If you are running a WordPress site and suddenly your traffic drops, and when you check Google, you see that “This site may have been hacked by a third party” and your search rank drops significantly, there is almost a 100% probability that your site has been hacked and tampered with. In this article, we will explain how to deal with this situation.
In this article, we will explain how to deal with this situation.

Why does “This site may have been hacked by a third party” appear?

Google searches and indexes sites independently. If a link to a particular domain is embedded in a site, or if an illegal file (JS, etc.) is loaded in the HTML of a site, Google detects it and determines that the site has been tampered with. This is based on considerable evidence (100% of the time when WordPress Doctor was consulted, the site was a victim of tampering), so let’s first examine the damage to the site.

Find traces of tampering

When WordPress is tampered with, various traces of the tampering can be seen in the admin panel and access to the site. Here are some of the most common ones

Unknown increase in the number of WordPress administrator users.
●The number of accesses is increasing rapidly.
(This is often indicated in the server access logs, not in the access analysis.
●The number of e-mails sent is increasing rapidly.
This is a case where the site is a stepping stone for spam. (This is also often indicated in the server access log, not in the access analysis.
A large number of unintelligible words or URLs are being written in comments.
A large number of folders or files have been added to the WordPress directory without your knowledge.
●The site has become very heavy.
When a malicious file is loaded from the server where the malware was distributed, the malicious file distribution destination may have already disappeared, and this file cannot be retrieved, resulting in a heavy site.
Some functions on the posting screen are no longer available.
This is caused by tampering code interfering with WordPress functions.
The layout of the site suddenly collapsed.
This is caused by the tampering code interfering with the WordPress theme.
I can’t log in anymore.
The password for the administrator privilege has been rewritten.

In addition, you should also check your website for viruses at the following sites

Trend Micro Site Safety Center
http://safeweb.norton.com/
Norton Safe Web
http://global.sitesafety.trendmicro.com/index.php
SUCURI (recommended)
https://sitecheck.sucuri.net/

How to eliminate hacking tampering from a site? (First Aid)

Eliminating hacking from a site requires very specialized knowledge. We scan the site for tampering patterns collected from various requests and restore the site by eliminating the tampering code. Please note, however, that this is only a stopgap measure and will not stop all the entry points for site tampering. (If left unchecked, there is a risk of re-infection.)
This is a measure to stop secondary damage such as the sending of spam mail or the distribution of malware once it has occurred.

0 Back up the site and the database

1 Download a new template and replace the site with that template.
2 Stop all plug-ins. If you must use a plugin, download the ZIP file from the site, delete the old plugin via FTP, and reinstall it.
3 Update WordPress itself.
4 Delete the increased number of users and change the password for the administrator user.
5 Delete the increased number of comments. Deactivate all comment functionality on the site

Perform virus check again

After the above first aid measures are completed, check the site infection status again.

Here is a free malware scanner created by WordPress Doctor
[Free WordPress tampering, hacking, malware, and virus scanning (detection) WP malware scanner LITE

SUCURI (check from outside the site)
https://sitecheck.sucuri.net/

If first the infection is detected, and then it is not detected, then the first aid measure has been successful! We can then perform a more detailed inspection to eliminate the virus, regenerate plug-ins and themes, and take measures to prevent re-infection, so please contact us.

We have notified Google that the site has been restored.

Once the site is completely free of viruses and hacking tampering and security measures have been taken, we notify Google via the Google Search Console site that the viruses have been removed and we will ask Google to reinspect the site.

Register your site in the Search Console and request a review of the [security issue].

Check the box next to “I fixed the problem with my site” and click the “Request Review” button.