case study · WordPress security · incident response

How We Rescued a Hacked WordPress Site in 3 Hours

By Sviatoslav · 2026-04-29 · 8 min read

A South Florida home services business hired AgentForgeAI for what was meant to be a routine SEO audit. Within thirty minutes, we noticed something off in the homepage HTML — a hidden block of casino-themed content positioned 1.4 million pixels off-screen, linking to a foreign gambling affiliate.

That single finding turned a one-hour SEO review into a three-hour forensic recovery. By the end, we had pulled five PHP backdoors out of the site, deleted six fake user accounts tied to a black-hat SEO agency, removed an Elementor Pro install with an actively exploited CVE, and saved the client about $1,500/year in unused premium subscriptions.

The headline numbers:

  • 16 critical security issues reduced to zero
  • 5 PHP backdoors removed from plugins and themes
  • $1,500+/year saved in unused subscriptions and abandoned plugins

What the owner saw vs what was actually there

The site looked completely normal. Standard WordPress homepage, working contact form, Google Analytics, GTM, Google Ads tracking, Cloudflare in front, schema markup configured. By every surface metric it looked like a professionally maintained business site. The owner had no idea anything was wrong.

What was actually there: a hidden <div> inside the “Who We Are” section, styled with position: absolute; left: -1423117px; so visitors never saw it. Search engine crawlers saw it perfectly. The injected content promoted online casinos and outbound-linked to smartbonus.at.

This is a textbook black-hat SEO injection. It does two things at once: it passes link equity from the host site to the attacker's affiliate network, and it puts the host domain at risk of a Google manual action. The owner was one routine spam sweep away from losing his organic search visibility entirely.
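A crawler's-eye check for this kind of injection, added here as an example rather than anything from the original engagement: it parses raw HTML and reports outbound links that sit inside a container hidden by display:none, visibility:hidden or an absurd offset. The sample markup is constructed (a .example domain stands in for the real affiliate), and the site's own hostname is assumed to be passed in.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re
OFFSCREEN_PX = 5000   # any |offset| past this is treated as pushed off-screen
VOID = {"br", "img", "hr", "input", "meta", "link", "source"}

def is_hidden(style):
    """True if an inline style hides the element from human visitors."""
    s = style.replace(" ", "").lower()
    if "display:none" in s or "visibility:hidden" in s:
        return True
    offsets = re.findall(r"(?:left|top|text-indent):(-?\d+)px", s)
    return any(abs(int(v)) >= OFFSCREEN_PX for v in offsets)

class HiddenLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []       # hidden flag for each currently open element
        self.findings = []    # (href, anchor text) pairs
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        if tag in VOID:       # void elements never get an end tag
            return
        a = dict(attrs)
        self.stack.append(is_hidden(a.get("style") or ""))
        if tag == "a" and any(self.stack):   # link with a hidden ancestor
            host = urlparse(a.get("href") or "").hostname or ""
            if host and host != self.site_host:
                self._href, self._text = a["href"], []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if tag == "a" and self._href is not None:
            self.findings.append((self._href, "".join(self._text).strip()))
            self._href = None
        if self.stack:
            self.stack.pop()

def find_hidden_outbound_links(html, site_host):
    """Return (href, text) for outbound links only crawlers would see."""
    p = HiddenLinkFinder(site_host)
    p.feed(html)
    return p.findings

SAMPLE_HTML = """<section id="who-we-are"><h2>Who We Are</h2><p>Family-owned.</p><br>
<div style="position: absolute; left: -1423117px;">Best <a href="https://casino.example/bonus">online casino bonus</a> today</div>
<a href="https://example-client.com/services">Our services</a></section>"""   # constructed sample
```

Run it against the output of curl rather than a browser's "view source", since the page cache or a client-side script can differ from what the crawler fetched.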

Six fake users from one domain

The next clue was in the user list. Seven WordPress users on the site — six of them with email addresses on the same domain: @mediaspearhead.com.

Mediaspearhead is a black-hat SEO link-injection operation. They mass-register Subscriber accounts on WordPress sites — typically through plugin vulnerabilities — and use the access to inject paid backlinks into client content. One of their accounts on this site (clarisa.v) had authored two of the four blog posts. Both contained payloads.

Anonymous WordPress registrations were already disabled on this site. That confirmed the attackers weren't coming through the public signup flow — they were creating Subscriber accounts through a code-level exploit. We needed to find the door before we closed it.
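The user-clustering step, as an added example and not the agency's own tooling: it assumes the user and post lists were exported as CSV (for instance with WP-CLI's wp user list / wp post list --format=csv), flags foreign mail domains holding several accounts, and lists the posts those accounts authored, plus posts whose author is a role that cannot normally publish or no longer exists. The sample rows are constructed apart from the domain and login named above.

```python
import csv, io
from collections import defaultdict
CLUSTER_MIN = 3   # accounts on one foreign mail domain before we treat it as a cluster
PUBLISH_ROLES = {"administrator", "editor", "author", "contributor"}

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def cluster_users_by_domain(users_csv):
    """Map e-mail domain -> list of user logins."""
    by_domain = defaultdict(list)
    for row in _rows(users_csv):
        by_domain[row["user_email"].rsplit("@", 1)[-1].lower()].append(row["user_login"])
    return dict(by_domain)

def suspicious_clusters(users_csv, site_domain, min_size=CLUSTER_MIN):
    """Foreign domains holding min_size or more accounts."""
    return {d: logins for d, logins in cluster_users_by_domain(users_csv).items()
            if d != site_domain.lower() and len(logins) >= min_size}

def posts_to_review(users_csv, posts_csv, site_domain):
    """Posts whose author is in a suspicious cluster, cannot normally publish, or is gone."""
    flagged = {l for ls in suspicious_clusters(users_csv, site_domain).values() for l in ls}
    users = {r["ID"]: r for r in _rows(users_csv)}
    review = []
    for p in _rows(posts_csv):
        u, reasons = users.get(p["post_author"]), []
        if u is None:
            reasons.append("author account missing (orphaned post)")
        elif u["user_login"] in flagged:
            reasons.append("author in " + u["user_email"].split("@")[-1] + " cluster")
        if u is not None and u["roles"] not in PUBLISH_ROLES:
            reasons.append("role '" + u["roles"] + "' cannot normally publish")
        if reasons:
            review.append((p["ID"], p["post_title"], reasons))
    return review

# Constructed sample, shaped like `wp user list` / `wp post list --format=csv` output.
USERS_CSV = """ID,user_login,user_email,roles
1,owner,owner@example-client.com,administrator
2,clarisa.v,clarisa.v@mediaspearhead.com,subscriber
3,d.moss,d.moss@mediaspearhead.com,subscriber
4,j.pike,j.pike@mediaspearhead.com,subscriber
"""
POSTS_CSV = """ID,post_title,post_author
10,Spring AC maintenance checklist,1
11,Best casino bonuses for homeowners,2
12,Why duct cleaning matters,7
"""
```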

The door: Elementor Pro 3.28.3

Recent versions of Elementor Pro have shipped with critical CVEs — arbitrary file upload, authenticated SQL injection. The site was running Elementor Pro 3.28.3 with an expired license. The plugin couldn't auto-update because the subscription had lapsed. The CVEs sat unpatched for months.

That was the entry point. Mediaspearhead almost certainly walked in through the Elementor Pro CVE chain, escalated to user creation, and from there started planting persistence.

We took Elementor Pro off the site entirely. It turned out the site didn't actually need Pro — the header, footer, and forms all worked through ElementsKit Lite, MetForm, and the free Elementor base. Removing the plugin saved the client $59/year and removed the active CVE surface in one move. We treat lapsed premium plugin licenses as security controls, not billing questions.

The real find: five PHP backdoors

The most serious result came from a deep Wordfence scan. Five PHP files with deliberately innocent-looking names had been planted across plugins and themes:

  • wp-content/themes/Divi-4/wp-embeds.php
  • wp-content/themes/Divi-4/404s.php
  • wp-content/plugins/material-design-icons-for-elementor/objects-cache.php
  • wp-content/plugins/gravityforms/default-headers.php (Gravity Forms wasn't even installed)
  • wp-content/plugins/unlimited-elements-for-elementor-premium/404s.php

These were webshells — PHP files masquerading as legitimate plugin components, providing the attacker persistent access even after the original vulnerability was patched. Naming files like objects-cache.php and default-headers.php is deliberate camouflage. At a glance they read as real plugin code.

If we'd stopped at the visible spam without running the full scan, the attackers would have been back inside a week. The visible casino spam was a symptom. The webshells were the disease.
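A first-pass triage for planted PHP files, added here as an example and not a replacement for a Wordfence scan: it flags plugin or theme directories that carry no Plugin Name:/Theme Name: header (a directory for a plugin that was never installed, like the gravityforms one above) and PHP files that read request input in the same file as an exec or decode primitive. The fixture it builds is constructed; only the file names mirror the paths listed above, and the heuristics are assumptions meant to shortlist files for manual review, not to prove anything malicious.

```python
import os, re, tempfile
from pathlib import Path
# Heuristic red flags: request input in the same file as an exec/decode primitive.
RISKY = re.compile(r"\b(eval|assert|system|passthru|shell_exec|exec|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
HEADER = re.compile(r"^\s*\*?\s*(Plugin|Theme) Name:", re.M)

def has_header(dirpath):   # a real plugin/theme dir carries a Plugin Name:/Theme Name: header
    for name in os.listdir(dirpath):
        path = os.path.join(dirpath, name)
        if name.endswith((".php", ".css")) and os.path.isfile(path):
            with open(path, errors="ignore") as f:
                if HEADER.search(f.read(8192)):
                    return True
    return False

def triage(wp_content):
    """Return (path relative to wp-content, reasons) for PHP files worth a manual look."""
    findings = []
    for kind in ("plugins", "themes"):
        base = os.path.join(wp_content, kind)
        for d in sorted(os.listdir(base)):
            dirpath = os.path.join(base, d)
            if not os.path.isdir(dirpath): continue
            ghost = not has_header(dirpath)   # directory that was never a real install
            for root, _, files in os.walk(dirpath):
                for fn in sorted(files):
                    if not fn.endswith(".php"): continue
                    src = Path(root, fn).read_text(errors="ignore")
                    reasons = ["dir has no plugin/theme header"] if ghost else []
                    if RISKY.search(src) and INPUT.search(src):
                        reasons.append("request input alongside exec/decode call")
                    if reasons:
                        findings.append((os.path.relpath(os.path.join(root, fn), wp_content), reasons))
    return findings

def build_fixture():   # constructed wp-content tree; file names mirror this case study
    root = tempfile.mkdtemp()
    files = {
        "plugins/legit-forms/legit-forms.php": "<?php\n/*\nPlugin Name: Legit Forms\n*/\n",
        "plugins/legit-forms/inc/cache.php": "<?php function lf_cache($k) { return wp_cache_get($k); }\n",
        "plugins/gravityforms/default-headers.php": "<?php $d = gzinflate(base64_decode($_COOKIE['k']));\n",
        "themes/Divi-4/style.css": "/*\nTheme Name: Divi-4\n*/\n",
        "themes/Divi-4/404s.php": "<?php echo str_rot13($_REQUEST['p']);\n",
    }
    for rel, body in files.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body)
    return root
```

Legitimate plugins do use base64_decode and $_POST, so expect false positives on a real install; the point is a short list to read by hand, cross-checked against the plugin's published release files.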

The cleanup, step by step

Phase 1 — Triage (15 min)

Mapped the breach surface before touching anything. Pulled raw HTML through curl to confirm injections were server-side and not browser-only artifacts. Listed all WordPress users and clustered them by email domain. The mediaspearhead pattern jumped out immediately.

Phase 2 — Visible cleanup (45 min)

Removed the casino spam HTML widget from the homepage in Elementor. Cleared the WP Rocket cache, which removed the IP-prefetch reference from the rendered output. Bulk-deleted the five mediaspearhead accounts and reassigned the orphaned blog posts to the legitimate admin. Confirmed via fresh curl that all spam strings returned zero matches across the homepage and every blog post.

Phase 3 — Hardening (30 min)

Updated Wordfence, WP Rocket, and WPCode to current versions. Removed Elementor Pro entirely. Verified that the public registration flow was already disabled (confirming the attackers had been working through a code-level exploit, not the signup form).

Phase 4 — Forensic scan (60 min)

Ran a full Wordfence malware scan across 22,000+ files. First pass returned 16 critical issues. Triaged each one: bulk-deleted the five confirmed backdoors, ignored five flagged WordPress core file modifications (GoDaddy managed hosting customizes core files for performance, and the file system is read-only at the hosting layer — confirmed false positives), and removed three additional plugins flagged as abandoned or vulnerable.

Re-scanned. Eight remaining results, all confirmed false positives or low-severity informational findings. Zero actionable vulnerabilities on the site.

Phase 5 — Handoff

Delivered a written remediation report covering what was removed (with file paths and timestamps), the likely root cause, and the recommended next steps the client could handle himself: admin password rotation, 2FA via Wordfence Login Security, regular backup hygiene. Plus a separate SEO audit document covering the legitimate growth opportunities we'd noticed during the forensic work.

Three lessons

1. SEO audits and security audits are the same audit

We were hired to look at meta descriptions and Schema markup. We left having pulled five PHP webshells out of the site. The same surface attackers exploit for SEO spam injection is the surface that determines a site's organic search performance. They cannot be separated — especially on WordPress, where most breaches involve plugin vulnerabilities being weaponized for SEO purposes.

2. Looking healthy is not the same as being healthy

Casino spam injected at left: -1423117px doesn't render in any browser. Without a forensic scan and a pair of eyes on the raw HTML, this would have continued indefinitely. Site health cannot be assessed from the rendered page alone.

3. Expired premium plugin licenses are an active liability

Most owners decide whether to renew based on whether they're using the premium features. The actual risk is the unpatched CVE surface that sits on disk after the subscription lapses. Elementor Pro 3.28.3 cost this client $59/year in lost subscription value. It almost cost him his Google rankings, his reputation with prospective customers, and an unknown number of hours dealing with manual action recovery.

What we typically engage on next

After a recovery like this, the same site usually has 60 to 90 days of compounding SEO upside available. The post-recovery roadmap for this client included LocalBusiness schema rollout, rewriting 21 location pages with genuinely unique content (the existing pages were 56% template-duplicated), setting up a Google review collection workflow, and closing the missing service-page gaps the search demand was clearly asking for.

That's a separate engagement. The recovery had to come first.

If you think your site might be in a similar state

WordPress security recovery is a fixed-fee service we offer at AgentForgeAI. Typical recoveries take two to six hours of expert time depending on the breach surface. If you want a 30-minute scan of your own site, get in touch through agent-forge-ai.com.
