How can you tell if your site has really been hacked?

Before reinstalling everything, identify the symptoms. A slow or misconfigured website can resemble an infected site. Here are the telltale signs:

  • Redirects to unknown websites — Upon clicking, your visitors land on phishing pages or fake antivirus software.
  • Google Search Console displays "Deceptive site"" — Google has detected malicious content and blacklisted your domain
  • Your hosting provider has suspended the account — Infomaniak or OVH send an alert with suspicious file names
  • New administrator users have appeared. in WordPress without you having created them
  • Unknown PHP files are lying around in wp-content/uploads/, wp-includes/ or at the root
  • The HTML source contains hidden links. to third-party sites (at the bottom of the page, in display:none style tags)
""In April 2026, 21 MogaCode customer sites were infected overnight via nullified plugins. Patrick Rary diagnosed and cleaned everything up in less than 12 hours. The attack vector: a unique backdoor encoded in each hacked plugin.""

Step 1 — Isolate and diagnose

Do not touch anything until you have a clear picture of the infection. Acting blindly risks concealing traces and leaving active backdoors.

1
Put the site into maintenance mode — activate a maintenance plugin or add a .htaccess file to block public access during cleanup.
2
Export a complete dump — Even if infected, keep a copy. Don't delete anything without a backup.
3
Run a scan with Wordfence or MalCare — These plugins compare your WordPress core files with the official originals and flag each difference.
4
Search for recently modified files — via SSH: find . -name "*.php" -newer wp-config.php -not -path "*/uploads/*""

Step 2 — DIY Cleanup (if you have SSH access)

Remove malicious files

Backdoors are often hidden in files with innocuous names: wp-includes/class-wp-clean.php, wp-content/uploads/2025/cache.php or PHP files in wp-content/uploads (uploads should never contain PHP).

find wp-content/uploads -name "*.php" -delete find wp-includes -name "*.php" | xargs grep -l "eval(base64_decode" | xargs rm grep -r "cAT3VWynuiL7CRgr" . --include="*.php" -l

Reinstall the core files

Never trust the core files of an infected site. Download a fresh WordPress installation and replace all core files (everything except wp-content/ and wp-config.php).

Change all passwords

  • WordPress password for each administrator
  • Database password (in wp-config.php)
  • FTP/SFTP password for the hosting
  • WordPress security keys (AUTH_KEY, SECURE_AUTH_KEY, etc.) — regenerate them at api.wordpress.org/secret-key/1.1/salt/

When should you call a professional?

If you encounter any of these issues, don't waste any more time trying to clean it yourself:

  • The infection recurs after cleaning (persistent backdoor or compromised admin account)
  • Google has blacklisted your domain (partial or total deindexing)
  • You do not have SSH access or the file permissions have been changed.
  • You have an e-commerce website with customer data (GDPR risk)
  • Your hosting provider refuses to reactivate the account without validation.

Is your website infected?

MogaCode handles complete cleanup, hardening, and the implementation of active monitoring. Rapid response — typically within 24 hours.

Request an intervention

Step 3 — Post-cleaning hardening

A cleaned but unhardened site will be reinfected. That's a certainty. Here are the essential measures:

Secure wp-config.php

# In .htaccess, block direct access to wp-config.php order allow,deny deny from all # Move wp-config.php one level above the web root. # WordPress will find it automatically.

File permissions are correct.

find . -type d -exec chmod 755 {} \; find . -type f -exec chmod 644 {} \; chmod 600 wp-config.php

Enable two-factor authentication

The "WP 2FA" or "Google Authenticator" plugin for WordPress adds a TOTP (Token of Validation) to the login page. This is the most effective measure against brute-force attacks on /wp-admin.

Implementing a WAF

A Web Application Firewall (Wordfence Premium, Cloudflare WAF) blocks attacks before they even reach WordPress. On our Infomaniak servers, we systematically activate Wordfence with a geo-blocking rule targeting countries with high automated scanning activity.

Never use useless plugins

This is the most painful lesson. In April 2026, 21 of our clients' websites were infected overnight via pirated versions of Elementor Pro, Ultimate Elementor, and RevSlider. These plugins all contained the same signature: cAT3VWynuiL7CRgr. A clean, discreet backdoor, already in place for weeks before activation.

WordPress Hardening Checklist

  • WordPress updates, themes and plugins — without exception
  • Removal of inactive themes and plugins
  • Limitation of login attempts (Limit Login Attempts)
  • 2FA authentication on all admin accounts
  • Weekly automatic security scan (Wordfence)
  • Automatic daily off-server backups
  • HTTPS enabled with HSTS
  • HTTP security headers (X-Frame-Options, CSP, X-Content-Type-Options)
  • Hiding the WordPress version (in the meta tags and RSS feed)
  • Disable xmlrpc.php if not used
P

Patrick Rary

Founder of MogaCode — Forensic IT expert with 30 years of IT experience. Has cleaned over 80 infected WordPress sites since 2020.