How a Former Developer Hijacked a WordPress Site

Published: 10/4/2025

A website security story that shows why it’s so important to remove a worker’s access when they leave.

The Start of the Problem

A client needed help with her GoDaddy WordPress website. When people tried to visit her site, they couldn’t see it. Instead, they saw a maintenance page with a message in another language. At first, the fix seemed easy. But the problem came back, showing a much bigger security issue. It was caused by a former worker who still had access to her accounts.

The First “Quick Fix”

When I looked at the website, I saw a maintenance page with a message written in a language I didn’t understand. A WordPress plugin was making this page show up. I thought it was just an old plugin left on by mistake, which happens a lot. So, I just turned off the plugin.

The website went back to normal right away. It took less than 10 minutes to fix. The client was happy, and I thought the job was done. But this quick fix only hid the problem. It didn’t solve the real cause.

The Problem Comes Back

The very next day, the client called me with the same problem. The “Pay our bills” page was back. I logged in and saw that the plugin was turned on again. This told me that someone was doing this on purpose.

I started to look deeper:

  1. I translated the message: It said “Pay our bills.” This showed that someone was angry and probably felt they were owed money.
  2. I checked the activity logs: In the WordPress dashboard, I could see that another user had logged in after I did my fix and had turned the plugin back on.
  3. I found the user: The client knew the user account. It belonged to a developer she had worked with before. She told me to delete the user, so I did. I also removed the bad plugin. It seemed like the problem was finally solved.

The Problem Gets Worse

Two days later, the client called me again. Now she had a bigger problem. Her whole website was sending visitors to a different website. This was a major issue, and it was confusing because we had already removed the old developer’s user account from WordPress. How could he still control the site?

The problem had to be outside of WordPress. I checked her account at GoDaddy, where she hosts her site. In the DNS settings, I found the problem. A “domain forward” was set up. It was telling GoDaddy to send all of her website visitors to the other site.

This proved the attacker had access to her GoDaddy account, not just WordPress. A final check of her GoDaddy account showed me how he got in. The former developer’s email was still listed in the Delegate Access section. This gave him the power to manage her domain, hosting, and more. The client had forgotten to remove his access when he stopped working for her.

How We Fixed It for Good

These were the final steps to make her website safe:

  1. Remove Delegate Access: We took away the former developer’s access in GoDaddy immediately.
  2. Fix the DNS: We removed the rule that sent her visitors to the wrong site.
  3. Full Security Check: We did a full check of the WordPress site. We changed all the passwords, scanned for any hidden backdoors, and made sure no other strange users or plugins were there.

This story is a good reminder of simple security steps that were missed.

Simple Security Ideas:

  • Access Control: This is about who can use or change your website and accounts. The client failed to control access at two levels: the WordPress admin account and the much more powerful GoDaddy account.
  • Insider Threat: This is a security problem caused by someone who works for you now or who worked for you in the past. The angry former developer was an “insider threat.”
  • Give Only the Access People Need: People should only have the permissions they need to do their job, and nothing more. The developer shouldn’t have had admin access to WordPress and GoDaddy after his work was done.
  • Steps for When a Worker Leaves (Offboarding): When an employee or contractor leaves, you need a checklist to make sure you remove all of their access. This includes WordPress, hosting accounts, domain accounts, and any other tools they used.
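
The offboarding check described above can be run as a small audit. This is an added example, not code from the original post: it compares every access grant, across WordPress and the registrar account, against a roster of people who should still have access, and lists the registrar findings first because that account controls DNS and forwarding. The email addresses, dates, system names and the function name audit_access are constructed for illustration.

```python
from datetime import date

# Constructed sample data (not from the original incident).
# Roster: who may hold access, and when their engagement ended (None = still active).
ROSTER = {
    "owner@example.com": None,
    "current.dev@example.com": None,
    "former.dev@example.com": date(2025, 6, 30),
}

# Access grants collected from each system. Assumption: the WordPress rows come from
# a list of administrator users, and the registrar rows are typed in by hand from the
# account's delegate-access page.
GRANTS = [
    {"system": "wordpress", "email": "Owner@Example.com", "role": "administrator"},
    {"system": "wordpress", "email": "current.dev@example.com", "role": "administrator"},
    {"system": "registrar", "email": "owner@example.com", "role": "account owner"},
    {"system": "registrar", "email": "Former.Dev@example.com ", "role": "delegate"},
    {"system": "registrar", "email": "unknown@example.net", "role": "delegate"},
]

# Registrar and hosting access outrank WordPress: they control DNS and forwarding.
SEVERITY = {"registrar": 0, "hosting": 0, "wordpress": 1}


def audit_access(grants, roster, today):
    """Return grants held by people who have left or who are not on the roster."""
    findings = []
    for g in grants:
        email = g["email"].strip().lower()  # same person, different capitalisation
        if email not in roster:
            reason = "not on roster"
        elif roster[email] is not None and roster[email] <= today:
            reason = f"engagement ended {roster[email].isoformat()}"
        else:
            continue  # active, authorised person
        findings.append({"system": g["system"], "email": email,
                         "role": g["role"], "reason": reason})
    # Most powerful systems first, so a leftover registrar grant is not overlooked.
    findings.sort(key=lambda f: (SEVERITY.get(f["system"], 2), f["email"]))
    return findings


if __name__ == "__main__":
    for f in audit_access(GRANTS, ROSTER, date(2025, 10, 4)):
        print(f"[{f['system']}] {f['email']} ({f['role']}): {f['reason']}")
```

Running the audit again after each removal confirms that the person is gone from every system, not only from the one that was checked first.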

Conclusion

What looked like a small plugin problem was actually a very serious security issue. It happened because a former worker’s access was not completely removed. This story shows that website security is not just about firewalls. It is also about having good rules for when people join and leave your team. A good plan to remove all access when someone leaves is one of the most important things you can do to keep your business safe online.
