Sucuri sells scans. We sell the engineers who actually removed the malware and wrote the breach notice.
Forensic incident response by the engineers who removed the malware, hardened the server and wrote the GDPR breach notice. Magecart skimmers, PHP backdoors, DDoS, fixed-fee emergency packages.
- Vector: Magecart-style skimmer on Checkout
- Detected: Day 14
- Removed: Day 14
- Notified CNIL: Day 16 (within 72-hour window)
- Outcome: No card data confirmed exfiltrated post-removal
What you get
Six engagements covering the full incident lifecycle.
We don't sell a scanner. We sell engineers who treat the compromise like the start of a project, not the end of one.
Emergency malware removal
Magecart skimmers, SEO-spam injections, redirect malware, cryptominers, backdoor PHP shells. Identified, removed, root cause documented.
Forensic incident response
Timeline reconstruction. Breach-window estimation from page revision history. Indicator-of-compromise documentation handed to your legal and DPO.
Post-cleanup hardening
File integrity monitoring, WAF rules, geo-blocking, ASN blocking, full credential rotation (DB, API keys, hosting panel, FTP/SSH, gateways), 2FA enforcement.
Breach-notification support
GDPR Article 33, CNIL, ICO. What to write, when to write it, what counts as a notifiable breach, who has to be told within 72 hours.
Ongoing security retainer
Monitoring, alerting, patch management, scheduled scans. Quarterly review. Not a vendor relationship, a phone number that picks up at 02:00.
Legacy PHP upgrades
7.x to 8.x. The work that should have happened before the compromise, done after, with the codebase rewritten where the old packages stopped receiving security patches.
The IOC map
What a clean site doesn't have.
Twelve indicator-of-compromise patterns we look for during an incident. Each tile is the one-line check we actually run.
- File mtime drift: find wp-content -mtime -30 -type f
- PHP in /uploads/: find wp-content/uploads -name '*.php'
- eval(base64_decode( loaders: grep -R 'eval(base64_decode' wp-content/
- option_value injection: SELECT option_name, option_value FROM wp_options WHERE option_value LIKE '%<script%';
- Admin user drift: wp user list --role=administrator
- Cron task hijack: wp cron event list
- .htaccess rewrite: git diff .htaccess (or backup compare)
- Skimmer JS in content: SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%easystation%' OR post_content LIKE '%metrics.js%';
- Backdoor polling URLs: tail -f access.log | grep wp-load
- ASN traffic spikes: Cloudflare Firewall Events · group by ASN
- WSO / FilesMan shells: grep -R 'FilesMan\|WSO\|assert(\$_' wp-content/
- Iframe injections: grep -R '<iframe[^>]*src="http' wp-content/themes/
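As an added example (not the consultancy's own tooling), a POSIX shell function that runs the file-system checks from this map against a WordPress root and reports every match; the database-side checks (wp_options, wp_posts) are left out because they need a DB connection, and the paths and 30-day window are taken from the tiles above.

```shell
# Added example, not the page's own script. Runs the file-system IOC checks
# against a WordPress root; returns non-zero if any check produced a match.
hits=0

# Print "check: count" plus the matching paths, and add to the global $hits.
report() {
  n=$(printf '%s\n' "$2" | sed '/^$/d' | wc -l | tr -d ' ')
  printf '%s: %s\n' "$1" "$n"
  if [ "$n" -gt 0 ]; then
    printf '%s\n' "$2" | sed 's/^/    /'
    hits=$((hits + n))
  fi
}

ioc_scan() {
  root="$1"
  hits=0
  # File mtime drift: anything under wp-content written in the last 30 days
  report 'mtime drift (30d)' \
    "$(find "$root/wp-content" -type f -mtime -30 2>/dev/null)"
  # PHP in /uploads/: the media directory must not contain executable code
  report 'PHP in uploads' \
    "$(find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null)"
  # eval(base64_decode( and eval(gzinflate( obfuscated loaders
  report 'eval(base64/gzinflate)' \
    "$(grep -RlE 'eval\((base64_decode|gzinflate)\(' "$root/wp-content" 2>/dev/null)"
  # WSO / FilesMan web shells and assert($_ execution callbacks
  report 'WSO/FilesMan/assert' \
    "$(grep -RlE 'FilesMan|WSO|assert\(\$_' "$root/wp-content" 2>/dev/null)"
  # Iframe injections pointing at external hosts inside theme files
  report 'iframe injection' \
    "$(grep -RlE '<iframe[^>]*src="http' "$root/wp-content/themes" 2>/dev/null)"
  [ "$hits" -eq 0 ]
}
```

Run it as `ioc_scan /var/www/site` from a shell on the host; the exit status makes it usable as a gate in a post-cleanup verification step.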
Evidence · anonymised case files
Two incidents. Two distinct attack patterns. Both closed cleanly.
French WooCommerce site running Payplug + WPML. Duplicate card-detail fields appeared at checkout. Initial hypotheses (duplicate plugins, WCML gateway double-registration, Gutenberg block conflicts, theme overrides) all ruled out methodically.
Actual cause: malicious third-party script easystation.top/fibrebio/metrics.js injected into Checkout page content, rendering a fake payment form overlay alongside the legitimate Payplug form. Classic Magecart pattern: the overlay captures, exfiltrates, then passes through to the real form so the order completes and nobody notices.
Post-removal: file-mtime audit across wp-content/ for the last 30 days, grep for the backdoor patterns eval(base64_decode, eval(gzinflate, assert($_, FilesMan and WSO, PHP-in-uploads scan, SQL audit of wp_options for script injection, admin user review, MalCare deep scan with second-pass confirmation, full credential rotation, GDPR Article 33 conversation with the client.

CASE-2024-PLUSHEAT-01
- Attack: DDoS + suspected backdoor on EOL PHP 7.4
- Stack: Cloudflare WAF · nginx · PHP-FPM · ASN + geo allowlists
DDoS plus a suspected backdoor on end-of-life PHP.
nginx upstream timeout cascade caused by PHP-FPM worker pool exhaustion. Diagnosed: a coordinated bot attack from Hetzner Cloud IPs hitting /boiler-cover/ variants. Higher-priority finding alongside it: POST requests to wp-load.php and /v1/wp-load.php with randomised hex query parameters, a backdoor polling pattern suggesting the install was already compromised.
Remediation: ASN-level Cloudflare blocking, aggressive page caching to absorb bot traffic, reduced fastcgi_read_timeout, geo-blocking by country allowlist with cf.client.bot bypass for verified Googlebot. Deployed first under Managed Challenge before switching to Block to avoid taking down legitimate traffic.
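As an added example (not from the case file), a shell check that picks the polling pattern described above out of combined-format access logs; the log lines are constructed for the example and use documentation-range IPs.

```shell
# Added example, not the page's own tooling. Constructed combined-format log
# lines; the POSTs to wp-load.php and /v1/wp-load.php with hex-only query
# strings mirror the backdoor polling pattern from the case file.
SAMPLE_LOG='203.0.113.7 - - [12/Mar/2024:02:14:11 +0000] "POST /wp-load.php?9f3a7c1e4b2d HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:41 +0000] "POST /v1/wp-load.php?e1d0c9b8a7f6 HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2024:02:15:03 +0000] "GET /boiler-cover/ HTTP/1.1" 200 18452 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2024:02:15:09 +0000] "GET /wp-load.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:15:11 +0000] "POST /wp-load.php?0badf00d HTTP/1.1" 200 31 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin and print "client_ip count" for every
# source that POSTed to wp-load.php (any path prefix) with a query string made
# only of hex digits, busiest first. A plain GET to wp-load.php is ignored:
# that is ordinary WordPress bootstrap traffic, not the polling pattern.
backdoor_polling() {
  awk '$6 == "\"POST" && $7 ~ /^(\/.*)?\/wp-load\.php\?[0-9a-fA-F]+$/ { c[$1]++ }
       END { for (ip in c) print ip, c[ip] }' | sort -k2,2nr
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | backdoor_polling
```

On a live host, `backdoor_polling < /var/log/nginx/access.log` gives the source list to feed into the ASN and firewall review.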
Hardening engagements run alongside maintenance & support, custom WordPress, and WooCommerce development. Edge-layer work for WAF and geo-blocking ties into Cloudflare edge engineering.
Good fit if
A fit when there's a real incident to close
- WooCommerce stores under active attack or post-compromise
- WordPress sites with unexplained traffic spikes, blocked emails, or Google Safe Browsing warnings
- Operators who need GDPR Article 33 support and don't know what's notifiable
- Sites running EOL PHP, EOL plugins, or unpatched cores past 12 months
Probably not a fit
We'll point you to a scanner when that's all you need
- Spec-only hardening with no incident or compromise: start with a Sucuri or Wordfence scan
- Static brochure sites with no checkout, no users, no PII
- Anyone looking for a $50 'clean my site' freelancer
Tools we use
Boring, deliberate, repeatable.
Active incident
Call. We answer. Engineers, not a ticketing queue.