WordPress malware removal at scale · Agency network
A UK agency network of 30+ WordPress sites was reinfecting itself faster than each site could be cleaned, because they all sat in the same shared hosting account. We treated the whole account as one cleanup, used WP-CLI in bulk, and stopped the reinfection cycle. Full recorded evidence is available on request during a discovery call.
Each one-off cleanup was undone within 48 hours because backdoors in untouched sites kept rewriting the cleaned ones. The hosting account was a single filesystem, so PHP from one site could write into every other site. The previous provider had been billing per-site cleanups for months without ever stopping the source.
Snapshotted every site and database for forensic evidence before touching anything.
Took every site into maintenance mode at the same time during a low-traffic window.
Used WP-CLI and bash to wipe all plugins, themes, and core across every site in parallel.
Pulled fresh plugin, theme, and core copies from official sources so nothing tampered survived.
Audited wp-content for non-standard PHP files and removed every backdoor planted in uploads and mu-plugins.
Rotated every database password, FTP credential, and WordPress salt across the account.
Brought the fleet back together and monitored for reinfection for 14 days.
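The audit step above, sketched as an added example (not the tooling used in this case study): it finds every WordPress install under one hosting account and lists PHP-executable files in uploads and mu-plugins for review. The account layout, the function names and the extension list are assumptions; verify_site relies on WP-CLI's checksum commands.

```shell
#!/bin/sh
# Added example: fleet-wide audit of one shared hosting account.
# Assumption: each site lives in a directory under the account root and
# is identified by its wp-config.php (layout not stated on the page).

# Print the directory of every WordPress install under the account root.
list_sites() {
  find "$1" -maxdepth 3 -type f -name wp-config.php -exec dirname {} \; | sort
}

# List PHP-executable files in uploads/ and mu-plugins/ of one site.
# uploads/ should hold media only; every mu-plugins hit needs a manual
# review against what the agency knowingly deployed.
audit_site() {
  for dir in "$1/wp-content/uploads" "$1/wp-content/mu-plugins"; do
    [ -d "$dir" ] || continue
    find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
      -o -iname '*.phtml' -o -iname '*.phar' \) -print
  done
}

# Run the audit over every site so no install is left unexamined.
audit_fleet() {
  list_sites "$1" | while IFS= read -r site; do
    audit_site "$site"
  done
}

# Compare core and plugin files of one site with the official checksums.
# Needs WP-CLI on PATH; returns non-zero when any file differs.
verify_site() {
  wp core verify-checksums --path="$1" &&
    wp plugin verify-checksums --all --path="$1"
}

# Usage: sh audit.sh /home/ACCOUNT   (placeholder path)
if [ "$#" -gt 0 ]; then
  audit_fleet "$1"
fi
```

An empty result from audit_fleet across the whole account, repeated during the monitoring period, is the signal that nothing has been replanted in those two directories.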
The whole fleet came back clean in a single overnight window. There were zero reinfections in the 14-day monitoring period, which had been the consistent failure point with the previous provider. The agency stopped paying for monthly emergency cleanups and moved onto a flat fleet care plan.
Every other provider treated us as 30 separate cleanups and charged us every month when it came back. WebCare cleaned the whole thing in one night and it stayed clean. Client identity withheld under NDA. Full Loom recording and dated evidence are available on request during a 15 minute discovery call.
Shared hosting puts every site in the account under one filesystem. A backdoor in one site rewrites every other site. Until every site in the account is cleaned in the same window, the surviving infection reinfects the cleaned ones.
No. A correct fleet-level cleanup plus hardened file permissions was enough. Migration was offered as an option, but the agency chose to stay on their current host once the cycle was broken.
Client identity is withheld under NDA. The recorded session showing the cleanup and the dated post-cleanup monitoring is available on request during a discovery call.
We have 500 plus recorded engineer sessions covering migrations, malware cleanups, speed wins, and emergency recoveries. Most clients are under NDA, so we cannot publish them publicly. On a 20 minute discovery call we will show you the recordings, dashboards, and before and after numbers most relevant to your situation.