Minute 0 - bot finds your unpatched plugin, drops a 39-byte backdoor disguised as .access.log.php, deletes the dropper. No trace.
Minute 1 - hidden admin account named "WordPress Maintenance" that doesn't show in your user list.
Minute 2 - payload injected into wp_options disguised as a core update transient. Survives a full WordPress reinstall.
Minute 3 - WP-Cron job registered as "wp_site_health_check_update" that re-downloads the backdoor twice a day if you delete it.
Minute 4 - four more backdoors planted across uploads, cache, upgrade, and wp-admin directories. Each uses different obfuscation.
Minute 5 - your debug.log is surgically edited to remove any evidence.
Minute 7 - your site is registered in a botnet database. They know your PHP version, hosting type, and plugin count. Wordfence still shows green checkmarks.
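A defender's first pass over the file-based part of this pattern (minutes 0 and 4), as an added example that is not from the original write-up: it walks a WordPress tree and flags dot-prefixed PHP files, PHP under the uploads, cache and upgrade directories, and tiny PHP files that read request input. The directory list, the 64-byte cutoff and the sample tree are assumptions constructed for illustration.

```python
import os, re, tempfile

# Assumptions (not from the page): data directories where core ships no PHP,
# and a size cutoff wide enough to include a 39-byte stub.
DATA_DIRS = ("wp-content/uploads/", "wp-content/cache/", "wp-content/upgrade/")
TINY_BYTES = 64
REQUEST_INPUT = re.compile(rb"\$_(POST|GET|REQUEST|COOKIE)\b")

def scan(root):
    """Return sorted (relative_path, reasons) for PHP files worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                body = fh.read(TINY_BYTES + 1)
            reasons = []
            if name.startswith("."):
                reasons.append("hidden-dotfile")
            if rel.startswith(DATA_DIRS):
                reasons.append("php-in-data-dir")
            # Tiny files count only if they read request input, so the stock
            # "Silence is golden" index.php stubs are not reported.
            if len(body) <= TINY_BYTES and REQUEST_INPUT.search(body):
                reasons.append("tiny-request-stub")
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)

def build_sample_tree():
    """Create a constructed WordPress-like tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    samples = {  # constructed, inert file contents
        "wp-content/index.php": b"<?php\n// Silence is golden.\n",
        "wp-admin/.access.log.php": b"<?php /* inert placeholder */ $_POST;",
        "wp-content/uploads/2024/thumb.php": b"<?php /* inert */ ?>" + b" " * 80,
        "wp-content/plugins/demo/demo.php": b"<?php\n// plugin code\n" + b"#" * 200,
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reasons in scan(build_sample_tree()):
        print(rel, ",".join(reasons))
```

Caching plugins can legitimately write PHP under wp-content/cache, so treat `php-in-data-dir` hits there as leads to review rather than confirmed backdoors. The hidden admin account, wp_options payload and WP-Cron hook live in the database and need separate checks.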
I've cleaned hundreds of sites that followed this exact pattern. Wrote up the full breakdown with real (sanitized) code samples for each step:
How long do you think the average site owner takes to notice they've been compromised?