21 infected sites
14 backdoors identified
12 hours to clean everything
0 clients reported an incident

The Discovery — 2 a.m.

It all starts with a Wordfence alert on a first site. An unknown PHP file has just been modified in wp-content/plugins/. Upon opening the file, the signature is immediate: an obfuscated block of code with a recurring string — cAT3VWynuiL7CRgr.

By cross-referencing this signature across other sites belonging to the same Infomaniak account, the conclusion is undeniable: 21 out of 21 sites contain the same pattern. The infection is systematic, methodical, and dates back several weeks.

The attack vector — nulled plugins

The investigation quickly traced the problem back to its source. The plugins in question are all "nulled" (cracked) versions of premium WordPress plugins:

  • Elementor Pro — nulled version, downloaded from an unofficial repository
  • Ultimate Elementor (EU) — same origin
  • RevSlider — backdoor included in the activation code

A nulled plugin is never free. The "price" you pay is a persistent backdoor waiting for instructions. The attacker activates the payload when they decide—not during installation.

In our case, the backdoor had been dormant for weeks. Activation occurred simultaneously on all sites on the same evening, likely via an automated request to each compromised installation.

Cleanup operation — the night of April 22

02:15 — Detection

First Wordfence alert. Identification of the signature cAT3VWynuiL7CRgr on the first site. Scan launched on all sites of the account.

02:40 — Mapping

21 confirmed infected sites. SSH connection to the Infomaniak server. Recursive grep on the entire account to list all compromised files.

03:00 — Isolation

The most critical sites (e-commerce, contact forms) are put into maintenance mode. No customer will be told of an incident — the cleanup must be seamless.

03:30 — Serial cleanup

Systematic removal of each backdoor. On some sites, up to 3 separate infected files. On the CRM (crm.coden.lu), 14 individual backdoors and a 485 MB archive of exfiltrated data were found.

05:00 — Reinstalling cores

Replacement of all WordPress core files on all 21 sites. Removal of all nulled plugins. Installation of official versions.

08:00 — Hardening

Rotate all passwords (WP, database, FTP). Regenerate WordPress security keys. Activate Wordfence Premium on all sites. Review file permissions.

14:00 — Production resumed

All 21 sites have been cleaned, hardened, and brought back online. No customer data was lost. The longest service interruption was 4 hours at a single site.

The CRM case — the most critical

Our internal CRM (Perfex, hosted by Infomaniak) was the most severely affected site. 14 individual backdoors had been deployed, and a 485 MB archive was being exfiltrated to an external server at the time of detection.

The exfiltration was interrupted before completion. Analysis of the contents of the (partially recovered) archive shows that it mainly contained database exports and configuration files.

All credentials were immediately invalidated and regenerated. Customers were proactively notified of the access reset via WhatsApp—without mentioning the incident, through a planned maintenance communication.

What we found in the infected files

Three recurring patterns in backdoors:

  • Eval + base64_decode — execution of remote code encoded in base64, almost invisible in a large PHP file
  • Remote Shell — SSH-like access from a browser, allowing the execution of system commands
  • Cache file uploader — a POST form accepting any file, disguised as a real plugin script
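The recursive grep run over the account during the mapping phase, and the three patterns listed above, can be turned into a single read-only scan. The script below is an added example, not MogaCode's own tooling: it walks a WordPress tree, flags PHP files carrying the campaign marker string cAT3VWynuiL7CRgr or one of the three indicator patterns, and prints one "file:indicator" line per hit. The regexes and the sample tree it builds are constructed for illustration; the "infected" sample files are harmless text that only mimics the indicators, and nothing is modified or deleted (triage stays a human decision).

```shell
#!/bin/sh
# Added example (not MogaCode's tooling): read-only indicator scan over a
# WordPress tree. Assumptions: marker string from the write-up; regexes and
# the constructed sample tree below are illustrative, not an exhaustive ruleset.

MARKER='cAT3VWynuiL7CRgr'

# Print "path:indicator" for every PHP file under $1 matching an indicator.
scan_backdoors() {
    root="$1"
    find "$root" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        # Campaign marker seen in every infected file on the account
        if grep -qF "$MARKER" "$f"; then
            printf '%s:%s\n' "$f" marker
        fi
        # Pattern 1: eval + base64_decode, remote code hidden in an encoded string
        if grep -qE 'eval[[:space:]]*\(.{0,60}base64_decode' "$f"; then
            printf '%s:%s\n' "$f" eval_base64
        fi
        # Pattern 2: remote shell, a system command fed straight from request data
        if grep -qE '(system|shell_exec|passthru|exec|popen)[[:space:]]*\([^)]*\$_(GET|POST|REQUEST|COOKIE)' "$f"; then
            printf '%s:%s\n' "$f" remote_shell
        fi
        # Pattern 3: file uploader, arbitrary upload handling outside WP media APIs
        if grep -qE 'move_uploaded_file[[:space:]]*\([^)]*\$_FILES' "$f"; then
            printf '%s:%s\n' "$f" uploader
        fi
    done
}

# Number of distinct flagged files, handy as a one-line summary per site.
count_flagged() {
    scan_backdoors "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Constructed sample tree so the scan runs offline: one clean plugin file,
# one marker+eval file, one shell-like file, one uploader dropped in uploads/.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/legit" "$root/wp-content/plugins/nulled-pro" "$root/wp-content/uploads/2026/04"
    printf '<?php\nadd_action("init", "legit_init");\nfunction legit_init() { return true; }\n' > "$root/wp-content/plugins/legit/legit.php"
    printf '<?php\n/* cAT3VWynuiL7CRgr */\neval(base64_decode("aGVsbG8="));\n' > "$root/wp-content/plugins/nulled-pro/functions.php"
    printf '<?php\nif (isset($_POST["c"])) { system($_POST["c"]); }\n' > "$root/wp-content/plugins/nulled-pro/shell.php"
    printf '<?php\nmove_uploaded_file($_FILES["f"]["tmp_name"], __DIR__ . "/" . $_FILES["f"]["name"]);\n' > "$root/wp-content/uploads/2026/04/cache.php"
    printf '%s\n' "$root"
}
```

Usage on a real account is `scan_backdoors /path/to/account | sort`, then review each hit by hand: legitimate plugins occasionally use base64_decode or move_uploaded_file, so a match is a lead, not a verdict.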

Are you using nulled plugins?

Have your installation audited now. A backdoor can be present for months without any visible symptoms.

The lessons — what we have changed

1. Zero tolerance for nulled plugins

This is the most obvious lesson, yet the most ignored. A premium plugin costs €50 to €200 per year. An infection of this type costs dozens of hours of work, poses GDPR risks, and potentially damages your customers' trust. The math doesn't add up.

2. Active monitoring at each site

Before this incident, Wordfence was installed on some sites but not all. Since then, every MogaCode site has Wordfence Premium active with daily scans and immediate alerts in case of file modifications.

3. Separation of hosting accounts

Having 21 sites on the same Infomaniak account is convenient for management—but disastrous in case of infection. We have since migrated some sites to isolated accounts. A compromise on one account must no longer be able to infect neighboring accounts.

4. Daily off-server backup

Infomaniak backups exist but remain on the same server. We have implemented automatic daily backups to independent S3 storage. If the server is compromised, the backups are not.

5. Periodic rotation of security keys and passwords

We've adopted a quarterly rotation of WordPress security keys and database passwords across all managed sites. This isn't industry standard—but after tonight, it's our standard.

Post-incident checklist — what we now check at each site

  • All plugins come from the official WordPress.org repository or the publisher's website — never from a third-party source
  • Wordfence Premium active with daily scan and email alerts + WhatsApp
  • No unknown administrator accounts in the WP user list
  • No PHP files in wp-content/uploads/
  • WordPress security keys regenerated within the last 6 months
  • Database password different from FTP password, different from WP password
  • Off-server backup tested and restorable
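Three of the checklist items above (no PHP in uploads, security keys actually regenerated, file permissions reviewed) can be verified mechanically on each site. The script below is an added example, not MogaCode's checklist tooling: it assumes a standard WordPress layout (wp-config.php at the root, wp-content/uploads/), treats a security key as weak when it still carries the installer placeholder "put your unique phrase here" or is shorter than 32 characters, and lists world-writable files. The sample site it builds is constructed so the checks run offline.

```shell
#!/bin/sh
# Added example (not MogaCode's tooling): automated post-incident checks for a
# WordPress root. Assumptions: standard layout; the 32-character threshold is
# a chosen heuristic; the sample site below is constructed.

# Checklist: no PHP files in wp-content/uploads/. Prints offenders.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Checklist: security keys regenerated. Prints each key that is missing,
# still the installer placeholder, or shorter than 32 characters.
weak_security_keys() {
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "define[[:space:]]*\([[:space:]]*'$k'" "$1/wp-config.php" 2>/dev/null | head -n 1)
        value=$(printf '%s\n' "$line" | sed -n "s/.*'$k'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p")
        case "$value" in
            *"put your unique phrase here"*) printf '%s\n' "$k" ;;
            *) [ "${#value}" -ge 32 ] || printf '%s\n' "$k" ;;
        esac
    done
}

# Checklist: file permissions reviewed. Lists world-writable files (mode o+w).
world_writable() {
    find "$1" -type f -perm -002 2>/dev/null
}

# Runs all three checks, prints findings, returns non-zero if any were found
# (so it can gate a cron job). Paths containing spaces are split; keep
# site roots space-free or adapt the loops.
audit_site() {
    n=0
    for f in $(php_in_uploads "$1"); do printf 'PHP in uploads: %s\n' "$f"; n=$((n + 1)); done
    for k in $(weak_security_keys "$1"); do printf 'weak security key: %s\n' "$k"; n=$((n + 1)); done
    for f in $(world_writable "$1"); do printf 'world-writable: %s\n' "$f"; n=$((n + 1)); done
    printf '%d finding(s)\n' "$n"
    [ "$n" -eq 0 ]
}

# Constructed sample site: placeholder AUTH_KEY, too-short SECURE_AUTH_KEY,
# six acceptable keys, one PHP file in uploads, one world-writable file.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads/2026/04"
    cat > "$site/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'abc');
define('LOGGED_IN_KEY',    '0123456789abcdef0123456789abcdef01234567');
define('NONCE_KEY',        '0123456789abcdef0123456789abcdef01234567');
define('AUTH_SALT',        '0123456789abcdef0123456789abcdef01234567');
define('SECURE_AUTH_SALT', '0123456789abcdef0123456789abcdef01234567');
define('LOGGED_IN_SALT',   '0123456789abcdef0123456789abcdef01234567');
define('NONCE_SALT',       '0123456789abcdef0123456789abcdef01234567');
EOF
    printf '<?php echo 1;\n' > "$site/wp-content/uploads/2026/04/cache.php"
    printf 'x\n' > "$site/wp-content/loose.txt"
    chmod 666 "$site/wp-content/loose.txt"
    printf '%s\n' "$site"
}
```

Run `audit_site /path/to/site` from cron and alert on a non-zero exit; a clean site prints "0 finding(s)".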

Patrick Rary

Founder of MogaCode — Forensic IT expert. The night of April 22, 2026 led MogaCode to completely review its security standards for all its managed sites.