A Deep Dive into Cleaning Persistent WordPress Malware and Hardening the REST API
The Hook: The 48-Hour Re-Infection Nightmare It’s a scenario that keeps e-commerce founders and agency directors awake at night: You wake up to a critical alert that your flagship WordPress site is redirecting users to a spam domain. You immediately deploy a premium security plugin, run a deep scan, quarantine three suspicious files, and breathe a sigh of relief. The scanner gives you a green checkmark. You're safe. Then, exactly 48 hours later, the redirects return. What went wrong? The automated scanner checked the surface, but the attacker had already established a foothold deeper in the architecture. They didn't rely on a loose PHP file in your uploads directory; instead, they weaponized an overlooked, unauthenticated WordPress REST API endpoint to re-inject the payload the moment your scanner turned its back. When high-value enterprise sites are compromised, treating the symptoms with standard security plugins is like putting a band-aid on a structural fracture. To truly remediate a persistent infection, you must think like a forensic analyst, hunt down hidden persistence mechanisms, and harden the application perimeter. The Anatomy of Persistence: Where Malware Hides Modern WordPress malware is sophisticated. Attackers know that standard security tools look for modified core files or rogue scripts in the /wp-content/plugins/ directory. To survive cleanups, they embed themselves into the core infrastructure of your site using three primary vectors: 1. wp-config.php Pre-Loading Attackers frequently inject obfuscated code directly into the top of wp-config.php . Because this file executes before the rest of the WordPress core loads, malware can hook into the initialization process, silently recreating deleted malicious files every time a page is requested. 2. Malicious Must-Use (MU) Plugins Files placed in /wp-content/mu-plugins/ are executed automatically by WordPress and cannot be disabled from the admin dashboard . Attackers love this directory. They will ofte