Malware, a clean reinstall, and a relicensed Elementor Pro: recovering TourReview's site
WordPress· TourReview

Malware, a clean reinstall, and a relicensed Elementor Pro: recovering TourReview's site

A B2B reputation management platform for tour operators had French-language casino spam injected across its site. Full five-phase repair: malware removal, selective update of 21 plugins, a clean WordPress reinstall, and QA under a 5-run median Lighthouse methodology.

The alert

TourReview is a B2B SaaS platform for online reputation management aimed at tour operators, a client via Workana. The site was displaying blocks of French text promoting an online casino (mystakecasinobet.com), repeated across multiple pages — a clear sign of a compromised database, not just an outdated plugin.

Project rule: never update with active malware

Updating plugins before identifying and removing the infection vector can obscure how the attacker got in, making a full cleanup harder down the line. Investigation came first: the injection was in the `wpuw_posts` and `wpuw_postmeta` tables, with no PHP files compromised. The vector was a backdoor user (`Af17lN8wTX`) created through database access or a leaked credential — permanently deleted once confirmed.

After the malware: a clean reinstall

After the removal, WordPress and 21 plugins were updated, including a nulled (pirated) Elementor Pro (version 3.8.0) that was removed and replaced with a legitimate license. The old installation was discarded, and a clean reinstall was promoted as the account's sole active WordPress instance, with uploads (325MB) restored from the pre-cleanup backup.

QA with a methodology built against the noise

Lighthouse tests on shared hosting showed a 14-to-23-point swing between identical runs of the same test — noise from the origin server, not from the optimizations applied. The solution was to measure by the median of 5 runs per page, rather than trusting a single result, to avoid making technical decisions based on a measurement that was really just statistical imprecision.

Result

23 pages and roughly 70 blog posts checked, all returning 200 OK. Full Wordfence scan with zero remaining malicious occurrences. Hardening applied: xmlrpc.php blocked, brute-force protection enabled, a dedicated Crazy Diamond admin account created for future maintenance. No technical item is blocking delivery — what remains depends solely on the client's own decisions (reconnecting the Instagram feed, the Akismet key), with no impact on the main scope already completed.