I got an emergency call a few weeks back. A new client’s site was redirecting to some shady online pharma store. They’d been fighting it for days. They’d run the usual malware scans, deleted suspicious files, even restored a backup. But two hours later, the hack was always back. Total nightmare. They were convinced it was a sophisticated server-level attack. It rarely is.
This kind of thing is where WordPress security stops being theoretical. My first sweep found the obvious stuff—some nasty base64-encoded junk in wp-content. I cleaned it out, the site came back, and I told the client to keep an eye on it. An hour later, my phone rings. It’s back. Here’s the kicker: the malware was just the symptom. The real problem was the open backdoor the attacker was using to get back in, and my initial cleanup hadn’t closed it.
Real WordPress Security Is About Closing Doors
Everyone’s focused on scanning and cleaning, but that’s like mopping the floor while a pipe is still leaking. The only thing that matters is finding the entry point—the attack vector. In this client’s case, it was a plugin for generating PDFs that hadn’t been updated since 2018. It had a known vulnerability that let anyone upload files. The attacker used it to install a tiny script that gave them permanent access. As I was digging through the logs, I was reminded of a great overview on this I saw a while back over at carlalexander.ca.
You have to think methodically. Don’t just delete the infected files. Figure out how they got there. Check your file modification dates. Look at the server logs. More often than not, it’s an outdated plugin or theme. Or worse, a “nulled” premium theme someone downloaded for free. There is no such thing as a free lunch.
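Here is the "check modification dates, then look at what changed" step as an added example, not code from the original post. It is a POSIX shell triage sweep that lists PHP files under wp-content changed in the last N days, flags those containing the classic obfuscation markers (eval, base64_decode, gzinflate, str_rot13), and separately reports any PHP file sitting under wp-content/uploads, where no PHP should ever live. The sample tree it builds is constructed for the demo and is not a real site; the suspect file only carries the marker pattern, not working code.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage of a
# WordPress tree after a reinfection. Hits are leads for a human to review,
# not verdicts: legitimate plugins also call base64_decode().

# Print PHP files under $1/wp-content modified within the last $2 days.
recent_php() {
  find "$1/wp-content" -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Read file paths on stdin, print the ones containing obfuscation markers.
flag_obfuscated() {
  while IFS= read -r f; do
    if grep -Eq 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' "$f"; then
      echo "SUSPECT: $f"
    fi
  done
}

# Print any PHP file under uploads/; that directory should hold media only.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sort
}

# Full sweep: one line per finding. Usage: wp_triage <wordpress-root> [days]
wp_triage() {
  root="$1"
  days="${2:-7}"
  recent_php "$root" "$days" | flag_obfuscated
  php_in_uploads "$root" | sed 's/^/PHP-IN-UPLOADS: /'
}

# Constructed sample tree for the demo: one clean plugin file, one file
# carrying an eval(base64_decode(...)) marker (decodes to the word "sample"),
# and a stray PHP file dropped into uploads/. Prints the temp dir path.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/plugins/pdfgen" "$d/wp-content/uploads/2024"
  printf '<?php\n// legitimate plugin code\nfunction pdfgen_init() {}\n' \
    > "$d/wp-content/plugins/pdfgen/pdfgen.php"
  printf '<?php eval(base64_decode("c2FtcGxl"));\n' \
    > "$d/wp-content/plugins/pdfgen/cache.php"
  printf '<?php echo "hi";\n' > "$d/wp-content/uploads/2024/x.php"
  echo "$d"
}

# When run directly with a path argument, sweep that install.
if [ $# -gt 0 ]; then
  wp_triage "$@"
fi
```

Run it as `sh triage.sh /var/www/html 7` on a real install. Anything it prints is a starting point for the log review: take the file's modification time and search the web server access log for the request that created it, because that request usually points straight at the vulnerable plugin or the stolen credential that let it in.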
One of the first things I do on any site I manage is lock down the most common vectors. For instance, the built-in theme and plugin editor is a huge security risk. If an attacker gets an admin password, they have a direct tool to execute any code they want. You should never be editing files on a live site anyway. It’s an easy one-liner to add to your wp-config.php file to disable it for good.
// Disallow file edits from the WordPress dashboard
define( 'DISALLOW_FILE_EDIT', true );
So, What’s the Real Takeaway?
It’s that security isn’t a plugin you install and forget. It’s a process. It’s about layers and reducing your attack surface.
- Don’t use defaults. If your username is “admin,” you’re making an attacker’s job 50% easier. Same goes for the default “wp_” database prefix on a new install.
- Delete what you don’t use. Every inactive plugin and theme is a potential, unmonitored security hole. Get rid of them.
- Use strong, unique passwords. For everything. WordPress admin, FTP, hosting control panel. Use a password manager. Period.
Look, this stuff gets complicated fast. If you’re tired of debugging someone else’s mess and just want your site to work, drop my team a line. We’ve probably seen it before.