Incident Operations

Permanent Re-Entry Point Elimination

You've cleaned the malware twice. It keeps coming back. Backdoors are why.

Malware is the symptom. The backdoor is the disease. Attackers install hidden re-entry mechanisms so they can return after you clean up. Until every backdoor is found and destroyed, cleaning the visible malware is temporary.

4hr urgent acknowledgement target
7+ years WordPress reliability
Human specialist diagnosis

The Full Backdoor Extermination Process

Non-standard directory sweep

We inspect every directory for PHP execution scripts that shouldn't exist, including the uploads folder.

Encoded payload detection

We scan for `eval`, `base64_decode`, `gzinflate`, and other encoding functions used to obfuscate malicious code.

Cron job audit

We review the WordPress cron schedule and server-level cron jobs for attacker-added automated tasks.

Database-level user audit

We query the users table directly, bypassing wp-admin, to find hidden admin accounts.

htaccess and wp-config review

We check for redirect rules and execution hooks added by attackers.

7-day post-cleanup monitoring

We confirm no reinfection before closing the engagement.
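The directory sweep, encoded-payload scan and htaccess review above can be run offline against a copy of the document root (or an extracted backup). The following script is an added example written for this page, not the service's own tooling. It builds a constructed miniature WordPress tree in a temporary directory with three planted findings, then walks it and reports: PHP files anywhere under `wp-content/uploads`, PHP files that call `eval`, `base64_decode`, `gzinflate` or similar decoders, and `.htaccess` handler lines that make another extension execute as PHP. The extension list and function list are illustrative assumptions, not a complete signature set.

```python
import re
import tempfile
from pathlib import Path

# Extensions the web server may execute as PHP (varies by host config; illustrative)
PHP_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

# Functions commonly used to hide a payload. Illustrative, not exhaustive; legitimate
# code (e.g. mail libraries) also calls base64_decode, so hits are triage leads, not verdicts.
OBFUSCATION_PATTERN = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(",
    re.IGNORECASE,
)

# .htaccess directives that route another extension through the PHP handler
HANDLER_PATTERN = re.compile(
    r"^\s*(AddHandler|AddType|SetHandler)\b.*php", re.IGNORECASE | re.MULTILINE
)


def sweep(site_root):
    """Walk a WordPress document root; return sorted (relative_path, reason) findings."""
    root = Path(site_root)
    uploads = root / "wp-content" / "uploads"
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_SUFFIXES:
            # 1. Non-standard directory sweep: PHP has no business under uploads
            if uploads in path.parents:
                findings.append((rel, "php-in-uploads"))
            # 2. Encoded payload detection in any PHP file
            match = OBFUSCATION_PATTERN.search(path.read_text(errors="replace"))
            if match:
                findings.append((rel, "obfuscation:" + match.group(1).lower()))
        elif path.name == ".htaccess":
            # 3. htaccess review: handler lines that turn "images" into executable code
            if HANDLER_PATTERN.search(path.read_text(errors="replace")):
                findings.append((rel, "htaccess-php-handler"))
    return sorted(findings)


def build_fixture():
    """Create a constructed mini-install: three benign files plus three planted findings."""
    root = Path(tempfile.mkdtemp(prefix="wpsweep_"))
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wp'); // benign config\n",
        "wp-content/plugins/hello/hello.php": "<?php echo 'hello'; // benign plugin\n",
        "wp-content/uploads/2024/01/photo.jpg": "constructed placeholder, not a real image",
        # planted: a script sitting where only media should live
        "wp-content/uploads/2024/01/wp-cache.php": "<?php echo 'placeholder'; ?>\n",
        # planted: an obfuscated loader appended to a theme file (non-functional placeholder)
        "wp-content/themes/x/footer.php": "<?php eval(base64_decode('placeholder')); ?>\n",
        # planted: an uploads .htaccess that maps .jpg onto the PHP handler
        "wp-content/uploads/.htaccess": "AddHandler application/x-httpd-php .jpg\n",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    for rel_path, reason in sweep(build_fixture()):
        print(f"{reason:24} {rel_path}")
```

Run against a real install, expect noise from the second check: core and plugin code legitimately calls `base64_decode`, so compare flagged files against a clean copy of the same version (for example with `diff -r`) before deleting anything. The first and third checks rarely have benign explanations and are the ones worth acting on immediately.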

Post-Mortem Report

Case Study: The Cron Job That Reinfected Every 48 Hours

Symptom: A membership site had been cleaned by two separate services over four months. Within 48–72 hours of each cleanup, identical redirects reappeared.

Resolution: A WordPress cron job had been added to the database. Every 48 hours, it fetched a remote PHP payload and wrote it to the uploads directory. Every cleanup removed the payload file but left the cron job intact, which simply re-fetched the payload on schedule.

Business Impact: We deleted the malicious cron entry and cleaned the infection permanently. The site has remained clean for 14 months. Neither previous cleanup service had checked the WordPress cron schedule.
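WordPress keeps its cron schedule in a single row of the database: the `cron` entry in `wp_options`, stored as a PHP-serialized array keyed by next-run timestamp, then hook name, then a hash of the arguments. A cleanup that only deletes files never touches this row, which is exactly the gap the case study describes. The script below is an added example for this page, not the service's own tool. It decodes a constructed `option_value` string in that format (one core hook plus one planted hook), lists every scheduled event, and flags hooks that are not in a short allowlist of core hook names. The allowlist is a partial, illustrative assumption; on a real site extend it with hooks your installed plugins legitimately register.

```python
# Core WordPress cron hook names (partial, illustrative allowlist; extend per site)
KNOWN_HOOKS = {
    "wp_version_check", "wp_update_plugins", "wp_update_themes",
    "wp_scheduled_delete", "delete_expired_transients",
    "wp_scheduled_auto_draft_delete", "recovery_mode_clean_expired_keys",
    "wp_privacy_delete_old_export_files", "wp_site_health_scheduled_check",
}


def php_unserialize(data):
    """Decode the subset of PHP serialize() used by the 'cron' option:
    arrays, strings, ints, floats, bools, null. Assumes ASCII string
    contents (PHP string lengths are byte counts)."""
    def parse(pos):
        kind = data[pos]
        if kind == "N":                      # N;
            return None, pos + 2
        if kind in ("i", "b", "d"):          # i:123;  b:1;  d:1.5;
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            value = float(raw) if kind == "d" else int(raw)
            return (bool(value) if kind == "b" else value), end + 1
        if kind == "s":                      # s:LEN:"text";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2                # skip :"
            return data[start:start + length], start + length + 2   # skip ";
        if kind == "a":                      # a:COUNT:{key value ...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2                  # skip :{
            result = {}
            for _ in range(count):
                key, pos = parse(pos)
                value, pos = parse(pos)
                result[key] = value
            return result, pos + 1           # skip }
        raise ValueError("unsupported serialized type %r at offset %d" % (kind, pos))
    value, _ = parse(0)
    return value


def audit_cron(option_value, known_hooks=KNOWN_HOOKS):
    """Flatten the cron option into one record per scheduled event."""
    cron = php_unserialize(option_value)
    events = []
    for next_run, hooks in cron.items():
        if next_run == "version":            # metadata key, not a timestamp
            continue
        for hook, instances in hooks.items():
            for _args_key, event in instances.items():
                events.append({
                    "hook": hook,
                    "next_run": next_run,
                    "schedule": event.get("schedule"),
                    "interval": event.get("interval"),
                    "known": hook in known_hooks,
                })
    return events


def suspicious(events):
    """Events whose hook name is not on the allowlist."""
    return [e for e in events if not e["known"]]


# Constructed option_value: a core twice-daily hook, plus a planted hook named to look
# legitimate that fires every two days. The 32-char key is md5 of the serialized empty
# argument array, which is how WordPress keys events with no arguments.
SAMPLE_CRON_OPTION = (
    'a:3:{'
    'i:1700000000;a:1:{s:16:"wp_version_check";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
    'a:3:{s:8:"schedule";s:10:"twicedaily";s:4:"args";a:0:{}s:8:"interval";i:43200;}}}'
    'i:1700003600;a:1:{s:16:"wp_cache_refresh";a:1:{s:32:"40cd750bba9870f18aada2478b24840a";'
    'a:3:{s:8:"schedule";s:14:"every_two_days";s:4:"args";a:0:{}s:8:"interval";i:172800;}}}'
    's:7:"version";i:2;}'
)

if __name__ == "__main__":
    for event in audit_cron(SAMPLE_CRON_OPTION):
        flag = "" if event["known"] else "  <-- not a known hook"
        print(f'{event["hook"]:32} every {event["interval"]}s ({event["schedule"]}){flag}')
```

On a live site the same data is available without touching the database by hand: WP-CLI's `wp option get cron` dumps the option and `wp cron event list` renders the schedule, and `wp cron event delete <hook>` removes an entry once you have confirmed nothing legitimate registers it. A scheduled hook does nothing on its own; some PHP on disk (a mu-plugin, a modified theme file, a line in `wp-config.php`) registers its callback, so removing the entry without finding that code leaves the attacker a trivial way to re-add it. Server-level cron (`crontab -l` for each account, `/etc/cron.d`, systemd timers) is a separate schedule and needs its own review.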

Common questions

Questions answered.

How do I know if my site has a backdoor?

The most reliable indicator is reinfection after cleanup. Other signs: unexplained admin accounts, PHP files in the uploads directory, unusual cron entries. A manual audit is the only way to be certain.

Can a backdoor survive a full site restore from backup?

Yes, if the backdoor was already present in the backup. We inspect backups for backdoor presence before recommending a restore.

Will updating all my plugins prevent backdoors?

Updating closes the entry points, but existing backdoor files remain regardless of plugin updates; they must be removed manually.

Submit an Incident Report.

Whether it's an active emergency or a request for managed operations, submit your URL and symptom. Reviewed by human specialists, acknowledged within 4 hours.