Introduction
Every intervention is unique, but some stay with us particularly. This is the case of an intervention on a WooCommerce e-commerce site whose owner called WpDefender in a panic, on a Saturday morning. Here's the full story: the context, the attack, our intervention, the results, and above all, the lessons every site owner can learn from it.
Note: for confidentiality reasons, names and certain details have been modified, but the story and techniques are representative of real situations we handle regularly.
Context: A Growing E-Commerce Site
The client: Marc, owner of an online artisanal products store based in Lyon. His WooCommerce site generates approximately €15,000 in monthly revenue, with 200 to 300 orders per month.
- Platform: WordPress + WooCommerce
- Host: OVH (shared hosting)
- Theme: ThemeForest (not updated for 8 months)
- Plugins: 23 installed, including 4 deactivated but not removed
- Backups: No automatic backup configured
- Security: No security plugin installed
Marc had received several update notifications for WordPress and its plugins, which he kept postponing, telling himself he'd do it "when he had a moment."
Discovering the Attack
Saturday, March 15, 2026, 8:30 AM. Marc opens his computer to check his weekend orders. He immediately notices something unusual:
- 8:35 AM — The homepage displays a red banner with a "maintenance" message
- 8:40 AM — Order confirmation emails are no longer sending
- 8:45 AM — Logging into the admin panel, he discovers 3 new administrator accounts he didn't create
- 8:50 AM — A customer contacts him via WhatsApp to say his site displays "Hacked by [hacker group]"
Panic. Marc Googled "WordPress site hacked emergency" and found WpDefender. He contacted us at 8:55 AM via WhatsApp.
"I thought it was over. Three years of work, hundreds of loyal customers... Everything was going to disappear."
Attack Analysis
Our team launched an immediate diagnosis. Here's what we found:
Entry vector identified
The hacker had entered through a contact form plugin (Contact Form 7) whose installed version had a known security vulnerability that had been patched 3 months earlier. Marc hadn't updated the plugin.
Attack path
- Vulnerability exploitation: the hacker used a "file upload" vulnerability in the plugin to upload a PHP file disguised as an image
- Privilege escalation: through this file, they obtained administrator rights
- Backdoor installation: 7 backdoors were installed in various directories
- Code injection: malicious code was injected into the theme's `functions.php` file and into the database
- Homepage defacement: a deface page replaced the homepage
- Potential data theft: logs indicate the hacker had access to the database for 47 hours
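The first step of this path, a PHP file disguised as an image, leaves traces that a defender can look for in the uploads directory. The script below is an added example, not WpDefender's tooling or code from the original article; the function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not WpDefender's tooling): triage an uploads directory for
# files that can carry PHP. Two independent signals are reported:
#   EXT  - a name the PHP handler may execute (x.php, x.phtml, x.php.gif)
#   CODE - an image-named file whose bytes contain a PHP opening tag
# CODE hits need manual review; short tags (<?=) are not matched to limit noise.

scan_uploads() {
    {
        find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \) \
            -print | sed 's/^/EXT  /'
        find "$1" -type f \( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \
            -o -iname '*.gif' -o -iname '*.ico' -o -iname '*.webp' \) \
            -exec grep -F -l -a -i -e '<?php' {} + | sed 's/^/CODE /'
    } | sort
}

# Constructed sample tree (harmless marker content), so the scan runs offline.
make_sample_uploads() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/2026/03"
    printf '\211PNG\r\n\032\n' > "$d/2026/03/logo.png"
    printf '\377\330\377\340JFIF<?php /* constructed marker */ ?>' > "$d/2026/03/banner.jpg"
    printf '<?php /* constructed marker */ ?>' > "$d/2026/03/cache.php"
    printf 'GIF89a' > "$d/2026/03/photo.php.gif"
    printf '%s\n' "$d"
}

# With a path argument, scan it; otherwise scan the constructed sample.
if [ "$#" -gt 0 ]; then
    scan_uploads "$1"
else
    scan_uploads "$(make_sample_uploads)"
fi
```

On the sample tree the clean `logo.png` is not reported, `banner.jpg` is flagged by content, and `photo.php.gif` is flagged by name alone.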
Estimated impact
- Site offline since Friday evening (approximately 18 hours of downtime at the time of our intervention)
- Lost orders: approximately 45 unprocessed orders (weekend)
- Potentially compromised customer data: names, emails, shipping addresses
- SEO: Google had started displaying a security warning
Our Intervention: Minute by Minute
Phase 1: Containment (9:00 AM — 9:15 AM)
From the first contact, we asked Marc to touch nothing and to provide us with admin and FTP access. We immediately:
- Took control of the admin session
- Disabled hacker accounts
- Put the site in controlled "maintenance" mode
- Exported a copy of the database for analysis
Phase 2: Forensic analysis (9:15 AM — 11:00 AM)
We launched a complete site analysis:
- Integrity check: comparing every file with the official WordPress, theme, and plugin versions
- Malware scan: using our professional tools to identify all malicious files
- Database analysis: searching for injected code in `wp_posts`, `wp_options`, and `wp_users` tables
- Log analysis: reconstructing the intrusion path and identifying all hacker actions
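The integrity check in the first item can be reproduced with nothing more than hashes. The script below is an added example, not WpDefender's tooling or code from the original article: it assumes a clean reference copy unpacked from the official packages and GNU `sha256sum`, and the function names and sample trees are constructed for illustration.

```sh
#!/bin/sh
# Added example (not WpDefender's tooling): compare a live site tree with a
# clean reference copy unpacked from the official packages, by SHA-256.
# Assumes GNU coreutils (sha256sum). Paths containing newlines are not handled.

# manifest DIR -> one "<sha256>  <relative path>" line per file
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) | sed 's|  \./|  |'
}

# integrity_diff CLEAN_DIR LIVE_DIR -> ADDED / MODIFIED / MISSING lines
integrity_diff() {
    ref_list=$(mktemp) || return 1
    manifest "$1" > "$ref_list"
    manifest "$2" | awk -v ref="$ref_list" '
        BEGIN { while ((getline line < ref) > 0) want[substr(line, 67)] = substr(line, 1, 64) }
        { path = substr($0, 67); sum = substr($0, 1, 64); seen[path] = 1 }
        !(path in want)                     { print "ADDED    " path }
        (path in want) && want[path] != sum { print "MODIFIED " path }
        END { for (p in want) if (!(p in seen)) print "MISSING  " p }
    ' | sort
    rm -f "$ref_list"
}

# Constructed sample: a clean tree and a tampered copy of it.
make_sample_trees() {
    b=$(mktemp -d) || return 1
    mkdir -p "$b/clean/wp-includes" "$b/clean/wp-content/themes/shop"
    echo '<?php // front controller' > "$b/clean/index.php"
    echo '<?php // version info' > "$b/clean/wp-includes/version.php"
    echo '<?php // theme setup' > "$b/clean/wp-content/themes/shop/functions.php"
    echo 'readme' > "$b/clean/readme.html"
    cp -R "$b/clean" "$b/live"
    echo 'defaced (constructed)' > "$b/live/index.php"
    echo '// injected (constructed)' >> "$b/live/wp-content/themes/shop/functions.php"
    echo '<?php // planted (constructed)' > "$b/live/wp-includes/wp-tmp.php"
    rm "$b/live/readme.html"
    printf '%s\n' "$b"
}

# With two path arguments, compare them; otherwise use the constructed sample.
if [ "$#" -eq 2 ]; then
    integrity_diff "$1" "$2"
else
    b=$(make_sample_trees) && integrity_diff "$b/clean" "$b/live"
fi
```

For WordPress core files, WP-CLI's `wp core verify-checksums` makes the same comparison against the checksums published by WordPress.org; a reference copy is still needed for code that has no published checksums.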
Phase 3: Cleanup (11:00 AM — 2:30 PM)
Deep cleanup of the entire system:
- Removal of all 7 backdoors identified during analysis
- Database cleanup: removal of all injected code
- File restoration: replacing all modified files with clean versions
- Theme cleanup: removing malicious code injected into `functions.php`
- Account verification: removing hacker accounts, verifying all existing accounts
- Final scan: complete verification to ensure no threats remain
Phase 4: Hardening (2:30 PM — 4:00 PM)
With cleanup complete, we secured the site to prevent recurrence:
- WordPress core and all plugins updated
- Removal of unused and deactivated plugins
- Security plugin installation with web application firewall
- Password strengthening: all admin passwords changed
- Two-factor authentication enabled
- Automated backup configuration: daily backups with external storage
- WordPress hardening: protection of sensitive files, disabled file editing from admin
Phase 5: Relaunch and follow-up (4:00 PM — 5:00 PM)
- Site relaunched
- Verification of all functionality
- Google security warning removal request submitted
- Detailed report transmitted to Marc
- Security best practices training for Marc
Total intervention time: 8 hours of work, from 9:00 AM to 5:00 PM.
The Results
Key metrics
| Metric | Before Intervention | After Intervention |
|---|---|---|
| Site accessible | No (offline for 18h) | Yes (operational) |
| Active backdoors | 7 | 0 |
| Up-to-date plugins | No (8 months behind) | Yes (all current) |
| Backups | None | Automated daily |
| Firewall | No | Installed and configured |
| 2FA | No | Enabled |
Client feedback
Three weeks after the intervention, here's what Marc told us:
"The day after the intervention, I got my orders back. Within a week, my traffic was back to 90% of its pre-hack level. Today, three weeks later, everything is back to normal. And this time, I sleep soundly."
- SEO traffic: full recovery in 3 weeks
- Orders: normal resumption the following Monday
- Customer trust: no customer expressed mistrust
- Google Safe Browsing: warning lifted in 48 hours
Lessons Learned
1. Updates are not optional
The vulnerability used by the hacker was known and patched 3 months earlier. If Marc had updated his plugin once a month, the attack would have been impossible. Update your plugins regularly, ideally by enabling automatic update notifications.
2. Backups are non-negotiable
In Marc's case, we were able to clean the site without restoring a backup because the hacker hadn't deleted data. But in other cases, without a backup, data loss can be irreversible.
3. Security isn't a cost, it's an investment
The cost of WpDefender's intervention for Marc: €390 (Complete package). The potential cost of the hack without rapid intervention: several thousand euros in lost revenue, SEO, and reputation damage. Security is the best insurance you can get.
4. Reaction time is crucial
Marc contacted us less than 30 minutes after discovering the attack. This speed allowed us to significantly limit the damage. Every hour lost is an hour during which the hacker can cause more damage.
5. A security audit would have prevented everything
A simple WordPress security audit before the attack would have identified the outdated plugins, missing firewall, and lack of backups. An audit costs between €100 and €300 — a fraction of the cost of a hack.
6. Professional monitoring is worth the investment
Marc's site had no security monitoring. With a service like WpDefender's 24/7 monitoring, the intrusion could have been detected and blocked in real time, before any damage was done. The monthly cost of monitoring is negligible compared to the cost of a full hack recovery.
Conclusion
Marc's story is unfortunately common. Thousands of e-commerce sites are hacked every year for similar reasons: neglected updates, no backups, no security measures.
The good news? Most hacks can be prevented with simple measures and regular monitoring. And if the worst happens, rapid intervention by a WordPress security specialist can save your site and your business.
Is your e-commerce site secure? Don't wait for the next panic to find out.
Protect your e-commerce site today
Request a free security audit of your WordPress site. We identify vulnerabilities and propose an action plan.
📧 contact@wpdefender.pro · 📱 +33 (0)7 5 90 67 15 · WhatsApp