MAHOJE

Hidden backdoor in WordPress site discovered after years

A company's website had an advanced backdoor hidden in a WPCode snippet for years. The malware could create admin users, redirect organic traffic to spam sites and actively hid itself from the WordPress dashboard. The site was running WordPress 6.0.2 without updates. Found, cleaned and secured in under 2 hours.

WordPress
Malware
Backdoor
SEO spam

Industry

Business

Services

  • Security
  • Malware removal
  • Hardening
  • Backup

Timeframe

2 hours

Problem

The client contacted me because their WordPress site was behaving strangely. Code analysis revealed an advanced backdoor hidden in a WPCode snippet. The site was running WordPress 6.0.2, and neither Core nor plugins had been updated in a long time. The backdoor had three functions:

  • Remote admin user creation via base64-encoded cookies, leaving no trace in server logs because cookie values are not written to ordinary access logs.
  • SEO spam/redirect attack: non-logged-in visitors and Google bots were redirected to spam and phishing sites via an external server, with IP throttling (once per 24 hours per IP) making it nearly impossible to detect manually.
  • Self-concealment: the malware hid the WPCode plugin from the plugin list, blocked update notifications and disabled all cache plugins (SiteGround, WP Rocket, W3TC, LiteSpeed, Autoptimize) so that the malicious output was always served live rather than from a cached copy.

Baseline (before)

WordPress Core

Before: 6.0.2 (outdated)
After: Latest version

Backdoor access

Before: Active (hidden admin creation)
After: Removed and blocked

SEO redirects

Before: Organic traffic sent to spam
After: 0 — all traffic clean

Hidden plugins

Before: WPCode hidden from dashboard
After: Full visibility restored

Actions

  • Complete backup of the entire site (files + database) as a safety net before changes.
  • Code analysis of the malicious snippet — identified backdoor, SEO redirect and self-concealment.
  • Removal of all malware code from WPCode snippets and wp_options (redirect URLs and domains).
  • Audit of wp_users for unauthorized admin accounts created via the backdoor.
  • Updated WordPress Core from 6.0.2 to latest version, plus all plugins and themes.
  • Removed unused and vulnerable plugins, including the compromised WPCode snippet.
  • Hardening: New passwords for all users, new security keys (salts), limited login attempts, firewall rules and tightened file permissions.
  • Set up automatic backup, malware scanning and file change monitoring.
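The code analysis, wp_options cleanup and wp_users audit above can be reproduced offline against a database export. The script below is an added example written for this write-up, not the tooling used on the engagement. It assumes WPCode stores snippets as posts of type `wpcode`, reads the administrator role from the serialized `wp_capabilities` meta value, and uses the cache-bypass constants `DONOTCACHEPAGE`, `DONOTROCKETOPTIMIZE` and `DONOTMINIFY` as indicators; every sample row (posts, users, options, the option name `zz_redirect_target`, the `.test` and `.invalid` hosts) is constructed for the demonstration, and the "malicious" snippet is a non-functional skeleton that only carries the traits the case study describes.

```python
"""Offline triage of a WordPress database export for the behaviours described above.

Added example, not the agency's tooling. Assumptions: WPCode snippets live in
wp_posts with post_type 'wpcode'; roles come from the serialized wp_capabilities
meta; all sample rows below are constructed and not taken from the real site.
"""
import re
from urllib.parse import urlparse

# Traits named in the case study: cookie-driven input, base64 decoding, privileged
# user creation, plugin hiding, update suppression, redirects, cache bypass.
INDICATORS = {
    "cookie_input": re.compile(r"\$_COOKIE\b"),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "admin_creation": re.compile(
        r"\b(wp_insert_user|wp_create_user)\s*\(|set_role\s*\(\s*['\"]administrator['\"]"),
    "plugin_hiding": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "update_blocking": re.compile(r"pre_site_transient_update_(plugins|themes|core)"),
    "redirect": re.compile(r"\bwp_redirect\s*\(|\bheader\s*\(\s*['\"]Location:", re.I),
    "cache_bypass": re.compile(r"DONOTCACHEPAGE|DONOTROCKETOPTIMIZE|DONOTMINIFY"),
}
# A legitimate snippet has no reason to hide plugins or silence update checks,
# so either of these flags a snippet on its own.
HARD_INDICATORS = {"plugin_hiding", "update_blocking"}


def indicator_hits(content):
    """Names of all indicators present in one snippet body, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(content)]


def triage_snippets(posts, post_type="wpcode"):
    """Flag snippets of the given post type that look like a backdoor.

    Flagged when a hard indicator is present or at least two indicators combine;
    a lone wp_redirect() is usually a legitimate rule (e.g. sending 404s home).
    """
    flagged = []
    for post_id, ptype, title, content in posts:
        if ptype != post_type:
            continue
        hits = indicator_hits(content)
        if HARD_INDICATORS & set(hits) or len(hits) >= 2:
            flagged.append({"id": post_id, "title": title, "indicators": hits})
    return flagged


def unexpected_admins(users, known_admins):
    """Logins holding the administrator capability that are not on the allow-list."""
    return sorted(login for _, login, _, caps in users
                  if '"administrator";b:1' in caps and login not in known_admins)


URL_RX = re.compile(r"https?://[^\s'\"<>)]+")


def foreign_hosts_in_options(options, own_host):
    """(option_name, host) pairs for URLs stored in wp_options that point off-site."""
    found = []
    for name, value in options:
        for url in URL_RX.findall(value):
            host = urlparse(url).hostname or ""
            if host and host != own_host:
                found.append((name, host))
    return found


# Constructed sample rows: (ID, post_type, post_title, post_content).
SAMPLE_POSTS = [
    (7, "wpcode", "Footer note",
     "add_action('wp_footer', function () { echo '<!-- footer note -->'; });"),
    (42, "wpcode", "Site helper",  # skeletal stand-in for the malicious snippet, not runnable
     "$c = $_COOKIE['s'] ?? '';\n"
     "if ($c !== '') { $p = base64_decode($c); /* ... */ wp_insert_user($p); }\n"
     "add_filter('all_plugins', 'hide_self');\n"
     "add_filter('pre_site_transient_update_plugins', '__return_null');\n"
     "if (!is_user_logged_in()) { wp_redirect($target); exit; }\n"
     "if (!defined('DONOTCACHEPAGE')) { define('DONOTCACHEPAGE', true); }"),
    (55, "wpcode", "404 to home",
     "add_action('template_redirect', function () { if (is_404()) { wp_redirect(home_url('/')); exit; } });"),
    (60, "page", "About", "Plain page content, never scanned as a snippet."),
]
# Constructed sample users: (ID, user_login, user_registered, wp_capabilities meta).
SAMPLE_USERS = [
    (1, "admin", "2019-03-01 10:00:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor1", "2021-06-14 09:30:00", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp-support", "2024-11-02 03:17:44", 'a:1:{s:13:"administrator";b:1;}'),
]
# Constructed sample options: (option_name, option_value); the last name is invented.
SAMPLE_OPTIONS = [
    ("siteurl", "https://client-site.test"),
    ("home", "https://client-site.test"),
    ("zz_redirect_target", "https://cdn.spam-host.invalid/go?x=1"),
]

if __name__ == "__main__":
    for f in triage_snippets(SAMPLE_POSTS):
        print(f"snippet {f['id']} ({f['title']}): {', '.join(f['indicators'])}")
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"admin"}))
    print("off-site URLs in wp_options:",
          foreign_hosts_in_options(SAMPLE_OPTIONS, "client-site.test"))
```

On a real export, feed the script the rows from `wp_posts`, `wp_users` joined with `wp_usermeta`, and `wp_options`; the allow-list of known administrators must come from the client, since the whole point of the audit is that the database itself can no longer be trusted to say who belongs.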

Results

  • The site was fully cleaned and functional in under 2 hours.
  • Backdoor removed — no possibility for remote admin user creation.
  • SEO traffic now goes to the actual site — not spam/phishing pages.
  • All cache plugins working again after the malware had systematically disabled them.
  • Automatic monitoring set up to catch similar attacks immediately.

What we learned

  • Advanced malware actively hides itself: This backdoor concealed its own plugin from the dashboard and blocked updates — so the owner would never discover it.
  • IP throttling makes malware nearly invisible: Redirects only once per 24 hours per IP means manual checks rarely reveal the problem.
  • Outdated WordPress installations are an open door: Jumping from 6.0.2 to latest closed multiple known vulnerabilities.
  • Cache deactivation is a red flag: If all cache plugins suddenly stop working, investigate whether malware is actively blocking them.

Ready for a website that works?

Book 15 min and let's figure out what creates the most value for you.

Website check