How a Pattaya restaurant recovered from an overnight casino-injection hack

Real WordPress cleanup walkthrough — what we found at 8am, what we fixed by 4pm, how the rankings recovered over 60 days.

A Pattaya seafood restaurant called us at 7:48am on a Tuesday. Their site was loading fine for them, but a regular customer had texted the owner overnight saying Google was showing a "This site may be hacked" warning next to their listing.

What we found at 8am

Within 15 minutes of getting WordPress admin credentials we could see what had happened.

  • 4,827 new posts in the database, all dated to within the last 36 hours
  • Each post titled with Thai online-casino keywords translated literally ("แทงบอลออนไลน์ pantip", "สมัครสล็อต 100 บาท", etc.)
  • Posts published under a fake admin account named `wp-svc-utils` (cloaked to look like a system account)
  • A `.htaccess` modification that redirected any user-agent containing `googlebot` to a different page than what a normal visitor saw
  • A backdoor PHP file in `/wp-content/uploads/2024/` named `wp-cache-config.php` — disguised to look like a caching plugin file

This is a textbook casino spam injection attack. The economic logic: hackers get free hosting + a (briefly) trusted domain to push casino affiliate spam to Thai Google for a few days before Google catches on and deindexes everything.
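A check for the `.htaccess` cloaking rule described above, as an added example that is not part of the original writeup: it flags every `RewriteRule` guarded by a `RewriteCond` on the User-Agent that names a search crawler. The crawler token list, the sample file and its placeholder redirect target are constructed for illustration.

```python
import re

# Crawler names a cloaking rule is likely to key on (assumed list, extend as needed).
CRAWLER_TOKENS = ("googlebot", "bingbot", "slurp", "baiduspider", "yandex")

COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

# Constructed sample: a stock WordPress block with one cloaking rule added.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ /wp-content/uploads/placeholder-landing.php?p=$1 [L]
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""


def find_cloaking_rules(htaccess_text):
    """Return (cond_line_no, cond_pattern, rule_target) for each RewriteRule
    whose RewriteCond tests the User-Agent against a crawler name."""
    findings = []
    pending = []  # crawler conditions waiting for the rule they guard
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            test_string, pattern = cond.group(1), cond.group(2)
            if "HTTP_USER_AGENT" in test_string.upper() and any(
                    tok in pattern.lower() for tok in CRAWLER_TOKENS):
                pending.append((line_no, pattern))
            continue
        rule = RULE_RE.match(line)
        if rule:
            # Conditions apply only to the next RewriteRule, then reset.
            findings.extend((n, p, rule.group(2)) for n, p in pending)
            pending = []
    return findings
```

Run it against every `.htaccess` in the tree, not only the one in the web root, since subdirectory files are evaluated too.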

What it was costing them

The restaurant didn't know it yet but they were already losing money:

  • "This site may be hacked" warning had been live in Thai Google results for at least 12 hours — every potential booking saw it
  • Google Search Console showed a manual security action filed the previous evening
  • Direct organic traffic had dropped 73% overnight (Search Console)
  • One reservation cancellation that morning where the customer mentioned the warning

For a restaurant doing ~40% of weekend bookings through organic search, every day with the warning was costing them roughly 8-12 lost reservations.

The cleanup, hour by hour

08:00-09:30 — Isolation. Took the site offline behind a maintenance page so visitors stopped seeing the compromised pages. Used Cloudflare to block the attacker's IP ranges (we identified five Russian + Indonesian VPS networks from the log files).

09:30-11:00 — File scan. Ran ClamAV + a custom WordPress malware scan across the filesystem. Found three backdoor files, two modified `.htaccess` files, and 47 PHP files with injected base64-encoded payloads. Removed all of them and restored core WordPress files from the official release ZIP.
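A sketch of the kind of check a WordPress-specific file scan performs, as an added example and not the custom scanner used in this cleanup: it flags PHP files under `wp-content/uploads/` and PHP files that execute decoded data or carry a long base64 literal. The regexes, the 200-character threshold and the inert sample tree are assumptions made for the example.

```python
import os
import re

PHP_EXT = (".php", ".phtml", ".php5", ".phar")
# Decoder output handed straight to an executor, e.g. eval(base64_decode(...)).
EXEC_OF_DECODE = re.compile(
    rb"\b(eval|assert)\s*\(\s*@?\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.I)
# A base64 literal of 200+ characters passed to base64_decode() (assumed threshold).
LONG_B64 = re.compile(rb"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{200,}['\"]", re.I)


def scan_tree(root):
    """Map relative path -> list of reasons for every suspicious PHP file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            reasons = []
            # uploads/ holds media; executable PHP there needs an explanation.
            if rel.startswith("wp-content/uploads/"):
                reasons.append("php-in-uploads")
            with open(path, "rb") as fh:
                data = fh.read()
            if EXEC_OF_DECODE.search(data):
                reasons.append("exec-of-decoded-data")
            if LONG_B64.search(data):
                reasons.append("long-base64-literal")
            if reasons:
                findings[rel] = reasons
    return findings


def build_sample_tree(root):
    """Write a constructed, inert sample site so the scanner can be tried offline."""
    samples = {
        "wp-content/uploads/2024/wp-cache-config.php": b"<?php // constructed placeholder\n",
        "wp-content/themes/demo/functions.php":
            b"<?php eval(base64_decode('" + b"QUJD" * 60 + b"')); // constructed, inert\n",
        "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
```

Treat hits as leads to review by hand: some plugins legitimately place small PHP files in uploads, and a backdoor can avoid both patterns, which is why core files were restored from the official release rather than trusted after scanning.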

11:00-12:30 — Database cleanup. Wrote SQL queries to delete the 4,827 spam posts (matched by date range + author ID + slug pattern). Deleted the fake admin user. Audited the `wp_options` table for tampered values — found two: site_url had been pointed at a redirector domain.
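The database step above, sketched as an added example rather than the queries actually run: the delete is keyed on author ID, date window and slug pattern together, and refuses to run unless the match count equals the number triaged beforehand. SQLite stands in for MySQL so it runs offline; the author ID, dates and slug pattern are constructed.

```python
import sqlite3


def purge_spam_posts(db, author_id, start, end, slug_like, expected):
    """Delete posts matching author + date window + slug pattern, their postmeta
    rows and the fake account, but only if the match count equals `expected`."""
    where = "post_author = ? AND post_date BETWEEN ? AND ? AND post_name LIKE ?"
    args = (author_id, start, end, slug_like)
    matched = db.execute(
        f"SELECT COUNT(*) FROM wp_posts WHERE {where}", args).fetchone()[0]
    if matched != expected:
        raise ValueError(f"matched {matched} rows, expected {expected}; not deleting")
    with db:  # one transaction: commit on success, roll back on any error
        db.execute("DELETE FROM wp_postmeta WHERE post_id IN "
                   f"(SELECT ID FROM wp_posts WHERE {where})", args)
        db.execute(f"DELETE FROM wp_posts WHERE {where}", args)
        db.execute("DELETE FROM wp_users WHERE ID = ?", (author_id,))
    return matched


def build_sample_db():
    """Constructed stand-in for the WordPress tables (SQLite, minimal columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_author INTEGER,
                               post_date TEXT, post_name TEXT);
        CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER,
                                  meta_key TEXT);
    """)
    db.execute("INSERT INTO wp_users VALUES (1, 'owner'), (7, 'wp-svc-utils')")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (10, 1, "2023-05-01 10:00:00", "weekend-seafood-menu"),   # legitimate
        (11, 7, "2024-01-02 03:10:00", "spam-placeholder-0001"),  # injected
        (12, 7, "2024-01-02 03:11:00", "spam-placeholder-0002"),  # injected
        (13, 1, "2024-01-02 09:00:00", "spam-placeholder-menu"),  # real author: kept
    ])
    db.executemany("INSERT INTO wp_postmeta VALUES (?, ?, ?)", [
        (1, 10, "_thumbnail_id"), (2, 11, "_edit_last"), (3, 12, "_edit_last")])
    db.commit()
    return db
```

Take a database dump before running a delete like this on a live site, so a pattern that turns out too broad can be undone.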

12:30-13:30 — Vulnerability close. Identified the entry point: an outdated Slider Revolution plugin (CVE-2014-9734) that still hadn't been updated. Removed the plugin entirely since the restaurant didn't need it.

13:30-15:30 — Hardening. Updated WordPress core, every remaining plugin, and the theme. Installed Wordfence in active-blocking mode and applied server-level hardening, with 2FA required on all admin accounts. Forced a password reset on the two real admin users.

15:30-16:30 — Reconsideration request. Submitted the Search Console reconsideration request with a 600-word writeup of what was found and how it was fixed. Brought the site back online.

Total time: 8 hours 32 minutes.

Recovery timeline

  • Day 1: "Site may be hacked" warning still visible in Google results
  • Day 3: Warning gone (Google recrawled and accepted the reconsideration request)
  • Day 10: Manual security action lifted in Search Console
  • Day 21: Organic traffic back to 50% of pre-hack baseline
  • Day 45: Organic traffic back to 80% of pre-hack baseline
  • Day 60: Map Pack ranking back to position 2 (was position 2 before, dropped to position 7 during the incident, fully recovered)
  • Day 90: Direct organic traffic 12% above pre-hack baseline — partly because we cleaned up old technical issues at the same time

What we did differently from a typical "WordPress cleanup" gig

Most cleanup gigs stop after removing the malware. We do three more things:

  • Forensic logging — we save copies of the malicious files and `.htaccess` snapshots so if it recurs we recognise the same attacker
  • Daily off-site backups for the first 30 days post-cleanup (in case the cleanup missed something)
  • Free reaudit at 30 days — we recheck the site for new infections that might mean a backdoor was missed

The bill

We quoted ฿18,500 for the emergency cleanup + 30 days of monitoring. The restaurant accepted at 9:45am. We did not charge extra for the after-hours work since we were already on the clock — that's part of the emergency-response model.

No retainer required after the 30-day window. They're now on a basic ฿2,500/month maintenance plan that covers WordPress updates + backup verification + a quarterly security review.

What you should take from this

1. The "This site may be hacked" Google warning is the customer signal that matters — most owners discover hacks through this, not through their own admin
2. Casino / porn / counterfeit-pharma injections are the #1 WordPress attack profile in 2026 — and they hide from logged-in admins by design
3. Cleanup is faster than people expect (8 hours typical) but recovery takes weeks — plan around the lost-traffic window
4. The plugin you forgot you installed is usually the entry point — annual plugin audits are not optional

If you're reading this because something similar just happened to you, our emergency response window is under 2 hours from getting credentials. Drop us a WhatsApp message and we'll start the clock.

Written by
Backlink Hut Team
Engineering & Strategy

Joint team posts from our six-person Pattaya operation — technical SEO, WordPress, paid media, and content.
