Back to Case Studies
How I Restored a WordPress Site After a 53,000+ File Slot Gambling Malware Attack
Case Study

How I Restored a WordPress Site After a 53,000+ File Slot Gambling Malware Attack

In August 2025, I saved one of my client’s websites from a terrible malware attack. During this attack, 53,771 files were compromised, and their professional website was turned into a slot-gambling portal. For 6–8 hours, their Google Ads kept sending real customers to a fake “JAKARTASLOT88” interface, which not only affects their credibility but also costs them a lot of money. Today, in this case study, I will explain how I decoded the geo-targeted malware, removed every trace of the infection, including the defacement TXT files with the hacker’s signature Hacked by L4663r6666h05t x Single Attacker,” and put in place strong defenses to stop a further attack.

How a Professional WordPress Website Was Replaced with a Slot-Gambling Page

When I first clicked on the client’s URL to fix the hacked WordPress site, I saw a flashy slot machine interface instead of their business website (you can see the screenshot below). However, because of this attack, customers who visited the site they saw a fake gambling page, which damaged trust and wasted business money on ads.

Hacker Signatures Found Across the Entire cPanel

While working to remove malware from their WordPress site, I discovered thousands of seemingly harmless .txt files spread throughout the entire cPanel, including site directories. Each of these files contained the alarming message:

Hacked by L4663r6666h05t x Single Attacker

When the site owner discovered this hacking, it felt as though the hacker was mocking them and sending a creepy message that someone else was in control of their brand. These widespread TXT files complicated the WordPress malware removal process.

Decoding the Obfuscated PHP Injection in index.php

The real danger in this hack was a heavily obfuscated PHP injection in index.php, which displayed a fraudulent gambling page instead of the client’s original homepage for targeted visitors. Unlike a redirect, the malicious code replaced the homepage content directly, which shows that the site itself had become a gambling portal.

goto P1kOa; E5FKM: $nZuEo = puO1P(); goto yc4Bj;

ee0Ow: $CfnXq = file_get_contents($kES4i); goto FBVGD;

q2wU5: if (!($zPV0B["\x63\x6f\x75\x6e\x74\x72\x79\x43\x6f\x64\x65"] === "\x49\x44"

    || $zPV0B["\x63\x6f\x75\x6e\x74\x72\x79\x43\x6f\x64\x65"] === "\x55\x53"))

{ goto eqXVk; } goto h37vR;

iV6IJ: include "\x69\x6e\x64\x65\x78\x2d\x31\x2e\x68\x74\x6d\x6c"; goto ewSKG;

Decoded Strings

  • countryCode → checks visitor’s country
  • ID / US → Indonesia or United States
  • index-1.html → the injected gambling page

Workflow

  1. Harvest visitor IP from headers.
  2. Query http://ip-api.com/json/{IP} for geolocation.
  3. If you are in ID or the US, show the gambling page to people while hiding this from others.

With this undetected geo-targeted injection and the defacement marks throughout cPanel, the hack was both technically complex and stressful for the client.

Step-by-Step WordPress Malware Removal and Site Restoration

Phase 1: Holding the Problem

To clean the hacked WordPress website, I have turned it to maintenance mode and backed up all files, including TXT files that show proof of the “(Hacked by…” files).

Phase 2: Surgical Removal

# Remove defacement TXT files

find /home/client/public_html -type f -name '*.txt' \
  -exec grep -l 'Hacked by L4663r6666h05t' {} \; | xargs rm -f
  • Changed all of WordPress’s core files to originals that have been checked.
  • Deleted the files that were added to the database.

Phase 3: Fortification

  • Updated core, plugins, and themes; removed risky plugins
  • Set up off-site backups, file integrity monitoring, and two-factor authentication (2FA)
  • Installed Web Application Firewall (WAF)

Restoring Client Trust and Securing the WordPress Site

All 53,771 infected files were removed, including the defacement TXT files. The WordPress site was restored and live within 90 minutes, well before the hacker could notice the cleanup. Ongoing monitoring now blocks new attacks instantly. With transparent updates and timely communication helped restore the client’s reputation.

As a web security expert who has helped thousands of clients recover from WordPress hacks, I understand how stressful it is to see your site compromised. I provide fast, expert support to clean, secure, and regain control of your website so you can focus on your business with peace of mind.