WP Munk > Blog > WordPress Tutorials > Spam Emails being sent from your WordPress site? Here’s how you can fix it.

Spam Emails being sent from your WordPress site? Here’s how you can fix it.

Whatever your business, there is nothing customers hate more than spam. If you run a subscriber-driven business, your customers have trusted you with their personal information so they can avail of special offers, discounts, or product updates. But what if,  instead, they start receiving spam from your official email address? 

This can destroy all your hard-earned reputation and wipe off months and years of work  in a matter of a few hours. It can eventually lead to your customers taking their business elsewhere never to return!

But how are your customers bombarded with spam emails in the first place? The most likely possibility is that your WordPress website has been hacked, and your data has been compromised. Once your site is hacked, hackers can easily use your official email address to repeatedly send spammy or malicious emails to your customers. Fortunately, there is a way to fix this. In this article, we show you how. 

What Are The Immediate Measures You Should Take

Before you begin fixing the hack, your immediate priority should be towards damage control with your customers. Here are some of the immediate measures that you can take:

  • Send out a well-worded apology email to all your customers, while also mentioning that you are trying to fix the problem on a war footing. Advise them to ignore all such spam emails and delete them from their Inbox.
  • Check out all your user accounts on the wp-admin panel. Disable all your current user accounts temporarily until you find a fix. Also, check if any new or unidentified user has been added and remove the user immediately.
  • Contact your official email provider to ensure that further outgoing emails are blocked from your company’s email address.
  • If you have a professional customer support or servicing team, notify them of the problem and prepare them to handle urgent calls and queries from customers.

How to Fix the Spam Email Problem?

Now that that’s out of the way, let’s understand how you can get rid of the spam email problems and remove this malware from your website. Having said that, it is not just enough to fix the problem, you also need to ensure that such an attack is not successful the next time around. There are primarily two methods you can use to fix the spam email issue:

  • With a security plugin: This is a faster and more fool-proof  method of getting rid of spam email forever.
  • Manually: This is recommended only if you are an advanced user with some WordPress know-how and prior experience. 

We will discuss each of these methods in detail in the following sections. But before you implement either of the methods, we recommend you take a complete website and database backup. An easy way to do this is to use a backup plugin like BlogVault to back up an entire site in less than five minutes.

With a Security Plugin

No matter which type of malware attacks your website, security plugins like MalCare or Sucuri can counter them effectively. That is the popularity of the WordPress platform – you always have a host of tools designed for them.

Why are security plugins more effective when it comes to malware detection and removal? Mainly because they are easy to use and do a thorough job of detecting and cleaning malware. For instance, let us see how easy it is to fix your spam email problem using the MalCare tool:

  1. The first step you need to perform is to sign up on MalCare using your email ID. .
  2. The next step is to sign in to your account, add your URL, and install the security plugin for your site.
  3. Once you have installed it, the MalCare automatically starts scanning your website and database for malware infections. This will not take more than a few minutes. Once the scanning is complete, it displays the total number of infected files in the “Security” section of your dashboard.
  1. The final step is to click the “Auto-Clean” button and clean all your infected files.

Just a few more minutes and you will get a clean and fresh website. You can then set up periodic scans for your site so malware is easily detected the next time around. 

Security plugins like MalCare also have other features such as an inbuilt firewall that provides continuous protection to your site by examining every IP request to your site and blocking out suspicious IDs or those with a history of malicious behaviour. It also offers WordPress recommended hardening measures that can protect you from hacks like WP-VCD, Pharma Hack and Japanese Keyword Hack.

(Source: MalCare website)

Manual Method

Before we begin, a note of caution- manual methods are quite risky because even a single error like accidental deletion of critical backend code can break your entire website. 

  1. The first step is to scan your Core WP files and see if they have been infected. For this, you need to compare them with the original Core files with the same version. Here are the main steps:
    1. Download your entire WordPress installation folder to your computer – using an FTP tool like FileZilla.
    2. Download a fresh WP file from the WordPress.org site – one with the same version as your installation.
    3. For comparing the two sets of Core files, use a tool such as Diffchecker that compares each file, and reports any mismatch.
    4. If there is any mismatch, then replace your Core WP file with the corresponding file from the other set – or a pre-infection backup.
  1. The next step is to check for any hidden backdoors in your installation. Backdoors are malicious code inserted by hackers into legitimate files – and can result in your website getting hacked even after a complete clean-up.
  1. For this step, check for PHP functions such as eval, preg_replace, base64_decode, or str_rot13 in your backend installation files.
  2. If you find any unknown or malicious code, then remove them immediately.
  3. Hackers can also take control of your Admin user account to add their users. The third step is to check and remove any Admin user accounts that you have not created.
  4. Apart from the Core files (as discussed in Step 1), you also need to scan each of your installed plugins and themes for any malware code.
    1. Like Step 1, use the Diffchecker tool to compare your installed plugins/themes with new plugin/theme files with the same version.
    2. Replace any modified plugin/theme from your installation with the corresponding plugin/theme file from a fresh download – or your backup.
  5. The final manual step is to check for any malware code in your database.
    1. Use a database tool like phpMyAdmin to search for keywords like <script>, eval, or base64_decode in your database tables.
    2. If found, simply remove the malware code or the database record.

Even if you are an experienced WordPress professional, you need to perform these five manual steps carefully to avoid any mistake that can cause your website to malfunction. As you can see, most pf these steps are repetitive and can mean a significant investment of time and effort. 

Additional Measures to Take

As mentioned earlier, it is not just sufficient to fix the spam email problem on your website; you also need to ensure that such attacks do not happen again in the future.

How do you do that? As a rule of thumb, always keep your site updated to the latest available version. That ensures that hackers have no known vulnerabilities to take advantage of. 

Other measures that you can take to fortify your website include:

  • Installing a website firewall that can block all unwanted requests to your web server.
  • Using two-factor authentication (2FA) to secure your login page.
  • Installing a security plugin like MalCare to scan and remove malware regularly from your website.
  • Installing an SSL certificate for your website.
  • Strengthening the login credentials for all users.


While spam might seem rather commonplace today, customers today have very little tolerance for it. If your website is spamming your customers because of a hack, you need to act fast. You could try MalCare’s emergency cleanup services to immediately take action to clean your site. 

In the long term, make website security a part of your regular website maintenance plan. Or, you could invest in a security plugin to take this off your to-do list.  Not only does a security plugin protect your site, it also lets you take immediate action in case anything slips through the cracks and affects your site.  

Have you ever faced the spam email problem on your website? How did you deal with it? We would love to hear your comments and suggestions, so do post them in the section below.

About The Author

Akshat Choudhary

Akshat Choudhary is the Founder and CEO of BlogVault, and MalCare - successful WordPress plugins designed for complete website management and security against website hacks. Akshat's core belief when building any product is to ensure the end-user doesn't need assistance and to assist them in the best possible manner if they do.

More free templates for download at: Google Slides Themes

Copyright © 2020 WP Munk.
Built with Munk and Powered by WordPress.