Your WordPress is sending spam

Is your domain sending spam without your knowledge, has your host warned you, or has your mail landed on a blacklist? Here is the cause and how to put a stop to it.

By WP-Detox 6 min read

When a WordPress site sends spam, you almost never see it directly. It’s the host that warns you about a mass send, a customer who reports that your mail is landing in their junk folder, or your address that stops working overnight. Behind it, a malicious script is running on your server and shipping out thousands of messages in your name. Here is how to confirm the problem and stop it.

The telltale signs

Several symptoms point to a site being used as a sending platform:

  • Your host sends you an alert along the lines of “abnormal email sending,” “SMTP quota exceeded,” or simply suspends your account.
  • Your legitimate mail (quotes, contacts, confirmations) no longer reaches its recipients, or always lands in spam.
  • You receive hundreds of non-delivery reports (NDRs, “mail delivery failed”) for messages you never wrote.
  • A checking tool reports that your domain or the server’s IP appears on a blacklist (RBL).

If you tick one or more of these boxes, assume the site is compromised until proven otherwise.

Spoofing or actual sending: not the same problem

Before you tear anything apart, you need to settle one question. Is the spam really leaving your server, or is a spammer simply impersonating your address from somewhere else?

Spoofing (impersonation). Anyone can write you@yourdomain.com in the sender fields of a mail sent from their own machine. Your site isn't touched, your server sends nothing. You get the bounces because receiving servers return delivery errors to the return address the spammer put on the message, and that address is yours. It's annoying, but your WordPress isn't hacked.

Actual sending. Here, a script is running on your hosting and emitting mail. This is the case that matches a compromised site, and it’s the only one that calls for a cleanup.

How do you tell the difference? Look at the full headers of a suspicious message (your recipients can forward you one as an attachment, or pull one from the logs). Read the Received: lines from the bottom up: the lowest one is the earliest hop, and each server the message crossed adds its own line above it. If one of those hops shows your server, or the IP that handed the message to the recipient's mail server is your hosting IP, it's actual sending. If the message reached the recipient from an IP with no connection to your hosting, it's spoofing. Keep in mind that the sender controls everything below the line written by the recipient's own server, so a single Received: line can be forged. The volume in the host's SMTP logs is the evidence that settles it: thousands of outgoing sends recorded on your account means actual sending.
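The header reading described above, as a small shell triage you can run on a saved message. This is an added example and not code from the original article: it joins folded Received: lines back together, lists the IP that handed the message to each hop, and reports actual sending if your hosting IP appears anywhere in that chain. The two messages, every address in them and the hosting IP 203.0.113.42 are constructed for the demo; drop in a real message with full headers and your own server IP instead.

```bash
#!/bin/sh
# Added example: triage a saved raw message (full headers) against your server's IP.
# Every IP, hostname and message below is constructed for the demo.

# Print the header block with folded continuation lines joined back onto their header.
unfold_headers() {
    awk '
        /^$/        { exit }                      # first blank line ends the headers
        /^[ \t]/    { buf = buf " " $0; next }    # continuation line: append to the previous header
                    { if (buf != "") print buf; buf = $0 }
        END         { if (buf != "") print buf }
    ' "$1"
}

# One line per Received: header, top (most recent hop) first: the first bracketed
# IPv4 address in each, which is the host that handed the message to that hop.
received_ips() {
    unfold_headers "$1" | awk '
        tolower($0) ~ /^received:/ {
            if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
                print substr($0, RSTART + 1, RLENGTH - 2)
        }'
}

# actual-sending if any hop came from your hosting IP, spoofing otherwise.
classify_source() {
    msg=$1
    host_ip=$2
    ips=$(received_ips "$msg")
    if [ -z "$ips" ]; then
        echo "undetermined"          # no Received: headers at all: ask for the full raw source
    elif printf '%s\n' "$ips" | grep -qxF "$host_ip"; then
        echo "actual-sending"
    else
        echo "spoofing"
    fi
}

# --- constructed samples ---------------------------------------------------
HOST_IP=203.0.113.42                  # assumed: your hosting server's public IP
SAMPLE_DIR=$(mktemp -d)

# Message that really left the server: one hop was handed over by the host itself.
cat > "$SAMPLE_DIR/actual.eml" <<'EOF'
Received: from mx1.recipient.example (mx1.recipient.example [192.0.2.10])
        by inbox.recipient.example with ESMTP id 4Hk2pQ; Tue, 1 Jan 2030 03:12:45 +0000
Received: from srv42.hosting.example (srv42.hosting.example [203.0.113.42])
        by mx1.recipient.example with ESMTP id 7Bn9xZ; Tue, 1 Jan 2030 03:12:44 +0000
Received: by srv42.hosting.example (Postfix, from userid 1001)
        id 5A3C2; Tue, 1 Jan 2030 03:12:43 +0000
From: "Your Shop" <contact@yourdomain.example>
To: client@recipient.example
Subject: Special offer

(constructed spam body)
EOF

# Spoofed message: the sender address is yours, but the hop has nothing to do with your hosting.
cat > "$SAMPLE_DIR/spoofed.eml" <<'EOF'
Received: from mx1.recipient.example (mx1.recipient.example [192.0.2.10])
        by inbox.recipient.example with ESMTP id 9Qw1aB; Tue, 1 Jan 2030 04:01:02 +0000
Received: from yourdomain.example (unknown [198.51.100.77])
        by mx1.recipient.example with ESMTP id 2Lm4cD; Tue, 1 Jan 2030 04:01:01 +0000
From: "Your Shop" <contact@yourdomain.example>
To: client@recipient.example
Subject: Special offer

(constructed spam body)
EOF

for name in actual spoofed; do
    printf '%s.eml -> %s (hops: %s)\n' "$name" \
        "$(classify_source "$SAMPLE_DIR/$name.eml" "$HOST_IP")" \
        "$(received_ips "$SAMPLE_DIR/$name.eml" | tr '\n' ' ')"
done
```

Two caveats when you use this on a real message. If your host relays outgoing mail through a separate smarthost, pass that relay's IP rather than the web server's, because that is the address the recipient sees. And a spammer can prepend a forged Received: line naming any IP they like, so a match here is a strong lead, not proof; the host's SMTP logs remain the evidence.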

Where the sending comes from

On a compromised site, the spam almost always comes from one of these entry points:

  • A PHP file dropped into wp-content/uploads, a folder that should only ever contain media (images, PDFs, and the like). A .php there is abnormal by definition.
  • A vulnerable extension, often a poorly protected contact form or newsletter plugin, hijacked to send in bulk.
  • A backdoor installed elsewhere (theme, wp-content, root) acting as a mailer.
  • Stolen SMTP credentials, if you use a third-party sending service configured in the site.

The mechanism is almost always the same: the script calls PHP's mail() directly, or opens its own SMTP connection to a relay, so the messages never pass through WordPress's own sending path (wp_mail()).

Diagnosing

Check the sending logs

Ask your host for the account’s SMTP logs, or find them in your admin panel. There you’ll see the outgoing volume, the sending times, and sometimes the source script. A spike of sends at night or thousands of messages per hour leaves no doubt.
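When the host's report gives volume but not the source script, PHP itself can name it: the mail.log directive records every mail() call with the calling file and line, and mail.add_x_header adds an X-PHP-Originating-Script header to each message. The shell snippet below is an added example, not part of the original article: it summarises such a log per calling script and per hour. The log lines are constructed in the format PHP writes, and the paths, line numbers and the log location are assumptions.

```bash
#!/bin/sh
# Added example: summarise PHP's mail() log by calling script and by hour.
# Enable the log in php.ini (or the php-fpm pool / .user.ini the host lets you edit):
#   mail.log = /var/log/php-mail.log        ; assumed path, must be writable by the PHP user
#   mail.add_x_header = On                  ; stamps X-PHP-Originating-Script on each message
# Log lines and paths below are constructed, in the format PHP writes.

# Number of mail() calls per originating script, busiest first.
top_mail_scripts() {
    awk '
        match($0, /mail\(\) on \[[^]]*:[0-9]+\]/) {
            script = substr($0, RSTART + 11, RLENGTH - 12)   # strip "mail() on [" and "]"
            sub(/:[0-9]+$/, "", script)                        # drop the :line suffix
            count[script]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' "$1" | sort -rn
    return 0
}

# Number of mail() calls per hour, to spot the night-time burst.
sends_per_hour() {
    awk '
        match($0, /^\[[^]]*\]/) {
            split(substr($0, 2, RLENGTH - 2), t, /[ :]/)   # "01-Jan-2030 03:12:43 UTC" -> fields
            count[t[1] " " t[2] "h"]++
        }
        END { for (h in count) printf "%s %d\n", h, count[h] }
    ' "$1" | sort
    return 0
}

# --- constructed sample log -------------------------------------------------
# Legitimate WordPress mail shows up as wp-includes/PHPMailer/PHPMailer.php (wp_mail
# ends there) or a plugin file; a script under uploads has no business appearing.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[01-Jan-2030 09:15:02 UTC] mail() on [/var/www/html/wp-includes/PHPMailer/PHPMailer.php:1818]: To: client@recipient.example -- Headers: From: contact@yourdomain.example
[01-Jan-2030 03:12:43 UTC] mail() on [/var/www/html/wp-content/uploads/2024/01/wp-cache.php:1]: To: a1@victim.example -- Headers: From: promo@yourdomain.example
[01-Jan-2030 03:12:43 UTC] mail() on [/var/www/html/wp-content/uploads/2024/01/wp-cache.php:1]: To: a2@victim.example -- Headers: From: promo@yourdomain.example
[01-Jan-2030 03:12:44 UTC] mail() on [/var/www/html/wp-content/uploads/2024/01/wp-cache.php:1]: To: a3@victim.example -- Headers: From: promo@yourdomain.example
[01-Jan-2030 03:12:44 UTC] mail() on [/var/www/html/wp-content/uploads/2024/01/wp-cache.php:1]: To: a4@victim.example -- Headers: From: promo@yourdomain.example
[01-Jan-2030 10:40:11 UTC] mail() on [/var/www/html/wp-content/plugins/contact-form/contact-form.php:88]: To: you@yourdomain.example -- Headers: From: visitor@example.net
EOF

echo "== calls per script =="; top_mail_scripts "$LOG"
echo "== calls per hour =="; sends_per_hour "$LOG"
```

On a real log, run top_mail_scripts first: the path at the top of the list is the file to open. The hourly view then tells you whether you are looking at a burst (a mailer) or a steady trickle (a form plugin being abused).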

Hunt for the malicious script

The goal is to find the mailer. Over SSH, two quick searches already give you a lot:

# PHP code in the media folder (always suspect), including .phtml and .php5-style variants
find wp-content/uploads -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \)

# Files containing mail() calls coupled with obfuscation (-Z and -0 keep paths with spaces intact)
grep -rlZ -E 'base64_decode|eval *\(|gzinflate' wp-content/ | xargs -0 grep -lE 'mail *\('

Be wary of recently modified files, of names that mimic the WordPress core (wp-cache.php, class-wp-mailer.php in an odd location), and of code encoded with base64 or eval(). A mailer doesn’t always hide well, but it’s rarely alone: find one, and there’s often a backdoor next to it to reinject everything after your cleanup. If you want the full method to flush it out, see how to find the backdoor responsible.
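The same hunt wrapped into functions you can rerun after the cleanup, as an added example that is not part of the original article. It covers the four leads described above (PHP in uploads, obfuscation next to a mail or socket call, recent modification, core-style names in the wrong place) and runs them over a throwaway WordPress-shaped tree built in a temp directory. The files in that tree are constructed fixtures carrying the tell-tale tokens, not real malware samples, and the install path in the usage comment is an assumption.

```bash
#!/bin/sh
# Added example: the four searches as reusable functions, run on a constructed tree.
# Usage on a real site:  hunt_mailers /var/www/html   (path assumed)

# 1. Server-side code under the media folder, in any extension PHP might execute.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' -o -iname '*.phar' \) 2>/dev/null
    return 0
}

# 2. PHP files that pair an obfuscation primitive with a mail or raw socket call.
obfuscated_mailers() {
    find "$1/wp-content" -type f -iname '*.php' \
        -exec grep -lE 'base64_decode|gzinflate|gzuncompress|str_rot13|eval *\(' {} + 2>/dev/null \
    | while IFS= read -r f; do
        if grep -qE 'mail *\(|fsockopen *\(|stream_socket_client *\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done
    return 0
}

# 3. PHP files modified in the last N days (default 7), anywhere in the install.
recently_modified() {
    find "$1" -type f -iname '*.php' -mtime "-${2:-7}" 2>/dev/null
    return 0
}

# 4. Core-style names (wp-*.php, class-wp-*.php) outside wp-admin, wp-includes and the root.
misplaced_core_names() {
    root=$1
    find "$root" -type f \( -name 'wp-*.php' -o -name 'class-wp-*.php' \) 2>/dev/null \
    | while IFS= read -r f; do
        case ${f#"$root"/} in
            wp-admin/*|wp-includes/*) ;;      # where core keeps them
            */*) printf '%s\n' "$f" ;;        # same kind of name under wp-content or deeper: a lead
            *) ;;                             # wp-load.php, wp-config.php and friends at the root
        esac
    done
    return 0
}

# All four leads, tagged, in one pass over the install.
hunt_mailers() {
    php_in_uploads "$1"       | sed 's/^/uploads-php: /'
    obfuscated_mailers "$1"   | sed 's/^/obfuscated-mailer: /'
    recently_modified "$1" 7  | sed 's/^/recent: /'
    misplaced_core_names "$1" | sed 's/^/core-name: /'
    return 0
}

# --- constructed tree ---------------------------------------------------------
ROOT=$(mktemp -d)
mkdir -p "$ROOT/wp-admin" "$ROOT/wp-includes" "$ROOT/wp-content/uploads/2024/01" \
         "$ROOT/wp-content/plugins/contact-form" "$ROOT/wp-content/themes/shop"
# Legitimate files: a core file, a plugin that sends through wp_mail(), a theme that
# decodes base64 for an inline logo. None of them pairs obfuscation with a direct mail call.
printf '<?php // core\n' > "$ROOT/wp-load.php"
printf '<?php class WP_Query {}\n' > "$ROOT/wp-includes/class-wp-query.php"
printf '<?php function cf_send($to, $msg) { return wp_mail($to, "Contact", $msg); }\n' \
    > "$ROOT/wp-content/plugins/contact-form/contact-form.php"
printf '<?php $logo = base64_decode(get_option("shop_logo_b64"));\n' \
    > "$ROOT/wp-content/themes/shop/functions.php"
: > "$ROOT/wp-content/uploads/2024/01/logo.png"
# Age the legitimate files so "recently modified" means something.
find "$ROOT" -type f -exec touch -t 202001010000 {} +
# The dropped mailer: a core-looking name in uploads, decoded input, direct mail().
# (Constructed fixture carrying the tell-tale tokens; not real malware.)
printf '<?php @mail($_POST["t"], $_POST["s"], base64_decode($_POST["b"]));\n' \
    > "$ROOT/wp-content/uploads/2024/01/wp-cache.php"

hunt_mailers "$ROOT"
```

Each line this prints is a candidate, not a verdict: a plugin may legitimately ship a class-wp-something.php, and a theme may decode base64 for an image, which is why the second search insists on obfuscation and a mail call in the same file. Read a flagged file before deleting it, and rerun hunt_mailers a day after the cleanup: if the same paths come back, a backdoor is reinjecting them.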

Check the extensions

Review your form and emailing plugins. An outdated or abandoned plugin is suspect number one. Note its version and check it against known vulnerabilities.

Cleaning up

Order matters. If you clean without cutting off sending, the site keeps spamming while you work and the host may suspend the account.

  1. Cut off sending. Ask the host to temporarily block outgoing SMTP for the account, or cut it yourself for the duration of the work: disable PHP's mail() through the disable_functions directive where the host lets you edit php.ini, and deactivate any SMTP plugin.
  2. Delete the script. Erase every illegitimate .php found in uploads and any identified backdoor. Don’t just empty the file’s contents, delete it.
  3. Handle the vulnerable extension. Update it if a fix exists, otherwise remove it and replace it with a maintained alternative.
  4. Change all passwords. WordPress admin, database, FTP/SSH, and the SMTP credentials if you use any. A mailer often goes hand in hand with compromised access.
  5. Reinstall the WordPress core at the same version, from an official source (wordpress.org), to overwrite any modified core file. That download contains neither wp-config.php nor your own wp-content, so those two have to be checked by hand.

Only reopen sending once these steps are done. If you have the slightest doubt about how thorough the cleanup was, follow the full guide for when WordPress is hacked: a mailer left in place always comes back.

Getting off blacklists and repairing deliverability

Once the site is clean, your domain and IP may stay penalized. Two tasks.

Blacklist removal

Test your domain and your server’s IP on a tool like MXToolbox. For each list (RBL) where you appear, follow the removal procedure given: most offer a delisting form. Removal is only granted if the spam sending has actually stopped, which is why cleaning first matters. Depending on the list, delisting takes anywhere from a few hours to a few days.

SPF, DKIM, DMARC

These three DNS records authenticate your mail and make it harder to impersonate your domain.

  • SPF — declares which servers are allowed to send for your domain.
  • DKIM — cryptographically signs outgoing messages with a key published under your domain, so recipients can verify the message came from an authorised sender and wasn't altered in transit.
  • DMARC — tells receiving servers what to do with a mail whose From domain is backed by neither a passing SPF nor a passing DKIM check, and where to send reports about it.

Without them, anyone can impersonate your address and your legitimate mail lands in spam more easily. With them in place, and a DMARC policy of quarantine or reject once your own mail passes, you rebuild your sending reputation and make impersonation of your domain far harder. Most hosts offer an assisted setup for these records.
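What the three records look like in DNS, and two offline sanity checks you can run on them before publishing, as an added example that is not part of the original article. The domain, the hosting provider's include, the DKIM selector and the reporting address are placeholders; your mail provider supplies the real values. The SPF check applies the limit of 10 DNS-querying mechanisms from RFC 7208 (receivers answer permerror beyond it) and flags a record that ends in +all (which authorises everyone) or has no all term at all; the DMARC check just reads the policy tag.

```bash
#!/bin/sh
# Added example: illustrative records plus offline sanity checks.
# Illustrative TXT records (placeholder names; your provider gives the real values):
#   yourdomain.example.                 TXT "v=spf1 mx include:_spf.hosting.example -all"
#   s1._domainkey.yourdomain.example.   TXT "v=DKIM1; k=rsa; p=<public key from your mail provider>"
#   _dmarc.yourdomain.example.          TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.example"

# Check an SPF record: count mechanisms that cost a DNS lookup (RFC 7208 caps them
# at 10, beyond which receivers return permerror) and inspect the final all term.
spf_check() {
    rec=$1
    lookups=0
    policy=""
    problems=""
    case $rec in
        "v=spf1"|"v=spf1 "*) ;;
        *) echo "not-spf"; return 0 ;;
    esac
    for term in $rec; do
        case $term in
            include:*|redirect=*|exists:*|ptr|ptr:*) lookups=$((lookups + 1)) ;;
            a|a:*|a/*|mx|mx:*|mx/*)                 lookups=$((lookups + 1)) ;;
            -all|~all|"?all"|+all|all)              policy=$term ;;
        esac
    done
    if [ "$lookups" -gt 10 ]; then problems="$problems too-many-lookups($lookups)"; fi
    case $policy in
        -all|~all) ;;                                           # fail or softfail: fine
        "")        problems="$problems missing-all" ;;          # no verdict for unknown senders
        *)         problems="$problems permissive-all($policy)" ;;  # +all / ?all: everyone passes
    esac
    if [ -z "$problems" ]; then
        echo "ok lookups=$lookups policy=$policy"
    else
        echo "weak:$problems"
    fi
    return 0
}

# Extract the DMARC policy tag: none only monitors; quarantine or reject acts.
dmarc_policy() {
    printf '%s\n' "$1" | tr ';' '\n' | sed -n 's/^[[:space:]]*p=[[:space:]]*//p' | head -n 1
    return 0
}

# Constructed records: a permissive one, an over-long one, and the corrected one.
SPF_WEAK="v=spf1 a mx include:_spf.hosting.example +all"
SPF_LONG="v=spf1 include:a.example include:b.example include:c.example include:d.example include:e.example include:f.example include:g.example include:h.example include:i.example include:j.example include:k.example -all"
SPF_GOOD="v=spf1 mx include:_spf.hosting.example -all"
DMARC_MONITOR="v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.example"
DMARC_ENFORCE="v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.example"

for r in "$SPF_WEAK" "$SPF_LONG" "$SPF_GOOD"; do
    printf '%s\n  -> %s\n' "$r" "$(spf_check "$r")"
done
for r in "$DMARC_MONITOR" "$DMARC_ENFORCE"; do
    printf '%s\n  -> p=%s\n' "$r" "$(dmarc_policy "$r")"
done
```

Start DMARC at p=none to collect reports, confirm your legitimate mail (the site's forms, your mailbox provider, any newsletter service) passes SPF or DKIM, then move to quarantine and finally reject; a reject policy published before your own senders pass will bounce your own mail.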

Finally, harden the install so you don’t replay the same scenario: that’s the point of hardening the site after the cleanup.

Frequently asked questions

Can my domain be blacklisted without my site being hacked? Yes, in a spoofing case: a third party impersonates your address and gets it blacklisted without ever touching your server. Check the host’s sending logs. No abnormal outgoing sends on your side? The site is probably clean, the problem is the impersonation, and SPF/DKIM/DMARC are your answer.

How long to get off a blacklist? A few hours to a few days after delisting, provided the spam sending has actually stopped. If you request removal before cleaning, you’ll be relisted right away.

Is deleting the guilty plugin enough? Rarely. The plugin is the entry point, but the attacker has almost always dropped an independent file that survives the uninstall. You have to find and remove that file on top.

If you’d rather not handle the server yourself, WP-Detox takes care of it. We run a free scan to confirm where the sending originates, back up the site before any action, then remove the mailer and the backdoor, deal with the vulnerable extension, and put proper authentication back in place. Count on about 30 minutes, €149 all-in, refunded if we can’t fix it.
