Restoring a backup without closing the hole
The backup restores the same vulnerable plugin or password the attacker used — and often restores their backdoor with it. Reinfection follows in days, sometimes hours.
Website Malware Removal
A hacked website bleeds twice: once through the infection, and again through the reinfection that follows a surface-level cleanup. I remove the malware you can see and the backdoors you can't, identify the entry point, and close it — then get you delisted from Google's blacklist so traffic and mail flow again.
Website malware removal is the process of finding and eliminating malicious code — injected scripts, backdoors, web shells, SEO spam — from a hacked site, then closing the vulnerability it entered through. A proper cleanup has three parts: removing every trace rather than just the visible symptoms, proving the entry point from server logs, and preventing reinfection. Skipping the last two is why most "cleaned" sites are hacked again within weeks.
Written by Ranjan Chatterjee, Infrastructure Consultant · Linux Server Specialist · 15+ years in production Linux · Last reviewed
A hack rarely announces itself politely. These are the ways it usually shows up — and any one of them justifies acting today.
Five moves that limit the damage and preserve the evidence a proper cleanup depends on.
Infected files are also evidence. Their timestamps, correlated with access logs, reveal how the attacker got in — delete them first and the entry point may stay open behind a "clean" site.
Rotate hosting, panel, FTP, database, and CMS admin passwords — from a machine you trust, in case a keylogger on someone's laptop is the actual source.
It sounds backwards, but a snapshot of the compromised site preserves logs and evidence, and protects you if a cleanup step goes wrong.
Put the site in maintenance mode if customers are being redirected or data is exposed. If it shares a server with other sites, assume lateral movement until proven otherwise.
Its Security Issues report tells you what Google detected and where — free triage information, and the same channel used later to request delisting.
Every one of these comes from a real engagement — usually from before I was called.
The backup restores the same vulnerable plugin or password the attacker used — and often restores their backdoor with it. Reinfection follows in days, sometimes hours.
Scanners catch known signatures. Attackers leave innocuous-looking loaders — a one-line include in a theme file, a fake image with PHP inside — precisely to survive that cleanup.
Deactivated code is still executable code. A large share of the infections I clean entered through a plugin nobody had used in years.
If the database password, an FTP account, or a forgotten admin user survives rotation, the attacker walks back in with credentials — no exploit needed.
Requesting Google review before the site is verifiably clean burns trust with the reviewer and extends the blacklisting. Clean first, verify, then request — in that order.
An honest comparison — each option is right in some situations, including the free ones.
| Option | The right choice when… | Limits & risks |
|---|---|---|
| Security plugin / scanner | Prevention and early warning on a healthy site, or a first opinion on a suspected hack. Free to cheap, runs continuously. | Signature-based: misses custom backdoors and can't do entry-point forensics. "Auto-clean" features sometimes break sites mid-repair. |
| Hosting provider cleanup | The infection is trivial and the host offers cleanup as a service you already pay for. | Typically scanner-driven bulk work: quarantine flagged files, re-enable the account. Entry-point analysis and reinfection prevention are usually not included — which is why suspensions recur. |
| Independent specialist | The site earns money, has been reinfected before, spans multiple sites/accounts, or you need the entry point proven and closed with a written trail. | Costs more than a plugin subscription. Remote work needs hosting access from you, and badly damaged sites may still need a partial rebuild — you'll be told, not billed blindly. |
The same disciplined path on every engagement — scoped, planned, executed with checkpoints, handed off clean.
A short brief or call to understand your stack, the real problem, and what a good outcome looks like.
A clear architecture plan — steps, risks, rollback and timeline — agreed before anything touches production.
Hands-on work with checkpoints. You see progress; nothing changes on your servers silently.
Documentation, access cleanup and a clear path for what comes next. No lock-in, no mystery.
Yes. Hosts routinely restore access for an active cleanup, and I can work from a backup copy if needed. Suspension is usually the starting point of these engagements, not a blocker.
Most single-site cleanups complete within 24–48 hours of getting access, including verification scans. Multi-site accounts, heavily obfuscated infections, or servers where lateral movement occurred take longer — you'll get a realistic estimate after the initial scan, not a guess before it.
A fixed price per site for standard cleanups, quoted up front — complex multi-site infections are quoted after a quick scan so the number is grounded in reality. The quote includes entry-point analysis and blacklist delisting; those aren't upsells.
That's the point of the job. A cleanup without entry-point analysis is a countdown to reinfection — I correlate file timestamps against access logs to establish the vector, then patch it.
Once the site is verifiably clean, review requests typically clear within 1–3 days. I submit and monitor the request as part of the service rather than leaving it with you.
No — changes are made against a fresh backup, malicious code is removed surgically rather than by mass-deleting, and the site is tested after each stage. Where an infected file is also a functional file (a modified theme, a core file), it's replaced with a clean original, not simply removed.
In rough order of frequency: outdated plugins and themes with known vulnerabilities, stolen or weak credentials, abandoned software still installed, and cross-contamination from another site on the same account. Targeted attacks on small sites are rare — automated scanners exploiting known holes are the norm, which is also why prevention works.
No honest provider guarantees that — new vulnerabilities appear constantly. What I do stand behind: the current infection fully removed, the entry point it used closed, and hardening plus monitoring that catches any new attempt early. Sites cleaned this way stay clean; the reinfection cycle comes from skipping those steps.
Sometimes — and if that's cheaper or safer for your case, I'll say so in the first assessment. But a rebuild without entry-point analysis often reuses the same vulnerable plugin or password and gets reinfected. Most sites are also recoverable in less time than a faithful rebuild takes.
Both. WordPress is the volume leader, but injected code, web shells, and dependency-level compromises in Laravel and bespoke PHP apps are regular work — there the cleanup leans more on version control diffs, composer auditing, and log forensics than on plugin knowledge.
Plain-language definitions — so the report reads like information, not incantation.
Engagements that commonly pair with this one.
SSH, firewall, kernel, PHP, MySQL — locked down in layers, documented, auditable.
View service24×7 monitoring, patching, backups, and incident response on a flat monthly retainer.
View serviceBoot failures, corrupted filesystems, kernel panics — diagnosed and repaired methodically, fast.
View serviceOne paragraph is enough: your stack, the symptom, and when you need it solved. Emergencies are answered first.