Almondia

A critical security incident response project focused on identifying, removing, and securing a WordPress website compromised by a PHP backdoor attack.

Emergency Malware Removal

Multi-stage PHP backdoor eliminated

Forensic Investigation

Attack vector and intrusion timeline identified

Server-Level Hardening

Malicious IPs blocked and attack surfaces secured

Project Details

Client: Almondia
Website: almondia.com
Industry: E-Commerce / Online Retail
Timeline: 1 Day
Services: Malware Removal, Security Forensics, WordPress Hardening, Server Security
Hosting: Raidboxes
Access Method: SSH & Server Log Analysis

Technologies Used

  • WordPress
  • phpMyAdmin
  • MySQL database
  • IPS blocker

Security Investigation

On March 6, 2026, a security investigation revealed that almondia.com had been compromised through a PHP backdoor injected into the WordPress theme files.

The malicious code was placed inside:

wp-content/themes/oceanwp-child-theme-master/functions.php

The injected script allowed attackers to remotely execute malicious JavaScript on every page of the website.

The code communicated with a Command & Control server hosted on telegra.ph, allowing attackers to dynamically inject scripts into site pages.

This meant that every visitor to the site between February 28 and March 6 may have been exposed to attacker-controlled JavaScript.

Immediate action was required to stop the attack and secure the system.

Attack Timeline

A forensic investigation using SSH server access and log analysis revealed the full attack sequence.

February 27, 2026

Attackers began repeated authentication attempts against the WordPress login endpoint.

February 27 — 20:03 CET

Successful login achieved using stolen administrator credentials.

February 28 — 01:31 CET

Attackers injected a multi-stage PHP backdoor into the WordPress child theme.

February 28 – March 6

Malicious JavaScript was served to website visitors through an external command-and-control channel.

Compromised Access Point

The attackers gained entry using stolen credentials for the WordPress administrator account:

Account: DEVRANKUS (Admin)

Once authenticated, the attackers modified theme files directly to install the persistent backdoor.

Attacker Infrastructure Identified

Four attacker IP addresses were identified through authentication logs:

54.36.68.145 — OVH, Paris, France
45.146.54.133 — Commercial VPN, San Francisco, USA
116.202.3.129 — Hetzner, Falkenstein, Germany
85.206.166.234 — BACLOUD, Siauliai, Lithuania

These IPs were responsible for successful logins and the malicious file modification.

Our Approach

A structured malware removal approach was executed to contain and eliminate the threat.

1. Malware Removal

The injected backdoor was surgically removed from the infected theme file:

functions.php

The file was restored to its original clean state and verified to ensure no malicious code remained.

For forensic documentation, the infected version of the file was preserved as evidence:

functions.php.malicious.bak

2. Server-Level Security Hardening

To prevent further intrusion attempts, immediate defensive measures were deployed.

These included:

  • Blocking all attacker IP addresses at the server level
  • Implementing .htaccess firewall restrictions
  • Disabling xmlrpc.php to prevent abuse
  • Securing vulnerable endpoints

These changes reduced the attack surface and prevented automated login attacks.

3. Credential Security Remediation

Since the compromise occurred through stolen credentials, account security was restored by:

  • Destroying all active login sessions
  • Resetting the administrator password
  • Forcing reauthentication for the compromised account

This ensured the attackers no longer had access to the system.
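The three steps above, as an added shell example that is not BrandBees' own tooling: quarantine the infected functions.php with a recorded hash, append Apache 2.4 rules that deny the four attacker IPs and xmlrpc.php, and invalidate the admin's sessions and password through WP-CLI. WP_ROOT, the source of the clean file and the WP-CLI invocation are assumptions; the theme path, IP list and account name are taken from the case study.

```shell
#!/bin/sh
# Added example, not BrandBees' own tooling: the three remediation steps from the
# case study as reusable shell functions. WP_ROOT, the clean-file path and the
# WP-CLI calls are assumptions; the theme path, IPs and account come from the page.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/html}"   # assumed WordPress document root
THEME_FILE="wp-content/themes/oceanwp-child-theme-master/functions.php"
ATTACKER_IPS="54.36.68.145 45.146.54.133 116.202.3.129 85.206.166.234"
ADMIN_USER="DEVRANKUS"

# Step 1: preserve the infected file as evidence (timestamps kept, hash recorded),
# then replace it with a known-good copy from the theme vendor or a pre-Feb-28 backup.
quarantine_and_restore() {
  infected="$1"; clean="$2"
  cp -p "$infected" "$infected.malicious.bak"
  sha256sum "$infected.malicious.bak" > "$infected.malicious.bak.sha256"
  cp "$clean" "$infected"
  chmod 644 "$infected"
}

# Step 2: render Apache 2.4 .htaccess rules that deny the attacker IPs site-wide
# and refuse xmlrpc.php to everyone; append the output to the site's .htaccess.
htaccess_rules() {
  echo "# BEGIN incident hardening"
  echo "<RequireAll>"
  echo "  Require all granted"
  for ip in $1; do echo "  Require not ip $ip"; done
  echo "</RequireAll>"
  echo "<Files xmlrpc.php>"
  echo "  Require all denied"
  echo "</Files>"
  echo "# END incident hardening"
}

# Step 3: destroy every active session of the compromised admin, then rotate its
# password to a random 32-character value (standard WP-CLI commands).
reset_admin() {
  newpass="$(wp --path="$WP_ROOT" eval 'echo wp_generate_password(32, true, true);')"
  wp --path="$WP_ROOT" user session destroy "$1" --all
  wp --path="$WP_ROOT" user update "$1" --user_pass="$newpass"
}

# Usage: remediate /path/to/clean/functions.php
remediate() {
  cd "$WP_ROOT"
  quarantine_and_restore "$THEME_FILE" "$1"
  htaccess_rules "$ATTACKER_IPS" >> .htaccess
  reset_admin "$ADMIN_USER"
}
```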

What We Delivered

Emergency Malware Removal

Backdoor code removed and infected files restored.

Forensic Investigation

Detailed analysis of server logs and attacker activity timeline.

Server Hardening

IP blocks, XML-RPC protection, and improved access restrictions.

Evidence Preservation

Malicious files archived for security documentation.

Credential Recovery

Compromised administrator sessions terminated and secured.

The Results

The security incident was fully resolved within one day, restoring the integrity and safety of the website.

1. Malware Eliminated

The injected PHP backdoor and malicious scripts were completely removed.

2. Attack Infrastructure Blocked

All identified attacker IP addresses were blocked from the server.

3. Site Security Restored

WordPress and server configurations were hardened to prevent recurrence.

4. Visitor Safety Re-Established

The malicious JavaScript delivery channel was neutralized.

“BrandBees responded quickly and professionally to a serious security issue on our site. The malware was removed the same day, and the detailed investigation helped us understand exactly what happened. Thanks for securing our website.”

Almondia
Owner

Project Timeline

14 Hours: malware identified & fixed

  • Security investigation initiated
  • Server logs analyzed via SSH
  • Malicious backdoor identified
  • Backdoor removed from theme files
  • Attacker IP addresses blocked
  • Compromised administrator credentials reset
  • Server hardening implemented
