What Went Wrong
Client's law firm website appeared normal when visited directly, but Google search results showed their pages with titles like 'Buy Cheap Viagra' and 'Online Pharmacy.' Their Google Search Console was flagged with a manual action for 'Hacked site — Injected content.'
The client's previous developer had looked at the source code and files and declared the site clean — he could not find any malware. But Google continued to flag the site, and their organic traffic had dropped 85% over 2 months.
What We Found
The malware was using cloaking, serving different content to Googlebot than to regular visitors. We requested the pages with curl using a Googlebot user agent string and immediately saw the injected pharmacy links in the HTML output.
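The check described above, as an added example (not the firm's own tooling): fetch a page once as a browser and once as a crawler, then report title changes and links that only the crawler version contains. The sample HTML and the spam.example host are constructed for the demonstration.

```python
"""Detect user-agent cloaking: compare the HTML served to a browser with the
HTML served to a crawler user agent. Sample documents below are constructed."""
import urllib.request
from html.parser import HTMLParser

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"


class LinkCollector(HTMLParser):
    """Collect the <title> text and every (href, anchor text) pair in a page."""
    def __init__(self):
        super().__init__()
        self.links, self.title = [], ""
        self._href, self._text, self._in_title = None, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
        elif tag == "title":
            self._in_title = True

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        if self._in_title:
            self.title += data

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
        elif tag == "title":
            self._in_title = False


def extract(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.title.strip(), set(parser.links)


def cloaking_report(browser_html, bot_html):
    """Title served to the crawler plus the links only the crawler sees."""
    b_title, b_links = extract(browser_html)
    g_title, g_links = extract(bot_html)
    return {"title_differs": b_title != g_title, "bot_title": g_title,
            "bot_only_links": sorted(g_links - b_links)}


def fetch(url, user_agent):
    """Fetch a URL as the given user agent (network; not used by the sample run)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample: the browser copy is clean, the crawler copy carries spam.
BROWSER_HTML = "<html><head><title>Smith &amp; Co. Law</title></head><body><a href='/about'>About</a></body></html>"
BOT_HTML = ("<html><head><title>Buy Cheap Viagra</title></head><body><a href='/about'>About</a>"
            "<a href='http://spam.example/pharma'>Online Pharmacy</a></body></html>")

if __name__ == "__main__":
    print(cloaking_report(BROWSER_HTML, BOT_HTML))
```

For a live check, call `fetch(url, BROWSER_UA)` and `fetch(url, GOOGLEBOT_UA)` and pass both results to `cloaking_report`; an empty `bot_only_links` with an unchanged title is the expected result on a clean site.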
We traced the injection to a backdoor in a nulled (pirated) premium plugin the previous developer had installed. The malware consisted of:
1. A base64-encoded PHP file disguised as wp-blog-header.php in a subdirectory
2. An eval() call injected into the active theme's functions.php that loaded the backdoor
3. A cron job registered via wp_schedule_event that re-downloaded the payload if removed
4. Modified .htaccess with conditional rewrite rules for search engine bots
The malware had been active for 3 months, much longer than the client realized.
How We Fixed It
1. Took the site offline temporarily (maintenance mode) to stop further Google indexing of spam content
2. Removed all four malware components — backdoor file, functions.php injection, scheduled cron, and .htaccess modifications
3. Removed the nulled plugin and replaced it with a legitimately licensed version
4. Scanned every PHP file against WordPress core checksums — found and replaced 3 modified core files
5. Reset all user passwords and regenerated WordPress salts
6. Installed and configured Wordfence with real-time file monitoring
7. Implemented PHP-FPM isolation with open_basedir to prevent lateral file access
8. Submitted a reconsideration request to Google with a detailed cleanup report
9. Set up automated file integrity monitoring via server cron
Outcome
Google lifted the manual action within 5 days of the reconsideration request. Organic traffic recovered to pre-infection levels within 3 weeks as Google re-crawled and re-indexed the clean pages.
The file integrity monitoring has since caught and blocked 2 subsequent attack attempts (automated vulnerability scanners) before any damage occurred.