MD Pabel

18/05/2026

shipped a bluesky autoposter in 1 hour with claude code 🚀

it pulls my rss feed, generates captions with gpt-4o-mini, and posts daily via /api. upstash redis dedupes. vercel cron handles the scheduling.

open source — if you write a blog and want it on bluesky on autopilot:

https://github.com/mdpabel/Bluesky-Autoposter
https://bluesky.mdpabel.com

15/05/2026

New WordPress Malware Case Study Published

A hacked WordPress site lost nearly 60% of its AdSense revenue because of a hidden malware file called:

👉 mplugin.php

The scary part?

The malware only showed spam ads to Google visitors while hiding itself from:
❌ WordPress admins
❌ Logged-in users
❌ Most security scans

The site owner couldn’t even reproduce the issue on his own device.

Inside this cleanup I found:

• A fake “Monetization Code plugin” hiding in `/wp-content/plugins/`
• Admin IP tracking via `admin_ips.txt`
• 11 malicious `wp_options` database rows
• Search-engine cloaking targeting Google/Bing/Yahoo visitors
• Self-updating malware pulling payloads from external C2 servers
• Reinfection from a nulled WooCommerce extension

This is exactly why many hacked WordPress sites keep getting reinfected even after “cleanup”.

I broke down:
✔ How the malware works
✔ How it hides from admins
✔ The exact SQL queries used during cleanup
✔ IOC domains & indicators
✔ Step-by-step removal process
✔ Why most security plugins miss it

Full case study:

https://www.mdpabel.com/case-studies/mplugin-php-monetization-code-plugin-malware-case-study/

If your WordPress traffic dropped suddenly, ads look strange only on mobile, or visitors report popups you can’t reproduce — check your site carefully.

— MD Pabel
WordPress Malware Removal Specialist
4,500+ hacked WordPress sites cleaned

15/05/2026

Cleaned your WordPress site, but the malware came back again?

That usually means the real problem was not removed.

In many cases, attackers leave a hidden persistence mechanism behind — like a cron job, backdoor file, hidden admin user, infected database entry, or compromised hosting login. So even after deleting the visible malware, the site gets reinfected.

I’ve shared a full breakdown of why this happens and how to stop WordPress malware from coming back permanently.

Read the guide here:
https://www.mdpabel.com/blog/why-wordpress-malware-keeps-coming-back-and-how-to-stop-it-forever/

If your site keeps getting hacked again and again, this guide will help you understand what your last cleanup probably missed.

Cleaned your site but the malware returned? After 4,500+ cleanups, here's why WordPress malware keeps coming back and how to permanently stop reinfection.

14/05/2026

Seeing Japanese spam pages in Google under your WordPress site?

That is usually called the Japanese Keyword Hack or Japanese SEO spam. Your website may look normal, but Google can index thousands of fake spam URLs from your domain.

I wrote a guide showing how to use .htaccess rules to return 410 Gone for confirmed spam URL patterns. This can help reduce server load and speed up cleanup while Google removes the hacked URLs.

But remember: .htaccess rules only help with containment. You still need to remove the actual malware from your WordPress files, database, users, plugins, and cron jobs.

Read the full guide:
https://www.mdpabel.com/blog/how-to-fix-japanese-keyword-hack-in-wordpress-the-hard-way/

Learn how to use .htaccess to return 410 responses for Japanese SEO spam URLs, reduce WordPress load, and clean up hacked spam pages faster without relying only on plugins.

13/05/2026

Is your WordPress dashboard showing 1 user, but your security plugin says there are 2?

That can be a serious warning sign.

Some WordPress malware creates a hidden admin user, hides it from the Users page, and brings it back even after you delete it. This is one of the common reasons malware keeps returning after a cleanup.

I wrote a detailed guide showing:

How hidden WordPress admin users work
Where the malicious code usually hides
How to check the database directly
Why you must remove the malware code before deleting the user
How to stop the hidden admin from coming back
If you manage a WordPress site, this is worth checking.

Read the full post:
https://www.mdpabel.com/blog/how-to-find-and-remove-hidden-admin-users-in-wordpress-malware-analysis/

Hidden admin user on your WordPress site? User count mismatch? Real malware code, detection methods, and removal steps from 4,500+ cleanups. Stop reinfection.

08/05/2026

A client had a WordPress malware problem that kept coming back after deletion.

The infection was disguised as a fake plugin called **system-control**.

At first, it looked like a normal bad plugin inside:

`wp-content/plugins/system-control`

But every time it was deleted, it came back again.

That usually means one thing:

The visible malware is not the real source.

After checking deeper, I found a full regeneration loop built from three parts:

✅ A fake plugin folder
✅ A Must-Use plugin loader
✅ A hidden backup folder that restored the malware

The malware also used this file:

`wp-content/mu-plugins/sc-loader.php`

This was important because MU-plugins load automatically in WordPress. They do not work like normal plugins, so disabling or deleting the plugin from the dashboard was not enough.

The real fix was not to delete one file at a time.

The real fix was to understand the full malware system first, then remove all active regeneration points together.

After removing the fake plugin, the MU-loader, and the hidden backup folder, the malware stopped regenerating.

This case is a good reminder:

Persistent WordPress malware is rarely just “one bad file.”

It can include hidden loaders, backup copies, cron jobs, fake plugins, database injections, and backdoors.

Full case study:
https://www.mdpabel.com/case-studies/regenerating-wordpress-malware-system-control-case-study/

A WordPress malware case study showing how a fake plugin, MU-plugin loader, and hidden backup vault created a reinfection loop—and how I broke it permanently.

07/05/2026

A client came to me after Google indexed more than **50,000 spam URLs** from their hacked WordPress site.

The real website only had around **142 valid pages**.

But in Google Search Console, the site was showing almost **49,800+ Japanese spam pages**.

This was not a normal SEO issue.

It was a large-scale **Japanese keyword hack**.

The site looked mostly normal to visitors, but Google had discovered thousands of junk URLs with Japanese text, gambling keywords, fake product pages, and spam paths.

How I handled the cleanup:

✅ Confirmed the Japanese SEO spam hack
✅ Mapped the spam URL patterns
✅ Used Google Search Console removals for short-term cleanup
✅ Added server-side 410 Gone rules for hacked URL patterns
✅ Created a temporary cleanup sitemap to help Google recrawl spam URLs
✅ Cleaned infected SEO metadata from the WordPress database
✅ Checked real pages that were showing Japanese titles in Google
✅ Hardened the site to stop reinfection

One important lesson from this case:

When a hacked WordPress site has thousands of spam URLs in Google, deleting malware files alone is not enough.

You also need to fix the search-side damage.

That means checking Google Search Console, finding URL patterns, returning proper server responses, cleaning the database, and stopping the hacker from coming back.

Full case study:
https://www.mdpabel.com/case-studies/how-i-removed-50000-spam-urls-from-google-after-a-japanese-keyword-hack/

A real WordPress case study showing how I cleaned a Japanese SEO spam infection, removed 50,000+ hacked URLs from Google, and used Search Console, pattern-based 410 responses, database cleanup, and hardening to stop reinfection.

07/05/2026

Google indexed 50,000+ spam URLs from a hacked WordPress site after a Japanese keyword hack.

I cleaned the malware, fixed the spam URL patterns, used 410 responses, and hardened the site to stop reinfection.

Case study:
https://mdpabel.com/case-studies/how-i-removed-50000-spam-urls-from-google-after-a-japanese-keyword-hack/

06/05/2026

A client contacted me after their Bluehost WordPress site was hit by a serious malware infection.

The website was showing **403 Forbidden errors**, and the Bluehost cPanel malware scanner found **1,162 infected files**.

After checking the site, I found the real issue.

The hacker had added malicious **.htaccess rules** across many folders. These rules blocked normal PHP files from running but allowed the attacker’s backdoor files to stay active.

This is a common hack pattern I often see on Bluehost shared hosting.

What I did:

✅ Found the infected .htaccess pattern
✅ Checked how far the malware had spread
✅ Removed the malicious lockout rules
✅ Restored clean WordPress rewrite rules
✅ Found and removed backdoor files
✅ Checked for fake plugins, hidden admin users, cron jobs, and reinfection risks
✅ Helped the site become clean again before the account suspension got worse

A malware scan showing hundreds or thousands of infected files does not always mean your site is destroyed.

Sometimes, one malware pattern has been copied into many folders.

The key is not to delete files randomly.

A proper WordPress malware cleanup needs careful checking, manual review, and post-cleanup hardening.

Full case study:
https://www.mdpabel.com/case-studies/bluehost-hacked-wordpress-site-recovery/

Bluehost WordPress site hacked with 403 errors and hundreds of infected files? Real case study showing how I diagnosed the lockout and cleaned the infection.

30/04/2026

After a WordPress malware cleanup, submitting a clean sitemap is an important part of search recovery.

In this Japanese SEO spam case, the hacked site had 50,000+ spam URLs affecting Google’s index.

After cleanup, the next step was to help Google understand the clean version of the site again.

That included:

removing hacked content
handling spam URL issues
checking Google Search Console data
submitting clean sitemap information
helping Google re-crawl the correct pages

Malware cleanup is not just about deleting infected files.
A proper recovery plan should also consider SEO, indexing, and post-hack hardening.

Full case study:
https://www.mdpabel.com/case-studies/how-i-removed-50000-spam-urls-from-google-after-a-japanese-keyword-hack/