WordPress Sending Spam Emails? Detect and Fix the hack

Did you find emails being sent from your website that are not from you?

Worried that your subscribers and clients are being spammed?

If you’re facing such issues, it’s likely that your website is hacked and the consequences are devastating. Subscribers that you worked hard to get will be quick to unsubscribe and report your email as spam. Your website and email address will be blacklisted and any email you send will end up in the spam folder. 

Unfortunately, this is quite a common issue. So, don’t worry, we’ve helped many of our clients overcome this. We’ll show you how to fix it the right way and fast! 

TL;DR – 

To stop WordPress from sending spam, you need to detect and fix the hack on your website. Install MalCare on your website to automatically scan it. The plugin has a smart scanner that can detect any kind of malware, even if the hacker has hidden or disguised it. Once the infected files are found, you can get rid of the hack in under a few minutes using the auto-clean feature.

Note: This article details how to find and fix spam emails being sent out from your WordPress. This article is for you if you’re seeing errors such as the following:

  • Multiple failed delivery messages in your inbox
  • Your Internet Service Provider (ISP) warned you that there’s large amounts of outbound spam
  • You received a message saying ‘MTA queue is too large!’

If you’re dealing with WordPress spam comments, we have a detailed guide on how to stop spam comments.If you’re facing emails going into the spam folder, skip ahead to where we show you why your emails are being flagged as spam and how to fix the issue.

Cautionary Steps For Hacked WordPress Sending Spam Emails

Emails are a pillar of communication with your customers. If your email is compromised, customers can lose their trust in you to maintain their personal data such as their email addresses. 

Therefore, if your business has sent out spam emails, you need to carry out damage control by taking these precautionary measures before you proceed to finding and fixing the hack.

1. Visit your wp-admin panel and check all user accounts. We suggest disabling all accounts temporarily till you can be sure none of them have been breached. If you see an account that you don’t recognize, this could be added by the hacker. You need to delete it immediately.

2. Reach out to your email recipients. As embarrassing as it may be, if spam emails have been sent out from you, it’s your responsibility to make amends with your recipients.

A well-worded message should be sent out to customers, clients, business associates – that they should ignore all emails from you and not to fall prey to any deceptive tactics hackers may use. It’s best to apologize and tell them you are doing your best to resolve the issue immediately.

3. If you’re running a business large enough, you would need to prepare your teams especially customer service to handle incoming queries from recipients.

4. Contact your email provider’s customer support. They should be able to stop any more spam from going out.

Once done, you can proceed to fixing your hacked site and stop the spam. We guide you in the steps you need to take next. 

How To Fix Hacked WordPress Sending Spam Emails?

It goes without saying that you need to find and fix the hack on your WordPress site. But is that enough? Unfortunately, the answer is no. You also need to find the reason why hackers were able to hack into your site in the first place. So in this guide, we’ll show you how to:

Let’s get started. 

When it comes to fixing a hacked website, time is of the essence. The fastest and most effective way to find a hack is by using a WordPress security plugin. 

Note: In case a plugin is not your preferred choice, you can try cleaning up your website manually. We have covered the manual method in this guide. But we don’t recommend it because it’s time-consuming, labor-intensive, and risky. The manual method entails going into the files of your WordPress site using File Manager in cPanel of your web host account or using an FTP client like FileZilla. The slightest misstep can break your site and make matters worse.

In this guide, we’ll show you how to use a plugin to fix and clean your site in no time.

1. Detect And Clean Hacked WordPress Site Sending Spam Email

There are many plugins available in the WordPress repository that can help you fix your hacked site. However, it’s always best to do research to determine the right one. We’ve done the homework and listed out the best WordPress security plugins to choose from.

Consider the following when choosing the right security plugin:

1. Hackers usually hide or disguise their malware on your site. The plugin should be capable of finding such malware. Choose a plugin that scans your entire website – files and database.

2. Check the method of malware detection used. Most plugins use outdated methods called ‘pattern or signature matching’ that find only known malware. These plugins miss out on any new malware that’s created. Your site may be declared as ‘Clean’ when it’s actually hacked. 

3. Some plugins have a long-drawn process to clean up the hack. You need to contact the support team and they will assign someone to clean up your site. This can take days. Select a plugin that can clean up your site immediately.

4. Lastly, some plugins use your website’s resources to run scans and cleanups. This will slow down your site. Plugins that use offsite servers to run their processes would be a better choice. 

Our MalCare security plugin meets all of the above. Its smart scanner analyzes the behavior of code on your website and thus is able to find any kind of malware – hidden, disguised, or new. It also checks every nook and corner of your website and leaves no stone unturned. Plus, it has an auto-clean feature that will clean up your site in under a few minutes.

Next, we show you how to use MalCare to, find and fix the malware.

You can use any plugin you like, the steps will remain more or less the same. 

A. Find the hack on your WordPress website 

PRO TIP: Before you proceed, we recommend you take a backup of your website. This will ensure all your data is copied and you won’t have to face any data loss. If you have chosen to install MalCare, then a backup powered by BlogVault will automatically be taken for you.

Step 1: Install MalCare on your site. Activate the plugin and access it from your WordPress dashboard. 

Step 2: Enter your email address and select Secure Site Now.

malcare scan

Step 3: MalCare will redirect you to its independent dashboard where it will automatically run a scan on your website. When it detects the infected files on your website, it will display a prompt like so:

Hacked WordPress site after scan

B. Clean the hack on your WordPress website 

Step 1: Once the hack has been detected, MalCare provides you with an option to ‘Auto-Clean’ your site. 

malcare auto-clean

Simply click on this button. MalCare will automatically clean up your website in just a few minutes. Once done, you’ll see a confirmation message that your site is clean:

malcare clean site

That’s it! You’ve successfully cleaned up your hacked WordPress site. 

But the job’s only half done. Now, you need to fix vulnerabilities on your site that allowed the hacker to break in. Then, we’ll show you how to prevent such attacks in the future. 

2. Remove Vulnerabilities On Your WordPress Website

There are common points of entry that hackers use based on which we recommend the following steps:

A. Update your WordPress core installation, themes and plugins


Outdated software is one of the biggest reasons why WordPress sites are hacked. 

Updates can be rolled out to introduce new features or fix bugs and compatibility issues. They’re also rolled out when security flaws are found in themes or plugins, and in the WordPress installation itself. Developers fix it and release security patches in their updates.

Once the user updates their software, the vulnerability is fixed.

But if a website owner ignores the update, it becomes easy for hackers to find the vulnerability and hack in.

In March 2019, the Easy WP SMTP Plugin had a vulnerability in Version 1.3.9. This security flaw could allow attackers to set up a normal subscriber account which had hidden admin powers. They could use this to hijack sites and redirect hacked sites. The developers fixed the issue and released v1.3.9.1.

B. Delete any inactive and unused plugins and themes on your site

The more elements you have on your website, the harder it is to manage. It becomes easy to miss updates or follow up on which plugins have been abandoned by their maker. 

It’s best to get rid of any unwanted plugins and themes and keep only the ones you use. Also do scan your site current theme and plugins regularly for malicious codes.

C. Delete any pirated software and vow to never use any again

Pirated software is tempting because it gives you access to premium features for free. However, pirated versions of plugins and themes are often riddled with malware. Once you install it on your website, the malware infects your site and allows hackers to enter. 

Always use only trusted versions of plugins and themes. WordPress is home to a plethora of free plugins! You’ll most definitely find one that’s satisfactory.

D. Remove any rogue users present on your wp-admin dashboard

As we mentioned earlier, when hackers break into your site, they often add an admin user so that they can gain entry to your site even after you clean it. 

Check your wp-admin panel again and go through the list of users on your website. If you spot any users that you don’t recognize, delete them.

These measures will resolve the vulnerabilities present on your site. 

3. Stay Protected: How To Avoid Sending Email Spam In The Future?

Going through this ordeal once is stressful enough! You wouldn’t want it happening again. Apart from that, customers may be forgiving the first time, but the second time around shows that you haven’t taken security seriously. 

Worse, you could face serious legal issues as well if customer data such as their email addresses are leaked. You need to secure your website for good.

If you used the MalCare plugin to clean your website, you’re already protected. Here’s how:

  • It puts up a firewall that will proactively block malicious bots and IP addresses from visiting your site.
  • It regularly scans your site for any kind of malware.
  • MalCare enables simple captchas before login so no bad bots can crack their way in.
  • It enables you to implement website hardening measures. These are a few security steps recommended by WordPress that you can take to make your site very difficult to break into.
  • It also alerts you if there are any vulnerabilities on your site. You can fix these issues from the MalCare dashboard itself. 

These measures help you protect your site and in turn, make it hard for hackers to gain access. 

Hackers like sites that have weak security. They’re easy to break into. Once they find that your site has security measures in place, they’ll move on.

PRO TIP: After cleaning up your site of malware, if you’re still unable to connect or getting error messages with email delivery, try the WP Mail SMTP plugin. It will help in figuring out the issue and reconfiguring your server settings correctly.

Now, there are times, despite all the precautions and measures you take, you’ll notice your emails are going into the spam box of your recipients. 

When your website has been hacked, this is a common consequence. We show you how to fix this next.

Are Your WordPress Emails Going Into Spam?

There are online spam detection services that monitor servers that send out emails. If they detect that spam is being distributed or if users start reporting your emails as spam, then they blacklist your server IP address. 

No matter what security measures you take, if your server IP is present on these blacklists, your email will end up in the recipient’s spam folder. 

Follow these steps to check if your server IP is blacklisted:

Step 1: Find your Server IP address

Login to your web hosting account. You should see your server IP address displayed here.


cpanel hosting server

If you cannot find it, contact the customer support and request for it.

Step 2: Use tools to detect email blacklisting 

Open any one of these free online tools in your browser and enter your IP address and check for blacklists:

Step 3: Request for blacklist removal

If your site shows up on any blacklist, you will need to contact that particular online service and request for blacklist removal. 

Some services even allow you to remove the blacklist yourself on their website. However, if it gets flagged again, it won’t be removing it the second time. You need to make doubly sure that you have met all requirements and that your site is clean and protected.

To make the process easier, you can take a screenshot of your website status showing ‘Clean’ on the MalCare dashboard. This will serve as evidence that your site is malware-free. 

This process can take a few hours upto a few weeks depending on the severity of spam and the spam detection service.

With that, we come to the end of solving the issue of WordPress sending spam emails. Your WordPress site should be free of any malware and blacklists now.

Final Thoughts

Email spam is a serious global issue. Subscribers, clients, email providers, and spam detection services don’t take it lightly. It shows them that you haven’t taken security seriously.

To avoid this problem in the future, here’s what we suggest:

  • Make website security a priority. Use a reliable security plugin like MalCare and protect your website.

If you liked this article, you would find the next one insightful – WordPress security.

Put an end to the spam – Try MalCare Now!


Melinda is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Melinda distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap