WORDPRESS SECURITY · CASE STUDY

Your WordPress site passed every scan. It was hacked for 37 days anyway.

Three cleanups — including a commercial security scanner, on premium managed hosting — called this site clean. It wasn’t. Here’s what every tool missed, and why AI can scan your WordPress site but can’t be accountable for it.

A few weeks ago we finished cleaning up a WordPress site we host for a law firm. Three separate cleanups had already declared it healthy. A well-known security plugin had scanned it and reported success. The site had been quietly hacked for 37 days, and on the day someone finally caught it, it was still serving a Turkish online-casino network to Google while showing the firm’s clients a perfectly normal homepage.

I want to show you what was actually on that server, because there’s a question I keep hearing from smart people who run good businesses: “We’ve got AI tools now. Do we even still need a security person?” This story is the clearest answer I have.

A secure building with a green shield on the locked front door while a hooded intruder is already inside using a valid key

“But we’re on managed WordPress hosting.”

So was this site. If you’re on WP Engine, Kinsta, or any of the good managed hosts, that buys you real things: fast servers, backups, a hardened platform. What it does not buy you is immunity from an attacker who is already inside your WordPress install with a valid admin login.

A green “secure hosting” badge protects the building. It says nothing about who already has a key to your apartment. That gap is exactly where this firm got hit.

What every dashboard showed

A site that wouldn’t update — click “update theme,” watch it crash a few seconds later. Annoying, but it read like an ordinary bug.

A security scanner that had run, found one piece of malware, removed it, and reported the site clean.

From every screen anyone was looking at: “one weird bug, otherwise green.”

What was actually on the server

Not one backdoor. Five, stacked on purpose so that removing any one of them left the others running.

Each cleanup removed real malware and still missed the foundation — because the foundation was built to be invisible to exactly the screens everyone was checking.

Five backdoors, hiding in plain sight

Every one of these was engineered to disappear from the WordPress admin and from signature scanners. This is what “clean” was hiding.

A self-resurrecting admin

A hidden administrator account that never appeared in the WordPress user list, and rebuilt itself every 24 hours and after every update. This is why three cleanups failed.

Passwords mailed to the attacker

A line in the theme that sent every admin login — with the password in plain text — to a Telegram channel. Every time someone logged in to “fix” the site, the attacker got the new password.

Casino spam, shown only to Google

A redirect that detected search-engine crawlers and served them a casino-affiliate page with the firm’s own web address on it. The reputation rotted from the inside while the public site looked perfect.

The ‘update bug’ was a lock

A script quietly set every file to read-only. That is why updates kept crashing the site. Not a bug. A deliberate lock the attacker put on the door.

A plugin that erased itself

A fake plugin loaded a hidden payload and then filtered itself out of the Plugins screen, so it never showed up in the one place an admin would think to look.

A new ‘owner’ on Google

The attacker verified themselves as an additional owner of the site in Google Search Console. That email to the marketing manager is what finally opened the investigation.

Why the tools missed it (and why AI would too)

A scanner — including an AI-powered one — is fundamentally a pattern-matcher. It is brilliant at finding what it has been trained or signatured to recognize. The plugin on this site did its job: it matched a known signature and cleaned it.

But the person who broke in was not producing known patterns. His entire job was to make himself invisible to them — hiding the admin from the exact list the tools read, using legitimate WordPress functions with malicious arguments so nothing tripped a signature, naming a plugin so it would never show up on the Plugins screen.

A tool answers one question: “does this match something bad I already know about?” An adversary’s whole job is to make the answer be “no.”

AI gives you leverage. It does not give you accountability. When something invisible is costing a business its reputation, “the scanner came back green” is not a thing you can stand behind. A person who has seen the inside of a breach is.

The thing that found this hack was not a better scan. It was a person looking at a clean-looking site and asking a different question: if I wanted to own this server and survive a cleanup, where would I hide? Then going under the dashboard, into the files and the database, to look. AI was genuinely useful in that work — the same way a flashlight is useful. But the flashlight does not decide to go down to the basement, and it does not stake its name on the house being safe afterward. A person does both.

What “covered” actually looks like

Someone looks below the dashboard

Files and database, not just the admin screens. The compromise lives where the dashboard can’t see.

Someone thinks like an attacker

Assume a smart intruder will hide from the obvious tools — then go looking in the places they’d hide.

Someone is accountable to you

A name, a person, who will tell you straight whether you’re safe — and own it if you’re not.

Use every tool you can get. Then put a human who has been through this on top of them. That combination is not the expensive old way — it is the only thing that caught a hack three automated cleanups walked right past.

Is “the scanner is green” your whole security model?

Then it’s worth a conversation. We’re happy to take an honest look at a WordPress site and tell you what’s underneath — no alarm, no hard sell, just a real answer from someone who has seen what hides down there.

ABOUT THE AUTHOR

Angel Menendez — Founder, AZ Technology Solutions

Former Staff Developer Advocate at n8n, with 20+ years at the intersection of cybersecurity, automation, and AI — SOAR playbooks at Palo Alto Networks, AI-agent infrastructure at n8n, and production systems for organizations that can’t afford “AI that demos.” I build the tools and stay accountable for what they protect.

See what I speak about →  ·  Grab free office hours →

Stay curious out there.