Hacked WordPress Website Sending Spam Emails: Reasons and Fixes

May 2, 2019

Hacked WordPress Website Sending Spam Emails: Reasons and Fixes

May 2, 2019

If your WordPress website is sending spam emails to your customers, you can be almost sure that you’ve been hacked! Being in such a situation is a nightmare to any website owner as it bears severe consequences.

The worst part is you have no control over the content that’s being sent to your valuable customers in the email. You not only stand to lose your customers but your reputation can also be irreparably damaged. Hacks like this can SCARE THE (LIVING) DAYLIGHTS OUT OF SOMEONE and lead to some serious loss of visitors and business.

In such situations, it is imperative that you stop hackers from misusing your site’s resources or redirecting your visitors to their website. Now, it isn’t always easy to find the hack and get rid of it. But we’re here to guide you through the process that will efficiently and effectively fix the hacked website and keep you protected.

Spam emails being sent from your account is a cause for panic! It can seriously damage your business. But if you have the right tools, you can get rid of the malware that’s causing spam emails to be sent. Use our security plugin MalCare to clean up the hack quickly and get back to business.


Why WordPress Emails are Going Into Spam?

Any email that your business sends out falls under the CAN-SPAM Act – a law that governs the commercial email segment. Most online business owners know and follow the rules of this Act. The main rules being:

    • Don’t use misleading or false header information
    • Don’t use deceptive subject lines
    • Disclose that your message is an advertisement
    • Include a valid postal address of your location
    • Include options to opt-out of receiving emails from you
    • Accept opt-outs promptly
    • Monitor what others such as marketing agencies are doing on your behalf

However, when your site is hacked and spam emails are being sent out, hackers will ignore these rules. For instance, hackers will most likely use your wp mail account to send out malware with deceptive headlines and CTA buttons to trick recipients into downloading it.

This will result in your emails being flagged as spam. Recipients can also start flagging your emails as spam. This is bad news for any business website as all emails sent (whether it was sent from the hacker or from you) will end up in the ‘Spam Folder’ of recipients. This is especially important with WooCommerce sites as customers receiving notifications for their orders will end up lost in spam!Needless to say, many of your emails will be left unopened when this happens.

Before you get to finding and fixing the hack, we need to understand what’s going on with email spam – how and why it happens.


If you’ve followed the above rules and your WordPress site isn’t hacked, but your emails are still going to spam folders of recipients, it could be because your web host IP address is blacklisted. This means if you’re using a shared hosting plan, you share an IP address with other websites. These websites that are hosted on the same server could be sending spam emails and therefore, you might’ve been blacklisted too. In this case, you can consider migrating to another host or a dedicated server.

What Causes Spam Email Hacks?

Sometimes, your WordPress website may have vulnerabilities present which hackers use to their advantage to gain access. There are many common hack attacks in which hackers gain access to your site. Here, we’ve covered the three most popular website hacks:

1. Outdated Software

In most cases, this happens because websites are running on outdated software. Updates can be rolled out to introduce new features or fix bugs and compatibility issues. They’re also rolled out when security flaws are found in themes or plugins, and in the WordPress installation itself. Developers fix it and release security patches in their updates.

Once the user updates their software, the vulnerability is fixed.

But if a website owner ignores the update, it becomes easy for hackers to find the vulnerability and hack in.

In March 2019, the Easy WP SMTP Plugin had a vulnerability in Version 1.3.9. This security flaw could allow attackers to set up a normal subscriber account which had hidden admin powers. They could use this to hijack sites and redirect hacked sites. The developers fixed the issue and released V

2. Guessing Game

They also use a method called Brute Force Attacks in which they use automated bots to try to guess your username and password. If your credentials are weak, they could easily hack your site.

3. Using Pirated Software

Getting premium themes or plugins for free is very alluring. But most of these cracked or pirated versions of themes and plugins carry malware or WordPress backdoors. Sometimes the default plugin settings will create a vulnerability. Once you’ve installed the wp software on your site, the hacker gets an entry point. They can then access your site and begin their malicious activities such as sending spam emails.

Once in, they acquire admin privileges and take over your email activities. They can also do this by uploading malicious script to your WordPress servers. These scripts will establish a connection to your mail server and start constructing spam messages. The hackers disguise their code which is why it can go undetected for a while.

If you suspect your website is sending out emails, there are ways to find out if you’ve been hacked.

Signs of an Email Spam Hack

Many times, a hacker sends spam emails to your customers and you may not notice it for a while. It can go under the radar for days! There are a few ways you can find out when is your WordPress hacked or at least suspect it:

    • If you’re lucky, a customer may bring it to your notice
    • You may get a notice from Google stating that your site has been blacklisted on account of malware present on it
    • Your WordPress site suddenly slows down. If a large amount of spam has been added to your MTA (mail transfer agent) queue, it will take a toll on your site’s performance. You might also see messages like “MTA queue is too large.”)
    • You get too many failed email delivery or similar errors appear in your email logs.
    • The internet service provider warns you that there is a large amount of outbound spam from your site

Steps to Take When Your Email has Been Hacked

Emails are a pillar of communication with your customers. If your email is compromised, customers can lose their trust in you to maintain confidential information such as their email addresses.

Therefore, if your business has sent out spam emails, you need to carry out damage control.

1. Check all the accounts added in your wp-admin dashboard. Lock all accounts temporarily till you can be sure none of them have been breached.

2. Reach out to your email recipients. It’s your responsibility to inform everyone – customers, clients, business associates – that they should ignore all emails from you and not to fall prey to any deceptive tactics hackers may use. It’s best to apologize and explain the situation.

3. If you’re running a business large enough, you would need to prepare your teams especially customer service to handle incoming queries from recipients.

4. Contact your email provider’s customer support. They should be able to stop any more spam from going out.

5. The most important step you need to take is to find the hack and clean it.

6. Fix the vulnerability that caused the hack in the first place.

7. Implement stringent security protocols to ensure it doesn’t happen again.

In the next sections, we’ll detail the last three vital steps.

How to Detect WordPress Email Spam Hacks

There are manual ways in which you can comb through your website’s files and folders and try to find the hack. But we don’t recommend it because it’s time-consuming, labor-intensive and risky.

The manual method entails going into the files of your WordPress site using File Manager in cPanel of your web host account or using an FTP client like FileZilla. The thing is the slightest misstep can break your site. Plus, it takes hours and sometimes days to find the hack.

When it comes to fixing a hacked website, time is of the essence. Since the manual malware removal method has many challenges to overcome, we’ll skip to the method we know is the most reliable and the fastest way to find the hack.

Detecting an Email Spam Hack Using a Plugin

The fastest way to find a hack is by using a security plugin. Since the process is automated, it can scan all your website’s files in just a few minutes. However, even among security plugins, there are some that might be slow or may not be able to find the hack.

Before you choose a security plugin, take these points into consideration:

    • Many malware scanner plugins use outdated methods of trying to find hacks. They are programmed to look for malware that’s already been found. So if there’s new malware created, these plugins will miss it.
    • Hackers are smart and disguise their malware. Many plugins are not designed to detect hidden malware.
    • Some of these plugins use your own website’s server to run its process. This will slow down your site as it eats up the resources provided by your WordPress hosting provider.

The scanner you choose should be able to overcome the challenges mentioned above. It should be capable of finding any kind of malware – old or new, hidden or disguised.

You need a scanner that’s smart enough to analyze the behavior of the code and check for unusual activity. It needs to be able to carry out a deep scan to check every nook and corner, including hidden malicious files.

Detecting Email Spam Hack Using MalCare

MalCare is one such WordPress security plugin that can do this with a guarantee of finding any kind of malware present. This is because the scanner is developed to analyze the behavior of code. This means it will go through all the code and see how it’s being executed, where it’s located, what it’s supposed to do and what it’s actually doing, etc.

Plus, using the MalCare plugin is easy. Download and activate it on your site and you can start scanning your site for free. In a few minutes, it will notify you if there’s malware present on your site. It will also tell you how many files are hacked.


malcare malware scanner

MalCare alerts you on how many files are hacked.


Note: Before you detect and clean the hack, we recommend you take a backup of your website. This will ensure all your data is copied and you won’t have to face any data loss. If you have chosen to install MalCare, then a backup powered by BlogVault will automatically be taken for you.

Cleaning up ‘WordPress Sending Email Spam’ Using a Plugin

As we mentioned above, trying to clean up any kind of hack manually is an extremely risky affair. If you want to clean up your hacked website manually, you would need to find malicious code and delete them.

We strongly don’t recommend this method because hackers are getting smarter by the day. They find ways to disguise their code. They use codes such as eval base64_decode that are legitimately used in some plugins. So you may think it’s malicious and delete it. But in doing so, you’ll break your website or cause it to malfunction.

Next, by deleting the malicious code, it only means you’ve removed the malware. It doesn’t mean you’ve removed the hack. So apart from being time-consuming and cumbersome, it’s also ineffective.

This is why we’re going to jump straight to a security plugin – consider it your website antivirus. Since we recommended MalCare to scan your site – for good reason – we’ll show you how to clean up spam email hacks using the same.

Once MalCare finds malware present, all you need to do is click the ‘Auto-clean’ button.


malcare auto-clean option

One-click option to instantly clean malware


The plugin will start the cleaning process and once it’s done, it will notify you that your website is clean.

That’s it. Your website is clean of any hacks and any backdoors that a hacker might’ve created on your site.

Remove Vulnerabilities on Your WordPress website

Next, you need to identify what caused the hack in the first place. There are common points of entry that hackers use based on which we recommend the following steps:

    • Update your WordPress core installation. Also, update all your themes and plugins.
    • Delete any inactive and unused plugins and themes on your site.
    • Delete any pirated software and vow to never use any again.
    • Remove any rogue users present on your wp-admin dashboard.

Finally, you need to ensure you never get hacked again.

Stay Protected: How To Avoid Sending Email Spam in the future?

Going through this ordeal once is stressful enough! You wouldn’t want it happening again. Apart from that, customers may be forgiving the first time, but the second time around shows that you haven’t taken security seriously. You’ll lose their trust.

Worse, you could face serious legal issues as well if customer data such as their email addresses are leaked.

You need to secure your website for good. If you used the MalCare plugin to clean your website, you’re already protected. Here’s how:

    • It puts up a firewall that will proactively block malicious bots and IP addresses from visiting your site.
    • It regularly scans your site for any kind of malware.
    • MalCare enables simple captchas before login so no bots can crack their way in.
    • You can also limit login attempts.
    • It enables you to implement website hardening measures. These are a few security steps recommended by WordPress that you can take to make your site very difficult to break into.

These measures help you protect your site and in turn, make it hard for hackers to gain access. Hackers like sites that have weak security. They’re easy to break into. Once they find that your site has security measures in place, they’ll move on.

Tip: After cleaning up your site of malware, if you’re still unable to connect or getting error messages with email delivery, try the WP Mail SMTP plugin. It will help in figuring out the issue and reconfiguring your server settings correctly.

Final Thoughts

We sincerely hope that you found this this guide helpful and easy to follow. Before you close your browser, here’s what we suggest –

  1. Make website security a priority. Do not wait for a disaster to happen. It’s always best to install a security plugin like MalCare and protect your website.
  2. Take website hardening measures to ensure that your website remains protected and hack-free.
  3. All set? Right, now focus on growing your business.

We hope this article has been helpful in taking control of your website’s email back and insightful in learning more about WordPress security.

Put an end to the spam – Try MalCare Now

wordpress sending spam email
Share via
Copy link