
A Client’s Website Hacked: A Real-Life WordPress Security Nightmare & How We Fought Back

Navodian Research, published 2 March 2026

As a WordPress Developer, I often preach about security. However, I recently encountered a real-world scenario with a client's website that serves as a powerful reminder for everyone in the digital space. It was a classic, insidious attack, and a testament to why proactive security is non-negotiable.

The Attack: Sneaky & Sophisticated

My client, based in India, noticed something alarming: when searching for their legitimate English-language website on Google, the search results showed a title and description in Indonesian, promoting lottery content. Even more frustrating, the live site appeared perfectly normal to them on desktop—a clever tactic by the attackers.

Here's how they pulled it off:

  • Cloaking: The malicious code was designed to show spammy Indonesian content only to Google's crawlers and mobile users, while displaying the normal site to desktop visitors.
  • Google Search Console Hijack: The attackers added themselves as a verified owner in Search Console to push spammy content and monitor gains.
  • Injections: They injected code into index.php and wp-config.php, exposing critical database credentials.
  • Fake Rich Snippets: They injected schema markup to make Google believe their spam was legitimate "product" content.
  • AMP Cache Abuse: They leveraged Google's AMP cache to make mobile redirects seem authentic.

The Resolution: A Methodical Cleanup

This wasn't a quick fix. It required a deep dive into the server architecture:

  1. Immediate Containment: Site taken offline, passwords changed (hosting, FTP, WP admin, database: ALL of them!), and the hosting provider notified.
  2. Unmasking Tracks: Tracing IPs (which led to an Azure cloud server) and identifying the cloaking logic in the core files.
  3. Reclaiming Search Console: Identifying and removing the attacker's verification token and revoking ownership.
  4. Deep Code Cleanup: Manually removing code from index.php, and regenerating all WordPress security keys and salts.
  5. Google Re-indexing: Submitting new sitemaps and using the "URL Inspection" tool to request a clean crawl.
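The cloaking indicators from the attack list above and steps 2 and 4 of the cleanup (finding the cloaking logic in the core files, cleaning index.php and wp-config.php, regenerating the keys and salts) can be turned into a small triage script. This is an added example, not code from the post or from Navodian Research: the sample web root, its file contents and the placeholder payload strings are constructed, and the indicator patterns are an assumption about what such an injection typically looks like, not a signature recovered from this incident.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for a suspected
# WordPress cloaking compromise. The sample site created below is constructed
# and stands in for a real web root.

# Obfuscation primitives that have no business in a root index.php or wp-config.php.
OBFUSCATION='base64_decode|gzinflate|gzuncompress|str_rot13|eval[[:space:]]*\(|assert[[:space:]]*\('
# A crawler-only branch on the user agent ...
CRAWLER_UA='HTTP_USER_AGENT.*(googlebot|bingbot)'
# ... combined with a redirect (or an AMP cache URL) is the cloaking shape described.
REDIRECT='header[[:space:]]*\([[:space:]]*.Location|cdn\.ampproject\.org'

# is_suspicious FILE: succeed if the file contains an obfuscation primitive, or a
# crawler user-agent check together with a redirect. A user-agent check on its
# own is not enough: WordPress core itself reads HTTP_USER_AGENT (wp_is_mobile()).
is_suspicious() {
  file="$1"
  if grep -qEi "$OBFUSCATION" "$file"; then return 0; fi
  if grep -qEi "$CRAWLER_UA" "$file" && grep -qEi "$REDIRECT" "$file"; then return 0; fi
  return 1
}

# scan_webroot DIR DAYS: print one "reason<TAB>path" line per finding:
# PHP files modified within DAYS days, and PHP files that is_suspicious flags.
scan_webroot() {
  root="$1"; days="${2:-30}"
  find "$root" -type f -name '*.php' -mtime "-$days" | sort | while read -r f; do
    printf 'recent\t%s\n' "$f"
  done
  find "$root" -type f -name '*.php' | sort | while read -r f; do
    if is_suspicious "$f"; then printf 'indicator\t%s\n' "$f"; fi
  done
}

# rotate_salts WP_CONFIG: rewrite every key/salt define with a fresh random
# value, which invalidates all existing login cookies (cleanup step 4).
rotate_salts() {
  cfg="$1"
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    value=$(head -c 96 /dev/urandom | base64 | tr -d '\n/+=' | head -c 64)
    sed -i.bak -E "s|^define\([[:space:]]*'$name'.*|define('$name', '$value');|" "$cfg"
  done
  rm -f "$cfg.bak"
}

# make_sample_site DIR: constructed web root with an injected index.php, an
# injected wp-config.php and one clean core-like file (old, benign UA check).
make_sample_site() {
  d="$1"; mkdir -p "$d/wp-includes"
  cat > "$d/index.php" <<'EOF'
<?php
// constructed: crawler-only branch feeding an obfuscated payload
if (preg_match('/googlebot/i', $_SERVER['HTTP_USER_AGENT'])) {
    eval(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'));
}
define('WP_USE_THEMES', true);
require __DIR__ . '/wp-blog-header.php';
EOF
  cat > "$d/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
eval(gzinflate(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD'))); // constructed injection
EOF
  cat > "$d/wp-includes/functions.php" <<'EOF'
<?php
// constructed stand-in for a benign core check: no obfuscation, no redirect
function is_googlebot() {
    return stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false;
}
EOF
  touch -t 202401010000 "$d/wp-includes/functions.php"
}

# Stand-alone run: build the constructed site, list findings, rotate the salts.
demo_root=$(mktemp -d)
make_sample_site "$demo_root"
scan_webroot "$demo_root" 30
rotate_salts "$demo_root/wp-config.php"
rm -rf "$demo_root"
```

Point `scan_webroot` at the real web root (with the site already offline) and treat every "indicator" hit and every "recent" file outside a known deployment as something to read by hand; the patterns are deliberately narrow, so a clean result is not proof of a clean site, and comparing core files against a fresh WordPress download remains the authoritative check. Run `rotate_salts` only after the injected code is gone, otherwise the attacker simply logs in again through the backdoor.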

The Lesson for All

This experience was a powerful reminder of the "High Standards" required for web safety:

  • Update Everything: Most hacks stem from outdated plugins or themes.
  • 2FA is Mandatory: Use it for every critical account (hosting, WP, email).
  • Regular Backups: The ability to revert to a clean state is your ultimate insurance.
  • A WAF is Your First Line of Defense: Services like Cloudflare block malicious traffic before it reaches you.

Cybersecurity isn't just an IT department's job; it's a constant vigilance for every website owner. The longer a hack persists, the more damage it can do to your reputation and SEO.
