Initial assessment — free
Before I quote anything, I look at the site. What's the infection? How severe? Is there a clean backup? What's the likely entry point? The answers determine what the work involves and what it costs. I won't quote blind.
Free assessments answered same day
WordPress malware removal — cleaned, closed, kept out.
Your WordPress site is compromised. Visitors are being redirected, Google is showing the red warning screen, or you've been locked out entirely. Whatever the symptom, the underlying problem is the same — unauthorised code is running on your website. I'm a senior UK developer, and I fix this properly: malware removed from files and database, hidden backdoors found, and the entry point identified and closed so the same attack can't simply walk back in. It starts with a free assessment — what you're dealing with, what the fix involves, and what it'll cost. Same-day response.
The Symptoms
Is your WordPress site compromised?
Malware doesn't always make itself obvious. Some infections are loud — your site redirects every visitor to pharmacy spam. Others are quiet — hidden backdoors sitting unused, waiting. Here's what a hacked WordPress site actually looks like:
- Visitors being redirected to other websites — spam, pharma, or adult sites
- “This site may be hacked” in Google results, or Search Console security warnings
- The red “Dangerous site” warning screen — the Google blacklist that kills traffic overnight
- Hosting account suspended or flagged by your hosting provider
- Can't log in to WordPress admin — even with the correct credentials
- New admin users in your dashboard that you didn't create
- Unfamiliar files appearing in your WordPress directories
- Pages or posts published on your site that you didn't write
- Spam emails being sent from your domain
- Unusual spikes in server load or bandwidth with no traffic to explain them
If any of these match what you're seeing, the site is compromised. The question isn't whether to act — it's how quickly, and what the right approach is.
The Hard Truth
Why most malware removal doesn't actually work.
There are hundreds of services offering WordPress malware removal for £15–£80. Most work like this: run an automated scanner, delete the files it flags, maybe reinstall WordPress core, mark the job done. That's not malware removal — that's symptom suppression. Here's what those services typically don't do:
- Identify how the attacker got in — plugin vulnerabilities account for 96% of disclosed WordPress vulnerabilities. If the entry point isn't found and closed, the attacker's script simply walks back in.
- Check the database — malware injections in the WordPress database are common and invisible to file-only scanners.
- Verify backdoor removal — sophisticated infections leave hidden backdoors specifically designed to survive a surface clean.
- Confirm integrity — a properly cleaned site matches known-good WordPress core and plugin checksums, not just “no scanner alerts”.
Cheap services remove what's visible and declare the job done. The infection they missed is how you get hacked again two weeks later. Root cause identification isn't optional — it's the whole job.
The Work
What proper malware removal looks like.
Six stages, every job. The difference between a site that stays clean and one that's reinfected by the end of the month is whether stages four and five happened at all.
Backup before anything is touched
A clean offsite backup changes the recovery options significantly. If there isn't one, I snapshot the current state before work begins. You can't do this job responsibly without a rollback position.
Identification & removal
Full sweep: files, database, wp-config, .htaccess, active plugins and themes. Manual review of flagged files — not just scanner output — with WordPress core compared against official checksums.
Root cause investigation
The part cheap services skip. I work backwards from the infection to the entry point — which plugin was vulnerable, which theme was nulled, which account was brute-forced — and close it before the site goes back online.
Hardening
Security keys regenerated, passwords changed, file permissions reviewed, unnecessary plugins removed, security plugin configured, hosting-level security checked. Not just clean — significantly harder to compromise than before.
Written report
What was found, what was removed, what the likely entry point was, and what was done to prevent recurrence. A clear account for your records — and your hosting company, if they asked questions.
Your Situation
Recovery depends on what you're working with.
Anyone who quotes a fixed price for WordPress hack recovery before seeing the site is guessing. These are the three situations I actually find — and what each one honestly means for the work:
Clean backup exists, simple site
A recent offsite backup from before the infection, on a standard brochure or blog site — the cleanest recovery path. Restore from backup, identify and close the entry point, harden, re-scan to confirm clean.
No backup — or the backup is infected too
We clean the live infected installation rather than restoring. More labour-intensive, more careful verification needed. Still fixable in most cases — and if the infection is severe enough that a rebuild is the better option, I'll tell you that honestly rather than billing for a losing battle.
WooCommerce or e-commerce site
If the compromised site processes payments or stores customer data, there's a dimension beyond the technical cleanup: under UK GDPR, certain breaches carry a 72-hour notification window to the ICO. I'll flag this during the assessment if it applies. A site that takes payments gets a more thorough recovery and proper documentation — the risk profile demands it.
Process
How it works.
Free assessment — same day
Send me the site URL and describe what you're seeing. I run an initial review — external scan, visible indicators, hosting situation — and come back with an honest picture of what you're dealing with and what recovery involves.
Scope and fixed quote
Based on the assessment, you get a clear scope and a fixed price — what's involved, what's included, what it costs, before anything starts. If I can't fix it properly within a realistic scope, I'll tell you that too.
Backup and containment
Before any work begins: backup taken, and the site optionally put into maintenance mode so visitors stop hitting infected pages. If the site is already down, we work to get it stable first.
Clean, investigate, harden
Malware removed from files and database. Root cause identified and closed. WordPress hardened. Full re-scan to verify clean status before the site goes back to normal service.
Report and handover
A written report covering what was found, what was done, and what to watch for. Recommendations for ongoing security where relevant — flagged honestly, not upsold.
Investment
Honest pricing — scoped after assessment, not before.
I don't publish a fixed price for malware removal, because anyone who does is either underselling — and won't do the job properly — or padding the price to cover unpredictable complexity. The assessment is free; the quote that follows it is fixed. Typical engagements:
- Initial assessment — honest scope, no obligation Free
- Simple brochure site, good backup, surface infection From £350
- Brochure site, no backup or deeper infection From £500
- WooCommerce / e-commerce site From £650
- Severely compromised — backdoors, server-level access From £800
- Post-cleanup security hardening (standalone) From £250
- Ongoing security monitoring From £75/mo
E-commerce sites are priced higher not because the work is harder, but because the required thoroughness is higher — and the implications of an incomplete job are greater.
✓
No fix, no fee
If I assess the site and can't clean it to a standard I'm confident in, I won't charge for the attempt. I'll tell you what happened and what your options are.
Why no fixed menu price?
Backup status, infection depth, entry point, and whether customer data was exposed all change what recovery involves. The free assessment answers those questions — then you get one fixed price for the agreed scope. No hourly metering, no surprises.
After the Clean
Cleaning it once isn't enough.
A cleaned WordPress site is more secure than a compromised one — but it isn't invulnerable. The most common cause of reinfection isn't a new attack; it's the same old one, through a different vulnerable plugin or an account that was never properly secured.
After cleanup, you get a clear set of recommendations. Some you can handle yourself — updates, strong passwords, two-factor authentication. Some you might want me to handle on an ongoing basis, alongside the WordPress work and managed hosting I already do for clients.
Ongoing security monitoring
Not an expensive retainer — regular scanning, update monitoring, and a human who knows your site and will notice when something looks wrong.
From £75/month
Questions
The honest answers.
The questions every hacked-site conversation starts with. Anything else — ask, and you'll get a straight answer the same day.
Can you guarantee the malware won't come back?
I can guarantee that when I identify the entry point and close it, that specific attack vector is blocked. What nobody can guarantee is that a different, unrelated vulnerability won't be exploited in future. What I can do is leave your site significantly harder to compromise than it was, with clear guidance on keeping it that way.
What if I don't have a backup?
It changes the work, not whether it's possible. Cleaning a live infected installation is more complex than restoring a clean backup — it takes longer and carries more uncertainty. I'll be honest during the assessment about whether a clean recovery is achievable, or whether the infection is severe enough that a rebuild is the more sensible option.
My site is down completely. Can you still help?
Yes — though I'll need hosting access or FTP/SFTP credentials to work with a site that's fully offline. Get in touch with whatever access details you have and we'll work out what's possible from there.
Do I need to report this to anyone?
For most personal blogs and brochure sites — no. But if your site collects or processes personal data (contact forms, customer accounts, payments), a compromise that exposed that data may trigger a 72-hour reporting obligation to the ICO under UK GDPR. I'll flag it if it applies to your situation — worth knowing before assuming it's purely a technical problem.
How did this happen — and how do I stop it happening again?
The overwhelming majority of WordPress infections come from one of four sources: an outdated plugin with a known vulnerability, a nulled (pirated) theme or plugin bundled with malware, a weak or reused admin password, or a shared-hosting neighbour being compromised. The root cause investigation identifies which applies to you, and that entry point gets closed. Long-term prevention is mostly keeping things updated and running fewer plugins — and I can help with that ongoing if you want it.
Site compromised?
Start with the assessment.
Tell me what you're seeing — the symptoms, whether you have backups, and how business-critical the site is. I'll come back the same day with an honest picture of what you're dealing with and what the fix involves. No commitment, no invoice before we've agreed scope. If it's simple, it'll be quick and affordable. If it's complex, I'll tell you that plainly rather than taking your money and delivering a surface clean.
No fix, no fee UK-based senior developer Same-day response