WordPress Malware Removal & Security Setup
Cleaned a WooCommerce store displaying Google red warning screens, securing files and database against backdoor re-infections.
Website suspended by hosting provider; visitor browsers blocked by Google with 'Deceptive Site Ahead' warnings due to 1,200+ injected files.
All malware files purged, database sanitized, firewalls configured, Google blacklist warnings cleared, and hosting account active.
The Challenge
An online store owner woke up to find their WooCommerce site suspended by their hosting provider for CPU resource exhaustion. When visitors did reach it, Google Chrome showed a full-screen red interstitial reading 'The site ahead contains malware'. The owner was losing hundreds of dollars of sales every hour.
Technical Diagnosis
I requested SSH access to the server. Command-line checks and inspection of file timestamps revealed:
- Over 1,200 PHP files in wp-content/uploads containing base64-encoded web shell backdoors (e.g. eval(base64_decode(...))).
- Malicious redirects in the root .htaccess file sending mobile users to spam gambling domains.
- Rogue administrator accounts added directly to the wp_users database table.
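The three findings above are what a first SSH triage should look for on any compromised WordPress install, so here they are as reusable shell checks. This is an added example, not the commands run on the client's server: the miniature site it builds under a temp directory is constructed (the spam.example domain is a placeholder), and the eval/base64_decode signature only catches the obfuscation family quoted above, which is why the "any PHP under uploads" check runs alongside it.

```shell
#!/usr/bin/env bash
# Added example (not the case study's own commands): the triage checks described
# above as shell functions, plus a constructed miniature site to run them against.

# Any PHP-like file under uploads is suspect: that tree should hold media only.
find_php_in_uploads() {            # find_php_in_uploads UPLOADS_DIR
  find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \)
}

# Files containing the obfuscated-eval pattern from the diagnosis (and common siblings).
# This is a signature check only; other obfuscations will slip past it.
find_backdoor_signatures() {       # find_backdoor_signatures DIR
  grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' "$1" || true
}

# A rewrite conditioned on the User-Agent that sends traffic to an external URL
# is the mobile-redirect pattern; a stock WordPress .htaccess has neither part.
htaccess_has_ua_redirect() {       # htaccess_has_ua_redirect FILE ; exit 0 if found
  grep -qiE 'RewriteCond[[:space:]]+%\{HTTP_USER_AGENT\}' "$1" &&
  grep -qiE 'RewriteRule[[:space:]].*https?://' "$1"
}

# Files changed in the last N days; an injection wave clusters on one date.
recently_modified() {              # recently_modified DIR DAYS
  find "$1" -type f -mtime "-$2"
}

# Constructed sample site (not real data): one signatured backdoor, one PHP file
# with no signature, one image, a redirecting root .htaccess and a clean one.
build_sample_site() {              # prints the temp directory path
  local site; site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads/2024/03"
  printf '<?php eval(base64_decode("...")); ?>\n' > "$site/wp-content/uploads/2024/03/wp-cache.php"
  printf '<?php include "x.txt"; ?>\n' > "$site/wp-content/uploads/2024/03/view.php"
  printf 'not really a jpeg\n' > "$site/wp-content/uploads/2024/03/photo.jpg"
  printf '%s\n' 'RewriteEngine On' \
    'RewriteCond %{HTTP_USER_AGENT} (android|iphone) [NC]' \
    'RewriteRule ^(.*)$ http://spam.example/ [R=302,L]' > "$site/.htaccess"
  printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' 'RewriteBase /' \
    'RewriteRule ^index\.php$ - [L]' 'RewriteCond %{REQUEST_FILENAME} !-f' \
    'RewriteCond %{REQUEST_FILENAME} !-d' 'RewriteRule . /index.php [L]' '# END WordPress' \
    > "$site/clean.htaccess"
  printf '%s' "$site"
}

# Run every check against a site root and print a short report.
triage() {                         # triage SITE_ROOT
  local site="$1"
  echo "== PHP files under uploads";      find_php_in_uploads "$site/wp-content/uploads"
  echo "== obfuscated-eval signatures";   find_backdoor_signatures "$site/wp-content/uploads"
  echo "== root .htaccess"
  if htaccess_has_ua_redirect "$site/.htaccess"; then echo "user-agent redirect present"; else echo "no user-agent redirect"; fi
  echo "== modified in the last 7 days";  recently_modified "$site/wp-content" 7
}

if [ "${1:-}" = "--demo" ]; then   # ./triage.sh --demo runs the checks on the sample site
  site=$(build_sample_site); triage "$site"; rm -rf "$site"
fi
```

On the sample site the signature grep finds only wp-cache.php while the extension check also flags view.php; on a real cleanup, treat every hit from the second list as hostile until proven otherwise, because uploads has no legitimate reason to contain PHP.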
Steps Taken
- System Sanitation: I took the site offline while working, replaced the core WordPress directories (wp-admin and wp-includes) with clean copies of the same WordPress version, and swept the theme directories.
- Backdoor Purge: I used recursive grep searches to locate and delete the backdoor files nested inside wp-content/uploads.
- Database Cleaning: I removed the rogue users and injected script links from the wp_users and wp_options tables using phpMyAdmin.
- Hardening: I updated all plugins, configured the Wordfence firewall (WAF), blocked PHP execution inside the uploads directory so the web server refuses to run anything placed there, and rotated the authentication keys and salts in wp-config.php, which invalidates every existing login session, including any the attacker still held.
- Request Review: I submitted a review request through the Security Issues report in Google Search Console, describing the measures taken.
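Two of the steps above, replacing the core directories and blocking PHP under uploads, are only as good as their verification, so here they are in checkable form. This is an added example, not the script used on the job: in practice REFERENCE is an unpacked WordPress release of the installed version, whereas the trees the self-test builds are constructed, and the .htaccess assumes Apache 2.4 with overrides enabled.

```shell
#!/usr/bin/env bash
# Added example (not the case study's own script): verify core directories against
# a clean reference tree and block PHP execution under uploads. Sample trees are constructed.

hash_file() {                      # hash_file FILE -> sha256 hex digest (sha256sum or shasum)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

list_files() {                     # list_files DIR -> sorted paths relative to DIR
  (cd "$1" && find . -type f | sed 's|^\./||' | sort)
}

# One line per difference: a changed core file is a patched backdoor, an extra
# file is a dropped one, a missing file is damage to repair. Empty output = clean.
compare_trees() {                  # compare_trees REFERENCE LIVE -> "MODIFIED|EXTRA|MISSING path"
  local ref="$1" live="$2"
  list_files "$ref" | while IFS= read -r f; do
    if [ ! -f "$live/$f" ]; then echo "MISSING $f"
    elif [ "$(hash_file "$ref/$f")" != "$(hash_file "$live/$f")" ]; then echo "MODIFIED $f"
    fi
  done
  list_files "$live" | while IFS= read -r f; do
    [ -f "$ref/$f" ] || echo "EXTRA $f"
  done
}

# Apache 2.4: answer 403 for any PHP-like name under uploads, so a file that
# slips past the cleanup is never handed to the PHP engine at all.
harden_uploads() {                 # harden_uploads UPLOADS_DIR (writes UPLOADS_DIR/.htaccess)
  printf '%s\n' \
    '# Uploads hold media only: deny access to any PHP-like file' \
    '<FilesMatch "\.(php|php[0-9]|phtml|phar)$">' \
    '    Require all denied' \
    '</FilesMatch>' > "$1/.htaccess"
}

uploads_hardened() {               # uploads_hardened UPLOADS_DIR ; exit 0 if the deny rule is present
  grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null
}

# Constructed self-test: BASE/ref is the clean core, BASE/live has one patched
# file, one dropped file, and one core file deleted.
build_sample_trees() {             # build_sample_trees BASE
  local ref="$1/ref" live="$1/live"
  mkdir -p "$ref/wp-includes" "$ref/wp-admin" "$live/wp-includes" "$live/wp-admin"
  printf '<?php // clean\n' > "$ref/wp-includes/class-wp.php"
  printf '<?php // clean\n' > "$ref/wp-includes/pluggable.php"
  printf '<?php // clean\n' > "$ref/wp-admin/admin.php"
  cp "$ref/wp-includes/class-wp.php" "$live/wp-includes/class-wp.php"
  printf '<?php // clean\neval(base64_decode("..."));\n' > "$live/wp-includes/pluggable.php"  # patched
  printf '<?php // dropped\n' > "$live/wp-admin/wp-login2.php"                                 # extra
  # wp-admin/admin.php is deliberately absent from live -> reported as MISSING
}

if [ "${1:-}" = "--demo" ]; then   # ./verify.sh --demo prints the report and the generated .htaccess
  base=$(mktemp -d); build_sample_trees "$base"
  compare_trees "$base/ref" "$base/live"
  mkdir -p "$base/live/wp-content/uploads"; harden_uploads "$base/live/wp-content/uploads"
  cat "$base/live/wp-content/uploads/.htaccess"; rm -rf "$base"
fi
```

Run compare_trees once more after the cleanup and expect no output; anything it still lists is either a backdoor you missed or a file the host modified that you need to account for. On nginx the equivalent of the deny rule is a location block matching uploads/.*\.php$ with deny all, since .htaccess is not read there.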
Before vs After Results
After about six hours of work the file system was clean and the host reactivated the account. Google completed its security review four hours later and removed the red warning screen. Customers returned to the store and WooCommerce orders resumed.
Lessons Learned
Never use nulled or pirated themes. Always block PHP execution in the uploads directory at the web server level (a filesystem execute bit does not stop mod_php or PHP-FPM from running a script), so that even if an attacker manages to upload a malicious PHP file, the server refuses to run it.