What we do
- Phase 1 diagnosis (free): investigate WordPress core, themes, plugins, and (when needed) server-level indicators; deliver a written report in your client portal.
- Optional remediation: remove malicious code and persistence mechanisms (e.g., backdoors), restore clean files/configs where appropriate, and harden security posture.
- Post-clean monitoring: observe the site for recurrence signals for 1–2 weeks (plan-based) and recommend ongoing maintenance if needed.
- Documentation: clear findings, actions taken, and next-step recommendations (no vague promises).
We do not guarantee a site will never be hacked again, but we reduce risk and improve response readiness.
Signs your WordPress site is infected
Google Safe Browsing warning
Chrome/Google flags your site as dangerous or deceptive.
SEO spam pages indexed
Pharma/Japanese/spam pages appear in Google results.
Random redirects
Visitors get redirected to spam sites (often mobile-first).
Pop-ups / overlays
Unexpected ads, gambling pop-ups, or fake update prompts.
Unknown admin users
New admin accounts or changed passwords without approval.
Hosting malware notice
Your host sends an abuse/malware report or suspends the site.
Site suddenly slow
CPU spikes, timeouts, 502/504 errors, or unusual resource usage.
Suspicious files in wp-content
Unexpected PHP files in uploads or plugin/theme directories.
Injected header/footer code
Hidden scripts/iframes injected into templates or widgets.
Spam emails from your site
Contact forms send spam, or users receive phishing emails.
Security plugin alerts
Wordfence/Sucuri reports modified core files or malware signatures.
Malware keeps returning
You remove files but the infection comes back (persistence).
Technical indicators we investigate
File & code indicators
- Modified WordPress core files or unexpected file changes
- Obfuscated PHP/JS (encoded strings, unusual eval-like behavior)
- Unexpected PHP files in wp-content/uploads
- Injected scripts/iframes in templates, widgets, or theme functions
- Suspicious scheduled tasks (cron) re-creating payloads
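
A read-only check for two of the file indicators listed above (PHP files under wp-content/uploads and obfuscated PHP). This is an added example, not code from this page or from the service it describes. The function name `scan_wordpress`, the extension list and the regex markers are assumptions, and a hit is a lead for human review, not a verdict.

```python
import os
import re

# Extensions a PHP handler commonly executes (assumed list; match it to the server config).
PHP_EXT = (".php", ".phtml", ".php5", ".php7", ".phar")
# Heuristic obfuscation markers (assumed, not exhaustive): dynamic execution
# wrapped directly around a decoder, or a very long base64-looking literal.
DECODE_EXEC = re.compile(
    rb"(eval|assert|create_function)\s*\(\s*"
    rb"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_B64 = re.compile(rb"[A-Za-z0-9+/=]{400,}")


def scan_wordpress(root, max_bytes=2_000_000):
    """Return a sorted list of (relative_path, reason) findings under root."""
    findings = []
    uploads = os.path.join("wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            # Uploads should hold media only, so any PHP file there is reported.
            if rel.startswith(uploads + os.sep):
                findings.append((rel, "php-in-uploads"))
            try:
                with open(full, "rb") as fh:
                    data = fh.read(max_bytes)  # files are read, never executed
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if DECODE_EXEC.search(data):
                findings.append((rel, "decode-then-execute"))
            elif LONG_B64.search(data):
                findings.append((rel, "long-encoded-literal"))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for path, reason in scan_wordpress(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{reason}\t{path}")
```

Run it against a copy of the site or a read-only mount, and compare any flagged theme or plugin file with a clean copy of the same version before treating it as malicious.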
Config & environment indicators
- .htaccess or web-server rule modifications causing redirects
- Compromised admin accounts, API keys, or leaked credentials
- Database injections (spam pages, hidden links, malicious options)
- Server-level persistence (shared hosting infection, compromised user)
- Backups that include infected files (re-infecting after restore)
How it works
Agreement & Access
Approve agreement and grant required access.
Diagnosis
We investigate core/theme/server indicators.
Report
Findings + remediation plan in portal.
Remediation
Cleanup, restore, harden (optional).
Monitoring
Post-clean monitoring 1–2 weeks.
Pricing
- Staged investigation (core/theme/server)
- Root-cause analysis (when possible)
- Actionable remediation plan
- Remove malware/backdoors
- Restore clean files & configs
- Security hardening baseline
- Monitoring + backups + updates
- Security scans + human review
- Itemized PDF report each review