Quick summary
A malware recovery note about restoring down sites, removing injected scripts, reviewing suspicious users, replacing core files, and starting hardening.
The problem
Multiple WordPress sites were affected by active injection scripts, suspicious admin users, compromised files, and at least one visible down or error state.
What I checked
- Active injection scripts
- Suspicious WordPress administrator users
- Modified theme and core files
- Downloaded site files scanned locally
- Database malware patterns and live security scan results
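One way to run the "modified core files" check against a locally downloaded site, as an added example (not the script used in this recovery): hash every file under wp-admin and wp-includes and compare it with a clean copy. It assumes a clean copy of the same WordPress version is unpacked locally; the function names and the sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # core directories; wp-content is site-specific

def file_hashes(root: Path) -> dict:
    """Map each core file's path (relative to root) to its SHA-256 digest."""
    hashes = {}
    for core_dir in CORE_DIRS:
        for path in sorted((root / core_dir).rglob("*")):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes

def compare_core(site_root, clean_root) -> dict:
    """Diff a downloaded site against a clean copy of the same WordPress version."""
    site, clean = file_hashes(Path(site_root)), file_hashes(Path(clean_root))
    return {
        "modified": sorted(p for p in site if p in clean and site[p] != clean[p]),
        "unexpected": sorted(p for p in site if p not in clean),  # not shipped in core
        "missing": sorted(p for p in clean if p not in site),
    }

def build_demo_trees(base: Path):
    """Constructed sample data: a tiny 'clean' tree and a tampered 'site' tree."""
    clean_files = {
        "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
        "wp-includes/load.php": "<?php // loader\n",
        "wp-admin/index.php": "<?php // dashboard\n",
    }
    site_files = dict(clean_files)
    site_files["wp-includes/load.php"] += "/* constructed marker: appended code */\n"
    site_files["wp-admin/cache-x.php"] = "<?php // constructed: file not in core\n"
    del site_files["wp-admin/index.php"]
    for name, files in (("clean", clean_files), ("site", site_files)):
        for rel, body in files.items():
            target = base / name / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
    return base / "site", base / "clean"

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        site_root, clean_root = build_demo_trees(Path(tmp))
        for kind, paths in compare_core(site_root, clean_root).items():
            print(f"{kind}: {paths}")
```

Files reported as modified or unexpected are the ones to review before replacing the directory with the clean copy; rerunning the comparison afterwards should return three empty lists.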
What I changed
- Restored an affected site from a down or error state back to live status
- Removed unknown backup or administrator access after review
- Replaced compromised WordPress core directories with clean copies where needed
- Cleaned injected code patterns from files and database records
- Updated a supporting plugin and resolved a related chat widget display issue
Result
The urgent recovery work brought the affected sites back into a cleaner, usable state and started the post-cleanup hardening path.
What I'd watch next
- Whether all credentials and security salts are rotated
- Whether remaining plugins and themes are fully updated
- Whether scheduled scans confirm no reinfection