From Compromise to Containment, A Forensic Lesson

What I discovered in the logs, hidden text files with emails that were being spammed, and why prevention is always better than cure.

The Call That Changed My Holiday

It was the Carnival holiday here in Panama and most people were out celebrating or relaxing with family and friends out of town. I was resting in my apartment when I got a phone call.

The boss called about two websites under the company's hosting account that were sending out spam emails. They had been hacked, but we did not know that at the time. The hosting company had detected hundreds of spam emails going out to random addresses after receiving multiple complaints. They were very serious about the consequences: under their zero-tolerance policy for spam abuse, if the problem was not resolved within hours, the entire company hosting account would be cancelled.

That would have taken the websites offline and hurt the business’s online presence.


The Crisis

When I got to the office, the whole building was empty. Everyone else was enjoying the holiday. That was probably a good thing, because I needed focus.

I got in touch with the hosting company and confirmed what they were seeing. The mail server queue was overflowing with outgoing spam.

I purged the queue. It filled right back up. That's when I knew the hack went deeper than the files: it was in the database too, which meant the process generating the spam was still running through the websites.


Tracing the Hack

I narrowed it down to two websites and started digging into the logs and files. That’s where things got interesting.

  • I found a text file full of random email addresses that the websites were reading over and over. This was the "fuel" for the spam.
  • I traced the connections to an external server that was supplying those addresses and triggering the process.
  • Inside the WordPress theme files, I came across blocks of obfuscated code: long strings of what looked like gibberish, designed to hide what they were really doing.
  • The infection wasn't only in the web files but also in the database, which meant that even if you cleaned the files, the malicious entries could bring it all back.
  • The logs also revealed that a compromised FTP account had been used to upload other files that were critical to the hack's persistence. The uploads happened outside of work hours.

The real cause? Outdated WordPress themes with missed security updates and a compromised FTP account. Those two gaps gave the attackers exactly what they needed to slip in their code.


🔎 What Kind of Hack Was This?

This was a classic WordPress spamming backdoor, very common around 2014–2015. Attackers would:

  • Inject hidden PHP code into theme files.
  • Drop payloads into the database to make reinfection easier.
  • Use external servers to supply email addresses to target and keep the process going.

The result was a hacked website that kept sending spam no matter how often the mail queue was purged.
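The triage described in the two lists above (obfuscated PHP in theme files, the same payloads hidden in the database, and off-hours uploads by a compromised FTP account) as a small added example. This is not the author's tooling or anything from the original post; it assumes a vsftpd-style "OK UPLOAD" log line format, business hours of Monday to Friday 08:00 to 18:00 server time, and the theme source, wp_options rows and log lines are all constructed for the demo.

```python
"""Triage helpers for a spam-sending WordPress compromise (added example).

Assumptions, not from the original post: vsftpd-style FTP log lines, business
hours Mon-Fri 08:00-18:00 server time, and all sample data below is constructed.
"""
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Constructs legitimate theme code essentially never uses but injected droppers
# almost always do. Each hit is a lead to inspect by hand, not a verdict.
OBFUSCATION_PATTERNS = {
    "eval-of-decoder": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(", re.I),
    "preg_replace-e-modifier": re.compile(r"preg_replace\s*\(\s*['\"].*?/e['\"]", re.I),
    "long-base64-blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}


def find_suspicious(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, pattern_name, snippet) for each hit in PHP source or a DB value."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in OBFUSCATION_PATTERNS.items():
            match = pattern.search(line)
            if match:
                hits.append((line_no, name, match.group(0)[:60]))
    return hits


def scan_options(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run the same scan over wp_options rows, the usual hiding place for DB payloads."""
    return [(row["option_name"], name)
            for row in rows
            for _, name, _ in find_suspicious(row["option_value"])]


# Assumed vsftpd-style format: "<date> [pid N] [user] OK UPLOAD: Client "ip", "path", ..."
UPLOAD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]+)\] '
    r'OK UPLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')


def off_hours_uploads(log_lines, start_hour: int = 8, end_hour: int = 18):
    """Return (timestamp, user, client_ip, path) for uploads outside Mon-Fri working hours."""
    flagged = []
    for line in log_lines:
        match = UPLOAD_RE.match(line)
        if not match:
            continue  # logins, downloads and failures are not what we are hunting here
        ts = datetime.strptime(match["ts"], "%a %b %d %H:%M:%S %Y")
        weekend = ts.weekday() >= 5
        if weekend or not (start_hour <= ts.hour < end_hour):
            flagged.append((ts.isoformat(), match["user"], match["ip"], match["path"]))
    return flagged


# --- constructed samples ---------------------------------------------------
CLEAN_THEME = """<?php
get_header();
if ( have_posts() ) { while ( have_posts() ) { the_post(); get_template_part( 'content' ); } }
get_footer();
"""

INJECTED_THEME = """<?php
get_header();
$x = "aGVsbG8=";  // short base64 literal: must not be flagged on its own
eval(base64_decode('Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgcGF5bG9hZA=='));  // placeholder blob
get_footer();
"""

OPTION_ROWS = [
    {"option_name": "siteurl", "option_value": "https://example.com"},
    {"option_name": "widget_text",
     "option_value": "<?php eval(gzinflate(base64_decode('" + "Q" * 130 + "'))); ?>"},
]

FTP_LOG = [
    'Tue Feb 17 10:30:02 2015 [pid 3120] [webuser] OK UPLOAD: Client "198.51.100.7", '
    '"/public_html/wp-content/uploads/2015/02/banner.jpg", 48213 bytes, 310.22Kbyte/sec',
    'Tue Feb 17 02:13:44 2015 [pid 3355] [webuser] OK UPLOAD: Client "203.0.113.5", '
    '"/public_html/wp-content/themes/site-theme/functions.php", 9211 bytes, 120.04Kbyte/sec',
    'Sun Feb 15 23:41:09 2015 [pid 2980] [webuser] OK LOGIN: Client "203.0.113.5"',
    'Sun Feb 15 23:41:31 2015 [pid 2981] [webuser] OK UPLOAD: Client "203.0.113.5", '
    '"/public_html/wp-content/themes/site-theme/inc/list.txt", 160044 bytes, 890.10Kbyte/sec',
]

if __name__ == "__main__":
    print("clean theme:", find_suspicious(CLEAN_THEME))
    print("injected theme:", find_suspicious(INJECTED_THEME))
    print("wp_options:", scan_options(OPTION_ROWS))
    for hit in off_hours_uploads(FTP_LOG):
        print("off-hours upload:", hit)
```

Two caveats a practitioner should keep in mind: the long-base64 rule also fires on legitimate inline data URIs and minified assets, so treat it as a pointer to what to read next rather than proof of compromise; and the off-hours filter only works if you know which timezone the FTP daemon logs in, so check that before trusting a 02:13 timestamp.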


Containing the Damage

Once I cleaned the injected code and purged the mail queue again, the spam finally stopped.

But I wasn’t confident that would hold, so I took a different approach. I generated static versions of the websites and temporarily replaced the vulnerable WordPress installs with them.

This wasn’t a permanent solution, but it gave the business continuity. More importantly, it avoided downtime and protected their SEO traffic, because losing traffic would have hurt them almost as much as losing the hosting account.

Later on, the web team reinstalled fresh WordPress instances with patched themes.


Prevention is Better Than The Cure
The Bigger Lesson

This incident taught me something I've seen again and again: while recovery is possible, prevention is always better than cure, and it avoids wasting the business's time.

Here are some fundamentals that we should never forget:

  • Apply updates - Always keep your themes, plugins, and WordPress core up to date.
  • Review logs - Regular log review is how you spot malicious activity that slipped through your other controls.
  • Control user access - Do not give users privileges they do not need to do their work.
  • Replace FTP with SFTP - Plain FTP transmits credentials in clear text, making it an easy target. Moving to SFTP, and later requiring VPN access for SFTP, improved security.
  • Have a playbook - A prepared plan for different scenarios speeds up your response and resolution when problems happen.

From Recovery To Building Your Defenses

I recently started a bootcamp on restoring and securing hacked WordPress websites. I am also developing a way to dynamically evaluate the security posture of websites before they are hacked, a way to be more proactive instead of only reacting to website vulnerabilities. I call it the WordPress Assessment of Risk Methodology (WARM).

Because here's the reality: even with the best security measures, zero-day vulnerabilities can still slip through, and being able to quickly gauge a website's security posture would greatly help to reduce risk.

That's why I built my hardening plugin, which uses Linux file immutability to lock down critical files. It's like your website's own security vault: if cybercriminals find a new vulnerability, we can reduce the potential damage they can cause.
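The technique behind that idea, applying the Linux immutable attribute to a site's critical files and auditing that it is still in place, as an added example. This is not the author's plugin or any code from the original post; it assumes a Linux host whose filesystem supports `chattr`/`lsattr` (ext4, xfs), root privileges for `chattr`, and a list of "critical" files that is my own assumption of a sensible default.

```python
"""Lock and audit critical WordPress files with the Linux immutable attribute.

Added example, not the author's plugin. Assumes chattr/lsattr are available,
root for chattr, and that CRITICAL_FILES is a reasonable (assumed) default.
"""
import subprocess
import sys
from pathlib import Path
from typing import Iterable, List

# Files an attacker with only web-process privileges most wants to edit:
# config, loaders and rewrite rules. Assumed list, adjust per site.
CRITICAL_FILES = ["wp-config.php", ".htaccess", "index.php", "wp-load.php", "wp-settings.php"]


def critical_paths(wp_root: str) -> List[Path]:
    """Critical files that actually exist under the WordPress root."""
    root = Path(wp_root)
    return [root / name for name in CRITICAL_FILES if (root / name).is_file()]


def unlocked_from_lsattr(lsattr_output: str) -> List[str]:
    """Parse `lsattr` output and return the paths whose flag field lacks 'i'.

    lsattr prints one line per file: a flag field such as ----i---------e-------,
    a space, then the path. Lowercase 'i' is immutable; uppercase 'I' means an
    indexed directory, so the membership test is deliberately case-sensitive.
    """
    unlocked = []
    for line in lsattr_output.splitlines():
        if not line.strip():
            continue
        flags, _, path = line.strip().partition(" ")
        if "i" not in flags:
            unlocked.append(path)
    return unlocked


def set_immutable(paths: Iterable[Path], enable: bool = True) -> None:
    """chattr +i / -i on the given files (needs root). Unlock before updating WordPress."""
    subprocess.run(["chattr", "+i" if enable else "-i", *map(str, paths)], check=True)


def audit(paths: Iterable[Path]) -> List[str]:
    """Return the critical files that are currently NOT immutable."""
    result = subprocess.run(["lsattr", *map(str, paths)],
                            check=True, capture_output=True, text=True)
    return unlocked_from_lsattr(result.stdout)


if __name__ == "__main__":
    # usage: python lock_wp.py /var/www/html [lock|unlock|audit]
    root = sys.argv[1]
    action = sys.argv[2] if len(sys.argv) > 2 else "audit"
    targets = critical_paths(root)
    if action in ("lock", "unlock"):
        set_immutable(targets, enable=(action == "lock"))
    for path in audit(targets):
        print("NOT immutable:", path)
```

Two things to keep in mind when using this: the immutable flag also blocks WordPress's own updates and any legitimate edit to those files, so the unlock step has to be part of your update procedure; and only root can clear the flag, which is exactly why it helps against a web-process compromise and why the web server must never run as root.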


Have you ever had to deal with a website that was hacked and how did you fix it?

What concerns or challenges have you had when it came to securing websites?