
Hacked WooCommerce Store Rebuild

An Australian online auto parts retailer's WordPress store was severely compromised, with three PHP backdoors hidden in its plugins. Rather than patch it, we rebuilt it from scratch — 485 products migrated, 35 plugins eliminated, and a hand-coded custom theme replacing the entire plugin stack.

  • 485 Products Migrated
  • 100 SEO Score
  • -72% Site Reduction
  • 35 Plugins Removed

About the Project

The client is an Australian-owned online retailer specialising in automotive parts, accessories, oils, and car care products. Their WooCommerce store served retail customers across the country — but underneath a working storefront sat years of accumulated plugin debt and an active compromise the owner knew nothing about.

For security reasons, we have kept this case study anonymous. It documents the work and the outcomes, not the business.

The Challenge

A routine security assessment revealed the site was in far worse shape than anyone realised:

  • 3 active PHP backdoors hidden in plugin directories — obfuscated webshells giving attackers full server access
  • 29 security vulnerabilities across four severity levels (4 critical, 7 high, 7 medium, 6 low)
  • 3,572 user accounts — only 120 were legitimate customers with orders; the rest were spam registrations
  • 25+ plugins — many outdated, abandoned, or redundant, with two premium plugins running without valid licences
  • 10 unused themes adding unnecessary attack surface
  • 5.4GB disk footprint — bloated with orphaned files, unused uploads, and plugin debris
  • No security headers, no rate limiting, XML-RPC wide open, and wp-config.php publicly readable

The site had been restored from a backup that itself contained the compromised files — meaning the infection predated the most recent backup. Patching was not an option. The only safe path was a complete rebuild.
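When the backup cannot be trusted as a baseline, files that do not belong can still be found by comparing each live plugin directory with a clean copy of the same plugin release unpacked from the vendor. The sketch below is an added example, not the tooling used on this project; the function names and directory layout are assumptions.

```python
import hashlib
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large assets are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def diff_against_pristine(live_dir, pristine_dir) -> dict:
    """Compare a live plugin tree with a clean copy of the same release.

    added    - only on the live site (where a dropped PHP file shows up)
    modified - content differs from the release (code injected into a real file)
    missing  - shipped in the release but absent from the live site
    """
    live, clean = snapshot(Path(live_dir)), snapshot(Path(pristine_dir))
    return {
        "added": sorted(live.keys() - clean.keys()),
        "modified": sorted(f for f in live.keys() & clean.keys()
                           if live[f] != clean[f]),
        "missing": sorted(clean.keys() - live.keys()),
    }


if __name__ == "__main__":
    import tempfile
    # Constructed trees: the live copy has one extra and one altered file.
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live"), Path(tmp, "clean")
        for root in (live, clean):
            (root / "inc").mkdir(parents=True)
            (root / "plugin.php").write_text("<?php // main\n")
            (root / "inc" / "helper.php").write_text("<?php // helper\n")
        (live / "inc" / "helper.php").write_text("<?php // altered\n")
        (live / "inc" / "cache.php").write_text("<?php // extra file\n")
        print(diff_against_pristine(live, clean))
```

The pristine copy has to be the same version as the installed plugin, otherwise every file changed between releases is reported as modified.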

Our Approach

The project was delivered in three phases over one week:

  1. Security Audit & Documentation: Full vulnerability assessment with a detailed PDF report covering all 29 findings, risk ratings, and remediation steps — delivered to the client before any work began
  2. Malware Removal & Forensics: Identified and documented the three PHP backdoors, analysed their obfuscation patterns, and confirmed they shared a common attack vector
  3. Clean Rebuild: Fresh WordPress 6.9.1 installation with WooCommerce 10.5.2 and a purpose-built custom theme

The Custom Theme

The custom theme was hand-coded from scratch with 45+ files replacing the functionality of over 20 plugins:

  • Built-in SEO — Meta tags, Open Graph, JSON-LD schema, XML sitemap, breadcrumbs, and an admin dashboard (replacing Yoast/RankMath)
  • Performance Engine — Minified CSS, async script loading, WooCommerce block removal, and optimised asset delivery
  • WooCommerce Overrides — Custom product cards, quantity controls, cart experience, and category layouts
  • Security Hardening — .htaccess rules for HTTPS redirect, security headers, XML-RPC blocking, and file access restrictions built into the theme deployment
  • Responsive Design — Mobile-first layout with trust signals, branded header, product search, and category navigation

Migration

All 485 products were migrated with their full data intact:

  • Product titles, descriptions, prices, and SKUs
  • 420+ product images transferred and verified
  • 64 product categories with hierarchy preserved
  • Variable products with all size/quantity options
  • 22 pages of site content

The user table was cleaned from 3,572 accounts down to 120 — four administrators and 116 customers with genuine order history.

Security Hardening

The new installation was locked down from the start:

  • Fresh WordPress security salts
  • DISALLOW_FILE_EDIT enabled in wp-config.php
  • wp-config.php set to chmod 600
  • Login rate limiting with CAPTCHA
  • XML-RPC completely blocked
  • Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
  • HTTPS enforced with HSTS header
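A checklist like this is worth re-verifying after every deployment. The following is an added example, not part of the project's code, that audits a wp-config.php file and one captured response against the items above; the function names, the header-dictionary input, and treating a 403 or 404 from xmlrpc.php as "blocked" are assumptions.

```python
import re
import stat
from pathlib import Path

# Response headers named in the hardening list, HSTS included.
REQUIRED_HEADERS = (
    "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
    "Permissions-Policy", "Strict-Transport-Security",
)
# Anchored at line start so a //- or #-commented define() does not count.
FILE_EDIT_OFF = re.compile(
    r"^\s*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I | re.M)


def audit_wp_config(path) -> list:
    """Findings for wp-config.php permissions and DISALLOW_FILE_EDIT."""
    path = Path(path)
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # any group/other bit means wider than 600
        findings.append(f"wp-config.php mode is {mode:o}, expected 600")
    text = path.read_text(encoding="utf-8", errors="replace")
    if not FILE_EDIT_OFF.search(text):
        findings.append("DISALLOW_FILE_EDIT is not defined as true")
    return findings


def audit_response(headers: dict, xmlrpc_status: int) -> list:
    """Findings for one captured HTTPS response plus an xmlrpc.php probe."""
    present = {name.lower() for name in headers}
    findings = [f"missing header: {name}" for name in REQUIRED_HEADERS
                if name.lower() not in present]
    if xmlrpc_status not in (403, 404):  # assumption: blocked means 403/404
        findings.append(f"xmlrpc.php returned {xmlrpc_status}, not blocked")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a config left at 644 with the define commented out.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "wp-config.php")
        cfg.write_text("<?php\n// define('DISALLOW_FILE_EDIT', true);\n")
        cfg.chmod(0o644)
        print(audit_wp_config(cfg))
    # Constructed response: only one of the five headers is present.
    print(audit_response({"x-frame-options": "SAMEORIGIN"}, 200))
```

An empty list from both functions means every audited item passed; login rate limiting and salt rotation are not covered by this check.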

Results

The rebuild delivered measurable improvements across every metric:

  • 485 products migrated with zero data loss
  • Lighthouse SEO: 100/100 on all page types — homepage, product, category, and static pages
  • Site reduced by 72% — from 5.4GB to 1.5GB on disk
  • 35 plugins removed — down from 25+ to just WooCommerce
  • 10 themes removed — single purpose-built theme
  • 3,452 spam accounts purged — user table cleaned to verified customers only
  • 3 backdoors eliminated — confirmed clean with post-deployment scanning
  • Accessibility: 100/100 and Best Practices: 100/100 on Lighthouse

From Compromised to Clean

This project demonstrates why security cannot be bolted on after the fact. The original site had accumulated years of plugin debt, unpatched vulnerabilities, and eventually active malware — none of which was visible to the site owner. The rebuild replaced the entire stack with a lean, secure, and maintainable foundation that the business can grow on with confidence.

The store is now running clean, fast, and properly hardened — with a single custom theme doing the work that 20+ plugins used to do badly.
