Backdoor removal
WordPress backdoor removal for persistent or hidden infections
If the site keeps behaving strangely after the obvious plugin or theme is gone, you are probably dealing with persistence. I help track down the backdoor, remove the footholds it created, and verify that the site is not quietly rebuilding the infection behind the scenes.
Starting at €2,000
Especially relevant after supply-chain incidents, plugin update compromises, hidden admin creation, and infections that survive “cleanup” attempts.
Signs a backdoor may still be present
A persistent infection usually leaves traces outside the original plugin or theme.
- Unknown administrator users or users hidden from the normal admin list
- Suspicious files in mu-plugins, uploads, wp-includes, or the web root
- Modified theme functions.php or wp-config.php after a plugin incident
- Database options or cron jobs that look unfamiliar
- A site that re-infects itself after you remove the original plugin or theme
- Suspicion that a compromised update installed persistence outside WordPress plugins
What I look for
Backdoors are often designed to survive normal cleanup steps. That is why they need targeted inspection.
File-system review
I check the usual persistence locations used by modern WordPress malware, including fake core filenames, mu-plugins, web-root droppers, and suspicious uploads.
Account and option cleanup
Backdoors often leave hidden administrator users, secret auth keys, or low-visibility options in the database. Those need to be removed deliberately.
Theme and config inspection
Recent malware chains injected code into functions.php, wp-config.php, and related config files where a routine plugin update will never clean them up.
Persistence validation
The goal is not just to delete suspicious files once. It is to make sure the site is not recreating them from another foothold.
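The file-system and config checks described above can be scripted as a first pass. The following is an added example, not tooling from this page or its author; the names `triage` and `incident_ts` are hypothetical. It covers only the on-disk locations named above (web root, uploads, mu-plugins, wp-config.php, theme functions.php), not database users, options or cron entries, and not fake core filenames inside wp-includes, which need comparison against a clean copy of the same WordPress version.

```python
import os
import time

# Stock PHP files found in the root of a standard WordPress install.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
PHP_EXT = (".php", ".phtml", ".phar")


def triage(root, incident_ts):
    """Return sorted (reason, relative_path) pairs that deserve manual review.

    incident_ts is a Unix timestamp: config and theme files changed at or
    after it are reported. A hit is a lead to inspect, not proof of malware.
    """
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            is_php = name.lower().endswith(PHP_EXT)
            # Web-root droppers: PHP beside wp-load.php that core does not ship.
            if rel_dir == "." and is_php and name not in CORE_ROOT_PHP:
                findings.add(("non-core PHP in web root", rel))
            # Uploads should hold media, not executable code.
            if rel.startswith("wp-content/uploads/") and is_php:
                findings.add(("PHP in uploads", rel))
            # Must-use plugins load on every request without activation.
            if rel.startswith("wp-content/mu-plugins/"):
                findings.add(("mu-plugin (auto-loaded)", rel))
            watched = rel == "wp-config.php" or (
                rel.startswith("wp-content/themes/") and name == "functions.php")
            if watched and os.path.getmtime(os.path.join(dirpath, name)) >= incident_ts:
                findings.add(("modified since incident", rel))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    # Usage: python triage.py /path/to/site [days_back]
    days = float(sys.argv[2]) if len(sys.argv) > 2 else 30
    for reason, rel in triage(sys.argv[1], time.time() - days * 86400):
        print(f"{reason:28} {rel}")
```

Modification times can be reset by whoever wrote the file, so an old timestamp on wp-config.php or functions.php does not clear it. Running the same pass again after cleanup shows whether flagged files are being recreated.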
Common persistence patterns behind reinfection
This is usually the category you are in when the site keeps going bad again after somebody already removed the obvious culprit.
Reinfection after “cleanup”
If the malware or redirect comes back after a plugin reinstall, there is usually another execution path still active somewhere on the site or hosting stack.
Hidden admin creation
Unexpected privileged users are a classic sign that the attacker wanted ongoing access beyond the original exploit or malicious update.
wp-config.php compromise
Config-level persistence matters because it survives many of the obvious cleanup steps teams try first and executes very early in the WordPress bootstrap path.
Related reading
WordPress Malware Cleanup Service
The broader cleanup service if you need full incident response rather than just persistence removal.
Hidden admin users in WordPress
Why unknown administrator accounts usually point to persistence rather than a one-off oddity.
How to know if wp-config.php is infected
What config compromise means and why it often survives normal plugin-focused cleanup.
Smart Slider 3 Pro compromise
A recent example of malware installing multiple persistence layers outside the original plugin.
WordPress SEO Spam Cleanup
Useful if the persistent infection is also poisoning search visibility.
Still not convinced the site is actually clean?
That is usually a good reason to investigate. Send the site details and what keeps coming back. I will help you determine whether you are dealing with persistence, a bad cleanup, or a wider compromise that needs full incident response.