Hi, BHW members, First of all, thank you all BHW members who gave me advice and helped me solve the login problem. The thread: http://www.blackhatworld.com/seo/help-is-my-wordpress-website-attacked.845413/ Let me explain my problem: 1, I noticed that my site has lots of urls which were not created by me, I didn't know what they are and how to describe the problem at that moment. After resolving the login problem, I found in my wordpress account that there were two more users besides me (I didn't add them myself). All I know is my site has been hacked. 2, I found that there are suddenly numerous irrelevant backlinks (according to Ahrefs and Majestic) pointing to my site (actually pointing to these hacker's urls), those backlinks started from 16, 05, 2016. It is increasing everyday. These hacker's urls are like this: http://www.mysite.com/?q=irrelevant-keyword When I click these hacker's urls, they redirect to other websites related to the irrelevant-keyword. It seems the hacker didn't create a real page on my site for his url, he just use it to redirect to other site. Then, the hacker created lots of backlinks pointing to these urls. (google search console, Ahrefs and Majestic) Finally, I received emails in my google webmaster account that shows: URL Injection. I eventually know what these urls are and what the problem is. The actions I have taken: 1, I changed the WP password; 2, I deleted the two unknown users; 3, I use CloudFlare to protect my site. Now, when I click these hacker's urls, They don't redirect to other site any more. They show my homepage. But these urls and these backlinks are still there. Google asks me to clean my site and then submit a reconsideration request. My questions: 1, What should I do to remove these hacker's urls from my site properly? 2, What about those backlinks pointing to these urls? 3, How to better protect my site from being hacked? Thank you in advance!