WordPress Malware Case Study: Removing Hidden Executable Files After a Bluehost Account Suspension
A client contacted me after Bluehost completely suspended their hosting account due to malware detection.
Unlike typical WordPress infections, this case involved a large number of malicious executable files scattered across the hosting account, listed by Bluehost in a file named malware_bin.txt.
Bluehost clearly stated that all listed files must be deleted before account access could be restored.
If even one file remained, the account could be reinfected and suspended again.
This was not a standard WordPress cleanup. This was a hosting-level malware incident.
Initial Assessment
The hosting account contained multiple WordPress sites, and malware was detected in areas often considered safe, such as:
-
/wp-content/plugins/ -
/wp-content/themes/
For example:
-
jetpack/jetpack_vendor/automattic/jetpack-masterbar/src/admin-color-schemes/compat42x -
bluehost-wordpress-plugin/vendor/newfold-labs/wp-module-solutions/includes/addtocart -
all-in-one-wp-migration/lib/vendor/servmask/filetypes.inc
These files were not part of normal plugin or theme functionality.
A legitimate WordPress installation normally consists of:
-
PHP
-
JavaScript
-
HTML / CSS / SCSS
-
Images and media
-
Document files
Executable or random system-style files inside plugins/themes are red flags.
This indicated:
-
Malware existed inside plugin and theme directories, not just outside WordPress
-
Plugin-based scanners could easily miss these hidden files
-
Incomplete cleanup could immediately trigger reinfection
Why Security Plugins Failed
WordPress security plugins focus on:
-
Modified core files
-
Known plugin/theme exploits
-
Database injections
In this case:
-
Malware lived in legitimate plugin directories but used strange filenames (
insert_hw,addtocart,filetypes.inc) -
Some files were hidden deep inside vendor libraries
-
Others mimicked standard plugin assets (
compat42x) to evade detection
Bluehost detected the malware at the hosting level, which is why WordPress scanners did not flag it.
Mandatory Step: Full Backup
Before removing anything:
- A full hosting account backup was taken
- All files and databases were preserved
This step is critical.
Mass deletion without a backup can permanently break websites or destroy forensic evidence.
Malware Cleanup Strategy
Identifying the Malware
From malware_bin.txt, I extracted approximately 50–80 unique malicious file names.
These filenames appeared repeatedly across different directories in the hosting account.
Each filename was manually reviewed to confirm:
- It was not part of WordPress core
- It was not used by any plugin or theme
- It was not a legitimate application file
Only after verification was removal approved.
Why Manual Deletion Was Not an Option
- Files were scattered across hundreds of directories
- Many filenames appeared multiple times
- Missing even one file could re-trigger the infection
- cPanel file managers are too limited for this scope
This required a server-level, SSH-based automated cleanup.
⚠️ Warning: Advanced Malware Removal – Only Attempt If You Have Server Experience
This case study describes a highly technical, server-level malware removal process involving SSH access, filename loops, and manual deletions across WordPress plugins, themes, and hosting directories.
Do not attempt this if you are not experienced with Linux, SSH, or WordPress server administration.
Mistakes can lead to:
-
Permanent data loss
-
Broken WordPress installations
-
Re-infection of your hosting account
-
Possible hosting account suspension
If you are unsure, it’s strongly recommended to hire a professional to safely perform these steps.
SSH-Based Malware Removal Using a Loop
To ensure complete removal, I used an SSH loop that iterated through the list of malicious filenames and deleted every occurrence across the entire hosting account.
Simplified Example of the Logic Used
files=(
"rvsMasterCompoDB"
"phpthumb.unsharp"
"currencyVars.inc"
"cron.bak"
"toolbadex.hacked"
".key-daemon"
".pulse-listener"
".sys-config"
"bigocaptcha"
)
for file in "${files[@]}"; do
find /home/username/ -type f -name "$file" -delete
done
This method ensured that:
- All malicious files were located regardless of directory depth
- Duplicate payloads were fully removed
- No reinfection vectors were left behind
- Cleanup was consistent and verifiable
This level of cleanup cannot be achieved using WordPress plugins or control panel tools.
Post-Cleanup Verification
After removal:
- File permissions were reviewed
- No unexpected executable or system-like files remained
- WordPress core integrity was validated
- Bluehost re-scanned the hosting account
The hosting account was fully restored.
No reinfection occurred.
Key Takeaways From This Case
- Not all WordPress malware lives inside WordPress
- Executable files in a WordPress hosting account are a major red flag
- Hosting providers often detect malware that plugins miss
- Cleaning only
wp-contentis not enough - SSH-level access is critical for serious infections
If your hosting provider suspends your account, the problem is often bigger than WordPress itself.
How to Prevent This Type of Infection
- Restrict executable permissions on shared hosting
- Regularly scan non-WordPress directories
- Do not rely solely on security plugins
- Harden hosting-level security, not just WordPress
Without these steps, reinfection is only a matter of time.
Final Note
If your hosting provider has:
- Disabled your account
- Sent a malware report you do not understand
- Flagged executable or system-style files
- Rejected plugin-based cleanups
You are dealing with a server-level or shared hosting malware infection.
This type of issue requires manual, SSH-based remediation, not automated tools.
For professional cleanup, reinfection prevention, and hosting restoration, you can reach me through mdpabel.com.
