The Problem
A UK digital marketing agency discovered their WordPress site had been compromised — Google Search Console showed security warnings, Cloudflare was flagging malicious redirects and the agency's hosting provider had suspended the account due to spam email sending from the server.
The client had lost two enterprise contracts in 48 hours because the security warning was being shown to their own clients. Google had blacklisted the domain.
Our Investigation
Our security team gained access and immediately found a sophisticated multi-component backdoor:
- A PHP webshell hidden inside a WordPress default theme (Twenty Twenty-One) — disguised as a CSS cache file
- A malicious cron job running every 5 minutes sending spam email via Sendmail
- Base64-encoded malware injected into 47 plugin PHP files
- A rogue admin user account created 3 weeks earlier by exploiting a vulnerability in an outdated Elementor add-on
- Database entries in wp_options containing obfuscated JavaScript redirects
The Cleanup
- Immediately took the site offline and revoked all database credentials
- Ran ClamAV full scan — identified 312 infected files
- Manually reviewed every PHP file — removed all backdoors and injections
- Deleted all default themes not in use
- Restored wp-core, wp-admin and wp-includes from fresh WordPress download
- Removed rogue admin account and all suspicious database entries
- Rotated all credentials: database, admin, SFTP and the WordPress secret keys
- Implemented WAF rules, Fail2Ban for wp-login and file change monitoring via AIDE
- Submitted reconsideration request to Google
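A small triage scanner for two of the file-level indicators found above (a PHP tag inside a file that should be a static asset, such as the webshell disguised as a CSS cache file, and eval/base64 chains inside plugin PHP files), to narrow the manual review step. This is an added example, not the agency's tooling; the sample tree, file names and detection patterns are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators matching the findings above: a PHP tag inside a file that should be
# a static asset (the "CSS cache" webshell) and eval/base64 chains in plugin PHP.
# Patterns are constructed for this example and miss more careful obfuscation.
OBFUSCATION_PATTERNS = {
    "eval-decode-chain": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "long-base64-blob": re.compile(
        rb"(?:base64_decode|gzinflate)\s*\(\s*['\"][A-Za-z0-9+/=]{120,}"),
}
PHP_TAG = re.compile(rb"<\?php\b|<\?=")
STATIC_EXTS = {".css", ".js", ".txt", ".ico", ".png", ".jpg", ".gif", ".svg"}

def scan_file(path: Path) -> list[tuple[str, int]]:
    """Return (indicator, line_number) pairs found in one file."""
    data = path.read_bytes()
    findings = []
    if path.suffix.lower() in STATIC_EXTS:
        for m in PHP_TAG.finditer(data):
            findings.append(("php-in-static-file", data.count(b"\n", 0, m.start()) + 1))
    for name, pattern in OBFUSCATION_PATTERNS.items():
        for m in pattern.finditer(data):
            findings.append((name, data.count(b"\n", 0, m.start()) + 1))
    return findings

def scan_tree(root: Path) -> dict[str, list[tuple[str, int]]]:
    """Walk a WordPress install and map relative paths to their findings."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (hits := scan_file(path)):
            report[path.relative_to(root).as_posix()] = hits
    return report

def build_sample_site() -> Path:
    """Write a constructed mini WordPress tree (clean and infected files) to a temp dir."""
    root = Path(tempfile.mkdtemp())
    files = {
        "wp-content/themes/twentytwentyone/style.css": b"body { margin: 0; }\n",
        "wp-content/themes/twentytwentyone/cache/style.cache.css":
            b"/* cache */\n<?php /* constructed: PHP tag where only CSS belongs */ ?>\n",
        "wp-content/plugins/demo/demo.php": b"<?php\nadd_action('init', 'demo_init');\n",
        "wp-content/plugins/demo/inc/loader.php":
            b"<?php\n$x = 1;\neval(base64_decode('" + b"QUJD" * 40 + b"'));\n",
    }
    for rel, content in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(content)
    return root
```

Run `scan_tree(Path("/var/www/html"))` against the real document root; every hit still needs a human to read the file, but clean core and plugin files drop out quickly.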
Results
Google's blacklist warning was lifted within 48 hours. The hosting suspension was resolved the same day. The site has had zero reinfections since — AIDE file monitoring alerts us immediately to any unauthorised changes.