A few days ago, one of my clients emailed me with a strange question:
“Did you give someone access to my Google Search Console dashboard?”
The answer was an immediate NO. The email address tied to the new owner wasn’t recognized. Since my client was the only verified owner, this meant someone had slipped into their system and planted the required verification file.
That’s when the panic set in—someone had hacked the site.
What the Hacker Did
After digging in, here’s what I discovered:
- Installed the WP File Manager plugin – This gave them full access to the site’s file structure, which they used to add the Google verification file.
- Hidden access to the database – They used the WP Adminer plugin, cleverly disguised, to manipulate the database.
- Created a fake admin user – A persistent admin account, root@fexpost.com, kept reappearing no matter how many times I deleted it.
In short: the attacker had full control.
How I Resolved It
This wasn’t a simple fix, because the site already had many plugins. Finding the compromised one was like searching for a needle in a haystack.
- Deactivated all plugins – No luck. The issue remained.
- Used FTP and file scanning – I downloaded all site files and used the grep command to search for the suspicious root@fexpost.com string.
- Identified the culprit – The malicious code was buried inside a small, hidden plugin named wp-compat.
- Traced the hack – Searching further revealed traces of wp-compat across two composer files, suggesting it likely came in through a compromised plugin update.
By removing these files and cleaning up the system, I was able to shut the attacker out.
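The file-search step described above, as an added example (not the author's actual commands): it lists which plugin directories in a downloaded copy contain the indicator string, then which composer files mention the plugin name. The sample tree, its file contents and the package name `example/wp-compat` are constructed for illustration, and checking `mu-plugins` goes beyond what the post describes.

```shell
#!/bin/sh
# Added example, not the author's commands. All sample files are constructed.

# Print each directory directly under wp-content/plugins or mu-plugins that
# contains INDICATOR as a fixed string. find (not a glob) is used so that a
# dot-prefixed directory would also be checked.
plugins_with_indicator() {
    site=$1; indicator=$2
    for base in "$site/wp-content/plugins" "$site/wp-content/mu-plugins"; do
        [ -d "$base" ] || continue
        find "$base" -mindepth 1 -maxdepth 1 -type d | sort |
        while IFS= read -r dir; do
            # -r recurse, -q stop at first hit, -F match literally (no regex)
            if grep -rqF -- "$indicator" "$dir"; then
                printf '%s\n' "${dir#"$site"/}"
            fi
        done
    done
}

# Print every composer.json / composer.lock in the copy that mentions NAME.
composer_refs() {
    find "$1" -type f \( -name composer.json -o -name composer.lock \) \
        -exec grep -lF -- "$2" {} + | sort
}

# Build a constructed sample tree standing in for the FTP download.
make_sample_site() {
    d=$(mktemp -d)
    p="$d/wp-content/plugins"
    mkdir -p "$p/wp-compat" "$p/contact-form" "$p/bundled-plugin"
    printf '<?php // constructed marker: root@fexpost.com\n' > "$p/wp-compat/wp-compat.php"
    printf '<?php // clean constructed file\n' > "$p/contact-form/main.php"
    # "example/wp-compat" is a hypothetical package name
    printf '{"require":{"example/wp-compat":"*"}}\n' > "$p/bundled-plugin/composer.json"
    printf '{"packages":[{"name":"example/wp-compat"}]}\n' > "$p/bundled-plugin/composer.lock"
    printf '%s\n' "$d"
}

copy=$(make_sample_site)
plugins_with_indicator "$copy" 'root@fexpost.com'
composer_refs "$copy" 'wp-compat'
rm -rf "$copy"
```

To use it on a real download, call the two functions with the path of the local copy instead of the sample tree.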
How They Likely Got In
Based on my findings, the hack likely happened due to a leaked admin password. Once inside, they deployed additional backdoors (WP File Manager, WP Adminer, and wp-compat) to keep control of the site even if one method was discovered.
Prevention Steps Taken
After removing the malicious files and restoring clean functionality, I set up extra layers of protection:
- Installed Wordfence – A security plugin that scans for vulnerabilities and blocks suspicious activity.
- Ran a full security scan – Cleaned up other potential weak points.
- Hardened site settings – Adjusted permissions and tightened plugin management to reduce risk going forward.
All the scans revealed that the website is in great health, and I hope it remains that way.
Lessons Learned
The biggest takeaway is that plugins are both powerful and risky. A single compromised update can give hackers a way in. Regular monitoring, security scans, and strict plugin management are key to keeping a WordPress site safe. Prevention is always easier and cheaper than recovery.





