WordPress Malware Removal: How I Fixed a Hacked Site Infected with Trojan.PHP.Webshell.Obfuscated

July 29, 2025
MD Pabel

I’m MD Pabel, and I’ve been cleaning up hacked WordPress sites for years. With over 4500 successfully fixed hacked websites under my belt, I’ve seen it all. Last month, I dealt with one of the nastiest malware infections I’ve encountered – a site completely compromised by multiple threats including Trojan.PHP.Webshell.Obfuscated, Backdoor.WordPress.FakePlugin.Injector, and several others. Here’s exactly how I removed the malware and got the site back online.

The Infected WordPress Site: Warning Signs I Noticed

The client called me because their WordPress site was acting strange. Pages were loading incredibly slowly, visitors were getting redirected to spam sites, and somehow the site was sending out spam emails without their knowledge. These are classic signs of a hacked WordPress site that needs immediate malware removal.

When I logged into their hosting account, the server logs showed unauthorized access attempts everywhere. I ran a quick malware scan using Sucuri, and it lit up with alerts – VirusTotal flagged multiple trojans and backdoors. This wasn’t some amateur hack job. The attackers had used sophisticated techniques, including fake Cloudflare security prompts that tricked users into downloading malicious PowerShell scripts.

WordPress Malware Removal: What I Found During Investigation

I connected to the server via SSH and started my malware removal process by examining the wp-content/plugins directory. That’s where I found the first major problem – a fake plugin directory containing backdoor files. The Backdoor.WordPress.FakePlugin.Injector had disguised itself as a legitimate security plugin, but it was actually giving hackers remote access to the entire site.

The real challenge came when I discovered heavily obfuscated PHP files with names like “hehe.php” and “xx.php” – classic webshell signatures. These files contained layers of encoding designed to hide malicious code from standard malware scanners. Here’s what one looked like after I decoded it:

<?php
@error_reporting(0);  // Suppressing error messages
session_start();      // Maintaining persistent access
$payload = base64_decode('malicious_code_here');
eval(gzinflate(str_rot13($payload)));  // Executing hidden commands
?>

The malware used multiple encoding techniques – base64 decoding, ROT13 character shifting, and gzip inflation – to hide command execution functions. Once decoded, I could see it was designed to run system commands directly from URL parameters, allowing hackers to browse server directories and steal sensitive files like database configurations.
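The layered decoding described above, as an added example that is not code from this post: a Python script that statically peels the base64, str_rot13 and gzinflate wrappers off a snippet shaped like the decoded shell, so the inner code can be read without ever being executed. The payload it decodes is constructed here from a harmless statement, and the function and variable names are my own.

```python
"""Added example, not code from the original post: peel the base64 ->
str_rot13 -> gzinflate layers of a snippet shaped like the decoded webshell
so an analyst can read the wrapped code without executing it."""
import base64
import codecs
import re
import zlib


def php_str_rot13(data: bytes) -> bytes:
    """Byte-for-byte equivalent of PHP's str_rot13: only ASCII letters move."""
    return codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")


# Inverse of each wrapper. gzinflate() is raw DEFLATE (no zlib header), wbits=-15.
UNWRAP = {
    "str_rot13": php_str_rot13,
    "gzinflate": lambda d: zlib.decompress(d, -15),
}
ASSIGN = re.compile(r"\$(\w+)\s*=\s*base64_decode\('([^']*)'\)")
EVAL = re.compile(r"eval\((.*\$(\w+).*)\)\s*;")


def unwrap(snippet: str) -> bytes:
    """Return the plaintext eval() would run for a snippet of the form
    $var = base64_decode('...'); eval(f1(f2($var)));"""
    assign, ev = ASSIGN.search(snippet), EVAL.search(snippet)
    if not assign or not ev or assign.group(1) != ev.group(2):
        raise ValueError("snippet does not match the decode-then-eval shape")
    data = base64.b64decode(assign.group(2))
    # Source lists wrappers outermost first; PHP applies the innermost first.
    for name in reversed(re.findall(r"[a-z0-9_]+(?=\()", ev.group(1))):
        data = UNWRAP[name](data)
    return data


def build_sample() -> str:
    """Constructed stand-in for 'malicious_code_here': a harmless statement
    wrapped in the same three layers (gzdeflate, str_rot13, base64)."""
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(b'echo "constructed sample";') + comp.flush()
    literal = base64.b64encode(php_str_rot13(deflated)).decode("ascii")
    return ("<?php\n@error_reporting(0);\n$payload = base64_decode('%s');\n"
            "eval(gzinflate(str_rot13($payload)));\n?>" % literal)


if __name__ == "__main__":
    print(unwrap(build_sample()).decode())
```

The same approach extends to other wrapper chains by adding their inverses to UNWRAP; anything not in the table raises a KeyError rather than being guessed.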

How the Malware Achieved Persistence

What made this WordPress malware removal particularly challenging was how the infection maintained persistence. I found a file called “add.php” that was automatically creating new directories with random names like “xl” and “lm”. Inside each directory, it dropped base64-encoded index.php files that would survive server reboots and basic cleanup attempts.

Another file, “lf.php”, was operating as a complete spam mailing system. It was harvesting email addresses from the WordPress database, sending phishing emails through SMTP, and using MD5 hashing to evade spam filters. This explained why the client’s hosting provider had flagged their account for suspicious email activity.

My WordPress Malware Removal Process

Here’s exactly how I cleaned the hacked site:

Step 1: Complete File Audit
I identified and documented every infected file, including hidden webshells and backdoors scattered throughout the WordPress installation.

Step 2: Malware Removal
I manually removed all malicious files, including the fake plugins and obfuscated PHP scripts. Simply deleting them wasn’t enough – I had to trace their connections to other compromised files.

Step 3: Core File Restoration
I restored wp-config.php and .htaccess files from clean backups, ensuring no malicious code remained in critical WordPress files.

Step 4: Theme Cleanup
The attackers had injected JavaScript code into header.php that was loading external scripts from malicious CDNs. I cleaned all theme files and verified their integrity.

Step 5: Security Hardening
I changed all file permissions from dangerous 777 settings to secure configurations, updated all plugins to their latest versions, and installed Wordfence for ongoing malware monitoring.

WordPress Security Lessons from This Malware Removal

This WordPress malware removal taught me several important things about modern hacking techniques:

Obfuscated Code is Everywhere: Hackers in 2025 are using multiple layers of encoding to hide malware from automated scanners. Manual code review is essential for proper malware removal.

Fake Plugins are Common: The Backdoor.WordPress.FakePlugin.Injector I found looked legitimate in the WordPress admin panel. Always verify plugin authenticity before installation.

Persistence Mechanisms are Sophisticated: Modern malware doesn’t just infect – it ensures survival through multiple backup files and regeneration scripts.

Social Engineering Integration: The fake Cloudflare prompts showed how malware creators combine technical exploits with social engineering to maximize infection rates.

Preventing Future WordPress Malware Infections

Based on my experience with this malware removal and fixing over 4500 hacked websites, here are my recommendations:

  • Run weekly malware scans using tools like Sucuri or Wordfence
  • Never upload files with 777 permissions
  • Regularly audit your wp-content directory for suspicious files
  • Keep WordPress core, themes, and plugins updated
  • Use strong .htaccess rules to prevent PHP execution in upload directories
  • Monitor server logs for unauthorized access attempts
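An added triage script (my own example, not the author's tooling) covering the file audit in Step 1, the 777 cleanup in Step 5 and the wp-content audit and permission checks recommended above: it walks a wp-content tree and reports PHP files that chain eval() with the decode functions seen in the webshell, PHP files sitting inside uploads, and 777 permissions. The tree it scans is constructed inside the script, and every path and name in it is an assumption.

```python
"""Added example, not code from the original post: a read-only triage of a
wp-content tree for the indicators this write-up describes. It reports and
deletes nothing; the layout and sample files are constructed so it runs offline."""
import os
import re
import stat
import tempfile

# PHP that chains eval() with the decode layers seen in the decoded webshell.
EVAL_CHAIN = re.compile(rb"eval\s*\(.*(gzinflate|str_rot13|base64_decode)", re.DOTALL)


def audit_wp_content(wp_content):
    """Return {finding_type: sorted relative paths} for the three indicators."""
    found = {"eval_chain": [], "php_in_uploads": [], "world_writable": []}
    uploads = os.path.join(wp_content, "uploads") + os.sep
    for root, dirs, files in os.walk(wp_content):
        for name in dirs + files:  # the post's "dangerous 777 settings"
            path = os.path.join(root, name)
            if stat.S_IMODE(os.lstat(path).st_mode) == 0o777:
                found["world_writable"].append(path)
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            if path.startswith(uploads):  # uploads should never hold PHP
                found["php_in_uploads"].append(path)
            with open(path, "rb") as fh:
                if EVAL_CHAIN.search(fh.read()):
                    found["eval_chain"].append(path)
    return {k: sorted(os.path.relpath(p, wp_content) for p in v)
            for k, v in found.items()}


def build_demo_tree():
    """Constructed wp-content: a clean plugin, a lookalike of the decoded shell
    (call chain only, no payload), PHP in uploads, a 777 theme directory."""
    wp = os.path.join(tempfile.mkdtemp(), "wp-content")
    samples = {
        "plugins/realplugin/realplugin.php": '<?php echo "hello";',
        "plugins/realplugin/hehe.php": "<?php eval(gzinflate(str_rot13(base64_decode($p))));",
        "uploads/2025/07/xx.php": "<?php // dropped into uploads",
    }
    for rel, body in samples.items():
        os.makedirs(os.path.dirname(os.path.join(wp, rel)), exist_ok=True)
        with open(os.path.join(wp, rel), "w") as fh:
            fh.write(body)
    os.makedirs(os.path.join(wp, "themes/t"))
    os.chmod(os.path.join(wp, "themes/t"), 0o777)
    return wp
```

Run audit_wp_content() against a real wp-content path once the constructed tree has shown you what each finding looks like; every hit is something to inspect by hand, not an automatic deletion.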

Get Professional WordPress Malware Removal Help

If your WordPress site is showing signs of infection – slow loading, unexpected redirects, spam emails, or security warnings – don’t wait. As someone who specializes in WordPress malware removal and has successfully fixed over 4500 hacked websites, I know that every hour counts when dealing with compromised sites.

The infection I described here took me about 8 hours to completely clean and secure. The client’s site came back online stronger than before, with enhanced security measures to prevent future attacks.

For more detailed technical information about the specific malware variants I encountered, including Trojan.PHP.Webshell.Obfuscated and Webshell.Priv8Uploader.Persistence, check out my complete analysis: Unmasking Trojan.PHP.Webshell.Obfuscated and Related Malware.

Final Thoughts on WordPress Malware Removal

Dealing with hacked WordPress sites is never fun, but successfully removing complex malware like Trojan.PHP.Webshell.Obfuscated gives me satisfaction every time. Each cleanup teaches me something new about hacker techniques and helps me protect future clients better. Having fixed over 4500 hacked websites, I can confidently say that no two infections are exactly alike.

If you’ve dealt with similar WordPress malware infections, I’d love to hear about your experience. Feel free to reach out – I’m always interested in discussing malware removal techniques and sharing knowledge with fellow WordPress security professionals.

Remember: the best defense against WordPress malware is prevention, but when prevention fails, quick professional malware removal can save your site and reputation.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With over 7 years of experience, he has completed more than 3200 projects, served over 2300 clients, and resolved 4500 cases of malware and hacked websites.
