E-Commerce WooCommerce Development Security Remediation SEO Performance Optimisation

OZeAuto

Australian-owned online auto parts and accessories store. A compromised WordPress site with three PHP backdoors rebuilt from scratch — 485 products migrated, 35 plugins eliminated, and a hand-coded custom theme replacing the entire plugin stack.

  • 485 Products Migrated
  • 100 SEO Score
  • -72% Site Reduction
  • 35 Plugins Removed

About OZeAuto

OZeAuto is an Australian-owned online retailer specialising in automotive parts, accessories, oils, and car care products. Based on the Gold Coast, they stock brands including Lucas Oil, ABRO, 77 Lubricants, and Gtechniq — serving both retail customers and the motorsport community through owner Daniel Natoli’s racing background.

The Challenge

A routine security assessment revealed the site was in far worse shape than anyone realised:

  • 3 active PHP backdoors hidden in plugin directories — obfuscated webshells giving attackers full server access
  • 29 security vulnerabilities across four severity levels (4 critical, 7 high, 7 medium, 6 low)
  • 3,572 user accounts — only 120 were legitimate customers with orders; the rest were spam registrations
  • 25+ plugins — many outdated, abandoned, or redundant, with Slider Revolution and Unyson running without valid licences
  • 10 unused themes adding unnecessary attack surface
  • 5.4GB disk footprint — bloated with orphaned files, unused uploads, and plugin debris
  • No security headers, no rate limiting, XML-RPC wide open, and wp-config.php publicly readable

The site was restored from a Duplicator Pro backup that itself contained the compromised files — meaning the infection predated the most recent backup. Patching was not an option. The only safe path was a complete rebuild.

Our Approach

The project was delivered in three phases over one week:

  1. Security Audit & Documentation: Full vulnerability assessment with a detailed PDF report covering all 29 findings, risk ratings, and remediation steps — delivered to the client before any work began
  2. Malware Removal & Forensics: Identified and documented the three PHP backdoors (dexla.php, infogsi.php, misc.php), analysed their obfuscation patterns, and confirmed they shared a common attack vector
  3. Clean Rebuild: Fresh WordPress 6.9.1 installation with WooCommerce 10.5.2 and a purpose-built custom theme
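
Backdoors dropped into plugin directories are files that a clean copy of the plugin does not contain, so a rebuilt tree can be checked against a manifest of hashes taken from a known-good copy. The following is an added example, not the agency's tooling; the function names, manifest format and sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every file under a known-good tree."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Classify files in a live tree against the known-good manifest."""
    report = {"unexpected": [], "modified": [], "missing": []}
    seen = set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            report["unexpected"].append(rel)   # file the clean copy never shipped
        elif sha256_file(p) != manifest[rel]:
            report["modified"].append(rel)     # legitimate file that was altered
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean plugin copy vs. a live copy that has drifted."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for tree in (clean, live):
            (tree / "sample-plugin").mkdir(parents=True)
            (tree / "sample-plugin" / "plugin.php").write_text("<?php // plugin code\n")
            (tree / "sample-plugin" / "readme.txt").write_text("Sample plugin\n")
        # Harmless stand-ins: an extra PHP file, an edited file, a deleted file.
        (live / "sample-plugin" / "misc.php").write_text("<?php // placeholder only\n")
        (live / "sample-plugin" / "plugin.php").write_text("<?php // plugin code, altered\n")
        (live / "sample-plugin" / "readme.txt").unlink()
        return compare_tree(live, build_manifest(clean))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The manifest has to come from a fresh vendor download rather than from a site backup, because here the backup itself already contained the compromised files.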

The Custom Theme

The ozeauto-theme was hand-coded from scratch with 45+ files replacing the functionality of over 20 plugins:

  • Optimus SEO — Built-in SEO system with meta tags, Open Graph, JSON-LD schema, XML sitemap, breadcrumbs, and an admin dashboard (replacing Yoast/RankMath)
  • Performance Engine — Minified CSS, async script loading, WooCommerce block removal, and optimised asset delivery
  • WooCommerce Overrides — Custom product cards, quantity controls, cart experience, and category layouts
  • Security Hardening — .htaccess rules for HTTPS redirect, security headers, XML-RPC blocking, and file access restrictions built into the theme deployment
  • Responsive Design — Mobile-first layout with trust signals, branded header, product search, and category navigation

Migration

All 485 products were migrated with their full data intact:

  • Product titles, descriptions, prices, and SKUs
  • 420+ product images transferred and verified
  • 64 product categories with hierarchy preserved
  • Variable products with all size/quantity options
  • 22 pages of site content

The user table was cleaned from 3,572 accounts down to 120 — four administrators and 116 customers with genuine order history.

Security Hardening

The new installation was locked down from the start:

  • Fresh WordPress security salts
  • DISALLOW_FILE_EDIT enabled in wp-config.php
  • wp-config.php set to chmod 600
  • Login rate limiting with CAPTCHA
  • XML-RPC completely blocked
  • Security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
  • HTTPS enforced with HSTS header
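
A hardening list like this is easy to verify after deployment and again after every later change. The following added example (not the project's own code) checks the response headers and the two wp-config.php items from the list; the function names and sample inputs are assumptions, and rate limiting and XML-RPC blocking are outside its scope.

```python
import os
import re
import stat
import tempfile

# Headers named in the list above; Strict-Transport-Security is the HSTS item.
REQUIRED_HEADERS = [
    "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
    "Permissions-Policy", "Strict-Transport-Security",
]


def missing_headers(headers: dict[str, str]) -> list[str]:
    """Return required headers absent from a response (names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


def audit_wp_config(path: str) -> list[str]:
    """Check wp-config.php for mode 600 and DISALLOW_FILE_EDIT defined as true."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        findings.append(f"mode is {mode:o}, expected 600")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    # Crude PHP comment stripping so a commented-out define() does not count.
    text = re.sub(r"/\*.*?\*/|//[^\n]*|#[^\n]*", "", text, flags=re.S)
    pattern = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    if not re.search(pattern, text, flags=re.I):
        findings.append("DISALLOW_FILE_EDIT is not defined as true")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Constructed inputs: a response lacking two headers and a weak wp-config.php."""
    headers = {"x-frame-options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
               "Referrer-Policy": "strict-origin-when-cross-origin"}
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "wp-config.php")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write("<?php\n// define('DISALLOW_FILE_EDIT', true);\n")
        os.chmod(cfg, 0o644)
        return missing_headers(headers), audit_wp_config(cfg)


if __name__ == "__main__":
    print(demo())
```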

Results

The rebuild delivered measurable improvements across every metric:

  • 485 products migrated with zero data loss
  • Lighthouse SEO: 100/100 on all page types — homepage, product, category, and static pages
  • Site reduced by 72% — from 5.4GB to 1.5GB on disk
  • 35 plugins removed — down from 25+ to just WooCommerce
  • 10 themes removed — single purpose-built theme
  • 3,452 spam accounts purged — user table cleaned to verified customers only
  • 3 backdoors eliminated — confirmed clean with post-deployment scanning
  • Accessibility: 100/100 and Best Practices: 100/100 on Lighthouse

From Compromised to Clean

This project demonstrates why security cannot be bolted on after the fact. OZeAuto’s original site had accumulated years of plugin debt, unpatched vulnerabilities, and eventually active malware — none of which was visible to the site owner. The rebuild replaced the entire stack with a lean, secure, and maintainable foundation that the business can grow on with confidence.

OZeAuto is now running a clean, fast, and properly hardened WooCommerce store — with a single custom theme doing the work that 20+ plugins used to do badly.
