Years ago, I tried to share a post on Facebook from one of my websites. Instead of seeing the title I expected, I saw an advertisement for an overseas pharmacy. I was able to catch and repair the issue before being penalized by the search engines.

I still see “this site may be hacked” error messages in search often. Here is one I saw today:

wordpress error message WordPress attacks

This website in particular is under attack at all times, every day. WordPress powers over 20% of the Internet’s websites. It is a big target. Many people here WordPress’s praises and install it. Well, that is just the beginning; WordPress needs to be secured, backed up, and updated on a regular basis.

What to do if you see “This site may be hacked” on your WordPress website:

  1. Identify the attack. You can test your website quick and free with a website such as All WordPress hacks are different. The site above in particular has “SEO Spam”, meaning someone has injected links into the site just like happened to me once long ago. I wrote about this spam here: MW:SPAM:SEO infection. Most attacks inject spam like this, others are even more serious and contain malware which harms people’s computers.
  2. Remove the spam/malware. Some clean ups are more involved than others. You may need to export your database, repair it, and put it back into your MySQL server. If this is beyond you, hire someone. Occasionally I will take on a client for WordPress repair. Repairing WordPress is not too bad. Not all infections are equal though, and most companies that specialize in this are much cheaper than I am.
  3. Secure your site. This includes finding out how the attacker gained access, plugging the hole, updating WordPress and all plugins, and securing your site.
    Notify the search engines. Please note that Google has in place a slightly different set of steps that I do. You can read them here. Some webmasters can discover the attack before the search engines do. If you create content on a regular basis, Google probably crawls your site very little. If you create content regularly, Google and other searchengines probably hit your site daily. Don’t forget Bing.

This is what Securi will tell you if you are infected:

Securing WordPress

I could go on for an hour writing about how to secure WordPress. I will leave you instead with my 3 favorite tools.

  • Duplicator – For backing up WordPress
  • WordFence – WordPress Firewall.
  • iThemes Security – WordPress hardening.

Hacked sites are bad for SEO

Of course, people are much less likely to click on your site if they see that it is infected. Some SEO spam doesn’t even affect the user of the site. Still, people will be worried that they’ll get a virus if they visit your site. Search engines want to help you recover after an attack. If you do not fix the problem though, they will be forced to remove your site from their index, which would be very bad news. If you need SEO assistance feel free to reach out to me.

  1. I happen to face this problem several years ago. And yes sucuri dot net is the best way to check whether our blog contain malware or not

  2. I had MW:SPAM:SEO infection a small WP site I had been neglecting. The attacked used a XSS (Cross Site Scripting) attack to slip in through a vulnerable social plugin. There was a sentence of spam in every blog post, and there was an outbound link in my RSS feed- took me a while to figure out but the database was infected. I exported it and manually cleaned up the DB before putting it back in place.

    Fun times. 🙂

Leave a Reply