{"id":38552,"date":"2026-04-22T19:30:51","date_gmt":"2026-04-22T12:30:51","guid":{"rendered":"https:\/\/dps.media\/?page_id=38552"},"modified":"2026-04-22T20:47:41","modified_gmt":"2026-04-22T13:47:41","slug":"how-to-scan-wordpress-malware-and-handle-malware-thoroughly-with-ai-agent","status":"publish","type":"page","link":"https:\/\/dps.media\/en\/how-to-scan-wordpress-malware-and-handle-malware-thoroughly-with-ai-agent\/","title":{"rendered":"How to scan WordPress malware and handle it thoroughly with AI Agent"},"content":{"rendered":"<style>\n#dps-isolated-root{\n    --bg: #F4F3F0;\n    --surface: #FFFFFF;\n    --surface2: #F9F8F6;\n    --border: #E2E0DB;\n    --border-strong: #C8C5BE;\n    --text: #1A1917;\n    --text-2: #4A4844;\n    --text-3: #8A8784;\n    --accent: #D63B1F;\n    --accent-light: #FBF0ED;\n    --accent-border: #F0C4BA;\n    --yellow: #C8860A;\n    --yellow-light: #FEF8EC;\n    --yellow-border: #F0D99A;\n    --green: #1D7D4A;\n    --green-light: #EDF7F2;\n    --green-border: #A8DFC0;\n    --blue: #1D5FA8;\n    --blue-light: #EDF3FB;\n    --blue-border: #A8C8F0;\n    --purple: #6B3FA0;\n    --purple-light: #F3EDFB;\n    --purple-border: #C8A8E8;\n    --check-color: #1D7D4A;\n    --shadow-sm: 0 1px 3px rgba(0,0,0,0.06), 0 1px 2px rgba(0,0,0,0.04);\n    --shadow: 0 4px 12px rgba(0,0,0,0.07), 0 2px 4px rgba(0,0,0,0.04);\n    --shadow-lg: 0 8px 24px rgba(0,0,0,0.09), 0 4px 8px rgba(0,0,0,0.05);\n  }\n\n  #dps-isolated-root *, #dps-isolated-root *::before, #dps-isolated-root *::after{ box-sizing: border-box; margin: 0; padding: 0; }\n  #dps-isolated-root{ font-size: 14px; scroll-behavior: smooth; }\n\n  #dps-isolated-root{\n    font-family: 'IBM Plex Sans', sans-serif;\n    background: var(--bg);\n    color: var(--text);\n    min-height: 100vh;\n    --sticky-top: 104px;\n    width: 100vw;\n    max-width: 100vw;\n    margin-left: calc(50% - 50vw);\n    display: flex;\n    flex-direction: column;\n    overflow-x: clip;\n  }\n\n  #dps-isolated-root 
.layout{\n    display: block;\n    flex: 1;\n    min-height: 0;\n    position: relative;\n    padding-left: 240px;\n    padding-right: 280px;\n  }\n\n  #dps-isolated-root .sidebar{\n    background: var(--surface);\n    border-right: 1px solid var(--border);\n    padding: 24px 0;\n    position: fixed;\n    left: 0;\n    top: var(--sticky-top);\n    width: 240px;\n    height: calc(100vh - var(--sticky-top));\n    overflow-y: auto;\n    align-self: start;\n    scrollbar-gutter: stable;\n  }\n\n  #dps-isolated-root .sidebar-section{ padding: 0 16px; margin-bottom: 8px; }\n\n  #dps-isolated-root .sidebar-label{\n    font-size: 10px; font-weight: 600;\n    letter-spacing: 0.12em; text-transform: uppercase;\n    color: var(--text-3);\n    padding: 0 8px;\n    margin-bottom: 4px;\n  }\n\n  #dps-isolated-root .sidebar-item{\n    display: flex; align-items: center; gap: 10px;\n    padding: 8px 8px;\n    border-radius: 6px;\n    cursor: pointer;\n    transition: background 0.12s;\n    text-decoration: none;\n    color: var(--text-2);\n    font-size: 13px;\n  }\n\n  #dps-isolated-root .sidebar-item:hover{ background: var(--bg); }\n  #dps-isolated-root .sidebar-item.active{ background: var(--accent-light); color: var(--accent); }\n\n  #dps-isolated-root .sidebar-phase{\n    width: 20px; height: 20px; border-radius: 4px;\n    display: flex; align-items: center; justify-content: center;\n    font-size: 9px; font-weight: 600;\n    flex-shrink: 0;\n    font-family: 'IBM Plex Mono', monospace;\n  }\n\n  #dps-isolated-root .phase-a .sidebar-phase{ background: var(--blue-light); color: var(--blue); }\n  #dps-isolated-root .phase-b .sidebar-phase{ background: var(--yellow-light); color: var(--yellow); }\n  #dps-isolated-root .phase-c .sidebar-phase{ background: var(--accent-light); color: var(--accent); }\n\n  #dps-isolated-root .sidebar-progress{ margin-left: auto; font-size: 10px; color: var(--text-3); font-family: 'IBM Plex Mono', monospace; }\n\n  #dps-isolated-root 
.sidebar-divider{ border: none; border-top: 1px solid var(--border); margin: 12px 16px; }\n\n  #dps-isolated-root .main{\n    padding: 32px 40px;\n    max-width: 760px;\n    margin: 0 auto;\n  }\n\n  #dps-isolated-root .article-wrap{\n    max-width: 920px;\n    margin: 0 auto 40px;\n    padding: 28px 40px 6px;\n    color: var(--text);\n  }\n\n  #dps-isolated-root .article-kicker{\n    font-size: 10px;\n    font-weight: 700;\n    letter-spacing: 0.14em;\n    text-transform: uppercase;\n    color: var(--accent);\n    margin-bottom: 10px;\n  }\n\n  #dps-isolated-root .article-title{\n    font-size: 34px;\n    line-height: 1.1;\n    font-weight: 700;\n    letter-spacing: -0.03em;\n    margin-bottom: 12px;\n    max-width: 760px;\n  }\n\n  #dps-isolated-root .article-lead{\n    font-size: 16px;\n    line-height: 1.7;\n    color: var(--text-2);\n    max-width: 860px;\n    margin-bottom: 24px;\n  }\n\n  #dps-isolated-root .article-section{\n    background: rgba(255,255,255,0.72);\n    border: 1px solid var(--border);\n    border-radius: 14px;\n    padding: 20px 20px 18px;\n    box-shadow: var(--shadow-sm);\n    margin-bottom: 16px;\n  }\n\n  #dps-isolated-root .article-section h3{\n    font-size: 18px;\n    line-height: 1.3;\n    margin-bottom: 10px;\n    color: var(--text);\n  }\n\n  #dps-isolated-root .article-section p{\n    font-size: 15px;\n    line-height: 1.72;\n    color: var(--text-2);\n    margin-bottom: 12px;\n  }\n\n  #dps-isolated-root .article-list{\n    display: grid;\n    gap: 8px;\n    margin: 0;\n    padding: 0;\n  }\n\n  #dps-isolated-root .article-list-item{\n    display: flex;\n    gap: 10px;\n    align-items: flex-start;\n    font-size: 15px;\n    line-height: 1.6;\n    color: var(--text-2);\n  }\n\n  #dps-isolated-root .article-bullet{\n    width: 7px;\n    height: 7px;\n    border-radius: 50%;\n    background: var(--accent);\n    margin-top: 9px;\n    flex-shrink: 0;\n  }\n\n  #dps-isolated-root .article-cta{\n    margin-top: 18px;\n    padding: 
14px 16px;\n    border-radius: 12px;\n    background: linear-gradient(135deg, rgba(214,59,31,0.08), rgba(29,95,168,0.08));\n    border: 1px solid var(--accent-border);\n    color: var(--text);\n    font-size: 15px;\n    line-height: 1.7;\n  }\n\n  #dps-isolated-root .phase-header{\n    display: flex; align-items: flex-start; gap: 16px;\n    margin-bottom: 24px;\n    padding-bottom: 20px;\n    border-bottom: 1px solid var(--border);\n  }\n\n  #dps-isolated-root .phase-icon{\n    width: 40px; height: 40px; border-radius: 8px;\n    display: flex; align-items: center; justify-content: center;\n    font-family: 'IBM Plex Mono', monospace;\n    font-size: 12px; font-weight: 500;\n    flex-shrink: 0;\n    margin-top: 2px;\n  }\n\n  #dps-isolated-root .phase-icon.a{ background: var(--blue-light); color: var(--blue); border: 1px solid var(--blue-border); }\n  #dps-isolated-root .phase-icon.b{ background: var(--yellow-light); color: var(--yellow); border: 1px solid var(--yellow-border); }\n  #dps-isolated-root .phase-icon.c{ background: var(--accent-light); color: var(--accent); border: 1px solid var(--accent-border); }\n\n  #dps-isolated-root .phase-meta{ flex: 1; }\n  #dps-isolated-root .phase-tag{ font-size: 10px; font-weight: 600; letter-spacing: 0.1em; text-transform: uppercase; color: var(--text-3); margin-bottom: 4px; }\n  #dps-isolated-root .phase-title{ font-size: 18px; font-weight: 600; line-height: 1.3; color: var(--text); }\n  #dps-isolated-root .phase-desc{ font-size: 13px; color: var(--text-3); margin-top: 4px; line-height: 1.5; }\n\n  #dps-isolated-root .check-group{ margin-bottom: 32px; }\n\n  #dps-isolated-root .check-group-label{\n    font-size: 10px; font-weight: 600;\n    letter-spacing: 0.1em; text-transform: uppercase;\n    color: var(--text-3);\n    margin-bottom: 10px;\n    display: flex; align-items: center; gap: 8px;\n  }\n\n  #dps-isolated-root .check-group-label::after{ content: ''; flex: 1; height: 1px; background: var(--border); }\n\n  
#dps-isolated-root .check-card{\n    background: var(--surface);\n    border: 1px solid var(--border);\n    border-radius: 8px;\n    margin-bottom: 8px;\n    overflow: hidden;\n    transition: border-color 0.15s, box-shadow 0.15s;\n    box-shadow: var(--shadow-sm);\n  }\n\n  #dps-isolated-root .check-card:hover{ border-color: var(--border-strong); box-shadow: var(--shadow); }\n  #dps-isolated-root .check-card.done{ background: var(--surface2); border-color: var(--green-border); }\n  #dps-isolated-root .check-card.done .check-title{ text-decoration: line-through; color: var(--text-3); }\n\n  #dps-isolated-root .check-main{\n    display: flex; align-items: flex-start; gap: 14px;\n    padding: 14px 16px;\n    cursor: pointer;\n    user-select: none;\n  }\n\n  #dps-isolated-root .check-box{\n    width: 18px; height: 18px;\n    border-radius: 4px;\n    border: 1.5px solid var(--border-strong);\n    background: var(--surface);\n    display: flex; align-items: center; justify-content: center;\n    flex-shrink: 0;\n    margin-top: 1px;\n    transition: all 0.15s;\n    position: relative;\n  }\n\n  #dps-isolated-root .check-card.done .check-box{ background: var(--check-color); border-color: var(--check-color); }\n\n  #dps-isolated-root .check-box svg{ opacity: 0; transform: scale(0.5); transition: all 0.15s; }\n  #dps-isolated-root .check-card.done .check-box svg{ opacity: 1; transform: scale(1); }\n\n  #dps-isolated-root .check-body{ flex: 1; min-width: 0; }\n\n  #dps-isolated-root .check-step-num{ font-family: 'IBM Plex Mono', monospace; font-size: 10px; color: var(--text-3); margin-bottom: 3px; }\n\n  #dps-isolated-root .check-title{ font-size: 13.5px; font-weight: 500; color: var(--text); line-height: 1.4; transition: color 0.15s; }\n\n  #dps-isolated-root .check-expand{\n    width: 20px; height: 20px;\n    display: flex; align-items: center; justify-content: center;\n    color: var(--text-3);\n    flex-shrink: 0; margin-top: 1px;\n    cursor: pointer; border-radius: 
4px;\n    transition: background 0.12s, transform 0.2s;\n  }\n\n  #dps-isolated-root .check-expand:hover{ background: var(--bg); }\n  #dps-isolated-root .check-expand.open{ transform: rotate(180deg); }\n\n  #dps-isolated-root .check-detail{\n    border-top: 1px solid var(--border);\n    padding: 14px 16px 14px 48px;\n    background: var(--surface2);\n    display: none;\n  }\n\n  #dps-isolated-root .check-detail.open{ display: block; }\n\n  #dps-isolated-root .check-desc{ font-size: 13px; color: var(--text-2); line-height: 1.6; margin-bottom: 10px; }\n\n  #dps-isolated-root .note{\n    display: flex; align-items: flex-start; gap: 8px;\n    border-radius: 6px; padding: 10px 12px;\n    font-size: 12px; line-height: 1.5;\n    margin-top: 8px;\n  }\n\n  #dps-isolated-root .note-icon{ flex-shrink: 0; margin-top: 1px; font-size: 12px; }\n\n  #dps-isolated-root .note.info{ background: var(--blue-light); color: var(--blue); border: 1px solid var(--blue-border); }\n  #dps-isolated-root .note.warn{ background: var(--yellow-light); color: var(--yellow); border: 1px solid var(--yellow-border); }\n  #dps-isolated-root .note.danger{ background: var(--accent-light); color: var(--accent); border: 1px solid var(--accent-border); }\n  #dps-isolated-root .note.success{ background: var(--green-light); color: var(--green); border: 1px solid var(--green-border); }\n  #dps-isolated-root .note.purple{ background: var(--purple-light); color: var(--purple); border: 1px solid var(--purple-border); }\n\n  #dps-isolated-root .code{\n    font-family: 'IBM Plex Mono', monospace;\n    font-size: 11.5px;\n    background: var(--bg);\n    border: 1px solid var(--border);\n    color: var(--blue);\n    padding: 2px 6px; border-radius: 3px;\n    word-break: break-all;\n  }\n\n  #dps-isolated-root .tags{ display: flex; flex-wrap: wrap; gap: 5px; margin-top: 8px; }\n  #dps-isolated-root .tag{\n    font-size: 11px; padding: 2px 8px; border-radius: 3px;\n    background: var(--bg);\n    border: 1px solid 
var(--border);\n    color: var(--text-3);\n    font-weight: 500;\n  }\n\n  \/* Prompt box *\/\n  #dps-isolated-root .prompt-block{\n    margin-top: 12px;\n  }\n\n  #dps-isolated-root .prompt-label{\n    font-size: 10px; font-weight: 600;\n    letter-spacing: 0.08em; text-transform: uppercase;\n    color: var(--purple);\n    margin-bottom: 6px;\n    display: flex; align-items: center; justify-content: space-between;\n  }\n\n  #dps-isolated-root .btn-copy{\n    font-family: 'IBM Plex Sans', sans-serif;\n    font-size: 10px; font-weight: 500;\n    color: var(--purple);\n    background: var(--purple-light);\n    border: 1px solid var(--purple-border);\n    padding: 3px 10px; border-radius: 3px;\n    cursor: pointer;\n    transition: all 0.15s;\n    letter-spacing: 0;\n    text-transform: none;\n  }\n\n  #dps-isolated-root .btn-copy:hover{ background: var(--purple-border); }\n  #dps-isolated-root .btn-copy.copied{ color: var(--green); background: var(--green-light); border-color: var(--green-border); }\n\n  #dps-isolated-root .prompt-text{\n    font-family: 'IBM Plex Mono', monospace;\n    font-size: 11px;\n    line-height: 1.6;\n    background: #1A1917;\n    color: #E8E5E0;\n    border-radius: 6px;\n    padding: 12px 14px;\n    white-space: pre-wrap;\n    word-break: break-word;\n    max-height: 200px;\n    overflow-y: auto;\n  }\n\n  #dps-isolated-root .phase-sep{ margin: 40px 0; }\n\n  #dps-isolated-root .right-panel{\n    border-left: 1px solid var(--border);\n    padding: 24px 20px;\n    position: fixed;\n    right: 0;\n    top: var(--sticky-top);\n    width: 280px;\n    height: calc(100vh - var(--sticky-top));\n    overflow-y: auto;\n    background: var(--surface);\n    align-self: start;\n    scrollbar-gutter: stable;\n  }\n\n  #dps-isolated-root .panel-title{\n    font-size: 11px; font-weight: 600;\n    letter-spacing: 0.1em; text-transform: uppercase;\n    color: var(--text-3); margin-bottom: 16px;\n  }\n\n  #dps-isolated-root .overall-progress{\n    
background: var(--bg);\n    border: 1px solid var(--border);\n    border-radius: 8px;\n    padding: 16px;\n    margin-bottom: 20px;\n  }\n\n  #dps-isolated-root .overall-nums{ display: flex; justify-content: space-between; align-items: baseline; margin-bottom: 10px; }\n\n  #dps-isolated-root .overall-count{ font-family: 'IBM Plex Mono', monospace; font-size: 28px; font-weight: 500; color: var(--text); line-height: 1; }\n  #dps-isolated-root .overall-total{ font-size: 12px; color: var(--text-3); }\n\n  #dps-isolated-root .progress-track{ height: 5px; background: var(--border); border-radius: 100px; overflow: hidden; }\n  #dps-isolated-root .progress-fill{ height: 100%; border-radius: 100px; background: var(--check-color); transition: width 0.4s cubic-bezier(0.4,0,0.2,1); }\n  #dps-isolated-root .progress-label{ font-size: 11px; color: var(--text-3); margin-top: 6px; }\n\n  #dps-isolated-root .phase-prog-list{ display: flex; flex-direction: column; gap: 10px; margin-bottom: 20px; }\n  #dps-isolated-root .phase-prog{ display: flex; flex-direction: column; gap: 5px; }\n  #dps-isolated-root .phase-prog-header{ display: flex; justify-content: space-between; align-items: center; }\n  #dps-isolated-root .phase-prog-name{ font-size: 12px; font-weight: 500; color: var(--text-2); display: flex; align-items: center; gap: 6px; }\n  #dps-isolated-root .phase-badge{ font-size: 9px; font-weight: 600; padding: 1px 6px; border-radius: 2px; font-family: 'IBM Plex Mono', monospace; }\n  #dps-isolated-root .badge-a{ background: var(--blue-light); color: var(--blue); }\n  #dps-isolated-root .badge-b{ background: var(--yellow-light); color: var(--yellow); }\n  #dps-isolated-root .badge-c{ background: var(--accent-light); color: var(--accent); }\n  #dps-isolated-root .phase-prog-count{ font-family: 'IBM Plex Mono', monospace; font-size: 11px; color: var(--text-3); }\n  #dps-isolated-root .phase-track{ height: 4px; background: var(--border); border-radius: 100px; overflow: hidden; }\n  
#dps-isolated-root .phase-fill-a{ background: var(--blue); height: 100%; border-radius: 100px; transition: width 0.4s; }\n  #dps-isolated-root .phase-fill-b{ background: var(--yellow); height: 100%; border-radius: 100px; transition: width 0.4s; }\n  #dps-isolated-root .phase-fill-c{ background: var(--accent); height: 100%; border-radius: 100px; transition: width 0.4s; }\n\n  #dps-isolated-root hr.panel-divider{ border: none; border-top: 1px solid var(--border); margin: 16px 0; }\n\n  #dps-isolated-root .log-list{ display: flex; flex-direction: column; gap: 6px; }\n  #dps-isolated-root .log-item{ display: flex; gap: 8px; font-size: 11.5px; color: var(--text-3); align-items: flex-start; }\n  #dps-isolated-root .log-dot{ width: 6px; height: 6px; border-radius: 50%; flex-shrink: 0; margin-top: 4px; }\n  #dps-isolated-root .log-dot.done{ background: var(--check-color); }\n  #dps-isolated-root .log-dot.undo{ background: var(--text-3); }\n  #dps-isolated-root .log-time{ font-family: 'IBM Plex Mono', monospace; font-size: 10px; color: var(--text-3); flex-shrink: 0; margin-top: 1px; }\n  #dps-isolated-root .log-empty{ font-size: 12px; color: var(--text-3); font-style: italic; }\n\n  #dps-isolated-root .done-banner{\n    background: var(--green-light);\n    border: 1px solid var(--green-border);\n    border-radius: 8px;\n    padding: 14px;\n    text-align: center;\n    margin-bottom: 16px;\n    display: none;\n  }\n\n  #dps-isolated-root .done-banner.show{ display: block; }\n  #dps-isolated-root .done-banner-title{ font-size: 13px; font-weight: 600; color: var(--green); }\n  #dps-isolated-root .done-banner-sub{ font-size: 11px; color: var(--green); margin-top: 3px; opacity: 0.8; }\n\n  @media (max-width: 900px) {\n    #dps-isolated-root{\n      width: 100%;\n      max-width: 100%;\n      margin-left: 0;\n      --sticky-top: 0px;\n    }\n    #dps-isolated-root .layout{ padding-left: 0; padding-right: 0; }\n    #dps-isolated-root .sidebar, #dps-isolated-root .right-panel{ 
display: none; }\n    #dps-isolated-root .main{ padding: 24px 20px; max-width: 100%; }\n  }\n<\/style>\n<div id=\"dps-isolated-root\">\n<div class=\"article-wrap\">\n  <div class=\"article-kicker\">SEO \/ WordPress Security Tool<\/div>\n  <div class=\"article-title\">How to scan WordPress malware and thoroughly handle malware using an AI Agent<\/div>\n  <div class=\"article-lead\">When a WordPress website is suspected of being infected with malware, the issue is not just deleting a few strange files. Malware is often scattered across source code, database, server logs, cron jobs, suspicious users, and even hidden files in <span class=\"code\">wp-content<\/span>. This tool page was created to help the technical team follow the correct process, reduce oversights, and limit reinfection after cleanup.<\/div>\n\n  <div class=\"article-section\">\n    <h3>What is this tool used for?<\/h3>\n    <p>This is a practical checklist for teams handling a WordPress website suspected of being attacked. It guides users through 3 stages: responsibility confirmation, diagnosis using local AI scan, and incident handling in a logical order. 
Each step includes a brief explanation and sample prompts for the AI Agent to directly read source code, database, or access logs.<\/p>\n    <div class=\"article-list\">\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span>Determine whether the site falls within the team\u2019s responsibility before starting.<\/span><\/div>\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span>Collect source code, database, and logs to a local machine for the AI Agent to scan.<\/span><\/div>\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span>Detect malicious files, suspicious users, cron jobs, and remaining persistence indicators.<\/span><\/div>\n    <\/div>\n  <\/div>\n\n  <div class=\"article-section\">\n    <h3>Why use an AI Agent to scan WordPress malware?<\/h3>\n    <p>Most WordPress incidents are not located in a single file. Hackers may insert backdoors into themes, hide shells in uploads, create new admin users in the database, or attach redirects in options. Manual inspection can easily miss issues due to the large amount of data. 
An AI Agent helps by quickly reading the entire local workspace and summarizing suspicious points in a structured format.<\/p>\n  <\/div>\n\n  <div class=\"article-section\">\n    <h3>Main process in the checklist<\/h3>\n    <div class=\"article-list\">\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span><b>Phase A:<\/b> Confirm whether the website is under the team\u2019s responsibility.<\/span><\/div>\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span><b>Phase B:<\/b> Scan source code, database, and access logs using an AI Agent.<\/span><\/div>\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span><b>Phase C:<\/b> Back up, lock the website, change credentials, reset core, scan <span class=\"code\">wp-content<\/span>, delete suspicious users, check cron jobs, and hand over.<\/span><\/div>\n    <\/div>\n  <\/div>\n\n  <div class=\"article-section\">\n    <h3>Key differences of the tool<\/h3>\n    <p>This page does more than list tasks. 
It also tracks processing progress, provides ready-made sample prompts, suggests priority files and database tables, and helps the team not forget important steps such as changing database passwords, checking cron jobs, or re-verifying Google Search Console after cleanup.<\/p>\n  <\/div>\n\n  <div class=\"article-section\">\n    <h3>When to use?<\/h3>\n    <div class=\"article-list\">\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span>Website automatically redirects or shows security warnings.<\/span><\/div>\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span>There are unusual PHP files in uploads or theme\/plugin files have been abnormally modified.<\/span><\/div>\n      <div class=\"article-list-item\"><span class=\"article-bullet\"><\/span><span>Search Console, access logs, or database show signs of contamination.<\/span><\/div>\n    <\/div>\n    <div class=\"article-cta\">In short, this is a complete workflow to handle WordPress malware systematically, reduce the risk of missing backdoors, and increase the likelihood of thorough cleanup from the first attempt.<\/div>\n  <\/div>\n<\/div>\n\n<div class=\"layout\">\n\n  <!-- SIDEBAR -->\n  <div class=\"sidebar\">\n    <div class=\"sidebar-section\">\n      <div class=\"sidebar-label\">Stage<\/div>\n      <div class=\"sidebar-item phase-a\" data-scroll=\"#phase-a\" role=\"button\" tabindex=\"0\">\n        <div class=\"sidebar-phase\">A<\/div>\n        Confirm responsibility\n        <span class=\"sidebar-progress\" id=\"prog-a-side\">0\/2<\/span>\n      <\/div>\n      <div class=\"sidebar-item phase-b\" data-scroll=\"#phase-b\" role=\"button\" tabindex=\"0\">\n        <div class=\"sidebar-phase\">B<\/div>\n        Diagnosis &amp; Scan\n        <span class=\"sidebar-progress\" id=\"prog-b-side\">0\/3<\/span>\n      <\/div>\n      <div class=\"sidebar-item phase-c\" data-scroll=\"#phase-c\" role=\"button\" tabindex=\"0\">\n        <div 
class=\"sidebar-phase\">C<\/div>\n        Vulnerability handling\n        <span class=\"sidebar-progress\" id=\"prog-c-side\">0\/24<\/span>\n      <\/div>\n    <\/div>\n    <div class=\"sidebar-divider\"><\/div>\n    <div class=\"sidebar-section\">\n      <div class=\"sidebar-label\">Processing steps<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c1\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">01<\/span>Team notification<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c2\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">02<\/span>Backup<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c3\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">03<\/span>Lock website<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c4\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">04<\/span>Restart PHP<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c5\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">05<\/span>Change DB password<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c6\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex 
Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">06<\/span>Change FTP\/SSH password<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c7\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">07<\/span>Check wp-config.php<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c8\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">08<\/span>Reset WP source code<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c9\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">09<\/span>Scan wp-content<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c10\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">10<\/span>New security keys<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c11\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">11<\/span>Remove redundant themes\/plugins<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c12\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">12<\/span>Reset file permissions<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c13\" 
role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">13<\/span>Delete suspicious users<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c14\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">14<\/span>Disable open registration<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c15\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">15<\/span>Change admin password<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c16\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">16<\/span>Reopen website<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c17\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">17<\/span>Save Permalink<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c18\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">18<\/span>Install security plugin<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c19\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">19<\/span>Update themes\/plugins<\/div>\n      <div class=\"sidebar-item\" 
style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c20\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">20<\/span>Check cron jobs<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c21\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">21<\/span>Check subdirectories<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c22\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">22<\/span>Verify\/test web<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c23\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">23<\/span>Confirm GSC<\/div>\n      <div class=\"sidebar-item\" style=\"font-size:12px;color:var(--text-3);padding:5px 8px;\" data-scroll=\"#step-c24\" role=\"button\" tabindex=\"0\"><span style=\"font-family:'IBM Plex Mono',monospace;font-size:10px;color:var(--text-3);width:20px;\">24<\/span>Notify client\/stakeholders<\/div>\n    <\/div>\n  <\/div>\n\n  <!-- MAIN -->\n  <div class=\"main\">\n\n    <!-- PHASE A -->\n    <div id=\"phase-a\" class=\"phase-sep\">\n      <div class=\"phase-header\">\n        <div class=\"phase-icon a\">A<\/div>\n        <div class=\"phase-meta\">\n          <div class=\"phase-tag\">Phase A<\/div>\n          <div class=\"phase-title\">Confirm responsibility<\/div>\n          <div class=\"phase-desc\">Before doing anything, ask these 2 questions to ensure this is your task.<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"check-group\">\n        <div 
class=\"check-group-label\">Confirmation questions<\/div>\n\n        <div class=\"check-card\" id=\"check-a1\" onclick=\"toggleCheck('a1', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\">A.01<\/div>\n              <div class=\"check-title\">Is the website hosted at DPS?<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-a1', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-a1\">\n            <div class=\"check-desc\">If the site is not hosted at DPS, this might not be our team's task. 
Ask immediately before getting started.<\/div>\n            <div class=\"tags\"><span class=\"tag\">Ask Dev<\/span><span class=\"tag\">Ask Accounting<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-a2\" onclick=\"toggleCheck('a2', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\">A.02<\/div>\n              <div class=\"check-title\">Does the web belong to a project running at DPS?<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-a2', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-a2\">\n            <div class=\"check-desc\">SEO, Ads\u2026 If there is a running project, the team is responsible for handling it.<\/div>\n            <div class=\"tags\"><span class=\"tag\">Ask Account<\/span><span class=\"tag\">Ask Accounting<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n\n    <!-- PHASE B -->\n    <div id=\"phase-b\" class=\"phase-sep\">\n      <div class=\"phase-header\">\n        <div class=\"phase-icon b\">B<\/div>\n        <div class=\"phase-meta\">\n          <div class=\"phase-tag\">Phase B<\/div>\n          <div class=\"phase-title\">Diagnosis &amp; Scan<\/div>\n          <div class=\"phase-desc\">Collect artifacts before processing. 
Without this step, you won't know how the site was hacked, and it will happen again after cleaning.<\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">Collect artifacts &amp; AI scan<\/div>\n\n        <div class=\"check-card\" id=\"check-b1\" onclick=\"toggleCheck('b1', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\">B.01<\/div>\n              <div class=\"check-title\">Collect source, DB, logs, then let the AI agent scan locally<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-b1', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-b1\">\n            <div class=\"check-desc\">Do it in one pass: download source code, database, and logs to your machine; open them in an IDE; then let the AI agent browse the local workspace directly to scan. Treat the download as untrusted input: do not execute any of its PHP, and keep the agent's access read-only, because the files it reads are attacker-controlled and the database dump and wp-config.php contain credentials and user data.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>If the source is too large to download in full, prioritize source root + <span class=\"code\">wp-content<\/span> + <span class=\"code\">wp-config.php<\/span> + <span class=\"code\">.htaccess<\/span> + <span class=\"code\">index.php<\/span>. The goal is to keep enough evidence for the agent to read the full picture.<\/span><\/div>\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span>This is the diagnostic step. 
After finishing, you must identify: which files are suspicious, which DB rows are infected, which logs show the entry vector, and which files\/paths are likely entry points.<\/span><\/div>\n\n            <div class=\"prompt-block\">\n              <div class=\"prompt-label\">\n                Prompt \u2014 Scan source code\n                <button class=\"btn-copy\" onclick=\"copyPrompt('p-source', this)\">Copy prompt<\/button>\n              <\/div>\n              <div class=\"prompt-text\" id=\"p-source\">You are a WordPress security expert. I have downloaded the entire source code of a suspected hacked WordPress website to my machine and opened it in an IDE. Please browse directly in this local workspace.\\n\\nPlease analyze and return:\\n\\n1. DANGEROUS FILES\\n   \u2013 Files containing: eval(base64_decode), gzinflate, str_rot13, assert(), preg_replace \/e, system(), exec(), passthru()\\n   \u2013 .php files located in the uploads\/ folder (unusual)\\n   \u2013 Files with random names or fake WP core names (e.g., wp-logln.php, hello.php)\\n\\n2. RECENTLY MODIFIED FILES\\n   \u2013 List files with unusual modified timestamps compared to the rest\\n   \u2013 Priority: functions.php, wp-config.php, .htaccess, index.php\\n\\n3. SPECIFIC MALWARE\\n   \u2013 Suspected code snippets, explaining what they do\\n   \u2013 Classification: backdoor shell \/ spam injector \/ redirect \/ credential stealer \/ cryptominer\\n\\n4. 
VECTOR CONCLUSION\\n   \u2013 Based on the location and type of malware, what could the attack vector be?\\n   \u2013 Which plugin\/theme is likely the entry point?\\n\\nFormat: clear headings, for each dangerous file specify path + code line + severity (CRITICAL \/ HIGH \/ MEDIUM).<\/div>\n            <\/div>\n\n            <div class=\"prompt-block\">\n              <div class=\"prompt-label\">\n                Prompt \u2014 Scan database\n                <button class=\"btn-copy\" onclick=\"copyPrompt('p-db', this)\">Copy prompt<\/button>\n              <\/div>\n              <div class=\"prompt-text\" id=\"p-db\">You are a WordPress security expert. I have downloaded the SQL dump file of a suspected hacked website to my machine and opened it in an IDE. Please browse this local file directly.\\n\\nPlease analyze the following tables and return:\\n\\n1. wp_options\\n   \u2013 Have siteurl or home been changed or had redirects inserted?\\n   \u2013 Are there suspicious plugins in active_plugins (unusual paths, non-existent plugins in wp-content)?\\n   \u2013 Are there any options containing suspicious base64, eval, iframe, or script tags?\\n   \u2013 Has admin_email been changed?\\n\\n2. wp_posts \/ wp_postmeta\\n   \u2013 Which posts contain spam keywords (viagra, casino, pharma, \uce74\uc9c0\ub178, \u85ac)?\\n   \u2013 Which posts have hidden iframes or hidden links (display:none, font-size:0)?\\n   \u2013 Post_status = publish but no title or unusual content?\\n\\n3. wp_users \/ wp_usermeta\\n   \u2013 Which users with the administrator role were recently created?\\n   \u2013 Unusual user_registered timestamps?\\n   \u2013 Are there user_logins that look like bots (random strings, fake emails)?\\n\\n4. 
CONCLUSION\\n   \u2013 Hack type: Pharma hack \/ Japanese SEO hack \/ Backdoor user \/ Option inject?\\n   \u2013 Infection level: how many records are affected?\\n   \u2013 What needs to be done to clean the DB?\\n\\nFormat: table for the list of infected users\/options, clearly stating table + field + suspicious value.<\/div>\n            <\/div>\n\n            <div class=\"prompt-block\">\n              <div class=\"prompt-label\">\n                Prompt \u2014 Scan access log\n                <button class=\"btn-copy\" onclick=\"copyPrompt('p-log', this)\">Copy prompt<\/button>\n              <\/div>\n              <div class=\"prompt-text\" id=\"p-log\">You are a WordPress security expert. I have downloaded the access log (and\/or error log) file of the web server to my machine and opened it in an IDE. Please browse this local file directly.\\n\\nPlease analyze and return:\\n\\n1. INCIDENT TIMELINE\\n   \u2013 When did the first request showing signs of attack appear?\\n   \u2013 What was the sequence of events from scan \u2192 exploit \u2192 backdoor upload?\\n\\n2. EXPLOITED ENDPOINTS\\n   \u2013 xmlrpc.php: is there brute force or multicall abuse?\\n   \u2013 wp-login.php: unusual request volume?\\n   \u2013 admin-ajax.php: suspicious actions?\\n   \u2013 Upload endpoint: were any PHP files successfully uploaded?\\n   \u2013 Which URLs returned 200 but look like shell paths?\\n\\n3. ATTACKING IPS\\n   \u2013 Which IPs showed unusual behavior (scanning multiple paths, continuous POST)?\\n   \u2013 List the top 10 suspicious IPs + number of requests + behavior\\n\\n4. PERSISTENCE SIGNS\\n   \u2013 After the initial attack, were there subsequent requests to backdoor files?\\n   \u2013 How many times did the hacker return, and from which IPs?\\n\\n5. 
VECTOR CONCLUSION\\n   \u2013 What is the most probable attack vector based on the logs?\\n   \u2013 Which plugin\/path is the entry point?\\n\\nFormat: chronological timeline, IP list in table format, endpoints as a list with HTTP method + status code.<\/div>\n            <\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">Confirm current protection<\/div>\n\n        <div class=\"check-card\" id=\"check-b2\" onclick=\"toggleCheck('b2', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\">B.02<\/div>\n              <div class=\"check-title\">Check the DPS Shield WordPress Security plugin<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-b2', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-b2\">\n            <div class=\"check-desc\">Access <span class=\"code\">websitename.com\/admindps<\/span> to check. Able to access = DPS Shield is installed. Unable to access = not installed.<\/div>\n            <div class=\"note danger\"><span class=\"note-icon\">!<\/span><span>No DPS Shield = up to 80% risk of being hacked. 
This is DPS's internal security plugin.<\/span><\/div>\n            <div class=\"note info\" style=\"margin-top:6px;\"><span class=\"note-icon\">i<\/span><span>Download plugin at: <div style=\"color:var(--blue);text-decoration:none;font-family:'IBM Plex Mono',monospace;font-size:11px;\" data-open=\"https:\/\/github.com\/hienhoceo-dpsmedia\/dps-wordpress-security\" role=\"button\" tabindex=\"0\">github.com\/hienhoceo-dpsmedia\/dps-wordpress-security<\/div><\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-b3\" onclick=\"toggleCheck('b3', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\">B.03<\/div>\n              <div class=\"check-title\">Check if server-side firewall\/WAF is enabled<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-b3', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-b3\">\n            <div class=\"check-desc\">Check if the application WAF or server-side traffic filtering layer is enabled and configured correctly.<\/div>\n            <div class=\"note success\"><span class=\"note-icon\">+<\/span><span>Server-side WAF = reduces bad traffic before it reaches WordPress.<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n    <\/div>\n\n    <!-- PHASE C -->\n    <div id=\"phase-c\" class=\"phase-sep\">\n      <div class=\"phase-header\">\n        <div class=\"phase-icon c\">C<\/div>\n        <div 
class=\"phase-meta\">\n          <div class=\"phase-tag\">Phase C<\/div>\n          <div class=\"phase-title\">Processing steps<\/div>\n          <div class=\"phase-desc\">Follow the correct order. Do not skip steps. Each step has a specific reason.<\/div>\n        <\/div>\n      <\/div>\n\n      <!-- Chu\u1ea9n b\u1ecb -->\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">Preparation<\/div>\n\n        <div class=\"check-card\" id=\"check-c1\" onclick=\"toggleCheck('c1', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c1\">C.01<\/div>\n              <div class=\"check-title\">Notify the team<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c1', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c1\">\n            <div class=\"check-desc\">Inform everyone so they know you are handling it. 
Avoid overlapping work or needing someone to coordinate.<\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c2\" onclick=\"toggleCheck('c2', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c2\">C.02<\/div>\n              <div class=\"check-title\">Backup source code and database<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c2', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c2\">\n            <div class=\"check-desc\">Backup everything before touching anything. If UpdraftPlus is not available, backup manually via the Hosting Panel.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Even if the web is infected, you still need to keep the original copy for comparison or content recovery. 
This step is different from B.01 \u2014 this is a storage backup, not the working copy used for scanning.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c3\" onclick=\"toggleCheck('c3', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c3\">C.03<\/div>\n              <div class=\"check-title\">Lock the website (Suspend)<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c3', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c3\">\n            <div class=\"check-desc\">Go to Hosting Panel or VPS Script, suspend\/lock the domain.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>With the site suspended, the hacker cannot continue to access it while you are processing. 
Do this step before continuing with the rest of Phase C.<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n      <!-- Can thi\u1ec7p m\u00e1y ch\u1ee7 -->\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">Server intervention<\/div>\n\n        <div class=\"check-card\" id=\"check-c4\" onclick=\"toggleCheck('c4', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c4\">C.04<\/div>\n              <div class=\"check-title\">Restart PHP<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c4', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c4\">\n            <div class=\"check-desc\"><b>CyberPanel:<\/b> Switch to a different PHP version then switch back to the old version.<br><b>cPanel:<\/b> Similarly, switch back and forth.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Switching the PHP version forces the server to kill all PHP processes running in RAM, cutting off background connections from hackers. A process that has detached from PHP may survive this restart; cron jobs are checked in step C.20.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c5\" onclick=\"toggleCheck('c5', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            
<div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c5\">C.05<\/div>\n              <div class=\"check-title\">Change Database password<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c5', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c5\">\n            <div class=\"check-desc\">Create a new password for the database, update it immediately in the file <span class=\"code\">wp-config.php<\/span>.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Hackers often save database info to return later. Changing the password cuts off that route.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c6\" onclick=\"toggleCheck('c6', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c6\">C.06<\/div>\n              <div class=\"check-title\">Change FTP \/ SFTP \/ SSH password<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c6', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c6\">\n            <div class=\"check-desc\">Change all file system access credentials: FTP accounts in Hosting Panel, SSH keys or 
passwords if using VPS directly.<\/div>\n            <div class=\"note danger\"><span class=\"note-icon\">!<\/span><span>Many WordPress hack cases come from leaked FTP credentials (malware on client machines, old credentials not changed). Changing the DB password without changing FTP allows the hacker to get back in immediately.<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n      <!-- L\u00e0m s\u1ea1ch m\u00e3 ngu\u1ed3n -->\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">Clean source code<\/div>\n\n        <div class=\"check-card\" id=\"check-c7\" onclick=\"toggleCheck('c7', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c7\">C.07<\/div>\n              <div class=\"check-title\">Check wp-config.php<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c7', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c7\">\n            <div class=\"check-desc\">Open <span class=\"code\">wp-config.php<\/span> Read carefully: check the beginning and end of files for strange code segments, eval, base64, or unusual includes. 
No need to check the root <span class=\"code\">.htaccess<\/span> here because step C.08 (WP reset) will delete it and C.17 (Save Permalink) will recreate a clean file. Any <span class=\"code\">.htaccess<\/span> files inside <span class=\"code\">wp-content<\/span> or other subdirectories kept in C.08 are not recreated and still need to be checked.<\/div>\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span><span class=\"code\">wp-config.php<\/span> is the file most susceptible to malware injection. Confirm it is clean before proceeding.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c8\" onclick=\"toggleCheck('c8', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c8\">C.08<\/div>\n              <div class=\"check-title\">Reset WordPress source code to the latest version<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c8', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c8\">\n            <div class=\"check-desc\">Delete all old WordPress files, then reinstall a clean version of the latest release.<\/div>\n            <div class=\"note success\"><span class=\"note-icon\">+<\/span><span>Keep: the folder <span class=\"code\">wp-content<\/span>, file <span class=\"code\">wp-config.php<\/span>, and other website subdirectories if any.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c9\" onclick=\"toggleCheck('c9', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 
10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c9\">C.09<\/div>\n              <div class=\"check-title\">Download wp-content and have an AI agent scan everything<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c9', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c9\">\n            <div class=\"check-desc\">Download the entire directory <span class=\"code\">wp-content<\/span> to your computer and have an AI agent (Claude, Codex, Gemini) scan it. The scan scope includes:<br>\u2022 <span class=\"code\">uploads\/<\/span> \u2014 find hidden .php files in images\/media<br>\u2022 <span class=\"code\">themes\/<\/span> \u2014 both active and inactive themes<br>\u2022 <span class=\"code\">plugins\/<\/span> \u2014 all plugins, including deactivated ones<br>\u2022 <span class=\"code\">mu-plugins\/<\/span> \u2014 the most commonly overlooked location<br>\u2022 Drop-in files: <span class=\"code\">advanced-cache.php<\/span>, <span class=\"code\">object-cache.php<\/span>, <span class=\"code\">db.php<\/span><\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Ask the agent to find: <span class=\"code\">eval<\/span>, <span class=\"code\">base64_decode<\/span>, <span class=\"code\">gzinflate<\/span>, <span class=\"code\">shell_exec<\/span>, <span class=\"code\">assert<\/span>, <span class=\"code\">system<\/span>, <span class=\"code\">exec<\/span>, <span class=\"code\">passthru<\/span>, <span class=\"code\">preg_replace \/e<\/span>. 
Open each hit file to verify manually.<\/span><\/div>\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span>The WP core reset does not touch <span class=\"code\">wp-content<\/span>. This is where shells, drop-ins, and persistence mechanisms are most likely to remain.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c10\" onclick=\"toggleCheck('c10', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c10\">C.10<\/div>\n              <div class=\"check-title\">Generate new Security Keys and Salt<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c10', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c10\">\n            <div class=\"check-desc\">Go to the link: <span class=\"code\">https:\/\/api.wordpress.org\/secret-key\/1.1\/salt\/<\/span><br>Copy everything, paste into <span class=\"code\">wp-config.php<\/span> replacing the old section.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>All currently logged-in users will be logged out immediately, including hackers.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c11\" onclick=\"toggleCheck('c11', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 
6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c11\">C.11<\/div>\n              <div class=\"check-title\">Delete unused themes and plugins<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c11', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c11\">\n            <div class=\"check-desc\">Clean up everything unnecessary in WordPress. This includes default themes (Twenty*) if not in use.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Less code = fewer vulnerabilities. Every unused plugin is a potential weak point.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c12\" onclick=\"toggleCheck('c12', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c12\">C.12<\/div>\n              <div class=\"check-title\">Reset file permissions<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c12', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c12\">\n            <div 
class=\"check-desc\">Run the following 3 commands from the WordPress root directory (the folder that contains <span class=\"code\">wp-config.php<\/span>) via SSH or Terminal in the Hosting Panel:<br><span class=\"code\">find . -type f -exec chmod 644 {} \\;<\/span><br><span class=\"code\">find . -type d -exec chmod 755 {} \\;<\/span><br><span class=\"code\">chmod 600 wp-config.php<\/span><\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Incorrect file permissions (777) are a common reason malicious scripts can write themselves to the server. Reset to standard before reopening the site.<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n      <!-- User & Access Control \u2014 TR\u01af\u1edaC khi unsuspend -->\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">User &amp; Access control<\/div>\n\n        <div class=\"check-card\" id=\"check-c13\" onclick=\"toggleCheck('c13', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c13\">C.13<\/div>\n              <div class=\"check-title\">Delete suspicious users in the database<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c13', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c13\">\n            <div class=\"check-desc\">Go to phpMyAdmin \u2192 table <span class=\"code\">wp_users<\/span>, delete any strange users not belonging to the team. Cross-check with the user list reported by the agent in B.01 (the database scan). 
Do this before reopening the site to ensure no unauthorized admins remain.<\/div>\n            <div class=\"note danger\"><span class=\"note-icon\">!<\/span><span>If done after unsuspending, a hacker could log back in immediately during the window while the site is open and the unauthorized user still exists.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c14\" onclick=\"toggleCheck('c14', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c14\">C.14<\/div>\n              <div class=\"check-title\">Disable open registration<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c14', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c14\">\n            <div class=\"check-desc\">Go to <b>Settings \u2192 General<\/b>, uncheck <b>\u201cAnyone can register\u201d<\/b>. 
If the site does not need a registration feature, disable it entirely.<\/div>\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span>Open registration allows bots to create users automatically, which is the first step in many privilege escalation attacks.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c15\" onclick=\"toggleCheck('c15', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c15\">C.15<\/div>\n              <div class=\"check-title\">Change all admin account passwords<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c15', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c15\">\n            <div class=\"check-desc\">Change all administrator accounts to strong passwords. 
Use a password manager to generate random passwords of 20+ characters.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Combined with the new Security Keys in C.10, all old sessions\u2014including the hacker's\u2014will be invalidated.<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n      <!-- Kh\u00f4i ph\u1ee5c v\u00e0 c\u1ea5u h\u00ecnh -->\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">Restore and configure<\/div>\n\n        <div class=\"check-card\" id=\"check-c16\" onclick=\"toggleCheck('c16', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c16\">C.16<\/div>\n              <div class=\"check-title\">Reopen the website (Unsuspend)<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c16', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c16\">\n            <div class=\"check-desc\">Go to the Hosting Panel and unsuspend the domain. The website is now live. 
Only perform this step after deleting suspicious users (C.13) and changing admin passwords (C.15).<\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c17\" onclick=\"toggleCheck('c17', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c17\">C.17<\/div>\n              <div class=\"check-title\">Save Permalink<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c17', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c17\">\n            <div class=\"check-desc\">In WP Admin, go to <b>Settings &gt; Permalinks<\/b> and click <b>Save Changes<\/b>.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>Resetting WordPress causes the loss of the <span class=\"code\">.htaccess<\/span> file. Saving permalinks recreates this file. 
Security plugins require <span class=\"code\">.htaccess<\/span> to function properly.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c18\" onclick=\"toggleCheck('c18', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c18\">C.18<\/div>\n              <div class=\"check-title\">Reinstall necessary security plugins<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c18', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c18\">\n            <div class=\"check-desc\">Install the latest versions and configure them fully. 
Prioritize installing DPS Shield first as it requires the <span class=\"code\">.htaccess<\/span> from the previous step.<\/div>\n            <div class=\"tags\"><span class=\"tag\">DPS Shield Security<\/span><span class=\"tag\">UpdraftPlus<\/span><span class=\"tag\">LiteSpeed Cache<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c19\" onclick=\"toggleCheck('c19', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c19\">C.19<\/div>\n              <div class=\"check-title\">Update remaining themes and plugins<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c19', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c19\">\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span>Be careful when updating. It may cause version conflicts and break the site. 
Test thoroughly after updating each plugin.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c20\" onclick=\"toggleCheck('c20', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c20\">C.20<\/div>\n              <div class=\"check-title\">Check cron jobs \/ scheduled tasks<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c20', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c20\">\n            <div class=\"check-desc\">Check WP Admin &gt; Tools &gt; Scheduled Actions or run <span class=\"code\">wp cron event list<\/span> to find suspicious jobs or jobs that reactivate malware. Also review the server crontab of the hosting account (for example <span class=\"code\">crontab -l<\/span>), because <span class=\"code\">wp cron event list<\/span> only shows WP-Cron events.<\/div>\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span>Hackers often add WP-Cron events or server cron jobs to reload shells after they have been deleted. 
This is the most common persistence mechanism.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c21\" onclick=\"toggleCheck('c21', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c21\">C.21<\/div>\n              <div class=\"check-title\">Check peer subdirectories<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c21', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c21\">\n            <div class=\"check-desc\">Check if there are other websites located in the same parent directory. If so, those websites are also at risk of infection.<\/div>\n            <div class=\"note danger\"><span class=\"note-icon\">!<\/span><span>Peer directories do not have <span class=\"code\">open_basedir<\/span> protection. 
A hack on this website can immediately spread to other websites in the same parent directory.<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n      <!-- H\u1eadu ki\u1ec3m v\u00e0 b\u00e0n giao -->\n      <div class=\"check-group\">\n        <div class=\"check-group-label\">Post-inspection and handover<\/div>\n\n        <div class=\"check-card\" id=\"check-c22\" onclick=\"toggleCheck('c22', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c22\">C.22<\/div>\n              <div class=\"check-title\">Verify \/ test that the website is operating normally<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c22', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c22\">\n            <div class=\"check-desc\">Before notifying the client, perform a quick self-check:<br>\u2022 Home page loads normally, no red warnings from Chrome\/browser<br>\u2022 Access a few content pages, no strange redirects<br>\u2022 Able to log in to WP Admin<br>\u2022 Main functions (form, menu, search) work correctly<br>\u2022 Check on mobile<\/div>\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span>Do not notify the client before completing self-verification. 
Resetting WP sometimes breaks the layout or loses permalinks if any step is missed.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c23\" onclick=\"toggleCheck('c23', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c23\">C.23<\/div>\n              <div class=\"check-title\">Confirm Google Search Console<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c23', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c23\">\n            <div class=\"check-desc\">Check Google Search Console to see if the website is still marked as dangerous, then submit a review request after processing is complete.<\/div>\n            <div class=\"note info\"><span class=\"note-icon\">i<\/span><span>If the website has been hacked for a long time, Google may still display warnings even if the site is clean. 
Requesting a review is a mandatory step to remove the warnings.<\/span><\/div>\n          <\/div>\n        <\/div>\n\n        <div class=\"check-card\" id=\"check-c24\" onclick=\"toggleCheck('c24', event)\">\n          <div class=\"check-main\">\n            <div class=\"check-box\"><svg width=\"10\" height=\"8\" viewbox=\"0 0 10 8\" fill=\"none\"><path d=\"M1 4L3.5 6.5L9 1\" stroke=\"white\" stroke-width=\"1.8\" stroke-linecap=\"round\" stroke-linejoin=\"round\"\/><\/svg><\/div>\n            <div class=\"check-body\">\n              <div class=\"check-step-num\" id=\"step-c24\">C.24<\/div>\n              <div class=\"check-title\">Notify client \/ stakeholder<\/div>\n            <\/div>\n            <div class=\"check-expand\" onclick=\"toggleDetail('detail-c24', this, event)\"><svg width=\"12\" height=\"12\" viewbox=\"0 0 12 12\" fill=\"none\"><path d=\"M3 4.5L6 7.5L9 4.5\" stroke=\"currentColor\" stroke-width=\"1.5\" stroke-linecap=\"round\"\/><\/svg><\/div>\n          <\/div>\n          <div class=\"check-detail\" id=\"detail-c24\">\n            <div class=\"check-desc\">Inform the client or stakeholder about the status of the incident, the steps taken, and the points to monitor next.<\/div>\n            <div class=\"note warn\"><span class=\"note-icon\">!<\/span><span>If this is a client's website, do not just notify the internal team. 
You need to update the processing results and safety status for the person in charge.<\/span><\/div>\n          <\/div>\n        <\/div>\n      <\/div>\n\n    <\/div>\n  <\/div>\n\n  <!-- RIGHT PANEL -->\n  <div class=\"right-panel\">\n    <div class=\"panel-title\">Processing progress<\/div>\n\n    <div class=\"done-banner\" id=\"done-banner\">\n      <div class=\"done-banner-title\">Completed!<\/div>\n      <div class=\"done-banner-sub\">Ask a senior to check before closing the ticket.<\/div>\n    <\/div>\n\n    <div class=\"overall-progress\">\n      <div class=\"overall-nums\">\n        <span class=\"overall-count\" id=\"done-count\">0<\/span>\n        <span class=\"overall-total\">\/ 29 items<\/span>\n      <\/div>\n      <div class=\"progress-track\">\n        <div class=\"progress-fill\" id=\"overall-fill\" style=\"width:0%\"><\/div>\n      <\/div>\n      <div class=\"progress-label\" id=\"progress-label\">Not started yet<\/div>\n    <\/div>\n\n    <div class=\"phase-prog-list\">\n      <div class=\"phase-prog\">\n        <div class=\"phase-prog-header\">\n          <span class=\"phase-prog-name\"><span class=\"phase-badge badge-a\">A<\/span> Confirm<\/span>\n          <span class=\"phase-prog-count\" id=\"count-a\">0\/2<\/span>\n        <\/div>\n        <div class=\"phase-track\"><div class=\"phase-fill-a\" id=\"fill-a\" style=\"width:0%\"><\/div><\/div>\n      <\/div>\n      <div class=\"phase-prog\">\n        <div class=\"phase-prog-header\">\n          <span class=\"phase-prog-name\"><span class=\"phase-badge badge-b\">B<\/span> Diagnosis<\/span>\n          <span class=\"phase-prog-count\" id=\"count-b\">0\/3<\/span>\n        <\/div>\n        <div class=\"phase-track\"><div class=\"phase-fill-b\" id=\"fill-b\" style=\"width:0%\"><\/div><\/div>\n      <\/div>\n      <div class=\"phase-prog\">\n        <div class=\"phase-prog-header\">\n          <span class=\"phase-prog-name\"><span class=\"phase-badge badge-c\">C<\/span> Processing<\/span>\n          
<span class=\"phase-prog-count\" id=\"count-c\">0\/24<\/span>\n        <\/div>\n        <div class=\"phase-track\"><div class=\"phase-fill-c\" id=\"fill-c\" style=\"width:0%\"><\/div><\/div>\n      <\/div>\n    <\/div>\n\n    <div class=\"panel-divider\"><\/div>\n\n    <div class=\"panel-title\">Recent activity<\/div>\n    <div class=\"log-list\" id=\"log-list\">\n      <div class=\"log-empty\" id=\"log-empty\">No activity yet.<\/div>\n    <\/div>\n  <\/div>\n\n<\/div>\n<\/div>\n<script>\n  const state = {};\n  const log = [];\n\n  const labels = {\n    a1: 'Web l\u01b0u tr\u1eef t\u1ea1i DPS',\n    a2: 'Web thu\u1ed9c d\u1ef1 \u00e1n DPS',\n    b1: 'Thu th\u1eadp artifact + AI scan',\n    b2: 'Ki\u1ec3m tra DPS Shield',\n    b3: 'Ki\u1ec3m tra WAF server',\n    c1: 'Th\u00f4ng b\u00e1o team',\n    c2: 'Backup source + DB',\n    c3: 'Kho\u00e1 website',\n    c4: 'Restart PHP',\n    c5: '\u0110\u1ed5i DB password',\n    c6: '\u0110\u1ed5i FTP\/SSH password',\n    c7: 'Ki\u1ec3m tra wp-config',\n    c8: 'Reset m\u00e3 ngu\u1ed3n WP',\n    c9: 'Scan wp-content',\n    c10: 'Security key m\u1edbi',\n    c11: 'Xo\u00e1 theme\/plugin th\u1eeba',\n    c12: 'Reset file permissions',\n    c13: 'Xo\u00e1 user l\u1ea1',\n    c14: 'T\u1eaft \u0111\u0103ng k\u00fd t\u1ef1 do',\n    c15: '\u0110\u1ed5i m\u1eadt kh\u1ea9u admin',\n    c16: 'M\u1edf l\u1ea1i website',\n    c17: 'Save Permalink',\n    c18: 'C\u00e0i plugin b\u1ea3o m\u1eadt',\n    c19: 'Update theme\/plugin',\n    c20: 'Ki\u1ec3m tra cron job',\n    c21: 'Ki\u1ec3m tra subdirectory',\n    c22: 'Verify\/test web',\n    c23: 'X\u00e1c nh\u1eadn GSC',\n    c24: 'B\u00e1o client\/stakeholder'\n  };\n\n  function countPhase(p) {\n    return Object.keys(state).filter(k => k.startsWith(p) && state[k]).length;\n  }\n\n  function totalPhase(p) {\n    return Object.keys(labels).filter(k => k.startsWith(p)).length;\n  }\n\n  function updateProgress() {\n    const total = Object.keys(labels).length;\n    const done = 
Object.values(state).filter(Boolean).length;\n\n    document.getElementById('done-count').textContent = done;\n    document.getElementById('overall-fill').style.width = (done \/ total * 100) + '%';\n\n    const pct = Math.round(done \/ total * 100);\n    document.getElementById('progress-label').textContent =\n      done === 0 ? 'Ch\u01b0a b\u1eaft \u0111\u1ea7u' :\n      done === total ? 'Ho\u00e0n th\u00e0nh!' :\n      pct + '% ho\u00e0n th\u00e0nh';\n\n    ['a','b','c'].forEach(p => {\n      const d = countPhase(p);\n      const t = totalPhase(p);\n      document.getElementById('count-' + p).textContent = d + '\/' + t;\n      document.getElementById('fill-' + p).style.width = (d \/ t * 100) + '%';\n      document.getElementById('prog-' + p + '-side').textContent = d + '\/' + t;\n    });\n\n    const banner = document.getElementById('done-banner');\n    if (done === total) {\n      banner.classList.add('show');\n    } else {\n      banner.classList.remove('show');\n    }\n  }\n\n  function addLog(id, isDone) {\n    const now = new Date();\n    const time = now.getHours().toString().padStart(2,'0') + ':' + now.getMinutes().toString().padStart(2,'0');\n    log.unshift({ id, isDone, time });\n    if (log.length > 8) log.pop();\n\n    const container = document.getElementById('log-list');\n    const empty = document.getElementById('log-empty');\n    if (empty) empty.remove();\n\n    container.innerHTML = log.map(l => `\n      <div class=\"log-item\">\n        <div class=\"log-dot ${l.isDone ? 'done' : 'undo'}\"><\/div>\n        <span style=\"flex:1\">${l.isDone ? 
'' : '[Hu\u1ef7] '}${labels[l.id]}<\/span>\n        <span class=\"log-time\">${l.time}<\/span>\n      <\/div>\n    `).join('');\n  }\n\n  function toggleCheck(id, event) {\n    const expand = event.target.closest('.check-expand');\n    if (expand) return;\n    const copyBtn = event.target.closest('.btn-copy');\n    if (copyBtn) return;\n\n    const card = document.getElementById('check-' + id);\n    state[id] = !state[id];\n\n    if (state[id]) {\n      card.classList.add('done');\n    } else {\n      card.classList.remove('done');\n    }\n\n    const detail = document.getElementById('detail-' + id);\n    const detailBtn = card.querySelector('.check-expand');\n    if (detail) detail.classList.add('open');\n    if (detailBtn) detailBtn.classList.add('open');\n\n    addLog(id, state[id]);\n    updateProgress();\n  }\n\n  function toggleDetail(detailId, btn, event) {\n    event.stopPropagation();\n    const detail = document.getElementById(detailId);\n    const isOpen = detail.classList.contains('open');\n    detail.classList.toggle('open', !isOpen);\n    btn.classList.toggle('open', !isOpen);\n  }\n\n  function copyPrompt(promptId, btn) {\n    var e = window.event;\n    if (e && e.stopPropagation) e.stopPropagation();\n    const text = document.getElementById(promptId).textContent;\n    navigator.clipboard.writeText(text).then(() => {\n      btn.textContent = '\u0110\u00e3 copy \u2713';\n      btn.classList.add('copied');\n      setTimeout(() => {\n        btn.textContent = 'Copy prompt';\n        btn.classList.remove('copied');\n      }, 2000);\n    });\n  }\n\n  function resetAll() {\n    if (!confirm('Reset to\u00e0n b\u1ed9 checklist?')) return;\n    Object.keys(labels).forEach(id => {\n      state[id] = false;\n      const card = document.getElementById('check-' + id);\n      if (card) card.classList.remove('done');\n    });\n    log.length = 0;\n    document.getElementById('log-list').innerHTML = '<div class=\"log-empty\">Ch\u01b0a c\u00f3 ho\u1ea1t 
\u0111\u1ed9ng n\u00e0o.<\/div>';\n    document.getElementById('done-banner').classList.remove('show');\n    updateProgress();\n  }\n\n  function bindIsolatedRootInteractions() {\n    var root = document.getElementById('dps-isolated-root');\n    if (!root) return;\n\n    root.addEventListener('click', function (event) {\n      var scrollTarget = event.target.closest('[data-scroll]');\n      if (scrollTarget) {\n        event.preventDefault();\n        var target = document.querySelector(scrollTarget.getAttribute('data-scroll'));\n        if (target) {\n          target.scrollIntoView({ behavior: 'smooth', block: 'start' });\n        }\n        return;\n      }\n\n      var openTarget = event.target.closest('[data-open]');\n      if (openTarget) {\n        event.preventDefault();\n        window.open(openTarget.getAttribute('data-open'), '_blank', 'noopener');\n      }\n    });\n\n    root.addEventListener('keydown', function (event) {\n      if (event.key === 'Enter') {\n        var enterTarget = event.target.closest('[role=\"button\"]');\n        if (enterTarget) {\n          event.preventDefault();\n          enterTarget.click();\n        }\n        return;\n      }\n\n      if (event.key === ' ') {\n        var spaceTarget = event.target.closest('[role=\"button\"]');\n        if (spaceTarget) {\n          event.preventDefault();\n          spaceTarget.click();\n        }\n      }\n    });\n  }\n\n  window.toggleCheck = toggleCheck;\n  window.toggleDetail = toggleDetail;\n  window.copyPrompt = copyPrompt;\n  window.resetAll = resetAll;\n\n  bindIsolatedRootInteractions();\n  updateProgress();\n<\/script>","protected":false},"excerpt":{"rendered":"<p>SEO \/ WordPress Security Tool C\u00e1ch qu\u00e9t m\u00e3 \u0111\u1ed9c WordPress v\u00e0 x\u1eed l\u00fd malware tri\u1ec7t \u0111\u1ec3 b\u1eb1ng AI Agent Khi m\u1ed9t website WordPress b\u1ecb nghi nhi\u1ec5m m\u00e3 \u0111\u1ed9c, v\u1ea5n \u0111\u1ec1 kh\u00f4ng ch\u1ec9 l\u00e0 x\u00f3a v\u00e0i file l\u1ea1. 
Malware th\u01b0\u1eddng n\u1eb1m r\u1ea3i r\u00e1c \u1edf source code, database, log m\u00e1y ch\u1ee7, cron job, user l\u1ea1 v\u00e0 c\u1ea3 [&hellip;]<\/p>","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"class_list":["post-38552","page","type-page","status-publish","hentry"],"acf":[],"rankmath_keywords":{"primary":"","secondary":[""]},"yoast_keywords":{"primary":"","secondary":[]},"yoast_focuskw":"","rankmath_focuskw":"","seo_keywords":{"primary":"","secondary":[""]},"_links":{"self":[{"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/pages\/38552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/comments?post=38552"}],"version-history":[{"count":8,"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/pages\/38552\/revisions"}],"predecessor-version":[{"id":38563,"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/pages\/38552\/revisions\/38563"}],"wp:attachment":[{"href":"https:\/\/dps.media\/en\/wp-json\/wp\/v2\/media?parent=38552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}