WORDPRESS SECURITY · CASE STUDY · PART 2

The cleanup held. The password didn’t.

Five weeks after a clean, verified remediation, the same site was hacked again — not through new malware, but through one password that was never changed. Here’s why removing malware isn’t the same as being secure.

A few weeks ago I cleaned up a badly compromised WordPress site. Not a surface clean — a real one. We went in by hand, diffed every theme file against the original, found the backdoors that three previous cleanups had missed, removed all of it, reset the passwords we controlled, rotated the keys, and verified the site was clean. It was clean. I’d stake my name on that.

This is the story of what happened next — and the single most important thing I can tell a business owner about what “cleaned” actually means. Read Part 1 first →

[Illustration: a freshly cleaned building with a green security shield while a hooded intruder opens the front door with a glowing red key]

Five weeks later, it was hacked again.

Same symptom as the first time: when Google’s crawler visited, the site secretly served it a foreign online-gambling page, while real visitors saw the normal site. The tip-off wasn’t a scanner — it was an email from Google to the owner: “New owner for your site.” Someone had added themselves as an owner in Search Console. The early warning worked, the client forwarded it, and we started digging the same day.
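The cloaking described above, a different page served to a crawler than to a browser, can be checked from the outside without any scanner: fetch the page twice, once with a normal browser User-Agent and once claiming to be Googlebot, and compare the title, the visible text and the outbound link hosts. The script below is an added example, not tooling from this case or from AZ Technology Solutions; it uses only the Python standard library, the two User-Agent strings and the sample HTML are constructed, and `fetch_as` (the only network call) is meant to be run against a site you administer.

```python
"""Cloaking check: compare what a browser and a crawler are served.

Added example, not the post's own code. Assumes only the standard library.
"""
import hashlib
import re
import urllib.request
from urllib.parse import urlparse

# Constructed User-Agent strings for the two views of the page.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def fetch_as(url: str, user_agent: str, timeout: int = 15) -> str:
    """Fetch `url` with the given User-Agent. Live network call; run it against your own site."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def _is_foreign(host: str, site_host: str) -> bool:
    return host != site_host and not host.endswith("." + site_host)


def page_fingerprint(html: str, site_host: str) -> dict:
    """Reduce a page to the features cloaking usually changes: title, text, outbound hosts."""
    title = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    hosts = {urlparse(h).hostname for h in re.findall(r'href=["\'](https?://[^"\']+)', html, re.I)}
    foreign = sorted(h for h in hosts if h and _is_foreign(h, site_host))
    text = re.sub(r"<[^>]+>", " ", html)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return {
        "title": title.group(1).strip() if title else "",
        "foreign_hosts": foreign,
        "text_sha256": hashlib.sha256(text.encode()).hexdigest(),
    }


def compare_views(browser_html: str, bot_html: str, site_host: str) -> dict:
    """Return the divergences between the browser view and the crawler view."""
    a = page_fingerprint(browser_html, site_host)
    b = page_fingerprint(bot_html, site_host)
    findings = []
    if a["title"] != b["title"]:
        findings.append(f"title differs: browser {a['title']!r} vs crawler {b['title']!r}")
    crawler_only = sorted(set(b["foreign_hosts"]) - set(a["foreign_hosts"]))
    if crawler_only:
        findings.append("outbound hosts seen only by the crawler: " + ", ".join(crawler_only))
    if a["text_sha256"] != b["text_sha256"]:
        findings.append("visible text differs between the two views")
    return {"cloaked": bool(findings), "findings": findings}


def check_site(url: str) -> dict:
    """Live check: fetch the URL as a browser and as Googlebot, then compare."""
    host = urlparse(url).hostname or ""
    return compare_views(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA), host)


# Constructed sample responses standing in for two real fetches of one URL.
SAMPLE_BROWSER = """<html><head><title>Acme Plumbing - Phoenix</title></head>
<body><h1>Acme Plumbing</h1><a href="https://example-plumbing.test/contact">Contact</a></body></html>"""
SAMPLE_BOT = """<html><head><title>Best Online Casino Bonus</title></head>
<body><h1>Play now</h1><a href="https://casino-bonus.invalid/play">Bonus</a></body></html>"""

if __name__ == "__main__":
    result = compare_views(SAMPLE_BROWSER, SAMPLE_BOT, "example-plumbing.test")
    for line in result["findings"]:
        print("-", line)
    print("cloaked:", result["cloaked"])
```

Run it on a schedule and alert on `cloaked`; a clean site returns the same fingerprint for both views, so any drift between them is worth a look well before Google sends the owner an email. Some cloaking keys on the crawler's IP range or on the Referer rather than the User-Agent, so a clean result from this check alone is not proof of absence.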

A clean site with a stolen password is not a secure site. A cleanup gets rid of what’s on the server — it can’t change a password that lives in someone’s head, their password manager, or their hosting account.

What the cleanup removed

Every backdoor, the hidden admin, the cloaked gambling page, the malicious files — gone, and verified gone.

On the server, the site was genuinely clean. No leftover backdoor reopened anything.

What a cleanup can’t touch

A password stolen during the first break-in and never changed. It lived outside the server, so no cleanup could reach it.

That one un-rotated password stayed a working key — and five weeks later, the intruder used it.

How they walked back in

No new malware this time. The files were uploaded by someone who simply logged in — with a password the first breach had already handed them.

This is the part that’s easy to get wrong

It would be easy to read this as “the cleanup failed.” It didn’t. The site was genuinely clean. What happened is more uncomfortable and more important: a cleanup and a credential rotation are two different jobs — and only one of them can be done by the person holding the mop.

I can remove every malicious file on a server. I cannot reach into your hosting portal and change a password I don’t have — and I shouldn’t be able to. The handoff — you must now rotate these credentials — is the seam where security actually lives or dies. It’s unglamorous. It’s a checklist item. It is also the entire difference between “fixed” and “fixed for five weeks.”

In Part 1, the lesson was that a scanner can’t be accountable. This is the same lesson one layer deeper: even an expert, hands-on cleanup isn’t a force field. Security isn’t a thing you buy or a button you push — it’s a loop, and the loop only closes when the human side follows through.

THE HONEST PART

It came back through a door we’d told them to lock.

I’ll be straight about this, because it’s the whole point. The second break-in was preventable with a password change that was recommended, in writing, and didn’t happen in time. I don’t say that to point a finger — the people involved were busy, the instruction was one line in a long report, and “change all your passwords” is the easiest urgent task in the world to mean-to-do-later.

I say it because that’s exactly where the risk lived, and naming it is the only thing that helps. The malware was the dramatic part. The un-rotated password was the part that actually mattered.

A clean site with a stolen password is not a secure site. If you’ve been through a compromise, the question that matters isn’t “is the malware gone” — it’s “have we changed every key the intruder might be holding, and can we prove the old ones don’t work anymore?”

What closing the loop actually looks like

A cleanup removes what’s on the site. Closing the loop is what makes it stick. The first is the work you hire out; the second is the handoff you can’t skip.
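One way to make the handoff provable rather than a line in a report is a rotation ledger: at cleanup time, fingerprint every secret on the server (the database password and the signing salts in wp-config.php, each user's password hash) and record, per off-server key (hosting portal, SFTP, registrar, Search Console owners), who rotated it and when. A later pass then shows exactly which keys are still open. The script below is an added example that is not part of the case study or of the author's own process; it assumes a WordPress layout, the wp-config.php fragments, user rows and attestation dates are constructed, and the key names for off-server credentials are hypothetical labels.

```python
"""Rotation ledger: prove that every key changed after a cleanup.

Added example, not the post's own tooling. Assumes a WordPress install;
all sample data below is constructed.
"""
import hashlib
import re
from datetime import datetime

# Everything in wp-config.php that is a credential or a cookie-signing secret.
SECRET_DEFINES = ("DB_PASSWORD", "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY",
                  "NONCE_KEY", "AUTH_SALT", "SECURE_AUTH_SALT",
                  "LOGGED_IN_SALT", "NONCE_SALT")

_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")


def fingerprint(value: str) -> str:
    """Short hash of a secret, so the ledger never stores anything usable."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def inventory(wp_config: str, user_rows: list) -> dict:
    """Fingerprint each on-server secret: wp-config defines plus every user's password hash."""
    defines = dict(_DEFINE_RE.findall(wp_config))
    ledger = {}
    for name in SECRET_DEFINES:
        if name in defines:
            ledger[f"wp-config:{name}"] = fingerprint(defines[name])
    for login, pw_hash in user_rows:
        ledger[f"user:{login}"] = fingerprint(pw_hash)
    return ledger


def rotation_report(before: dict, after: dict) -> dict:
    """Compare two ledgers. A key is closed only when its fingerprint changed."""
    unrotated = sorted(k for k in before if k in after and before[k] == after[k])
    rotated = sorted(k for k in before if k in after and before[k] != after[k])
    missing = sorted(k for k in before if k not in after)
    return {"rotated": rotated, "unrotated": unrotated, "missing": missing,
            "loop_closed": not unrotated and not missing}


def external_keys_open(cleanup_at: str, attestations: dict) -> list:
    """Keys that live off the server can only be checked by a dated attestation.

    Anything attested before the cleanup, or never attested, is still open.
    """
    cutoff = datetime.fromisoformat(cleanup_at)
    return sorted(key for key, when in attestations.items()
                  if when is None or datetime.fromisoformat(when) < cutoff)


# Constructed wp-config.php fragments and wp_users rows, before and after.
CONFIG_AT_CLEANUP = """
define( 'DB_PASSWORD', 'old-db-secret' );
define( 'AUTH_KEY',  'salt-one' );
define( 'NONCE_SALT', 'salt-two' );
"""
CONFIG_LATER = """
define( 'DB_PASSWORD', 'old-db-secret' );
define( 'AUTH_KEY',  'fresh-salt-one' );
define( 'NONCE_SALT', 'fresh-salt-two' );
"""
USERS_AT_CLEANUP = [("admin", "$P$Bold-hash"), ("editor", "$P$Bsame-hash")]
USERS_LATER = [("admin", "$P$Bnew-hash"), ("editor", "$P$Bsame-hash")]

# Constructed attestations for keys no server-side check can see (hypothetical labels).
CLEANUP_AT = "2025-01-10T00:00:00"
ATTESTATIONS = {
    "hosting-portal": "2025-01-12T09:00:00",   # rotated after cleanup: closed
    "sftp": None,                              # never confirmed: open
    "search-console-owners": "2024-12-01T00:00:00",  # reviewed before the breach: open
}

if __name__ == "__main__":
    report = rotation_report(inventory(CONFIG_AT_CLEANUP, USERS_AT_CLEANUP),
                             inventory(CONFIG_LATER, USERS_LATER))
    print("still open on the server:", report["unrotated"])
    print("still open off the server:", external_keys_open(CLEANUP_AT, ATTESTATIONS))
    print("loop closed:", report["loop_closed"] and not external_keys_open(CLEANUP_AT, ATTESTATIONS))
```

The point of the two halves is the seam the post describes: the first half is the part the person with the mop can verify by reading the server, the second half can only be closed by the person who owns the portal logins, and the loop is closed only when both lists are empty.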

Had a site “cleaned” — but never closed the loop?

That gap is where reinfections live. We’re happy to take an honest look, tell you which keys might still be open, and walk the credential side through with you — no alarm, no hard sell.

ABOUT THE AUTHOR

Angel Menendez — Founder, AZ Technology Solutions

Former Staff Developer Advocate at n8n, with 20+ years at the intersection of cybersecurity, automation, and AI — SOAR playbooks at Palo Alto Networks, AI-agent infrastructure at n8n, and production systems for organizations that can’t afford “AI that demos.” I build the tools and stay accountable for what they protect.


Stay curious out there.