Unhacked WordPress incident response
[email protected]
WordPress incident response

Your WordPress site is compromised. We handle the cleanup and the report.

Fixed-fee WordPress incident response handled directly by an experienced specialist.

You receive:

30-day re-clean warranty included
5 business day turnaround on standard incidents
No outsourced cleanup teams
Direct communication throughout the engagement

The reality Most compromised sites do not need to be rebuilt.

Most WordPress compromises are not solved by rebuilding the site from scratch.

They are solved by:

That is the focus of Unhacked.

The goal is not to turn a security issue into a large redevelopment project. The goal is to return the site to a trusted state quickly and professionally.


The engagement What happens during an engagement.

01

Initial review

We review the symptoms, hosting warnings, suspicious behavior, access concerns, and environmental details related to the compromise.

02

Investigation

WordPress core files, plugins, uploads, scheduled tasks, database activity, user accounts, and access paths are reviewed for indicators of compromise or persistence.

03

Cleanup & remediation

Malicious code is removed from WordPress core, plugins, themes, mu-plugins, and the uploads directory. Rogue admin accounts, injected payloads, and hidden persistence are cleaned out and verified.

04

Validation

The site is reviewed again to confirm the compromise is gone, host warnings and Google Safe Browsing flags can be lifted, and WordPress is functioning normally.

05

Final documentation

You receive a written remediation report documenting:

  • what was found
  • what was removed
  • what was changed
  • and recommended follow-up actions

Reference engagement Three backdoors. Five business days. Cleaned and documented.

Case study · 2026

WordPress compromise at a Canadian property management firm

The site was the client's primary lead-generation channel. Search results were being injected with spam, admin sessions were appearing that nobody could account for, and Google Search Console had flagged the domain. They were running on a four-year-old WordPress core with an outdated LayerSlider plugin still installed.

What we found

Three distinct backdoors, each engineered to survive removal of the others:

  • A fake "SEO" plugin acting as the attacker's toolkit. It injected JavaScript on every page via a WordPress filter hook, ran a hidden auto-admin-login endpoint, exposed a remote-code-execution shell, hijacked the sitemap, and beaconed back to a command-and-control address pointing at a public blockchain.
  • A must-use plugin disguised as a benign devops file. It blocked legitimate admin logins unless the attacker's secret URL parameter was present, ensuring continued access even if the site owner regained their password.
  • An AES-encrypted PHP shell loader embedded inside the theme directory. It was designed to fetch its payload from an external file so the loader itself looked innocuous in a code review.

Entry vector traced to a known CVE in the outdated LayerSlider plugin. We also found five leaked archive files staged in public directories and a broken second WordPress installation in a subdirectory still serving attacker-controlled PHP.

What we did

  • Took a full snapshot of the site before any changes, kept copies of every malicious file, and saved the deep-scan output for the client's records.
  • Removed all three backdoors. Clean deletion plus .htaccess deny-blocks returning HTTP 410 (Gone) for any URL the attacker had been advertising on third-party sites.
  • Hardened the install: rotated all WordPress salts, rotated the database password, set DISALLOW_FILE_EDIT, audited admin users (no rogue accounts), quarantined the leaked archives, and removed the broken second installation.
  • Delivered a written report covering what was found, what was done, and what the client still needed to rotate on their own side (their admin password, cPanel password, and one temporary FTP account we had used).

What was out of scope

Updating WordPress core to current versions, replacing conflicting security plugins, modernizing the theme, and migrating hosts. Those belong to a separate rebuild engagement, scoped and quoted independently. Most clients in incident mode need the bleeding stopped first, then can decide on the larger investment with a calm head.

Total elapsed time: under five business days. The client retained control of their stack throughout and held the credentials.

Compromise vectors found3 distinct backdoors
Engagement length5 business days
FeeRapid Clean (flat)
OutcomeClean, hardened, documented

Why it matters A small operation by design.

Unhacked is intentionally structured differently from large agencies and outsourced remediation services.

You work directly with the person handling the cleanup. The specialist who answers your first email is the same one who runs the investigation, does the remediation, validates the result, and writes the report.

There are:

You can pick up the conversation any time. The person on the other end already knows your site.

That matters when trust and accountability are involved.


Background Built and operated by Eaymon Latif.

Unhacked is built and operated by Eaymon Latif, who has spent more than two decades working with production systems, infrastructure, SaaS platforms, and security-sensitive environments.

That experience includes:

The focus of Unhacked is practical remediation: contain the issue, clean the compromise properly, document what happened, and restore confidence in the environment.


Warning signs Common reasons people reach out.

Hosting provider malware warnings
Google Safe Browsing flags
Redirects or injected spam pages
Unknown administrator accounts appearing
Reinfections after previous cleanup attempts
SEO spam appearing in search engines
Suspicious outbound traffic
Unexpected plugins, files, or scheduled tasks
Login activity that no longer feels trustworthy

Service tiers Two engagement sizes. Both fixed fee.

Rapid Clean

For isolated WordPress compromises requiring focused remediation.

Single WordPress site. Single compromise event.
$1,997USD · fixed fee
Paid in full at checkout.
Target turnaround: 5 business days
  • Single-site remediation
  • Malware and backdoor removal
  • Integrity verification
  • Written remediation report
  • 30-day re-clean warranty: if the same compromise resurfaces, we clean it again at no cost
Request Rapid Clean

FAQ Common questions before we start.

How quickly can you start?

Most engagements begin within 1 to 2 business days depending on queue and incident severity.

Do you rebuild websites?

No. Unhacked focuses specifically on WordPress incident response and remediation.

What if you do not find evidence of compromise?

If no indicators of compromise are found within the agreed scope of investigation, the engagement qualifies for a full refund.

What if the compromise comes back?

Every engagement includes a 30-day re-clean warranty. If the same compromise resurfaces inside that window, we clean it again at no additional cost.

Do you provide ongoing monitoring?

No. Unhacked is focused on remediation engagements only.

Will you update WordPress and plugins?

Critical security updates required to close the compromise are included. Full modernization or version upgrades are scoped as a separate engagement.

If your WordPress site is compromised, start the conversation.

You talk directly to the specialist handling the work. Fixed fee. Written report.

Send us your site URL