Most WordPress infections are quiet by design. Attackers want to use your site — to send spam, host scam pages, or redirect your visitors — for as long as possible without you noticing. By the time something looks obviously wrong, the malware has usually been there for weeks.
Here are the signals worth taking seriously, and the safe first moves once you see them.
Common signs of an infected site
- Google shows a “This site may be harmful” warning, or your pages vanish from search.
- Visitors get redirected to sites you've never heard of — often only on mobile, or only for first-time visitors.
- New admin users, posts, or pages you didn't create appear in wp-admin.
- Your host emails you about abuse, phishing content, or suspended hosting.
- The dashboard is suddenly slow, or core files have unexpected modification dates.
What to do first (and what not to do)
Don't panic-delete files or restore a random old backup — you may erase evidence or reintroduce the same hole. Start by taking a full backup of the current (infected) state so nothing is lost, then change every password: WordPress admins, hosting/cPanel, FTP, and the database user.
Put the site into maintenance mode if it's actively redirecting visitors, and check your host's access and error logs for the entry point. The goal is to find how they got in, not just to clean what they left behind.
Why cleanup alone isn't enough
Removing injected code feels like the fix, but if the original vulnerability — an outdated plugin, a weak password, an exposed file — is still there, reinfection usually follows within days. A proper cleanup pairs malware removal with closing the door that let it in.
When to call in help
If your site is already down, hacked, or eating bandwidth, every hour of guesswork costs money. Ximbalo runs a full diagnostic, finds the root cause, and gives you a clear repair estimate before any work begins.
Book a consult or request a $250 assessment from the homepage — we get you back online and hardened against the next attack.