The situation
A trades business found out their website was hacked the way most do: a customer mentioned that Google was showing a red warning page. The WordPress site had been quietly compromised through an outdated plugin and was serving spam to search engines while looking normal to the owner.
What we did
Recovery first: the malware was located and removed, the vulnerable plugin closed off, every password rotated, and Google’s review process pushed through until the warning cleared. The site’s rankings — years of accumulated local search value — came through intact.
Then the honest conversation: this site had a dozen plugins doing what a modern site does with none. Rather than sign the owner up for an eternal patching subscription, we rebuilt it as a fast, static site with the same content, the same URLs and nothing left to compromise.
The outcome
The site loads faster than it ever did, the maintenance line item is gone from the budget, and the next plugin vulnerability announcement is somebody else’s problem. This is the WordPress Exit Strategy in its natural habitat — recovery is how the conversation starts; removing the risk permanently is how it should end.