What’s This File? — active.php

I would like to share a recent case I addressed. A few days ago, I got the following notification from Wordfence:

A user with username “admin-e” who has administrator access signed in to your WordPress site.
User IP: 193.176.84.16

I quickly realised the website was infected, so I proceeded with an urgent backup and cleanup.

After malware cleanup was complete, I set up file traps to catch any further attempts to access the listed malicious files. This way, I ensured that any other IPs used in the attack would be quickly blocked.

Here are the steps I took to clean this website:

  • Back up the site and move the files outside the public_html folder to prevent data loss;
  • Search Google for SEO spam, check Google Search Console (GSC), remove any unauthorized Google users, and check the submitted sitemap files;
  • Run a thorough WordPress cleanup, making sure plugins, themes, and core files are secure and updated;
  • Configure the firewall, set up file traps, and monitor for any suspicious activity; and
  • Review the raw server logs and block any suspicious IPs that may have been used during the attack.

// Credentials of the rogue "admin-e" administrator account found during the cleanup
$user_login = 'admin-e';
$user_pass = 'vvbbo2024R5$$!!@ae';
$user_email = '[email protected]';

Malicious files:
public_html/wp-content/mu-plugins/1.php
public_html/active.php
public_html/wp-content/activee.php
public_html/wp-content/56.php
public_html/wp-content/albe.php
public_html/wp-content/ty.php

Malicious users:
admin-e

Malicious IPs:
193.176.84.16
193.176.84.29

Logs:

193.176.84.16 - - [29/Dec/2025:00:19:29 +0000] "GET /active.php HTTP/2.0" 200 144 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
193.176.84.16 - - [29/Dec/2025:00:19:31 +0000] "POST /active.php HTTP/2.0" 302 1 "…com/active.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
193.176.84.16 - - [29/Dec/2025:00:20:04 +0000] "GET /wp-content/mu-plugins/1.php HTTP/2.0" 200 1 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
193.176.84.16 - - [29/Dec/2025:00:20:11 +0000] "GET /wp-content/ty.php HTTP/2.0" 200 3750 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36"
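The log review and file-trap steps above can be automated: scan the raw access log for any request that touches one of the listed malicious paths and collect the client IPs for the firewall block list. The script below is an added example, not code from the original post; it parses the combined log format, and its sample input is the four log lines quoted above (quotes and dashes normalised to ASCII) plus one constructed benign request so there is something for the filter to ignore.

```python
import re
from collections import defaultdict

# Web-root-relative paths of the malicious files listed in this post.
MALICIOUS_PATHS = {
    "/active.php",
    "/wp-content/mu-plugins/1.php",
    "/wp-content/activee.php",
    "/wp-content/56.php",
    "/wp-content/albe.php",
    "/wp-content/ty.php",
}

# Apache/nginx "combined" access-log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36")

# Sample input: the four lines from the post, plus one constructed benign request.
SAMPLE_LOG = "\n".join([
    f'193.176.84.16 - - [29/Dec/2025:00:19:29 +0000] "GET /active.php HTTP/2.0" 200 144 "-" "{UA}"',
    f'193.176.84.16 - - [29/Dec/2025:00:19:31 +0000] "POST /active.php HTTP/2.0" 302 1 "…com/active.php" "{UA}"',
    f'193.176.84.16 - - [29/Dec/2025:00:20:04 +0000] "GET /wp-content/mu-plugins/1.php HTTP/2.0" 200 1 "-" "{UA}"',
    f'193.176.84.16 - - [29/Dec/2025:00:20:11 +0000] "GET /wp-content/ty.php HTTP/2.0" 200 3750 "-" "{UA}"',
    '198.51.100.7 - - [29/Dec/2025:00:21:00 +0000] "GET /index.php?p=1 HTTP/2.0" 200 5120 "-" "constructed-benign-client/1.0"',
])


def normalise_path(target):
    """Reduce a request target to a comparable path: drop the query string, collapse '//'."""
    path = target.split("?", 1)[0]
    while "//" in path:
        path = path.replace("//", "/")
    return path


def parse_line(line):
    """Return the fields of one combined-format line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = normalise_path(rec.pop("target"))
    rec["status"] = int(rec["status"])
    return rec


def find_trap_hits(lines):
    """Map each client IP to the requests it made for any known malicious path."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in MALICIOUS_PATHS:
            hits[rec["ip"]].append((rec["ts"], rec["method"], rec["path"], rec["status"]))
    return dict(hits)


def block_list(lines):
    """Sorted list of IPs that touched a malicious path, ready for the firewall block list."""
    return sorted(find_trap_hits(lines))


if __name__ == "__main__":
    for ip, reqs in find_trap_hits(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for ts, method, path, status in reqs:
            print(f"  {ts} {method} {path} -> {status}")
    print("block:", block_list(SAMPLE_LOG.splitlines()))
```

Run it against the real access log (for example `find_trap_hits(open("access.log"))`) after the cleanup; any IP it reports is one that requested a file that no longer legitimately exists, which is exactly the signal the file traps are meant to catch. Extend MALICIOUS_PATHS with whatever additional paths the cleanup turns up.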
