malware
Backdoors, web shells (c99, WSO, FilesMan, custom loaders), and obfuscated PHP — removed by reading file diffs, not pattern-matching.
DB audit
Injected admin users, suspect cron jobs, orphaned options with autoloaded payloads — reviewed one by one.
Client-side
JS skimmers, cryptojackers, and conditional redirects — including the ones that fire only for Google referrers.
Entry vector
I identify how they got in. Vulnerable plugin, leaked credential, server-level issue — whichever one it is, I tell you in plain English.
Hardening
wp-config lockdown, file permission audit, secret rotation, login surface reduction. Closes the door I just walked through.
Delist
Reconsideration requests submitted to Google Safe Browsing, Sucuri, McAfee, Norton, Yandex.
Report
Plain-English forensic report. Hand it to a client, an insurer, or keep it on file.
Why manual
Scanners catch signatures. I catch the rest.
Automated scanners are pattern matchers. They detect known malicious filenames and known string patterns. They miss obfuscated PHP loaders, database-resident injections, and credential-theft backdoors that wait. They also delete and re-quarantine in a loop without ever closing the entry point.
Every engagement is touched by a human who reads diffs, audits the database, and verifies the site is clean before shipping the report.
Pricing
Cleanup
$279
flat, one-time, per site
Manual cleanup, entry-vector identification, written forensic report.
Monitoring
$29 / mo
per site, cancel any time
Continuous monitoring, hardening, one cleanup per year included.
Part of threatover's broader security practice. Penetration testing, bug bounty consulting, triage, and security advisory.
Email [email protected] or use the contact form.