All posts
WORDPRESS · SECURITY · RECOVERY

Your WordPress Site Got Hacked. Here's What to Do.

A WordPress hack drops your rankings, scares customers, and gets you blacklisted by Google. Here's the 48-hour cleanup plan, plus how to make sure it never happens again.

June 24, 2026/8 min read/By Circuit Coders

You Googled your own business and saw Viagra ads

Here's how most owners find out. You search your shop's name on a Tuesday morning, and under your title in Google it says something about cheap pharmaceuticals or a casino in a language you don't speak. Your homepage looks fine when you click it. The hack is hiding from you and showing itself to Google.

I get this call a couple times a month from businesses around North County — a Vista contractor, a Carlsbad boutique, a San Diego landscaper who hadn't logged into their site since 2021. The site still 'works.' It's also quietly injecting 4,000 spam pages, and Google is about to slap a red 'this site may be hacked' warning under every result.

This is not the end of your business. But the clock matters. Every day a hacked site sits live, you lose rankings, you train customers to distrust your name, and you inch closer to Google blacklisting the whole domain. Move now.

If Google shows 'This site may be hacked' under your listing, you can lose 50–80% of organic traffic within a week. Speed beats perfection here.

The first 48 hours: what to actually do

Don't panic-delete things. Don't pay the random 'we'll fix it for $50' guy in your DMs. Work the list in order. Most of this you can do today, and the parts you can't, a real developer can knock out fast.

The single most important move is taking the site offline or into maintenance mode while you work. A hacked site that's still live is still spreading and still being re-crawled by Google as spam.

  • Put the site in maintenance mode or take it offline so Google stops crawling the spam pages
  • Change every password — WordPress admin, hosting/cPanel, FTP, and the database. Don't reuse the old ones
  • Download a fresh backup of the whole site and database before you touch anything, so you have evidence and a fallback
  • Scan with Wordfence or Sucuri (free versions are fine) to find the injected files and backdoors
  • Delete every plugin and theme you're not actively using — abandoned plugins are the #1 way in
  • Update WordPress core, all plugins, and your theme to the current version once it's clean
  • Request a malware review in Google Search Console after cleanup so the warning gets removed (typically 1–3 days)

What to cut — the stuff that wastes your time

Half of hacked-site recovery is people doing expensive things that don't fix anything. A new logo doesn't remove a backdoor. Neither does a $300/year 'premium security suite' bolted onto a site that's already compromised.

If your site has been hacked twice, restoring the same infected backup over and over is not a strategy — you're just reloading the malware. At some point the cheapest path forward is a clean rebuild, not a fourth cleanup.

  • Don't just restore an old backup and call it done — if you don't find the backdoor, it comes right back in a week
  • Don't buy a $99/year 'security plugin bundle' as your only defense — it's a band-aid on a knife wound
  • Don't ignore your hosting account — hackers often plant scripts outside WordPress entirely
  • Don't leave 'admin' as a username or keep inactive user accounts a former employee set up
  • Don't pay a recovery service that won't tell you exactly which files were infected and how they got in

Why WordPress sites get hacked (it's almost never WordPress core)

People love to blame WordPress. The truth is the core software is reasonably secure when it's updated. What gets you hacked is everything bolted onto it — that contact-form plugin from 2019 the developer abandoned, the 'nulled' premium theme someone downloaded for free, the slider plugin with a known vulnerability sitting unpatched.

A typical small-business WordPress site runs 15–25 plugins. Each one is a door. Each one is maintained by a different person who may have quit years ago. You're trusting two dozen strangers to keep your business safe, and most owners have no idea which plugins are even installed.

This is the part nobody tells you when they sell you a $2,000 WordPress build: you just signed up for a maintenance job. Skip the updates for a year and you're not running a website, you're running a target.

Roughly 90% of hacked CMS sites are WordPress — not because it's bad, but because it runs 40% of the web and most installs are never updated.

Getting your local rankings back after the cleanup

Cleaning the malware is step one. Repairing what the hack did to your local SEO is step two, and it's the part most cleanup services completely ignore. A pharma hack can inject thousands of junk pages that Google indexed, and those need to be cleared out, not just hidden.

Start in Google Search Console: submit a malware review request, then use the URL removal tool on the worst spam pages. Re-confirm your real pages are indexed. Then go reassure Google your business is the real thing — your Google Business Profile, your name-address-phone matching across local citations, and clean schema.org LocalBusiness markup on your site so search engines re-verify who you are.

If you serve specific towns, your real pages should still target the searches that matter — 'electrician Oceanside,' 'detailer Carlsbad,' 'roofer San Marcos.' A hack often buries those under spam. Once the junk is gone and the markup is back, legitimate rankings usually recover within 30–60 days, sometimes faster if you act before Google blacklists you.

  • Submit a security review in Google Search Console to clear the 'hacked' label
  • Use the URL removal tool on injected spam pages so they drop out of the index
  • Re-verify NAP (name, address, phone) consistency across your Google Business Profile and local citations
  • Re-add LocalBusiness schema.org markup so Google can re-confirm your business identity
  • Rebuild your real '[service] + [city]' pages if the hack damaged or buried them

What this costs — and where $499 beats a $200/mo retainer

A professional malware cleanup runs $150–$500 one-time from most services. Then they offer you a security retainer at $50–$200 a month to keep watching the same fragile WordPress install you just paid to fix. Over two years that's $1,200–$4,800 to keep a hacked-prone site on life support.

Here's the math nobody does for you. If your WordPress site has been hacked once, the cleanup plus a year of monitoring often costs more than just rebuilding clean on something that doesn't have this problem in the first place.

That's what we build. Circuit Coders does a custom site on Next.js and Vercel for $499 flat, 48-hour turnaround, free mockup first. There's no WordPress, no two dozen plugins, no admin login for a bot to brute-force, no database for someone to inject. It's static and serverless — there's almost nothing to hack. Hosting and updates are an optional $50/mo if you want us handling it, but the attack surface that got you hacked is just gone.

A modern static site has no WordPress admin, no plugins, and no database — you remove the three things that get small-business sites hacked in the first place.

Hacked once, hacked again — or get off the hamster wheel

I'll be straight with you. If your site was hacked once and you clean it and change nothing else, the odds it happens again inside a year are high. The vulnerability was the architecture, not bad luck. Patching it buys you months, not safety.

So you've got two roads. Road one: clean it, pay the monthly retainer, keep your fingers crossed every time a plugin needs updating. That's legitimate, and a good developer can do it well. Road two: rebuild clean on a platform that doesn't have an admin panel for bots to attack, and stop thinking about this entirely.

If you're not sure which road makes sense for your business, I'll look at your site for free. Send me your URL and I'll tell you exactly what got hacked, whether it's worth cleaning, and what a clean rebuild would look like — plus a free mockup of the new version if you want one. No retainer, no pitch you didn't ask for. $499 flat, 48 hours, one round of revisions, and a site there's nothing left to break into.

Frequently asked

How long does it take to clean a hacked WordPress site?

A straightforward cleanup usually takes a few hours to a day for a developer who knows what to look for. Getting Google to remove the 'this site may be hacked' warning after you submit a review typically takes another 1–3 days.

Will a hack hurt my Google rankings?

Yes — a live hack can cost 50–80% of your organic traffic within a week once Google flags the site. After a clean removal and reindex, local rankings usually recover within 30–60 days.

Should I just restore a backup to fix it?

Only if the backup predates the hack and you've also closed the hole that let them in. Otherwise you'll re-upload the malware or get re-infected through the same vulnerable plugin within days.

Is it cheaper to clean my hacked site or rebuild it?

Cleanup runs $150–$500, plus $50–$200/mo if you want ongoing monitoring. If it's been hacked once already, a clean $499 flat rebuild on a platform with no plugins or database often costs less than a year of cleanup-and-monitoring.

Why does WordPress get hacked so often?

It's almost never the core software — it's outdated plugins and themes, which the average site has 15–25 of. WordPress runs about 40% of the web, so it's the biggest target, and most installs go months without an update.

$499 FLAT · 48-HOUR TURNAROUND

Ready to see what a real site looks like?

Send us your URL. We'll build you a free mockup within 48 hours. If you like it, you pay $499 and we ship. If not, walk away — no cost.

Request a free mockup