Skip to content
Service

Virus & malware removal

If your WordPress has been hacked — or we detect it before you noticed yourself — we clean out the entire infection, harden the holes the attacker used, and make sure it doesn't recur.

Of course not what you want to need

But it happens. Hacked WordPress sites aren't rare — Sucuri reports that 96% of compromised websites they investigate are WordPress-based, usually through an outdated plugin. When it happens, it isn't "run three antivirus tools and hope". It takes methodical removal, and hardening of what the attacker exploited.

Signs your site might be infected

  • Google Safe Browsing warning — visitors see a red "This site may harm your computer" warning.
  • Search engines show strange text under your site — e.g. "buy cheap meds online" or Japanese/Chinese characters.
  • Visitors get redirected to a different domain when clicking certain links.
  • New admin users you didn't create showing up in WP-admin.
  • Unknown PHP files appearing in wp-content/uploads, wp-content/plugins, or in the WordPress root.
  • Sudden high server load — site being used as a proxy or crypto-miner.
  • Hosting has shut the site down after an abuse report.

Not sure? Reach out — we'll take a look at no cost. Better to confirm everything is fine than let an infection spread.

How the cleanup works

  1. Isolation. We immediately take a forensic snapshot of the site before we start cleaning. That lets us go back and see what actually happened.
  2. Scanning. We run multiple scanners (our own + external like Sucuri and the Wordfence database) against the entire installation. This catches both known malware signatures and suspicious anomalies.
  3. Manual review. A human reads through the results — automated tools produce false positives, and they miss smart attackers. We walk through wp-content/uploads, plugin files, theme files, the database, and WordPress core file signatures.
  4. Cleanup. Malicious code is removed. Tampered core files are replaced with clean versions. Backdoors (typically base64-encoded PHP files in uploads) are removed.
  5. Hardening. We close the hole the attacker came through — update vulnerable plugins, change all passwords, regenerate API keys and salt keys (wp-config.php), and tighten file permissions.
  6. Verification. We rescan, remove the site from blocklists (Google Safe Browsing, Yandex, etc.), and monitor for 30 days for re-infection.

How long does it take?

For a typical infection: 4–24 hours from when we begin until the site is clean. For complex cases (where the attacker has been resident for a long time, or the database is tampered with across many tables) it can take up to a week.

During that time we help you communicate with Google Search Console, the hosting provider, and any payment providers that have flagged the issue.

What's included in the hardening?

  • Every active plugin updated to latest version (or replaced if abandoned).
  • WordPress core updated to the latest minor version.
  • All user passwords regenerated and communicated securely.
  • All API keys and salts in wp-config.php regenerated.
  • file editing in WP-admin disabled (DISALLOW_FILE_EDIT).
  • PHP execution disabled in the uploads directory.
  • Rate-limiting on /wp-login.php and XML-RPC.
  • Two-factor authentication enabled for admin users.
  • Web Application Firewall (WAF) at the edge if the hosting permits.

What this isn't

  • It's not an antivirus subscription for your local machine. This applies to your WordPress installation on the server.
  • It's not a guarantee you'll never be hacked again. No system is 100% secure. But after cleanup + ongoing Oden management, the risk drops dramatically.
  • It's not recovery of data the attacker deleted. That's Backup & restore — which is why we run backups before we start cleaning.

Which plans include it?

Virus and malware removal is included in Pro and Enterprise at no extra cost — as often as needed (rarely, if you have Oden from the start). For Basic customers, an emergency cleanup is billed per engagement; but since security updates already ship in Basic, the risk of infection is low.

  • Basic: Cleanup as needed — one-time fee per quote.
  • Pro: Cleanup included, however many times needed.
  • Enterprise: Cleanup included + 30 days extended monitoring + forensic report.

See the full comparison on the pricing page →

What to do if you suspect an infection right now

  1. Don't take the site offline yourself — we need to be able to see it for diagnosis.
  2. Email security@oden.cam with the URL and as much info as you have (when you noticed, what you saw, anything you've already done).
  3. We respond within 30 minutes 24/7 and start work.

See plans and pricing

GDPR

GDPR — how we handle your data.

We built Oden C.A.M around data minimization, EU hosting, and full transparency — not as an afterthought.

01

Where your data lives

All Oden data (control panel, logs, backups) is stored in Cloud Run and Firestore in the Finland region (europe-north1). Your WordPress sites run on whichever hosting you choose — if you want to move to us, we offer WEBBELi as an add-on (Scandinavian servers in Sweden). Backups are AES-256 encrypted and stay inside the EU. We use no subprocessors in the US or other non-EU/EEA countries — which means Schrems II concerns simply don't apply.

02

What data we process

Only what's needed to run your WordPress: your sites' URLs, plugin and theme versions, update history, and cryptographic keys. We never touch your visitors' data — there's no tracking pixel and no ads module.

  • Site metadata (URL, version, status)
  • Operations logs (security events, updates)
  • Backup archives (encrypted, 30 days)
  • Operator identity (your email, for support)
03

How it's protected

The connection between your WordPress and Oden goes via the WEBBELi worker plugin we install on your site — TLS 1.3 with Ed25519 keys. Stored secrets are envelope-encrypted (Cloud KMS). Audit logs are write-only and kept for 12 months.

04

Your rights

You can request access to, correction of, or deletion of your data. Email hello@oden.cam and we'll respond within 30 days (usually within 48 hours). At termination, all customer data is permanently erased within 60 days — except what we must retain under Swedish bookkeeping law (7 years).

05

Data incidents

If we confirm an incident affecting your personal data, we'll contact you within 72 hours with an initial report, in parallel with our notification to IMY (the Swedish DPA). The report covers what happened, what was affected, and what mitigations we're applying.

06

Data Processing Agreement (DPA)

A standard DPA is automatically included — no separate paperwork. It stipulates EU hosting, sub-processors (list available on request), and Swedish law as the applicable jurisdiction. Larger procurements can sign an extended agreement: hello@oden.cam.

Controller: NNi Solutions, Sweden. Questions? hello@oden.cam
Service

Get Oden C.A.M