Introduction
Imagine waking up one morning to dozens of panicked emails from customers: "Your website is redirecting me to strange pharmacy ads!" Or worse, seeing Google's dreaded warning: "This site may be hacked." That's exactly what happened to one of my recent clients—a mid-sized e-commerce store built on WordPress.
The site had been running smoothly for years, generating steady revenue. Suddenly, traffic dropped by over 70%, Google de-indexed several pages, and the client risked permanent reputation damage. They reached out in desperation, and within 48 hours, the site was clean, secure, and back to normal.
In this article, I'll walk you through the exact process I followed to diagnose and remove the malware—a real-world case study (with details anonymized for privacy). As a cybersecurity specialist with 3+ years in ethical hacking and ongoing training at Arena Web Security, I've cleaned dozens of compromised WordPress sites. This guide combines manual techniques with reliable tools, so you can learn how to handle similar incidents.
Whether you're a site owner, developer, or fellow security enthusiast, you'll find actionable steps here. Let's dive in.
Recognizing the Symptoms
The client first noticed issues when their analytics showed unusual spikes in bounce rates and redirects to unrelated domains (mostly pharmaceutical spam—a classic "pharma hack").
Common red flags included:
Google Search Console alerts about deceptive pages
Unknown admin users in the WordPress dashboard
Suspicious files appearing in the theme folder with recent modification dates
Site loading slowly or displaying Japanese keywords (another common SEO spam indicator)
Emails from the server about high resource usage
These are textbook signs of a compromised site. If you see any of these, act immediately—delays allow attackers to entrench deeper.
Initial Assessment and Preparation
My first priority was preventing further damage.
Took full control: Requested WP admin credentials, hosting cPanel/FTP access, and database details.
Created a complete backup: Used UpdraftPlus to back up files and database to an offsite location (Google Drive). I also took a manual ZIP of the entire site via FTP as a secondary backup.
Put the site in maintenance mode: Installed a simple maintenance plugin to block visitors while working.
Ran preliminary scans:
Sucuri SiteCheck (free online scanner)—confirmed malware presence
VirusTotal scan on suspicious files
Wordfence free scan from inside WordPress
The scans revealed obfuscated PHP code in theme files and malicious entries in the database.
Identifying the Infection Source
Digging deeper revealed the entry point: a nulled (pirated) premium plugin the client had installed months earlier. Nulled plugins often contain hidden backdoors.
Key findings:
Malicious code in functions.php using base64_decode and eval to execute remote payloads
Injected scripts in the database (wp_posts and wp_options tables), creating hidden spam pages
A backdoor file disguised as a core WordPress file (e.g., wp-feed.php with extra code)
I used:
Local code search with grep -r "eval(" and grep -r "base64_decode".
WPScan CLI for vulnerability scanning:
wpscan --url example.com --api-token YOUR_TOKEN
Manual inspection of recently modified files via FTP
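The three checks above (the eval/base64_decode grep, the recently-modified-files review and the hunt for fake core files) as one triage script. This is an added example, not the author's script; the sample site tree it builds is constructed so it runs offline, and the list of fake file names is taken from this case only.

```shell
#!/bin/sh
# Triage scan for a WordPress tree: the eval/base64_decode grep, the
# recently-modified-files check and the fake-core-file check from the
# article, as an added example. Not the author's script; the sample tree
# below is constructed so the script runs offline.

# Indicators of the obfuscated droppers found in this case (extended regex).
SUSPECT_PATTERNS='eval\(|base64_decode\(|gzinflate\(|str_rot13\('

# Print PHP files under $1 whose contents match SUSPECT_PATTERNS, one per line.
scan_suspect_code() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPECT_PATTERNS" {} + | sort
}

# Print files under $1 modified within the last $2 days (default 7).
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" | sort
}

# File names that are not part of WordPress core but appeared as backdoors here.
KNOWN_FAKE_FILES='wp-feed.php hello.php'
find_fake_core_files() {
    for name in $KNOWN_FAKE_FILES; do
        find "$1" -type f -name "$name"
    done | sort
}

# Constructed sample site: one clean theme file, one infected one, one fake core file.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/themes/shop" "$dir/wp-includes"
    printf '<?php add_theme_support("title-tag");\n' > "$dir/wp-content/themes/shop/functions.php"
    # Same shape as the dropper on the client site; the payload is a placeholder.
    printf '<?php @eval(base64_decode("PAYLOAD_PLACEHOLDER")); ?>\n' > "$dir/wp-content/themes/shop/header.php"
    printf '<?php echo "feed"; ?>\n' > "$dir/wp-feed.php"
    printf '<?php // genuine core file ?>\n' > "$dir/wp-includes/version.php"
    echo "$dir"
}

# Run all three checks against a site root and print a short report.
triage_report() {
    echo "== suspect code =="; scan_suspect_code "$1"
    echo "== fake core files =="; find_fake_core_files "$1"
    echo "== modified in the last 7 days =="; recently_modified "$1" 7
}

triage_report "$(make_sample_site)"
```

Point the functions at the real document root instead of the sample tree; matches in wp-content/uploads or in files whose modification time does not line up with a known deployment deserve a manual look first.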
The Cleanup Process—Step by Step
Here's the exact cleanup workflow:
Replaced core files: Downloaded a fresh WordPress copy matching the site's version and overwrote /wp-admin and /wp-includes folders (never overwrite wp-content or wp-config.php blindly).
Removed compromised plugins/themes:
Deleted the nulled plugin entirely
Replaced the active theme with a fresh copy from the official repository
Manual file cleanup:
Searched for and removed obfuscated code blocks like:

```php
<?php @eval(base64_decode("malicious_payload_here")); ?>
```
Deleted fake files like wp-feed.php, hello.php, etc.
Database cleanup:
Exported the database
Searched for suspicious strings (e.g., eval(), base64_, spam URLs)
Removed malicious rows from wp_posts, wp_postmeta, and wp_options
Example SQL to find spam posts:

```sql
SELECT * FROM wp_posts WHERE post_content LIKE '%viagra%' OR post_content LIKE '%<script%';
```
Password reset: Changed all passwords—WordPress admin, database user, and hosting/FTP.
Updates and patches: Updated WordPress core, all plugins, and themes to the latest versions.
Final re-scan: Ran Wordfence and Sucuri again—clean!
Post-Cleanup Hardening
Cleaning isn't enough—I implemented prevention measures:
Installed and configured Wordfence Premium (firewall + real-time scanning)
Enabled 2FA with Google Authenticator
Changed file permissions (755 for folders, 644 for files)
Added security keys to wp-config.php
Disabled file editing in dashboard
Changed login URL with WPS Hide Login
Set up automatic backups
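The permission reset and the "disable file editing" step from the list above, written out as shell helpers with a verification check. This is an added example rather than the author's own commands; the sample tree is constructed, and DISALLOW_FILE_EDIT is the real WordPress constant behind the dashboard setting.

```shell
#!/bin/sh
# Hardening helpers for the 755/644 permission reset and the "disable file
# editing" step from the article. Added example; the sample tree is constructed.

# Apply the article's scheme: 755 on directories, 644 on files.
reset_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Count entries that deviate from the scheme; 0 means the tree is compliant.
count_permission_drift() {
    d=$(find "$1" -type d ! -perm 755 | wc -l | tr -d ' ')
    f=$(find "$1" -type f ! -perm 644 | wc -l | tr -d ' ')
    echo $((d + f))
}

# Succeed when wp-config.php sets DISALLOW_FILE_EDIT to true, the WordPress
# constant that removes the theme/plugin editor from the dashboard.
file_editing_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

# Insert the constant before the "stop editing" marker WordPress ships in
# wp-config.php, so it is defined before wp-settings.php loads. Idempotent.
disable_file_editing() {
    cfg="$1/wp-config.php"
    file_editing_disabled "$1" && return 0
    awk -v line="define('DISALLOW_FILE_EDIT', true);" \
        '/stop editing/ && !done { print line; done = 1 } { print }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
}

# Constructed sample site with over-permissive modes and an editable config.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    printf '<?php echo "ok";\n' > "$dir/wp-content/uploads/index.php"
    chmod 777 "$dir/wp-content/uploads"
    chmod 666 "$dir/wp-content/uploads/index.php"
    printf "<?php\ndefine('DB_NAME', 'shop');\n/* That's all, stop editing! Happy publishing. */\n" \
        > "$dir/wp-config.php"
    echo "$dir"
}

site=$(make_sample_site)
reset_permissions "$site" && disable_file_editing "$site"
echo "permission drift after hardening: $(count_permission_drift "$site")"
```

Many hosts recommend tightening wp-config.php beyond the 644 scheme (for example 600), since it holds the database credentials; check what the PHP process on your host needs before going stricter.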
Results and Key Lessons
Within 24 hours, the site was clean. Google removed the warning after I submitted a review request in Search Console (took ~48 hours total).
Key takeaways:
Never use nulled/pirated plugins or themes—they're the #1 infection vector
Regular updates and backups are non-negotiable
One vulnerability can cost thousands in lost revenue
Professional cleanup is faster and safer than DIY attempts
Final Thoughts
This case reminded me how vulnerable even established WordPress sites can be. The good news? Most infections are fixable with the right approach.
If your site is showing similar symptoms or you want a professional security audit, malware cleanup, or penetration test, I'm here to help.
Check out my services on Fiverr:
https://www.fiverr.com/mahbubulhaqu817/wordpress-malware-removal-and-fix-hacked-wordpress-security
Have you ever dealt with a hacked WordPress site? Share your experience in the comments—let's learn together!