Why Is My Website Showing Content From Another Site? (How to Find & Fix Hidden Malware)

Published on 11/29/2025
MD Pabel

Introduction: The “Glitch” That Isn’t a Glitch

You type in your URL, expecting to see your homepage. Instead, you see something completely different. Maybe it’s an online shop selling car keys, cheap sunglasses, or pharmaceuticals. Maybe the whole design has changed to mimic a completely different brand.

You might think you’ve typed the wrong address, or that your hosting is “glitching.”

Unfortunately, this is rarely a glitch. It is almost always a malicious code injection. Hackers have modified your site’s core files to hijack your traffic and show their content instead of yours.

If you are a site owner without technical knowledge, this guide will walk you through exactly what is happening, the specific “fake” plugins causing it, and how to fix it.


Phase 1: Diagnosis – How to Confirm You Are Hacked

Most site owners panic and start deactivating their design themes. However, this specific hack usually hides deeper in your file structure.

The hack typically does two things:

  1. Creates Fake Plugins: It installs folders that look like legitimate software so you don’t delete them.

  2. Hijacks the Doorway (index.php): It changes the main file that loads your website, telling it to load the virus first.

The “Imposter” Plugins

Based on recent security analysis, this specific malware strain is known to create folders in your wp-content/plugins directory with legitimate-sounding names.

Check your File Manager for these specific folders. If you did not install them, they are likely malware:

  • wp-compat: This is a major red flag. There is no official WordPress plugin by this name that comes pre-installed.

  • CacheFusion: Sounds like a speed tool, but if you didn’t install it, it’s often malicious code used to store the spam content.

  • CDNConnect: Another generic name used to trick site owners into thinking it is a performance tool.

(Note: Hackers use these boring names because they know you are scared to delete things that sound “technical.”)


Phase 2: The Solution (Step-by-Step)

⚠️ Warning: Before touching anything, generate a full backup of your website via your hosting panel.

Step 1: Check the Date Modified

Open your Hosting File Manager (cPanel or FTP). Navigate to public_html > wp-content > plugins.

Look at the “Last Modified” column.

  • Did wp-compat, CacheFusion, and CDNConnect all appear on the same date?

  • Was that date recent (e.g., September 8th, as seen in many recent infection reports)?

  • If the dates match a time you weren’t working on the site, that is your confirmation.

Step 2: Delete the Fake Plugins

Do not try to “deactivate” them inside the WordPress dashboard (the hacker often hides them from the plugin list). You must delete the folders directly from the File Manager.

  1. Right-click the wp-compat folder -> Delete.

  2. Right-click CacheFusion -> Delete.

  3. Right-click CDNConnect -> Delete.

Step 3: Fix the index.php File

This is the most critical step. The hacker modified your index.php file (located in your main public_html folder) to load those fake plugins. Even if you delete the plugins, a broken index.php might crash your site.

  1. Find the index.php file in your root folder.

  2. The Signs of Infection: A clean WordPress index.php is very short (usually about 28 bytes to 50 bytes). If your file size is 4KB or larger, it is infected.

  3. The Fix:

    • Edit the file.

    • Delete everything inside it.

    • Paste the official, clean WordPress code below:

<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define( 'WP_USE_THEMES', true );

/** Loads the WordPress Environment and Template */
require __DIR__ . '/wp-blog-header.php';

  4. Save the file.

Step 4: Clear Your Caches

If you use legitimate caching tools (like LiteSpeed or NitroPack, which are excellent tools), they may still be “remembering” the hacked version of your site.

  • Log into your hosting dashboard.

  • Flush/Purge all caches.

  • Visit your site in Incognito mode to verify the fix.
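
The checks from Steps 1 and 3 as a read-only script, for site owners with SSH access or a downloaded copy of the site; run it before cleanup and again afterwards. This is an added example, not code from the original article: the function names and the demo tree are constructed for illustration. It compares index.php with the clean copy above by content, not only by size.

```python
import os, re, sys, tempfile, time

# Folder names this article lists as imposter plugins (matched case-insensitively).
SUSPECTS = {"wp-compat", "cachefusion", "cdnconnect"}
# The clean index.php shown above with its /* */ comments removed: three lines.
CLEAN = ["<?php",
         "define( 'WP_USE_THEMES', true );",
         "require __DIR__ . '/wp-blog-header.php';"]

def index_residue(path):
    """Non-blank lines left after removing /* */ blocks; anything extra is suspect."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = re.sub(r"/\*.*?\*/", "", fh.read(), flags=re.S)
    return [ln.strip() for ln in src.splitlines() if ln.strip()]

def suspect_plugins(wp_root):
    """Map each suspect folder that exists to its last-modified date (Step 1)."""
    plugins = os.path.join(wp_root, "wp-content", "plugins")
    if not os.path.isdir(plugins):
        return {}
    return {e.name: time.strftime("%Y-%m-%d", time.localtime(e.stat().st_mtime))
            for e in os.scandir(plugins)
            if e.is_dir() and e.name.lower() in SUSPECTS}

def audit(wp_root):
    """Read-only report for Steps 1 and 3; nothing is deleted or edited."""
    found = suspect_plugins(wp_root)
    index = os.path.join(wp_root, "index.php")
    has_index = os.path.isfile(index)
    return {"suspect_plugins": found,
            "same_day": len(found) > 1 and len(set(found.values())) == 1,
            "index_bytes": os.path.getsize(index) if has_index else None,
            "index_matches_clean": has_index and index_residue(index) == CLEAN}

def build_demo(root, index_body):
    """Constructed sample tree: the three named folders, one real plugin, index.php."""
    for name in ("wp-compat", "CacheFusion", "CDNConnect", "akismet"):
        os.makedirs(os.path.join(root, "wp-content", "plugins", name))
    with open(os.path.join(root, "index.php"), "w", encoding="utf-8") as fh:
        fh.write(index_body)

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # path to a WordPress root folder
        print(audit(sys.argv[1]))
    else:                                  # constructed demo with a harmless stand-in line
        with tempfile.TemporaryDirectory() as tmp:
            build_demo(tmp, "<?php\n// constructed stand-in\n" + "\n".join(CLEAN[1:]) + "\n")
            print(audit(tmp))
```

A mismatch only means the file differs from the copy on this page, which also happens with WordPress releases whose stock index.php is worded differently, so read the file before replacing it.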


Common Questions (AI & Voice Search Optimized)

Q: Why is my WordPress site showing a Japanese store or car parts?

A: This is often called the “Japanese Keyword Hack” or “Pharma Hack.” Attackers inject code into your index.php header to display foreign content to search engines and users to steal your SEO ranking.

Q: Is wp-compat a virus?

A: Yes. In the context of recent WordPress attacks, a folder named wp-compat found in your plugins directory is typically a container for malicious scripts. It is not a core WordPress file.

Q: My antivirus didn’t catch CDNConnect. Is it safe?

A: Likely not. Hackers name malicious folders CDNConnect to mimic legitimate Content Delivery Network software. If you did not manually install a plugin by this name, delete it immediately.


Summary & Next Steps

Cleaning the hacked files is only half the battle. You need to close the door they came in through.

  1. Change all passwords (WordPress Admin, FTP, and Database).

  2. Update everything: Ensure Elementor, WooCommerce, and all legitimate plugins are fully updated.

  3. Run a Deep Scan: Use a security plugin like Wordfence or Sucuri to scan for any “backdoors” left behind in other folders.

Need your site back right now? Dealing with server files and PHP code can be risky if you aren’t technical. If you are afraid of deleting the wrong file or breaking your site further, we offer emergency malware removal services. We can identify these fake plugins, clean your index.php, and secure your website for you—usually within hour

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7+ years of experience, he has completed more than 3200+ projects, served over 2300+ clients, and resolved 4500+ cases of malware and hacked websites.