
The Situation: A long-term client’s WordPress site was stuck in a re-infection cycle. The hosting provider had attempted to fix the site – twice – by reinstalling core files. But within hours, the site would crash again or start generating hundreds of spam posts. The client was losing business and credibility.
The Forensic Investigation
While the host’s automated scanners looked for “known viruses,” I performed a manual forensic audit. The discovery was startling. The automated “fix” had left the backdoors wide open:
Unauthorized Administrators: Two unauthorized, active admin accounts were allowing hackers to walk right back in.
The Hidden “Master Key”: I found a compromised Application Password called “auto-bootstrap”. This allowed automated scripts to post spam content without ever needing the authorized admin accounts’ actual password.
Lingering Malware: Manual directory checks revealed malicious files (like admin.php in the /themes/ directory) that the host’s automated tools completely missed.
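As an added illustration of the manual directory checks described above (this script is not from the original case study, and it is not the author's tooling), the following Bash triage lists PHP files in places a standard WordPress install never puts them, plus theme or plugin files using runtime code-loading constructs. It assumes the standard WordPress layout under the site root passed as $1; the sample tree it was checked against is constructed, and the admin-account and application-password review from the audit still needs database access (for example WP-CLI's `wp user list --role=administrator` and `wp user application-password list <user>`), which this file-level pass does not cover.

```bash
#!/usr/bin/env bash
# Added example, not from the original case study: a read-only triage of a
# WordPress install that looks for the kind of file an automated scanner missed.
# $1 is the site root; the directory layout assumed is WordPress's standard one.
set -eu

# PHP files in places WordPress never puts them: the media uploads tree, and
# loose files at the top of wp-content/themes or wp-content/plugins (real themes
# and plugins live in their own subdirectory). Core ships a placeholder index.php
# ("Silence is golden") in those two directories, so that one name is excluded.
find_unexpected_php() {
    local root="$1"
    find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
    find "$root/wp-content/themes" "$root/wp-content/plugins" -maxdepth 1 \
        -type f -name '*.php' ! -name 'index.php' 2>/dev/null || true
}

# Theme/plugin PHP files containing eval()/base64_decode()/gzinflate()-style
# constructs. Legitimate code occasionally uses them, so this is a review list,
# not a verdict; a file that appears on both lists deserves immediate attention.
find_obfuscated_php() {
    local root="$1"
    grep -rlE 'eval\(|base64_decode\(|gzinflate\(|str_rot13\(' \
        --include='*.php' "$root/wp-content" 2>/dev/null || true
}

# Combined report, one tagged path per line. Returns 1 if anything was found so
# it can gate a post-cleanup verification run; returns 0 on a quiet tree.
triage() {
    local root="$1" report
    report="$( {
        find_unexpected_php "$root" | sed 's/^/UNEXPECTED-LOCATION /'
        find_obfuscated_php "$root" | sed 's/^/SUSPICIOUS-CONTENT  /'
    } )"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

if [ "$#" -ge 1 ]; then
    triage "$1" || { echo "review the files above before declaring the site clean"; exit 1; }
fi
```

Run it as `./wp-triage.sh /var/www/site` before and after a cleanup; a non-zero exit after cleanup means something was left behind. The content check is intentionally broad (it will list some legitimate plugins), which is the right trade-off during an incident: a short list a human reviews beats a scanner that only knows yesterday's signatures.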
The Solution (The Hardening Process)
Cleaning the files was only the first step. To ensure the site stayed clean, I implemented a “hardening” protocol:
Access Revocation: I deleted the unauthorized admin accounts and revoked the compromised application passwords.
SALT Reset: I replaced the site’s secret security keys, which effectively logged out anyone currently connected to the site illegally.
Environment Upgrade: I modernized the site’s infrastructure by upgrading the PHP version from 5.6 to 8.1, closing years of legacy security holes.
Operational Lockdown: I disabled the internal file editor via the wp-config file, so that even if a hacker gained entry, they could no longer inject code into the theme files.
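The salt reset and the file-editor lockdown are both edits to wp-config.php, and doing them by hand is where typos creep in. The Bash script below is an added example (not the author's script from the engagement) that performs those two steps and then verifies them. It assumes the define() line format of WordPress's own wp-config-sample.php and takes the path to wp-config.php as $1; the configuration it was checked against is a constructed sample, not the client's file.

```bash
#!/usr/bin/env bash
# Added example, not the original author's script: automates two hardening
# steps, rotating the eight WordPress secret keys/salts in wp-config.php and
# defining DISALLOW_FILE_EDIT. $1 is the path to wp-config.php; the define()
# line format assumed is the one WordPress's wp-config-sample.php uses.
set -eu

# The eight constants WordPress uses to sign auth cookies and nonces. New values
# invalidate every existing session cookie, which is the "log everyone out" effect.
WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character secret from the kernel RNG. The character set deliberately
# has no quote or backslash so the value can sit inside a single-quoted PHP string.
new_salt() {
    head -c 4096 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' | head -c 64
}

# Rewrite the define() line for one key with a fresh secret; other lines untouched.
replace_salt() {
    local cfg="$1" key="$2" secret="$3"
    awk -v k="$key" -v s="$secret" -v q="'" -v dq='"' '
        # match a define() for this key whether it is single- or double-quoted
        index($0, "define") && (index($0, q k q) || index($0, dq k dq)) {
            print "define( " q k q ", " q s q " );"
            next
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Insert DISALLOW_FILE_EDIT just before the "That's all, stop editing!" marker
# (WordPress must see it before wp-settings.php loads), or append it if the
# marker is missing. A no-op when the constant is already defined.
disable_file_editor() {
    local cfg="$1"
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then return 0; fi
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
        /^\/\* That.s all, stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

harden_wp_config() {
    local cfg="$1" key
    for key in $WP_SALT_KEYS; do
        replace_salt "$cfg" "$key" "$(new_salt)"
    done
    disable_file_editor "$cfg"
}

# Post-check: no sample placeholder left, every key present with a 64-char
# value, editor disabled. Non-zero on any failure so it can gate a deploy step.
check_hardened() {
    local cfg="$1" key
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" || return 1
    if grep -q 'put your unique phrase here' "$cfg"; then return 1; fi
    for key in $WP_SALT_KEYS; do
        # fields split on the single quote: $2 is the constant name, $4 its value
        awk -F"'" -v k="$key" '$2 == k { found = 1; if (length($4) != 64) bad = 1 }
            END { if (found && !bad) exit 0; exit 1 }' "$cfg" || return 1
    done
}

if [ "$#" -ge 1 ]; then
    harden_wp_config "$1" && check_hardened "$1" && echo "hardened: $1"
fi
```

Back up wp-config.php before running this, because the old salts are gone once it finishes. Where WP-CLI is available, `wp config shuffle-salts` and `wp config set DISALLOW_FILE_EDIT true --raw` do the same two edits; the script above is useful on hosts where you only have file access, and its check_hardened function is the part worth keeping in any case, since a re-infection cycle is exactly the situation where "I think I changed that" is not good enough.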
The Result
The site was successfully transitioned from being in a compromised state to a fully hardened environment. Final validation through deep forensic scans confirmed a Zero-Threat status. The client now has a stable, secure digital foundation that meets the high standards required by their legal and corporate partners.
The Lesson
Automated tools are a great start, but they’re no substitute for a manual security incident response. Standard malware removal is like closing a door; true security is like changing the locks. If you don’t address how the hackers are getting in, the protection is only temporary.
Is your site stuck in a hack/fix cycle? Contact me for a Security Audit today.