How I Removed 12,000+ Casino & Gambling Posts and Stopped Cron Job Malware on a Compromised Site

A WordPress website was severely compromised by hackers who injected spam, casino, and gambling content. The attack caused a broken UI, non-functional multi-language (Polylang) features (English & Arabic), and left malware in WordPress core files, plugins, and themes.

Even after updating WordPress to version 6.8.3, PHP to 8.3, and updating plugins/themes, malware regenerated repeatedly, indicating a hidden cron-job-based infection on the cPanel server.

Our goal was to fully clean the website, restore all functionality, remove malicious content, and implement strong security measures to prevent future attacks.

---

Initial Assessment

The assessment revealed multiple critical issues:

• Broken UI: Pages and site design were disrupted.

• Spam/Casino & Gambling Posts: Over 12,000 unauthorized posts were injected, harming SEO and credibility.

• Non-Functional Language Switcher: Arabic version was not loading; English version partially functional.

• Inactive or Outdated Plugins & Themes: Some plugins/themes were outdated, inactive, or from untrusted sources.

• Malware in Core Files: Malware detected in WordPress core, plugins, and themes.

• Database Pollution: Spam content present in the database affected overall site health.

This was a high-risk infection, requiring a careful, multi-step approach.

---

Malware Removal & Cleanup Process

1. Site Scan & Initial Cleanup

• Conducted a full malware scan using Wordfence Security plugin to detect infected files in WordPress core, plugins, and themes.

• Cleaned all detected malware.

• After this step, the English version of the site worked, but the Arabic version and UI were still broken, suggesting deeper issues in the content and database.

---

Backup Restoration

The Arabic version and UI issues indicated that some content might have been lost or corrupted. To restore full functionality, we tested multiple backups on a temporary staging site. After careful evaluation, the correct backup was restored to the live site, providing a clean starting point for further malware removal.

Steps taken:

1. Created a temporary staging site to safely test backups.

2. Restored multiple backups sequentially to identify the latest fully functional version.

3. Restored the correct backup to the live site, fixing broken UI and restoring content.

3. Removal of Casino & Gambling Posts

The website contained over 12,000 spam/casino posts. Initially, we used WP Bulk Delete plugin, but the process was slow due to the large volume. To speed up cleanup, we executed direct SQL commands on the database, ensuring complete removal without affecting other content.

Steps taken:

1. Attempted WP Bulk Delete to remove spam posts.

2. Executed SQL commands to delete posts containing keywords like “casino” and “gambling”.

3. Cleaned related post meta to ensure database integrity.

4. Detection & Removal of Cron Job Malware

Even after cleaning files and removing spam posts, malware regenerated automatically. The site was hosted on cPanel, and manual inspection revealed a malicious cron job running every second. Standard scanners could not detect it. Removing this cron job was critical to stop automatic reinfection.

Steps taken:

1. Checked cPanel cron jobs for unusual scripts.

2. Identified a cron job executing every second, running a script that regenerated malware, backdoor.

3. Safely removed the infected cron job to stop reinfection permanently.

---

5. Security Hardening

• Installed and configured Wordfence Security & Firewall.

• Installed and configured All In One WP Security & Firewall.

• Secured login forms and other forms using Cloudflare Turnstile and honeypot anti-spam techniques. Learn more about protecting your WordPress site from spam in this detailed guide.

• Deactivated unlicensed or unnecessary nulled plugins and replaced them with trusted, fully licensed plugins to ensure complete site security and reliability.

• Updated all outdated plugins and removed unnecessary themes to improve website security, performance, and overall WordPress stability.

• Removed unnecessary or suspicious users and updated administrator passwords.

---

Challenges Overcome

1. Casino & Gambling Posts: Removed all 12,000+ spam posts efficiently using a combination of plugin and SQL commands.

2. Broken UI & Multi-Language Issues: Restored both English and Arabic versions.

3. Cron Job Malware: Detected and removed manually via cPanel, which standard scanners could not detect.

4. Database Pollution: Cleaned all malicious content while maintaining data integrity.

5. Plugin & Theme Security: Replaced untrusted and unlicensed plugins with secure alternatives.

---

Ongoing Security Recommendations

• Keep Everything Updated: WordPress core, plugins, and themes.

• Use Trusted Sources: Only install plugins/themes from official or trusted developers.

• Strong Credentials: Use unique, strong passwords for all accounts.

• Regular Backups: Maintain daily or weekly offsite backups.

• Regular Malware Scans: Use Wordfence or similar tools for early detection.

• Monitor Cron Jobs: Regularly check cPanel cron jobs for suspicious scripts.

---

Conclusion

The website is now fully cleaned, functional, and secure:

• All casino and gambling posts were removed.

• Broken UI and multi-language features were fully restored.

• The cron-job malware was detected and removed, stopping reinfection.

• Security hardening ensures long-term protection against future attacks.

This case highlights the seriousness of hidden cron job malware and the need for combined plugin, database, and server-level interventions for complete WordPress security.

If your WordPress site is facing malware, spam content, or security issues, hire me to Remove Malware From WordPress site, Secure, and optimize your website efficiently and reliably.