Cleanup without breaking your site
How Segurium restores tampered WordPress core, plugin, and theme files to canonical upstream content — and why most cleanups don't have to be wipe-and-pray.
The hardest part of cleaning up a hacked WordPress site is not finding the malware. It is removing the malware without breaking the site.
Most plugins handle this by deleting the offending file. That works on a standalone dropper — a stray wp-content/uploads/2024/03/wp-config.php that exists for no reason other than to sit on disk and wait. But it breaks badly when the malicious code is inside a real plugin file that the site depends on. Delete woocommerce.php and the storefront goes down. Delete a theme’s functions.php and every page returns a white screen. The cleanup itself becomes the outage.
Segurium handles this differently. When the file is a modified version of known WordPress core, plugin, or theme code, the canonical bytes are fetched from a verified upstream record and written back. The file’s legitimate functionality is preserved end-to-end; the malicious content is the only thing that changes.
For files that are neither core nor a known plugin / theme — the miscellaneous PHP shells that get dropped into wp-content/uploads/ or under fake plugin slugs — the fix is delete-with-care: the file is verified as a malicious-only artifact (no useful behaviour, no legitimate caller) before it is removed.
For injections inside files that are legitimate but also contain hostile code — the most common pattern in 2026, and the hardest to clean — Segurium removes the injected segment without touching the rest of the file. The site keeps doing what it was doing.
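The three outcomes above (restore a known file from its canonical bytes, set aside an unknown PHP file under uploads, and report exactly which injected segment a restore removes) can be sketched as a small planner. This is an added illustration, not Segurium’s code; the canonical manifest, the `demo` theme, the file contents and the `plan_fix` / `injected_segments` helpers are all constructed for the example, and a real implementation would fetch canonical bytes from a verified upstream record rather than a hard-coded dictionary.

```python
import difflib
import hashlib

# Constructed canonical manifest: relative path -> known-good bytes.
# In production these come from a verified upstream record, never from the
# compromised site itself.
CANONICAL = {
    "wp-content/themes/demo/functions.php":
        b"<?php\nadd_action('init', 'demo_setup');\nfunction demo_setup() {}\n",
}
UPLOAD_PREFIX = "wp-content/uploads/"

# Constructed sample: the theme file with one line injected after the opener.
INJECTED_LINE = b"@include_once ABSPATH . 'wp-content/uploads/2024/03/wp-config.php';\n"
TAMPERED = b"<?php\n" + INJECTED_LINE + CANONICAL["wp-content/themes/demo/functions.php"][6:]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def injected_segments(canonical: bytes, actual: bytes) -> list:
    """Line-level diff: return the byte chunks present in `actual` but not in canonical.
    Used only for the cleanup report; the fix itself is the canonical write-back."""
    a = canonical.splitlines(keepends=True)
    b = actual.splitlines(keepends=True)
    matcher = difflib.SequenceMatcher(None, a, b)
    return [b"".join(b[j1:j2]) for tag, _, _, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]


def plan_fix(path: str, actual: bytes) -> dict:
    """Decide what to do with one on-disk file, never deleting a file the site depends on."""
    canonical = CANONICAL.get(path)
    if canonical is not None:
        if sha256(canonical) == sha256(actual):
            return {"action": "keep", "reason": "matches upstream bytes"}
        # Known file that drifted: restore canonical content, keep the
        # injected segments so the operator can see what was removed.
        return {"action": "restore", "content": canonical,
                "removed": injected_segments(canonical, actual)}
    if path.startswith(UPLOAD_PREFIX) and path.endswith(".php"):
        # PHP has no business under uploads; set it aside for the
        # delete-with-care verification rather than unlinking it outright.
        return {"action": "quarantine", "reason": "PHP under uploads, no legitimate caller"}
    return {"action": "review", "reason": "no canonical copy; needs manual analysis"}
```

Restoring canonical bytes is what makes the fix safe: the file keeps every legitimate line, and the diff is only evidence for the report.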
That’s the principle: no downtime risk on any cleanup, even complex multi-file injections. The fix is precise enough that you don’t need to compare “before” and “after” screenshots to believe it.
This post is the first in a short series on how Segurium thinks about cleanup. The next post will cover what happens when the canonical upstream copy of a file isn’t available — for niche or abandoned plugins — and why the answer is not “give up and delete.”