Quick summary
A WordPress security note about scanning files and database records, packaging clean deployable files, and removing a malicious user from the database.
The problem
The site needed a malware cleanup pass that covered both the downloaded WordPress files and the database records where persistence could hide.
What I checked
- Downloaded WordPress file copy
- Database user and usermeta records
- Suspicious PHP and upload-folder executables
- Redirect rules and hidden persistence patterns
- Old backup, staging, cache, and dump folders
What I changed
- Scanned files for common backdoor and malware patterns
- Built clean deployable core and content packages while preserving required active assets
- Excluded stale backup, staging, cache, and runtime dump folders from the clean package
- Used a temporary cleanup tool to inspect and remove a malicious database user
- Documented cleanup findings and remaining follow-up steps
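The file-side checks above, as an added example (not the scanner or cleanup tool used on this site): it walks a downloaded site copy, prunes stale folders, flags PHP under wp-content/uploads, and matches a few backdoor signatures. The regex patterns, stale folder names, helper names, and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed heuristics for illustration; the note does not list its own patterns.
SUSPICIOUS = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("
                        rb"|(eval|assert|system)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)")
# Assumed names for the stale leftovers excluded from the clean package.
STALE_DIRS = {"backup", "backups", "staging", "cache", "dump", "dumps"}
EXEC_EXT = (".php", ".phtml", ".phar")

def rel_path(root, dirpath, name):
    return os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")

def triage(root):
    """Walk a downloaded site copy and return findings as relative paths."""
    report = {"excluded": [], "upload_exec": [], "pattern_hits": []}
    for dirpath, dirnames, filenames in os.walk(root):
        stale = [d for d in dirnames if d.lower() in STALE_DIRS]
        report["excluded"] += [rel_path(root, dirpath, d) for d in stale]
        # Prune in place so stale folders are neither scanned nor packaged.
        dirnames[:] = [d for d in dirnames if d not in stale]
        for name in filenames:
            if not name.lower().endswith(EXEC_EXT):
                continue
            rel = rel_path(root, dirpath, name)
            # PHP under uploads is suspect whatever it contains.
            if rel.startswith("wp-content/uploads/"):
                report["upload_exec"].append(rel)
            with open(os.path.join(dirpath, name), "rb") as fh:
                if SUSPICIOUS.search(fh.read()):
                    report["pattern_hits"].append(rel)
    return {key: sorted(paths) for key, paths in report.items()}

def demo():
    """Run triage over a constructed sample tree (not data from the site)."""
    sample = {
        "wp-content/uploads/2024/01/plain.php": b"<?php echo 'hi';",
        "wp-content/uploads/2024/01/thumb.php": b"<?php eval(base64_decode('ZWNobyAxOw=='));",
        "wp-content/themes/x/functions.php": b"<?php assert($_REQUEST['c']);",
        "wp-content/backup/old.php": b"<?php eval(gzinflate('...'));",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        return triage(root)
```

Signature matches are leads for manual review rather than verdicts, since obfuscated code can evade simple patterns.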
Result
The recovery path separated active production assets from risky leftovers and removed the confirmed malicious user from the database.
What I'd watch next
- Whether administrator passwords and salts are rotated after cleanup
- Whether stale backups return through future uploads
- Whether security scans stay clean after redeployment