WordPress Cloaking Malware Removal Case Study: How I Cleaned a Hostinger Site Infected with cloak.php and Hidden Fake Plugins

MD Pabel March 29, 2026

Website hacks are not always obvious. Sometimes the homepage still looks normal, the WordPress dashboard still works, and the site owner has no idea anything is wrong. But in the background, malicious files can inject spam pages, manipulate search signals, and quietly damage rankings.

That is exactly what happened in this case. I cleaned a hacked WordPress website hosted on Hostinger that had been infected with cloaking malware. The infection included a suspicious PHP file placed in the root directory, along with hidden fake plugins used to maintain persistence inside the WordPress installation. On the surface, the site looked mostly normal. Underneath, the hacked files were clearly designed to push gambling spam and abuse the domain’s SEO authority.

I’ve cleaned more than 4,500 hacked WordPress sites, and this case is a good example of how modern WordPress malware often hides behind SEO spam instead of obvious defacement or broken pages.

If your site has strange spam pages, suspicious PHP files in public_html, or unknown plugins inside wp-content, start with my WordPress malware removal service.

Quick Summary of the Incident

  • The infected website was hosted on Hostinger
  • A malicious file named cloak.php was found in the root directory under public_html
  • The file contained Turkish gambling-related spam content
  • The spam page included suspicious canonical and hreflang markup
  • Hidden fake plugins were also found during deeper cleanup
  • The infection was removed manually and the site was hardened afterward

This was a classic WordPress SEO spam and cloaking case. The attackers were trying to use a legitimate website’s authority to serve or publish unrelated gambling content.

How I found the malware

The first red flag appeared during a manual review of the file structure inside Hostinger’s file manager. In the site’s root directory, under public_html, I found a suspicious file named cloak.php.

[Image: Suspicious cloak.php file found in public_html on a hacked Hostinger WordPress site]

The filename alone was enough to justify a closer inspection. Once I opened it, it was obvious that it did not belong to WordPress core, a legitimate plugin, or a normal theme workflow.

The file contained a full HTML spam page built around Turkish gambling terms. It included:

  • a spam-heavy page title
  • keyword-stuffed meta tags
  • a suspicious canonical tag
  • multiple hreflang references pointing to unrelated external domains
  • promotional sections, FAQs, and calls to action

This was not random junk code. It was a deliberately built SEO spam landing page.

Why this infection was dangerous

Many site owners assume malware only matters when the site crashes, redirects visibly, or starts showing browser warnings. In reality, a hacked WordPress site can stay online and still lose search trust quietly in the background.

In this case, the cloaking malware could have been used to:

  • create indexable spam pages on the hacked domain
  • hijack search visibility for unrelated gambling keywords
  • manipulate canonical and hreflang signals
  • damage the website’s trust and rankings over time
  • maintain persistence through hidden fake plugins

This type of hacked WordPress SEO spam is especially dangerous because the owner may not notice it until rankings drop, spam pages appear in Google, or suspicious impressions start showing in Search Console.

Related reading: How to detect WordPress malware

What the malware was doing

After reviewing the malicious file, the pattern was clear. The attackers had placed a root-level PHP file that served a polished spam page built around gambling-related keywords. Instead of using obvious gibberish or a blunt redirect, they used structured content designed to look like a real landing page.

The purpose of that approach is usually one or more of the following:

  • to get spam pages indexed by search engines
  • to exploit the authority of an existing domain
  • to hide the infection from non-technical site owners
  • to support selective spam delivery or cloaking behavior

[Image: Turkish gambling SEO spam content served by malicious cloak.php file on WordPress]

That is why this case fits the pattern of WordPress cloaking malware removal, not just simple file deletion.

The hidden fake plugins problem

Finding cloak.php was only the first step. During deeper inspection, I also found hidden fake plugins inside the WordPress site.

This is a critical detail because fake plugins are often the persistence mechanism. In other words, even if the obvious malware file is removed, the infection can come back if the hidden plugin is still active or still contains a backdoor.

Hidden fake plugins are commonly used to:

  • recreate deleted malware files
  • reinject spam into the website later
  • maintain unauthorized access
  • hide malicious functions in plugin-like folders that owners overlook

This is one of the biggest reasons hacked WordPress sites get reinfected after partial cleanups.

Related reading: Known fake and malicious WordPress plugins

My malware removal process for this site

For this website, I followed a manual cleanup process instead of relying only on automated scans.

  1. Reviewed the file structure
    I checked the root directory, WordPress core folders, plugin paths, and suspiciously placed PHP files.
  2. Analyzed the root-level malware file
    I inspected cloak.php and confirmed it was malicious, unrelated to the real site, and built for spam delivery.
  3. Removed the malicious root file
    Once confirmed, I removed the root-level spam file safely.
  4. Searched for persistence mechanisms
    I continued the audit and found hidden fake plugins that could have kept the infection alive.
  5. Removed fake plugins and related malicious artifacts
    I deleted the plugin-based persistence and checked for associated suspicious files.
  6. Inspected the wider WordPress environment
    A real cleanup means checking themes, uploads, plugin folders, unusual PHP files, and any other suspicious modifications.
  7. Hardened the site after cleanup
    Once the malware was removed, I secured the website to reduce the chance of reinfection.
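
The root-directory review in steps 1 and 2 can be scripted. The following Python is an added example, not the tooling used in this cleanup: it lists PHP files in the document root that are not part of a stock WordPress release and reports any external hosts named in their canonical or hreflang tags. The host `site.example`, the spam hosts, and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# PHP files a stock WordPress release ships in the document root.
CORE_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
LINK_TAG = re.compile(r"<link\b[^>]*>", re.I)
HREF = re.compile(r"""\bhref\s*=\s*["']([^"']+)["']""", re.I)
SEO_ATTR = re.compile(r"""\brel\s*=\s*["']?canonical|\bhreflang\s*=""", re.I)

def external_seo_hosts(text, site_host):
    """Hosts named by canonical/hreflang <link> tags that are not the site's own."""
    hosts = set()
    for tag in LINK_TAG.findall(text):
        href = HREF.search(tag)
        if href and SEO_ATTR.search(tag):
            host = (urlparse(href.group(1)).hostname or "").lower()
            if host and host != site_host and not host.endswith("." + site_host):
                hosts.add(host)
    return sorted(hosts)

def audit_docroot(docroot, site_host):
    """Map each non-core PHP file in the document root to its external SEO hosts."""
    findings = {}
    for path in sorted(Path(docroot).iterdir()):
        if path.is_file() and path.suffix.lower() == ".php" and path.name not in CORE_ROOT_PHP:
            findings[path.name] = external_seo_hosts(path.read_text(errors="replace"), site_host)
    return findings

def build_sample_docroot():
    """Constructed sample: three stock files plus a page shaped like the one described."""
    root = Path(tempfile.mkdtemp())
    for name in ("index.php", "wp-load.php", "wp-config.php"):
        (root / name).write_text("<?php // placeholder for a stock file\n")
    (root / "cloak.php").write_text(
        '<html><head>\n'
        '<link rel="canonical" href="https://spam-one.example/">\n'
        '<link rel="alternate" hreflang="tr" href="https://spam-two.example/tr/">\n'
        '<link rel="stylesheet" href="https://cdn.example/x.css">\n'
        '</head></html>\n')
    return root

if __name__ == "__main__":
    for name, hosts in audit_docroot(build_sample_docroot(), "site.example").items():
        print(name, "->", hosts or "no external canonical/hreflang hosts")
```

Files it lists are candidates for manual inspection, not confirmed malware, since hosting or verification files can also sit in the root. It does not look inside wp-content, so the plugin and theme checks in steps 4 to 6 still apply.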

Key lessons from this case

1. A normal-looking homepage does not mean the site is clean

Many infected sites appear normal on the front end while spam files work quietly in the background.

2. Malware can sit in plain sight in the root directory

Not all WordPress malware hides inside plugins or themes. Sometimes attackers place PHP files directly in public_html.

3. Fake plugins are a major persistence warning sign

If attackers use hidden plugins for persistence, deleting one visible malware file will not solve the full problem.

4. SEO spam can hurt rankings before the owner notices

Hackers do not always want to break the site. Often, they want to exploit the site’s ranking signals and trust.

5. Manual review still matters

Automated scanners are useful, but advanced infections often require human review, file inspection, and persistence hunting.

Signs your WordPress site may have similar malware

  • strange PHP files in the root directory
  • spam pages in Google that are unrelated to your business
  • sudden impressions for casino, gambling, pharma, or adult terms
  • unfamiliar or hidden plugins inside wp-content
  • suspicious canonical or hreflang tags
  • search results showing content that does not appear on the live site
  • reinfection after deleting one obvious malware file

If you notice any of these signs, your site probably needs a full hacked WordPress cleanup, not a quick one-file deletion.

Results after the cleanup

After removing the malicious root file and hidden fake plugins, the website was in a much better position for both security and SEO recovery. The goal was not just to delete one bad file. The goal was to remove the active malware, eliminate persistence, and restore trust in the site’s WordPress environment.

The cleanup focused on:

  • removing active malicious files
  • eliminating hidden persistence points
  • restoring a cleaner WordPress environment
  • reducing the risk of reinfection
  • preparing the site for SEO monitoring and recovery

Final thoughts

This case is a strong reminder that WordPress malware is not always loud or obvious. Sometimes the infection is designed to stay quiet, look polished, and exploit SEO instead of visibly breaking the site.

In this case, the root-level cloak.php file and the hidden fake plugins showed a deliberate attempt to push spam content from a legitimate WordPress domain. The site owner may not have noticed it right away, but the risk to search visibility, brand trust, and long-term security was very real.

If your WordPress site is showing strange pages in Google, unfamiliar PHP files in public_html, or unknown plugins inside the installation, do not assume it is minor. Infections like this usually go deeper than the first file you find.

Frequently Asked Questions

What is WordPress cloaking malware?

WordPress cloaking malware is malicious code that serves deceptive or spam content, often to search engines or selected visitors, while hiding the problem from the site owner.

Why would hackers add a PHP file in public_html?

Attackers often place malicious PHP files in public_html because those files can be accessed and executed directly from the web.

Can fake plugins reinfect a WordPress site?

Yes. Hidden or fake plugins are commonly used as persistence mechanisms so attackers can restore deleted malware or keep unauthorized access.

Why is my WordPress site showing gambling pages in Google?

That is often a sign of WordPress SEO spam malware. Attackers inject spam pages or manipulate indexing signals so your domain ranks for unrelated search terms.

Is deleting one malware file enough?

Usually not. If the site also contains hidden plugins, backdoors, rogue access, or other malicious artifacts, the infection can return.

Need help cleaning a hacked WordPress site?

I specialize in WordPress malware removal, SEO spam cleanup, hidden backdoor detection, fake plugin removal, and post-hack hardening. If your website has been hacked, cleaning it properly means finding the source, removing persistence, and securing the site so it does not get infected again.

Hire me or go directly to my WordPress malware removal service.

About the Author

MD Pabel

MD Pabel is the Founder and CEO of 3Zero Digital, a leading agency specializing in custom web development, WordPress security, and malware removal. With 8+ years of experience, he has completed 3200+ projects, served 2300+ clients, and resolved 4500+ cases of malware and hacked websites.
