Malware, a clean reinstall, and a relicensed Elementor Pro: recovering TourReview's site
A B2B reputation management platform for tour operators had French-language casino spam injected across its site. Full five-phase repair: malware removal, selective update of 21 plugins, a clean WordPress reinstall, and QA under a 5-run median Lighthouse methodology.
The alert
TourReview is a B2B SaaS platform for online reputation management aimed at tour operators, a client via Workana. The site was displaying blocks of French text promoting an online casino (mystakecasinobet.com), repeated across multiple pages — a clear sign of a compromised database, not just an outdated plugin.
Project rule: never update with active malware
Updating plugins before identifying and removing the infection vector can obscure how the attacker got in, making a full cleanup harder down the line. Investigation came first: the injection was in the `wpuw_posts` and `wpuw_postmeta` tables, with no PHP files compromised. The vector was a backdoor user (`Af17lN8wTX`) created through database access or a leaked credential — permanently deleted once confirmed.
After the malware: a clean reinstall
After the removal, WordPress and 21 plugins were updated, including a nulled (pirated) Elementor Pro (version 3.8.0) that was removed and replaced with a legitimate license. The old installation was discarded, and a clean reinstall was promoted as the account's sole active WordPress instance, with uploads (325MB) restored from the pre-cleanup backup.
QA with a methodology built against the noise
Lighthouse tests on shared hosting showed a 14-to-23-point swing between identical runs of the same test — noise from the origin server, not from the optimizations applied. The solution was to measure by the median of 5 runs per page, rather than trusting a single result, to avoid making technical decisions based on a measurement that was really just statistical imprecision.
Result
23 pages and roughly 70 blog posts checked, all returning 200 OK. Full Wordfence scan with zero remaining malicious occurrences. Hardening applied: xmlrpc.php blocked, brute-force protection enabled, a dedicated Crazy Diamond admin account created for future maintenance. No technical item is blocking delivery — what remains depends solely on the client's own decisions (reconnecting the Instagram feed, the Akismet key), with no impact on the main scope already completed.