How do I know my WordPress site is hacked?

Common signs: Google flags the site as 'Deceptive site ahead' or 'This site may be hacked', visitors are redirected to spam, search results show unrelated Japanese or pharma terms, host suspends the account, or new admin users appear that you didn't create. Any of these is enough to open an engagement.

How long does a WordPress cleanup take?

Most single-site cleanups are completed within 24 hours of access being granted. Larger or multi-site engagements take longer; the triage note we send before any destructive change includes the expected timeline.

Will my site stay down during the cleanup?

Usually no. Most cleanups happen in-place against the live site. If the compromise is severe enough to require a maintenance window or if your host has suspended the account, we'll coordinate downtime with you before changing anything.

Do you only fix WordPress, or also WooCommerce?

Both. WooCommerce installs are WordPress installs plus a complex plugin and a payment surface — exactly the combination attackers target. We handle WooCommerce cleanups the same way: by hand, with a written report.

// WORDPRESS · COMPROMISED · WE CLEAN IT

Your WordPress site is hacked.
We fix it.

Manual cleanup. Entry vector identified. Written report. Flat $279, 30-day reinfection guarantee — if it comes back, we fix it free.

Start a cleanup → What does compromise look like?

§ 01 — SYMPTOMS

If any of these are true, your site is compromised.

[ BROWSER WARNING ]
Chrome, Firefox, or Safari shows a red interstitial: 'Deceptive site ahead' or 'The site ahead contains malware.'
[ GOOGLE SEARCH ]
Search Console emails a 'security issues' warning, or your listing shows 'This site may be hacked'.
[ REDIRECTS ]
Visitors arriving from Google land on a spam or scam page instead of your site. You see the real site when you visit directly.
[ STRANGE CONTENT ]
Search results for your domain include pages or terms you never published (pharma, Japanese characters, casino, loans).
[ HOST SUSPENSION ]
Your hosting provider suspended the account 'for security reasons' and is asking you to provide a clean version.
[ NEW USERS ]
An admin user appears in WP that you didn't create. Or a user whose name you recognise but whose email you don't.

If none of these match but something feels off, open an engagement anyway — triage is free.

§ 02 — WHAT GETS DONE

Every cleanup includes:

[ MALWARE ]
Backdoors, web shells (c99, WSO, FilesMan, custom loaders), and obfuscated PHP — removed by reading file diffs, not pattern-matching.
[ DB AUDIT ]
Injected admin users, suspect cron jobs, orphaned options with autoloaded payloads — reviewed by hand.
[ CLIENT-SIDE ]
JS skimmers, cryptojackers, and conditional redirects — including the ones that fire only for Google referrers.
[ ENTRY VECTOR ]
We identify how they got in. Vulnerable plugin, leaked credential, server-level issue — whichever one it is, we tell you in plain English.
[ HARDENING ]
wp-config lockdown, file permission audit, secret rotation, login surface reduction. Closes the door we just walked through.
[ DELIST ]
Reconsideration requests submitted to Google Safe Browsing, Sucuri, McAfee, Norton, Yandex.
[ REPORT ]
Plain-English forensic report. Hand it to a client, an insurer, or keep it on file.

§ 03 — WHY MANUAL

Scanners catch signatures. We catch the rest.

Automated scanners are pattern matchers. They detect known malicious filenames and known string patterns. They miss obfuscated PHP loaders, database-resident injections, and credential-theft backdoors that wait. They also delete and re-quarantine in a loop without ever closing the entry point.

Every engagement is touched by a human who reads diffs, audits the database, and verifies the site is clean before shipping the report.

§ PRICE

Flat $279. One-time. Per site.

[ RESCUE ]

$279

FLAT · ONE-TIME · PER SITE

Manual cleanup, entry-vector identification, written forensic report. 30-day reinfection guarantee.

Start a cleanup →

[ SHIELD ]

$29 / mo

PER SITE · CANCEL ANY TIME

Continuous monitoring, hardening, one cleanup per year included.

Get protected →

Site compromised? Let's talk.

Send us what you know. You get a triage and a fixed quote in return — no obligation.

Open intake form →