Key Takeaways
- Subtle SEO errors are often the first—and only—sign that a client’s website has been compromised.
- During our investigation, we found the attackers had created a hidden administrator account named “Bot” to maintain persistent access.
- We traced the entry point to a compromised password combined with a critical vulnerability in a popular, outdated premium plugin.
- The malware used a sophisticated “cloaking” technique, showing a spam page to human visitors while appearing normal to Google.
- A successful recovery requires a methodical process: patching the entry point, performing a deep file scan, auditing all user accounts, and a full credential reset.
A local business owner recently approached our team with a perplexing issue. Their WordPress website appeared perfectly normal to them, but their SEO reports were in chaos.
Google’s testing tools were showing a completely different site—a Japanese e-commerce page. This was the first thread our team pulled in an investigation that unraveled a sophisticated, multi-layered cyberattack.
This is a real-world case study of how we diagnosed the hack, dismantled the malware piece by piece, and restored our client’s website. It’s a detailed look at how modern attacks operate and a guide for what to do if you find your site in a similar situation.
What Was the First Sign of the Compromise?
The only initial symptom was a technical error that only an SEO or developer tool could detect.
The client’s homepage looked fine, but when our team ran the site through Google’s Rich Results Test, the preview was not their content. This immediately raised a red flag. We opened the browser’s developer console and confirmed the presence of JavaScript errors trying to load scripts from an unknown, suspicious domain.
This discovery is a critical lesson: a modern website hack isn’t always a defaced homepage with a big “You’ve been hacked” message.
Often, the attack is silent, designed to hijack your site’s authority without you ever noticing.
How Was the Malicious Code Discovered?
Our team found the infection hidden in a block of intentionally scrambled code at the top of a core WordPress file.
Knowing the site’s code was compromised, our next step was a full file system audit.
We began with index.php, the primary file that loads the entire WordPress framework. At the bottom, the code was standard, but at the very top, we found a dense, unreadable block of PHP.
This technique is known as obfuscation. The code was intentionally written to be confusing, using commands like goto to jump all over the file and hiding plain text inside coded strings. It was like a secret message only the attacker could easily read, designed to evade detection and analysis.
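The indicators described above (goto-based control flow, decoded strings, code sitting ahead of the normal WordPress header) can be turned into a file check that surfaces the same kind of block the team found by hand. The following is an added example written for this page, not the agency's own tooling; the clean and infected index.php contents it scans are constructed fixtures, and the infected one carries only a harmless placeholder string so that it demonstrates the shape of the injection without any working payload.

```python
"""Flag PHP files that carry an injected, obfuscated block ahead of the
normal WordPress code. Added example; file contents below are constructed."""
import os
import re
from collections import Counter

# A pristine WordPress index.php opens with this docblock right after <?php.
WP_INDEX_HEADER = "/**\n * Front to the WordPress application."

# Indicators of the obfuscation style described in the case study.
INDICATORS = {
    "goto": re.compile(r"\bgoto\s+[A-Za-z_]\w*\s*;"),
    "eval": re.compile(r"\beval\s*\("),
    "decode": re.compile(r"\b(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
    "hex_escape": re.compile(r"(\\x[0-9A-Fa-f]{2}){4,}"),
    "chr_concat": re.compile(r"(chr\(\d+\)\s*\.\s*){3,}"),
}


def scan_php(contents: str) -> dict:
    """Count indicators and detect code injected before the WordPress header."""
    counts = Counter({name: len(p.findall(contents)) for name, p in INDICATORS.items()})
    header_at = contents.find(WP_INDEX_HEADER)
    injected_prefix = False
    if header_at >= 0:
        # Only the opening <?php tag should precede the docblock; anything else was injected.
        prefix = re.sub(r"^\s*<\?php\s*", "", contents[:header_at])
        injected_prefix = bool(prefix.strip())
    return {"counts": dict(counts), "injected_prefix": injected_prefix,
            "has_wp_header": header_at >= 0}


def is_suspicious(contents: str) -> bool:
    """Conservative rule: foreign code ahead of the header, or goto combined with eval/decode."""
    report = scan_php(contents)
    c = report["counts"]
    return report["injected_prefix"] or (c["goto"] > 0 and (c["eval"] + c["decode"]) > 0)


def scan_tree(root: str):
    """Yield (path, report) for every .php file under root that trips the rule."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as f:
                    contents = f.read()
            except OSError:
                continue
            if is_suspicious(contents):
                yield path, scan_php(contents)


# Constructed fixture: what a stock index.php looks like.
CLEAN_INDEX = """<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

# Constructed fixture: the same file with a goto-scrambled block prepended.
# The encoded string is just the word "placeholder"; there is no real payload.
INFECTED_INDEX = """<?php
goto xQ1;
yR2:
$d = base64_decode("cGxhY2Vob2xkZXI=");
eval($d);
xQ1:
goto yR2;
""" + CLEAN_INDEX[len("<?php\n"):]

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else None
    if root:
        for path, report in scan_tree(root):
            print(path, report)
    else:
        print("clean:", scan_php(CLEAN_INDEX))
        print("infected:", scan_php(INFECTED_INDEX))
```

Run it with the site root as the only argument to list every PHP file that trips the rule; the same backdoor the team later found duplicated in theme and plugin files would show up here as files with a `goto` count alongside `eval` or a decode call, even where no WordPress header exists to compare against.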
What Was the Malware’s Purpose?
The script was a “cloaking” backdoor designed to hijack the client’s website traffic for a massive SEO spam campaign.
After de-obfuscating the code, our team determined its two primary functions:
- It acted as a gatekeeper. The script would analyze every visitor to the site. If it detected a search engine crawler like Googlebot, it would allow WordPress to load normally. This deception kept the site’s search rankings intact.
- It served a fake page. If the visitor was a real person, the script would contact a remote server controlled by the attacker and display the fake Japanese spam page instead of the client’s actual content.
This “cloaking” allowed the attackers to leverage the client’s established domain authority to promote their own spam content, all while hiding the evidence from Google.
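A cloaking backdoor of this kind is detectable from the outside by requesting the same URL as a crawler and as a browser and comparing what comes back, together with listing the script hosts the page loads (the unknown domain in the developer console was the first clue in this case). The following is an added example, not code from the original post; the two HTML responses are constructed, the hostnames are placeholders, and the live-fetch helper is only used when a URL is passed on the command line.

```python
"""Compare crawler and browser views of a page and list unexpected script hosts.
Added example; the HTML below is constructed and the hosts are placeholders."""
import difflib
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"


class _Extractor(HTMLParser):
    """Collect script src attributes and the visible text of a page."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.text, self._skip = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._skip = True
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)
        elif tag == "style":
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())


def extract(html: str) -> _Extractor:
    parser = _Extractor()
    parser.feed(html)
    return parser


def _host(src: str):
    if src.startswith("//"):
        src = "https:" + src
    return urlparse(src).hostname  # None for same-origin relative paths


def foreign_script_hosts(html: str, allowed_hosts) -> list:
    """Hosts the page loads scripts from that are not on the allowlist."""
    hosts = {h for h in (_host(s) for s in extract(html).script_srcs) if h and h not in allowed_hosts}
    return sorted(hosts)


def visible_text_similarity(html_a: str, html_b: str) -> float:
    a, b = " ".join(extract(html_a).text), " ".join(extract(html_b).text)
    return difflib.SequenceMatcher(None, a, b).ratio()


def looks_cloaked(crawler_html: str, human_html: str, threshold: float = 0.5) -> bool:
    """True when the two user agents receive substantially different content."""
    return visible_text_similarity(crawler_html, human_html) < threshold


def fetch_as(url: str, user_agent: str, timeout: int = 15) -> str:
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed: hosts the client's site legitimately loads scripts from.
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdn.example.net"}

# Constructed: the client's real page.
CRAWLER_VIEW = """<html><head><title>Smith and Sons Plumbing</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.net/analytics.js"></script></head>
<body><h1>Smith and Sons Plumbing</h1><p>Serving the city since 1985. Emergency repairs,
water heaters, drain cleaning. Call us for a free estimate.</p></body></html>"""

# Constructed: the spam page served to browsers, loading a script from a placeholder host.
HUMAN_VIEW = """<html><head><title>激安ブランド通販</title>
<script src="https://js.attacker-placeholder.invalid/loader.js"></script></head>
<body><h1>激安ブランド通販 新作バッグ 財布 送料無料</h1><ul><li>バッグ 9,800円</li>
<li>財布 5,400円</li><li>時計 12,000円</li></ul></body></html>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        url, allowed = sys.argv[1], set(sys.argv[2].split(","))
        bot, human = fetch_as(url, GOOGLEBOT_UA), fetch_as(url, BROWSER_UA)
        print("cloaked:", looks_cloaked(bot, human))
        print("foreign script hosts in browser view:", foreign_script_hosts(human, allowed))
    else:
        print("cloaked (constructed sample):", looks_cloaked(CRAWLER_VIEW, HUMAN_VIEW))
        print("foreign hosts:", foreign_script_hosts(HUMAN_VIEW, ALLOWED_HOSTS))
```

Usage against a live site is `python cloak_check.py https://www.example.com example.com,www.example.com,cdn.example.net`. A user-agent-only comparison can miss cloakers that key on crawler IP ranges rather than the header, which is one reason Google's own testing tools (rendering from Google infrastructure) and a normal browser are worth comparing as well.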
How Did the Attackers Breach the Website?
Our investigation revealed a multi-stage attack that started with a hidden administrator account and a vulnerability in a popular premium plugin.
The client had a security plugin, so how did the attackers get in? They didn’t break through the firewall; they used a key to walk through the front door.
- The Hidden User: The first thing our team looked for was unauthorized access. Buried in the WordPress user list was a new administrator account we knew the client didn’t create. Its name was simply “Bot,” with a generic email like “bot@localhost.com.” This was the attacker’s hidden key.
- Exploiting a Plugin: Once logged in as this fake “Bot” user, the attacker exploited a known vulnerability in an outdated premium SEO plugin the client was using. This plugin had a legitimate feature to import settings from a file.
- The Malicious Upload: The attacker created a special settings file that appeared normal but contained a hidden malicious payload (a PHP Object Injection). When they used the plugin’s import feature to upload this file, the website unknowingly executed the hidden code.
This action gave the attacker the ability to write files anywhere on the server. Their first move was to inject the backdoor script into index.php, giving them permanent control. Because the attack was performed by a “trusted” logged-in administrator, the firewall didn’t stop it.
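Two defender-side checks follow directly from the breach chain above: the administrator list can be audited against the accounts the owner actually created (a stray account with a placeholder address such as the “Bot” user stands out immediately), and a plugin's settings-import path can refuse any upload whose serialized contents carry PHP objects, which is what a PHP Object Injection payload needs. This is an added example, not the agency's or the plugin's code; the user records, the approved-admin list and both import files are constructed, and the tampered file uses only stdClass as a marker rather than any real gadget.

```python
"""Audit WordPress administrators and screen a settings-import file for
serialized PHP objects. Added example; all records below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class WPUser:
    id: int
    login: str
    email: str
    registered: str  # as in wp_users.user_registered
    roles: tuple


# Constructed: logins the client confirms their team created.
KNOWN_ADMINS = {"owner", "webdev-agency"}
# Domains that never belong on a real account.
PLACEHOLDER_DOMAINS = ("localhost", "localhost.com", "example.com")


def audit_admins(users, known_logins=KNOWN_ADMINS):
    """Return (login, reasons) for every administrator that needs a human decision."""
    findings = []
    for u in users:
        if "administrator" not in u.roles:
            continue
        reasons = []
        if u.login not in known_logins:
            reasons.append("not on the approved admin list")
        domain = u.email.rsplit("@", 1)[-1].lower()
        if domain in PLACEHOLDER_DOMAINS:
            reasons.append(f"placeholder email domain {domain}")
        if reasons:
            findings.append((u.login, reasons))
    return findings


# PHP's serialize() writes objects as O:<len>:"<class>":<n>:{...} and custom
# Serializable classes as C:<len>:"<class>":<n>:{...}. A settings export of
# plain arrays, strings, ints and bools never contains either token.
PHP_OBJECT_TOKEN = re.compile(r'(?<!\w)[OC]:\d+:"[^"]+":\d+:\{')


def import_file_is_safe(contents: str) -> bool:
    """Reject serialized data that would instantiate classes on unserialize()."""
    return PHP_OBJECT_TOKEN.search(contents) is None


# Constructed user table, roughly what `wp user list` would print.
USERS = [
    WPUser(1, "owner", "owner@smithplumbing.example", "2019-03-02", ("administrator",)),
    WPUser(2, "webdev-agency", "dev@agency.example", "2021-07-14", ("administrator",)),
    WPUser(3, "editor-jane", "jane@smithplumbing.example", "2022-01-09", ("editor",)),
    WPUser(7, "Bot", "bot@localhost.com", "2024-05-30", ("administrator",)),
]

# Constructed import files: a legitimate array export and one carrying an object.
CLEAN_IMPORT = 'a:2:{s:10:"site_title";s:14:"Smith Plumbing";s:7:"noindex";b:0;}'
TAMPERED_IMPORT = ('a:2:{s:10:"site_title";s:14:"Smith Plumbing";'
                   's:6:"extras";O:8:"stdClass":1:{s:4:"path";s:9:"index.php";}}')

if __name__ == "__main__":
    for login, reasons in audit_admins(USERS):
        print(f"review admin {login!r}: {'; '.join(reasons)}")
    for label, data in (("clean", CLEAN_IMPORT), ("tampered", TAMPERED_IMPORT)):
        print(label, "import safe:", import_file_is_safe(data))
```

On a live site the user records come from `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` or from the Users screen. The import check is the Python form of the rule a plugin should apply before it ever calls `unserialize()` on an uploaded file; in PHP the equivalent is passing `['allowed_classes' => false]` to `unserialize()` or using JSON for the export format instead.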
What Was the Step-by-Step Recovery Process?
Our team executed a multi-phase recovery plan to eradicate the malware, patch the entry point, and harden the website against future attacks.
- Lockout: Our first action was to delete the unauthorized “Bot” administrator account, immediately locking the attacker out of the dashboard.
- Patching: We updated the vulnerable SEO plugin to the latest, patched version to close the security hole.
- File System Sanitization: We manually deleted the infected index.php and .htaccess files, replacing them with pristine copies from a fresh WordPress download.
- Deep Scanning: We then installed a robust security scanner and ran a site-wide scan. The scan located several other copies of the same backdoor hidden in other theme and plugin files, which we then removed.
- Credential Reset: We reset the passwords for all remaining administrator accounts, generated new WordPress security salts in the wp-config.php file, and guided the client on changing their database password through their hosting panel.
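The credential-reset step is the one most often done incompletely: passwords get changed, but the eight keys and salts in wp-config.php stay as they were, so any authentication cookie the attacker already holds remains valid. The following is an added example, not the agency's script; it rewrites the `AUTH_KEY` through `NONCE_SALT` defines in place, appends any that are missing, and the wp-config.php contents it is tested against are constructed.

```python
"""Rotate the WordPress keys and salts in wp-config.php so existing login
cookies stop validating. Added example; the config text below is constructed."""
import os
import re
import secrets
import string

SALT_CONSTANTS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                  "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Letters, digits and punctuation, minus quotes and backslash so the value
# can sit inside a single-quoted PHP string without escaping.
_ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in "'\"\\")

# Matches one define( 'NAME', 'value' ); line, quotes in either style.
_DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*\)\s*;""")

STOP_MARKER = "/* That's all, stop editing!"


def new_salt(length: int = 64) -> str:
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def salts_in(config_text: str) -> dict:
    """Map each salt constant present in the file to its current value."""
    return {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(config_text)
            if m.group("name") in SALT_CONSTANTS}


def rotate_salts(config_text: str) -> str:
    """Replace every salt define with a fresh value; add any that are missing."""
    fresh = {name: new_salt() for name in SALT_CONSTANTS}
    seen = set()

    def repl(m):
        name = m.group("name")
        if name not in fresh:
            return m.group(0)  # leave DB_NAME, DB_PASSWORD and friends untouched
        seen.add(name)
        return f"define( '{name}', '{fresh[name]}' );"

    out = _DEFINE_RE.sub(repl, config_text)
    missing = [n for n in SALT_CONSTANTS if n not in seen]
    if missing:
        block = "\n".join(f"define( '{n}', '{fresh[n]}' );" for n in missing) + "\n\n"
        idx = out.find(STOP_MARKER)
        # Keep new defines above WordPress's "stop editing" marker when it exists.
        out = out[:idx] + block + out[idx:] if idx >= 0 else out.rstrip("\n") + "\n\n" + block
    return out


def rotate_file(path: str) -> None:
    """Rewrite wp-config.php atomically so a crash cannot leave a truncated file."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    tmp = path + ".rotating"
    with open(tmp, "w", encoding="utf-8") as f:
        f.write(rotate_salts(text))
    os.replace(tmp, path)


# Constructed wp-config.php: seven salts set to the sample placeholder, NONCE_SALT missing.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_PASSWORD', 'constructed-old-db-password' );

define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );

$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        rotate_file(sys.argv[1])
        print("rotated salts in", sys.argv[1])
    else:
        print(rotate_salts(SAMPLE_CONFIG))
```

Rotating the salts logs every user out, including the attacker, which is why it belongs in the same step as the password reset; the database password change still has to be made in the hosting panel and mirrored in `DB_PASSWORD`, which this script deliberately leaves alone.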
A Hacked Site is More Than a Technical Problem
Navigating the technical cleanup of a website hack is overwhelming, but the damage to your brand’s reputation and customer trust can be even more severe.
As a PR Agency, our expertise lies at the intersection of technology and communication.
Frequently Asked Questions About WordPress SEO Cloaking
What are the first signs of a WordPress hack?
First signs are often subtle technical issues, like errors in Google’s tools, strange browser console messages, or a sudden performance drop, rather than a visible defacement of the homepage.
How do you check for fake admin users in WordPress?
Go to the “Users” section in the WordPress dashboard. Carefully review the list of all users, especially those with the “Administrator” role. We recommend deleting any user that you or your team did not explicitly create.
Can a website be hacked even with a security plugin?
Yes. A security plugin’s firewall is excellent at blocking external attacks, but it can be bypassed if an attacker logs in with a stolen or newly created administrator password, as they are then considered a “trusted” user.
How do you clean a hacked WordPress file?
Never try to edit the malicious code. The safest professional method is to delete the infected file entirely and replace it with a fresh, original copy from an official source, such as a WordPress.org download.
What is code “obfuscation”?
It’s the process of deliberately making code unreadable and confusing. Attackers use it to hide their malware’s purpose and make it harder for website owners and basic scanners to find and remove it.
Why is updating plugins so important for security?
Plugin updates frequently contain critical patches for security vulnerabilities. In this client’s case, a single outdated premium plugin was the key that allowed the attacker to take full control of the server after they logged in.