You Googled your own business and saw Viagra ads
Here's how most owners find out. You search your shop's name on a Tuesday morning, and under your title in Google it says something about cheap pharmaceuticals or a casino in a language you don't speak. Your homepage looks fine when you click it. The hack is hiding from you and showing itself to Google.
I get this call a couple times a month from businesses around North County — a Vista contractor, a Carlsbad boutique, a San Diego landscaper who hadn't logged into their site since 2021. The site still 'works.' It's also quietly injecting 4,000 spam pages, and Google is about to slap a red 'this site may be hacked' warning under every result.
This is not the end of your business. But the clock matters. Every day a hacked site sits live, you lose rankings, you train customers to distrust your name, and you inch closer to Google blacklisting the whole domain. Move now.
The first 48 hours: what to actually do
Don't panic-delete things. Don't pay the random 'we'll fix it for $50' guy in your DMs. Work the list in order. Most of this you can do today, and the parts you can't, a real developer can knock out fast.
The single most important move is taking the site offline or into maintenance mode while you work. A hacked site that's still live is still spreading and still being re-crawled by Google as spam.
- Put the site in maintenance mode or take it offline so Google stops crawling the spam pages
- Change every password — WordPress admin, hosting/cPanel, FTP, and the database. Don't reuse the old ones
- Download a fresh backup of the whole site and database before you touch anything, so you have evidence and a fallback
- Scan with Wordfence or Sucuri (free versions are fine) to find the injected files and backdoors
- Delete every plugin and theme you're not actively using — abandoned plugins are the #1 way in
- Update WordPress core, all plugins, and your theme to the current version once it's clean
- Request a malware review in Google Search Console after cleanup so the warning gets removed (typically 1–3 days)
What to cut — the stuff that wastes your time
Half of hacked-site recovery is people doing expensive things that don't fix anything. A new logo doesn't remove a backdoor. Neither does a $300/year 'premium security suite' bolted onto a site that's already compromised.
If your site has been hacked twice, restoring the same infected backup over and over is not a strategy — you're just reloading the malware. At some point the cheapest path forward is a clean rebuild, not a fourth cleanup.
- Don't just restore an old backup and call it done — if you don't find the backdoor, it comes right back in a week
- Don't buy a $99/year 'security plugin bundle' as your only defense — it's a band-aid on a knife wound
- Don't ignore your hosting account — hackers often plant scripts outside WordPress entirely
- Don't leave 'admin' as a username or keep inactive user accounts a former employee set up
- Don't pay a recovery service that won't tell you exactly which files were infected and how they got in
Why WordPress sites get hacked (it's almost never WordPress core)
People love to blame WordPress. The truth is the core software is reasonably secure when it's updated. What gets you hacked is everything bolted onto it — that contact-form plugin from 2019 the developer abandoned, the 'nulled' premium theme someone downloaded for free, the slider plugin with a known vulnerability sitting unpatched.
A typical small-business WordPress site runs 15–25 plugins. Each one is a door. Each one is maintained by a different person who may have quit years ago. You're trusting two dozen strangers to keep your business safe, and most owners have no idea which plugins are even installed.
This is the part nobody tells you when they sell you a $2,000 WordPress build: you just signed up for a maintenance job. Skip the updates for a year and you're not running a website, you're running a target.
Getting your local rankings back after the cleanup
Cleaning the malware is step one. Repairing what the hack did to your local SEO is step two, and it's the part most cleanup services completely ignore. A pharma hack can inject thousands of junk pages that Google indexed, and those need to be cleared out, not just hidden.
Start in Google Search Console: submit a malware review request, then use the URL removal tool on the worst spam pages. Re-confirm your real pages are indexed. Then go reassure Google your business is the real thing — your Google Business Profile, your name-address-phone matching across local citations, and clean schema.org LocalBusiness markup on your site so search engines re-verify who you are.
If you serve specific towns, your real pages should still target the searches that matter — 'electrician Oceanside,' 'detailer Carlsbad,' 'roofer San Marcos.' A hack often buries those under spam. Once the junk is gone and the markup is back, legitimate rankings usually recover within 30–60 days, sometimes faster if you act before Google blacklists you.
- Submit a security review in Google Search Console to clear the 'hacked' label
- Use the URL removal tool on injected spam pages so they drop out of the index
- Re-verify NAP (name, address, phone) consistency across your Google Business Profile and local citations
- Re-add LocalBusiness schema.org markup so Google can re-confirm your business identity
- Rebuild your real '[service] + [city]' pages if the hack damaged or buried them
What this costs — and where $499 beats a $200/mo retainer
A professional malware cleanup runs $150–$500 one-time from most services. Then they offer you a security retainer at $50–$200 a month to keep watching the same fragile WordPress install you just paid to fix. Over two years that's $1,200–$4,800 to keep a hacked-prone site on life support.
Here's the math nobody does for you. If your WordPress site has been hacked once, the cleanup plus a year of monitoring often costs more than just rebuilding clean on something that doesn't have this problem in the first place.
That's what we build. Circuit Coders does a custom site on Next.js and Vercel for $499 flat, 48-hour turnaround, free mockup first. There's no WordPress, no two dozen plugins, no admin login for a bot to brute-force, no database for someone to inject. It's static and serverless — there's almost nothing to hack. Hosting and updates are an optional $50/mo if you want us handling it, but the attack surface that got you hacked is just gone.
Hacked once, hacked again — or get off the hamster wheel
I'll be straight with you. If your site was hacked once and you clean it and change nothing else, the odds it happens again inside a year are high. The vulnerability was the architecture, not bad luck. Patching it buys you months, not safety.
So you've got two roads. Road one: clean it, pay the monthly retainer, keep your fingers crossed every time a plugin needs updating. That's legitimate, and a good developer can do it well. Road two: rebuild clean on a platform that doesn't have an admin panel for bots to attack, and stop thinking about this entirely.
If you're not sure which road makes sense for your business, I'll look at your site for free. Send me your URL and I'll tell you exactly what got hacked, whether it's worth cleaning, and what a clean rebuild would look like — plus a free mockup of the new version if you want one. No retainer, no pitch you didn't ask for. $499 flat, 48 hours, one round of revisions, and a site there's nothing left to break into.