How we broke a 7-cycle reinfection loop on a real-estate company’s WordPress site, lifted the Google “dangerous site” warning, and locked it down for good.
Results at a glance
- 🦠 Malware fully removed — verified clean (live site, full file scan, and WordPress core integrity check)
- 🔁 Broke a cycle of 7 reinfections
- 🔒 Root cause identified and closed — not just the symptom
- 💾 Full backup taken before any changes
- 🛡️ Moved to an ongoing care plan with monitoring so it can’t quietly happen again
The problem
The site was infected with malware disguised as an innocent-looking plugin. It injected hidden code that served scam content to the site’s visitors — while deliberately staying invisible to the owner and to Google’s own tools. The owner only knew something was wrong because their host flagged the site as Google-blacklisted: the red “this site may be dangerous” warning that drives away nearly every visitor.
Worse, it had been “cleaned” before — and kept coming back within days.
Why previous cleanups failed
This is the part most cleanups miss. Deleting the malware file is like mopping a floor without turning off the tap. We found the reasons it kept returning:
- An unknown administrator account left on the site — an open door to re-upload malware anytime.
- Passwords were never changed after the original break-in, so whoever broke in still had a key.
- A risky script a previous developer installed that quietly downloaded and overwrote files on a schedule.
- Old, exposed copies of the site’s files left behind from earlier cleanup attempts.
The lesson: reinfection is an access problem, not a file problem. You have to lock the doors, not just sweep the floor.
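An added example, not code from this cleanup: a post-cleanup access audit covering three of the doors listed above (unknown administrators, a scheduled task nobody recognizes, and leftover site copies inside the web root). It assumes the admin and cron rows were exported with WP-CLI (`wp user list --role=administrator --format=json` and `wp cron event list --format=json`) and that the risky script ran through WP-Cron. The approved-login set, expected hooks, filename patterns, and all sample data are constructed for illustration.

```python
import fnmatch, os, tempfile

# Assumed patterns for leftover site copies; tune to your own naming habits.
LEFTOVER_PATTERNS = ["*.zip", "*.tar.gz", "*.sql", "*.bak", "*.old", "*backup*", "*-copy*"]

def unknown_admins(admins, approved_logins):
    """admins: rows as exported by `wp user list --role=administrator --format=json`."""
    return [a["user_login"] for a in admins if a["user_login"] not in approved_logins]

def unexpected_cron_hooks(events, expected_hooks):
    """events: rows as exported by `wp cron event list --format=json`."""
    return sorted({e["hook"] for e in events if e["hook"] not in expected_hooks})

def leftover_copies(webroot):
    """Return web-reachable files/dirs whose names look like old backups or copies."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        for name in dirnames + filenames:
            if any(fnmatch.fnmatch(name.lower(), p) for p in LEFTOVER_PATTERNS):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
        # Do not descend into a flagged directory; the directory itself is the finding.
        dirnames[:] = [d for d in dirnames
                       if not any(fnmatch.fnmatch(d.lower(), p) for p in LEFTOVER_PATTERNS)]
    return sorted(hits)

def demo():
    # Constructed sample data, not taken from the incident.
    admins = [{"ID": 1, "user_login": "owner"}, {"ID": 7, "user_login": "wp_support2"}]
    events = [{"hook": "wp_version_check"}, {"hook": "sync_theme_files"}]
    with tempfile.TemporaryDirectory() as root:
        for rel in ["index.php", "site-backup/wp-config.php", "wp-content/db.sql"]:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return {
            "unknown_admins": unknown_admins(admins, {"owner"}),
            "unexpected_cron": unexpected_cron_hooks(events, {"wp_version_check"}),
            "leftover_copies": leftover_copies(root),
        }

if __name__ == "__main__":
    for check, findings in demo().items():
        print(check, findings)
```

Any non-empty finding is a reason to hold off on declaring the site clean; unchanged passwords are not visible to a check like this and still need a forced reset.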
What we did
- Removed the malware and every hidden copy of it, and verified the entire site clean — files and WordPress core.
- Took a full backup before making changes.
- Closed the doors: locked down the unknown admin account, flagged credentials for reset, neutralized the risky script, and cleared out the exposed leftover files.
- Put the site on an ongoing care plan — monitoring, scanning, backups, and updates — so any future threat is caught in minutes, not discovered weeks later by an angry customer.
The outcome
A clean, secured site, a clear path to lifting the Google warning, and an owner who no longer has to wonder whether today’s the day it breaks again.
“They took over the maintenance of our site — couldn’t be happier.”
