How We Recovered a Hacked WordPress Server in Under Two Hours
At 6:43am a client’s monitoring alert told us their site was redirecting visitors to a spam pharmacy page. By 8:30am the site was clean, hardened and back to normal. Here’s exactly how we handled the compromise — and what you can learn from it.
Step 1 — Contain before you clean
The first rule of incident response is to stop the bleeding. We put the site into maintenance mode, rotated all credentials (WordPress admins, database, SSH, FTP) and took an immediate forensic snapshot of the server before touching anything. That snapshot matters: it preserves evidence so you can understand the attack later.
Step 2 — Find the malware, not just the symptoms
The redirect was the symptom. The cause was a set of injected files and a database-level redirect. We scanned the filesystem for recently modified files and obfuscated PHP:
find /var/www -name "*.php" -mtime -7 -print
grep -rl "eval(base64_decode" /var/www
That surfaced three web shells and a malicious must-use plugin. We removed them, then checked wp_options and wp_posts for injected JavaScript and cleaned the database.
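The two one-liners above can be folded into a single read-only triage pass that also flags the two places web shells most often hide: PHP under wp-content/uploads/ and anything in wp-content/mu-plugins/. This is an added example, not the authors' tooling; it assumes the WordPress docroot is passed as `root`, and `build_sample_install()` writes a constructed mini-install with harmless stand-in content so the scanner can be tried offline.

```python
import os, re, tempfile, time
from pathlib import Path

# Signatures common in injected web shells and rare in legitimate code;
# the first mirrors the page's grep for eval(base64_decode.
OBFUSCATION = {
    "eval_base64": re.compile(rb"eval\s*\(\s*(?:gzinflate|str_rot13)?\s*\(?\s*base64_decode"),
    "preg_replace_e": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    "superglobal_call": re.compile(rb"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}

def triage(root, days=7):
    """Walk a WordPress docroot (wp-config.php lives at `root`) and return
    sorted (reason, relative_path) pairs worth a human look. Read-only."""
    root, cutoff, findings = Path(root), time.time() - days * 86400, set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        is_php = path.suffix.lower() in (".php", ".phtml", ".phar")
        # 1. PHP under uploads/ should never exist; that tree holds media only.
        if is_php and rel.startswith("wp-content/uploads/"):
            findings.add(("php_in_uploads", rel))
        # 2. Must-use plugins run on every request with no activation; list each.
        if rel.startswith("wp-content/mu-plugins/"):
            findings.add(("mu_plugin", rel))
        # 3. PHP modified inside the window (the page's find -mtime -7).
        if is_php and path.stat().st_mtime >= cutoff:
            findings.add(("recently_modified", rel))
        # 4. Obfuscation signatures (the page's grep -rl "eval(base64_decode").
        data = path.read_bytes() if is_php else b""
        for name, pattern in OBFUSCATION.items():
            if pattern.search(data):
                findings.add(("obfuscation:" + name, rel))
    return sorted(findings)

def build_sample_install(dest=None):
    """Write a constructed mini-install (harmless stand-ins, not real malware)."""
    dest = dest or tempfile.mkdtemp(prefix="wp-triage-")
    files = {  # relative path: (content, age in days)
        "index.php": (b"<?php require 'wp-blog-header.php';", 0),
        "wp-includes/clean.php": (b"<?php echo 'ok';", 30),
        "wp-content/mu-plugins/loader.php": (b"<?php // benign\n", 30),
        "wp-content/uploads/2024/05/cache.php": (b"<?php eval(base64_decode('aGk='));", 1),
    }
    for rel, (data, age) in files.items():
        p = Path(dest, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (time.time() - age * 86400,) * 2)
    return dest
```

Run `triage("/var/www/html")` on the forensic snapshot rather than the live tree, and treat every hit as a lead to confirm by hand, not as a verdict.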
Step 3 — Close the door they came through
Cleaning a site without finding the entry point guarantees re-infection. Access logs pointed to an outdated plugin with a known file-upload vulnerability. We patched it, updated core and every plugin, and removed two abandoned plugins entirely.
Step 4 — Harden so it can’t happen again
- Disabled PHP execution in the uploads directory
- Locked file permissions and disabled the file editor in wp-admin
- Added a web application firewall and rate-limited the login page
- Enabled 2FA for all administrators
- Checked whether Google had blacklisted the domain and requested a review where needed
Speed matters in a compromise, but so does method. Containing, cleaning, finding the root cause and hardening — in that order — is what turns a potential disaster into a footnote.
Need this handled for you?
Server Wizards looks after Linux infrastructure so you don’t have to — proactively, and around the clock.
