Isolation + forensic backup
Full backup before any cleanup (kept for analysis). Activation of a temporary maintenance page if Google has already blacklisted. Immediate change of all passwords (WP admins, FTP, DB, host).
🦠 Site infected · Full disinfection
Is your WordPress
Is your WordPress
infected?
we disinfect, harden and monitor.
Full WordPress malware cleanup and security hardening
Redirects to illegal pharmacy, casino popups, Chrome showing “Deceptive site ahead”, suspicious PHP files, phantom admins: the malware is in your code. We clean the infection, close the doors, and install the monitoring that will prevent the next attack.
✓ Free 30 min scan
✓ Quote within 24 business hours
✓ From €60/h excl. VAT
✓ 30-day warranty
🚨 Warning signs
The 7 signs of active malware
By severity. The more you tick, the more advanced the infection.
🔴 1. Google Search Console sends an alert
Notification “Site contains harmful content” or “Malware detected” in GSC, Security & manual actions section. Level: red. Without cleanup, your rankings drop within 7 days.
🔴 2. Chrome shows a red “Deceptive site ahead”
Google Safe Browsing warning page instead of your site. Your visitors see “The site ahead contains harmful programs”. Traffic divided by 10 instantly.
🟠 3. Redirects to suspicious sites
Your visitors are redirected to illegal pharmacy, casino, adult content sites or downloads. Often only from Google (not on direct access) or only on mobile — the malware targets specific referrers.
🟠 4. Injected code in the HTML source
Inspect the page source (Ctrl+U). Presence of <script src="https://random-cdn-xyz.tk/...">, eval(base64_decode(...)) in PHP templates, or invisible iframes pointing to unknown domains.
🟠 5. New admin accounts you didn't create
In Users > All Users, presence of admin accounts with strange names (admin_backup, wp_admin, support_wp) or random Gmail/ProtonMail emails. These are attacker backdoors.
🟡 6. Foreign PHP files in
/wp-content/uploads/
The uploads folder should never contain .php. Presence of uploads/2024/12/wp.php, uploads/cache.php = uploaded backdoor. Detection via find /wp-content/uploads/ -name "*.php" over SSH.
🟡 7. Performance degraded for no apparent reason
Your site is suddenly twice as slow, server CPU stuck at 80-100%, your host warns of a CPU quota overrun. Likely cause: the malware is cryptomining (Monero, usually) on your server resources in the background.
🩺 Cleanup protocol
Our method in 6 steps
Always in this order. No improvising, no shortcuts that bring the infection back.
Multi-tool scan
Sucuri SiteCheck + Wordfence CLI + MalCare + manual SSH scan with known patterns (
eval(base64_decode, preg_replace.*\/e, str_rot13). Results cross-checked to miss nothing.
Entry point identification
Server log audit over a rolling 30-day window: suspicious POST requests to
/xmlrpc.php, /wp-login.php, /wp-content/plugins/...vulnerability.../. Identification of the exploited vulnerable plugin / theme / WordPress version.
Layered cleanup
(a) Removal of foreign PHP files (
find + diff against clean WordPress install). (b) Cleanup of injections in core files (diff against official WordPress checksum). (c) DB cleanup: removal of rogue accounts, malicious auto-load options, injected posts/comments.
Security hardening
Update WP + plugins + themes. Removal of unused plugins/themes.
DISALLOW_FILE_EDIT in wp-config.php. xmlrpc.php disabled. Strict filesystem permissions (chmod 644 / 755). Wordfence or Sucuri in continuous monitoring.
Google review request
If the site was blacklisted: review request via GSC > Security & manual actions > Detect issues > Request review. Precise description of the cleanup carried out. Google response time: 1 to 7 days.
Security report + 30-day follow-up
List of cleaned files, removed accounts, sealed entry point, updated plugins, hardening measures applied. Wordfence/Sucuri scan follow-up over 30 days. Re-intervention warranty if recurrence on the same entry point.
💰 Pricing
Pricing stated up-front
Free scan. For the cleanup, you know exactly what it costs before we touch the code.
🔍 Scan
Scan + diagnostic
measure the extent of the infection
0€free
30 min · no commitment
- Scan Sucuri + Wordfence + manual SSH
- Inventory of infected files + rogue accounts
- Firm quote sent immediately
- You decide if we continue
⚡ Most requested
🔧 Cleanup
Cleanup + hardening
disinfect and close the doors
from 60€excl. VAT
per scope · price stated up-front
- Forensic backup before cleanup
- Cleanup of files + DB + rogue accounts
- Hardening (updates, permissions, passwords, monitoring)
- Google review request if blacklisted
- 30-day warranty · re-intervention if recurrence
🛡️ Maintenance
Security maintenance
avoid the next infection
from 50€/ month
24/7 monitoring · no commitment
- Daily Wordfence scan · alert on suspicious pattern
- Daily backups automatically externalised
- WordPress + plugin updates within 48 h of CVE publication
- Priority intervention on incidents
🧭 Don't confuse
“WordPress malware” is not...
❌ Not just “hacked WP”
“Hacked” covers any intrusion (admin access compromised, defacement, data theft). “Malware” is the malicious code left behind. The two interventions overlap but our pages detail different angles.
Hacked WP page → ❌ Not a critical errorIf WordPress displays “There has been a critical error”, it's a PHP bug, not necessarily malware. Different diagnostic.
Critical error page → ❌ Not just a slow siteIf the site is slow but with no signs of infection (no Google alert, no redirect, no foreign PHP files), it's an ordinary performance issue. Dedicated page.
Slow WP page →
❓ FAQ
WordPress malware — frequently asked questions
Seven warning signs: (1) GSC alert “Malware detected”, (2) red Chrome screen “Deceptive site”, (3) redirects to pharmacy/casino/adult, (4) injected code in HTML source (script to weird domains), (5) new admin accounts you didn't create, (6) PHP files in
/wp-content/uploads/ (never normal), (7) degraded performance (cryptomining consuming CPU). Tools: free Sucuri SiteCheck, Wordfence, MalCare.Three steps in order: (1) Fully clean the malware — without that, Google re-blacklists within 48 h. (2) Request GSC review: Security > Detect issues > Request review, with cleanup description. (3) Wait 1 to 7 days. For third-party blacklists (Norton, McAfee, Cisco Talos): separate submission. Fast removal once the cleanup is validated.
A hack = the intrusion (someone obtained access). Malware = the code left behind (redirects, mining, theft). In practice almost always linked: malware found → entry point investigated. Different angle: malware = clean the injected code; hack = close the door (passwords, user audit, permission hardening, vulnerable plugin updates). Our intervention covers both: cleaning without closing the door makes no sense.
Free scan (30 min): Sucuri + Wordfence + MalCare, scope identification. Intervention on quote from €60/h excl. VAT. Moderate malware (JS injections, a few PHP files, 1-2 rogue admin accounts): 4 to 8 hours. Deep infection (sites compromised for months, malware in DB, multiple backdoors): 12 to 25 hours. Quote within 24 business hours. Preventive maintenance from €50/month avoids the next one.
30-day warranty: if the same malware reappears on a missed backdoor, we come back for free. Hardening included: WP + plugins + themes update, removal of unused, change of all passwords, XML-RPC disabled, file-edit lock in admin (
DISALLOW_FILE_EDIT), Wordfence/Sucuri monitoring. At this level, reinfection rate < 5% over 12 months. Without continuous monitoring, warranty expires after 30 days.Three options: (1) Temporary maintenance mode on the frontend to protect your visitors (45 min). (2) Site fully offline if Google has already blacklisted: wait for cleanup + review before bringing it back. (3) Site kept online with injection neutralised if critical traffic and only bot redirects observed. We decide together. GDPR notification recommended if a customer data leak is possible.
🔗 Related topics
Other issues I handle
Suspected infection on your WordPress?
Free 30 min scan: we measure the exact scope, we quote. Quote within 24 business hours. 30-day warranty on the cleanup.