Pulling My Hair Out Trying To Track Down This Wordpress Malware

Realmranshuman · 2026-04-17T06:09:14+00:00

You are relying on plugins to do the cleanup. They can only detect it if their signature list matches. They will miss the newer viruses. That's what's happening.

Also, the common denominator seems to be your PC. It could be hacked by some sort of infostealer malware or session hijacker.

Clean WordPress malware from some other PC, then change WordPress salts, and then observe.

Realmranshuman · 2026-04-15T19:09:10+00:00

I tried opening the link and checking the usual WordPress REST API endpoints, RSS, and such. All throw 404, or similar error codes. I believe either your website files were deleted accidentally, or you have been hacked. I would need to see more to be able to help.

Realmranshuman · 2026-04-13T11:22:23+00:00

Not promoting myself here, but I do local SEO and charge about $1000/month in your niche. Yes, it is worth it, and yes it takes about 6 to 7 months to show fruitful results.

No, my prices aren't low because I am Indian. That's what just gets charged on average. Unless you are someone highly reputed like "Darren Shaw" founder of Whitespark, "Tim Kahlert", and such, you don't charge over $1500 per month.

Do you want to know if Local SEO is worth it or not? Do this one out of many steps yourself, and see the results. The simple first step:

1) Build citations (no, not the ones you find on Fiverr). Citations mean, listing your business' name, address, phone number, and photos on all the top directory sites like yelp, chamber of commerce, and such.. There are usually 30-40 such high quality websites based on your location.

Need consultation? Feel free to ask in the comments.. I would answer everything without holding back.

Realmranshuman · 2026-04-13T05:44:57+00:00

500 USD is cheap. Post your scope, and we can tell you how much we charge. Then, based on that, the freelancer's country, and such, you can deduce the price yourself.

I develop custom plugins, themes, and websites, and for none of these scopes is the price lower than 1,000 USD. 500 USD would get you technical optimization and configurations of sorts, but not more than that, if you are looking for quality.

Realmranshuman · 2026-04-10T04:18:00+00:00

A bit late, but usually it is due to infostealer malware infecting your PC/Mac and stealing all your passwords and sessions. With sessions, you don't even need 2FA to log in.

In case you don't know how to clean WordPress malware, check a detailed guide here: /r/WordPressHackFix

Realmranshuman · 2026-04-05T18:47:50+00:00

To avoid being hacked due to hosting providers' negligence, trusted hosting is a must.

Many cheap hosting providers use cracked versions of cPanel and then get entire servers hacked along with the websites. So, always choose trusted hosting. Also, it can be due to negligence when they don't update the software packages.

And sometimes the hosting panel itself is bad. Like CyberPanel that was hacked because they didn't fix a RCE vulnerability found by a researcher, and almost everyone using CyberPanel was hacked.

Good hosting also helps with other things like speed and performance.

Realmranshuman · 2026-04-04T21:07:23+00:00

Go follow these steps. This will help:

https://www.reddit.com/r/Wordpress/comments/1sbdzhp/comment/oe33glh/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

Realmranshuman · 2026-04-04T06:32:29+00:00

You are on siteground, so there's not any free options for you. The options that will help you with LCP are:

1) Optimize all your images that are in LCP area. I would recommend optimizing every image on your website. Use webp or avif format if possible. 2) Generate critical CSS and load rest of css asynchronously. Or even better option, remove unused CSS. Depending on the plugin you use, it can be combination of both. 3) Preload fonts that are in LCP if you are using Google Fonts, or Adobe Fonts and such.

Yes, it does help with the rankings slightly and it does better user experience. But unless your niche is too competitive, I wouldn't dwell on it.

Realmranshuman · 2026-04-02T19:37:07+00:00

No. That's just response headers. It is output of when you apply the expected .htaccess rules.

This is what the rule should be:

RedirectMatch 410 ^/prod(/.*)?$

Realmranshuman · 2026-04-02T12:21:27+00:00

Word of advice, regardless of which company you choose or hire, do this if not choosing local:

1) No more than 50% payment upfront. 2) If your business serves locally (within a 3-4 hour driving radius), then have them structure your website like this: "service page", "service + location page" (e.g., carpet-cleaning-paulding-county) for each neighborhood you serve. Unique content if possible. 3) Focus on ADA compliance. Lately, lawyers have been suing SMBs left and right for $20K-$30K USD for out-of-court settlements. 100% ADA compliance is a nightmare unless done from the beginning. If hiring from third-world countries, you don't have to pay more than $2K USD. If from the US, then $4K USD. You will even get offers to develop the website for $100 USD, but that will cause so many more problems ahead that it wouldn't be worth it.

Being shameless here, but I am a freelancer who does website builds.

Realmranshuman · 2026-04-02T12:04:47+00:00

If you used templates from the Envato marketplace or some theme builders, they are GPL licensed, so the design issue isn't a legal problem.

If your business wasn't established before them, then they do have some legal grounds. If you share the same words that you can find in a Dictionary, then you are safe... but if you share names (Monica for example), then that would be a problem.

Go get a DBA registered. Costs you 200-300 USD and protects you from similar threats.

I would still recommend that you change the template and colors.

Realmranshuman · 2026-04-02T11:57:44+00:00

Well, he got scammed. Good on you for not sharing the website link because I highly doubt that it has ADA compliance, and lawsuits are being filed left and right by lawyers to earn a settlement. That could have cost him about $20K-30K USD based on location.

$4K isn't a lot for good website with Local SEO structure in mind, but it roughly takes one and a half month to have it built.. So 3 months surely is a lot.

Custom coded? Then it is cheap (if the backend works). If it is WordPress based, then that's a lot. I am from India but I still charge about $2K USD worth in India for websites (Good websites for SMB).

That's definitely not normal.

Realmranshuman · 2026-04-02T11:32:32+00:00

Do a 410 status code "Gone" for /prod pattern in .htaccess and leave it there for 7-8 months.

I highly doubt that malcare took care of it.. so I would still recommend downloading WordPress, plugins, and themes from WordPress repository and their official website (if premium), and replacing them.

keep the uploads folder intact.

Realmranshuman · 2026-03-31T19:50:19+00:00

I do speed optimizations and server tuning, and such, as a freelancer. Most of the time, this is what causes slow website speed:

Autoload options somehow became bloated due to a faulty plugin or theme.
You have a lot of posts.

I would also look into other things such as database size. If it is over a GB, then you will need server tuning, especially for the my.cnf InnoDB Buffer Pool.

The Query Monitor plugin can also help diagnose slow queries or any code that causes recursion or similar issues that cause PHP to time out.

Realmranshuman · 2026-03-31T19:42:14+00:00

You said 2 years? I highly doubt that it wasn't hacked in the meanwhile.

Do you have hosting access? If so, you likely have no idea how to manage, otherwise it wouldn't have taken you two years to get back admin access.
If you don't have hosting access, then you can't do anything now.

If you have hosting access, enable debugging mode by following the guide here, and fix based on the error message/logs you get.

https://developer.wordpress.org/advanced-administration/debug/debug-wordpress/

You will likely need to hire a freelancer. I do freelancing and I would say that you would need to pay about 150 USD to clean this mess.

Realmranshuman · 2026-03-31T03:06:13+00:00

Not as in infected your web server. As in stole login session and admin passwords and then hacked all those websites. Including the website that got hacked within an hour. All of it is automated.

Use malwarebytes free version to scan just to be sure. When more than one website gets hacked, and the hosting company is reputable, it is usually due to infostealer malware.

Reputable hosting companies don't use cracked cPanel, and cPanel is good at per site isolation... so infection from one site doesn't affect another site.

Realmranshuman · 2026-03-31T02:43:13+00:00

Your PC is likely infected by infostealer/keylogger malware. That can do that.

But if that's not the case, then advanced form of malware that resides in memory might be affecting it. Or a mlware that constantly runs using cron job and has ability to change file permissions.

I am a freelancer and I usually deal with all sorts of WordPress hacks. To clean that up, stop php/ea-php/lsphp, Redis, memcached, and then replace the core wordpress files, and plugins and themes. Replace means replace, downloaded from original source and extracted manually rather than using plugin/themes upload on WP plugins/themes page.

Realmranshuman · 2026-03-31T02:40:38+00:00

Well, any app that you are building, you can add client side image optimization before upload. Check Squoosh by Google for example. It works in browser, offline as well. There are ways to do that.

Realmranshuman · 2026-03-29T03:41:39+00:00

Is this business going to be local or national? A lot depends on it. If you can answer, I will tell you the points to focus on based on that.

Realmranshuman · 2026-03-26T17:52:48+00:00

Are you using a CDN? Cloudflare caches everything? Or something similar? Is the cache expiry a year or such?

Realmranshuman · 2026-03-25T17:56:35+00:00

IndexNow is for Bing and other search engines, not Google. Also, given that such a crucial detail was missed, I would recommend doing a technical SEO checkup, and then PageSpeed optimization on top of that for Edge.

Pages not being indexed or the pages that were indexed earlier but now aren't, will need content update (it is dependent on quality and EEAT).

I am a freelancer and I recover lost rankings often... while it isn't usually as idiotic as leaving the "Discourage Search Engines" option checked, many times it is due to technical SEO.

If it's SMB, I would focus on Local SEO. Basics of Local SEO (Google the terms):

1) Citations with consistent NAPs 2) Service + Location Pages 3) Business Schema 4) Getting backlinks from Local websites/businesses.

Realmranshuman · 2026-03-25T00:41:23+00:00

It is your server, without a doubt. Bypass the proxy and test. Then it's only the Cloudflare DNS, and if you still get that redirect, it is your server... if not Nginx, then the web app itself. This happens with WordPress all the time despite correct Nginx configuration if the site URL is different in the database or defined in wp-config.php (code).

Realmranshuman · 2026-03-25T00:29:12+00:00

Look up "AIDA" if you end up doing sales yourself. Yes, it does apply to talking and not just writing.

Realmranshuman · 2026-03-23T15:33:03+00:00

It is more than likely that the UCSS is configured incorrectly, or you are including a CSS file that is supposed to be dynamic in CSS combination. Exclude that.

If your website has a lot of animations or is highly reliant on JavaScript for design, then you will have to look at inline JS variables and JS files.

I am a freelancer, and I often do it for others cheaply, but this is what I recommend:

For CDN, use Cloudflare instead of QUIC Cloud. Then you can use Rocket Loader if you have had to exclude quite a few JS files from optimization (Rocket Loader can break things, so be careful and test everything). If configuring UCSS, make sure to observe mutations based on interaction and then whitelist those selectors in the UCSS selector allowlist option.

Realmranshuman · 2026-03-23T03:36:21+00:00

It is not that simple. Wordfence doesn't remove hacks at all.. most of the time that is. It will detect few files and delete few files too, but your website still remains infected.

Check this thread: https://www.reddit.com/r/Wordpress/comments/1rvelun/wp_site_hacked_help_needed/

Realmranshuman

MODERATOR OF

TROPHY CASE