The Situation

The client operated a WordPress website that had been running without major updates for several years. The site was built on WordPress 4.9 with PHP 7.4 — both versions that had long passed their official end-of-life dates and no longer received security patches. The frontend was powered by WPBakery Page Builder, a legacy visual editor that had become increasingly difficult to maintain and was creating friction whenever the client needed to update content.

The situation became critical when a routine audit uncovered active malware embedded inside a third-party plugin — Popup Maker by Looking Forward Software Incorporated. The malicious code was obfuscated using Base64 encoding and injected an external script from a known malware domain (near.flyspecialling.com) into every page load, silently running in visitors’ browsers without their knowledge.

The site needed immediate attention on multiple fronts: security, performance, and long-term maintainability.

The Challenges

• Outdated core stack — WordPress 4.9 and PHP 7.4, both end-of-life, exposing the site to known vulnerabilities with no upstream fixes available
• Malware infection — obfuscated malicious JavaScript actively injecting external scripts into the site
• Legacy page builder — WPBakery Page Builder producing bloated, hard-to-edit markup that complicated both content updates and future development
• Deprecated PHP code — a critical library (lessc.inc.php used by the theme framework) contained multiple PHP 8.x incompatibilities that would cause fatal errors after the PHP upgrade
• Accumulated technical debt — unused plugins and themes still installed and active, expanding the attack surface unnecessarily

The Work

1. Malware Removal & Security Audit

The malicious plugin was identified, isolated, and removed. The obfuscated payload was fully decoded and analysed to understand its scope and confirm no other files had been compromised. Server access credentials (WordPress admin, FTP, database) were rotated as a precautionary measure.

2. PHP Upgrade — 7.4 → 8.3.29

Before upgrading the server environment, the theme’s LESS compiler library was audited for PHP 8.x compatibility. A series of breaking changes were identified and resolved:

• Removed deprecated curly-brace string offset syntax ($var{0} → $var[0])
• Fixed lowercase class instantiation (new exception, new stdclass) removed in PHP 8
• Replaced null flags in preg_match() calls with correct integer values
• Resolved multiple Undefined property warnings on stdClass objects by ensuring all properties are explicitly initialised
• Fixed TypeError crashes caused by null values being passed to array functions
• Patched cache handling in wp-less.php to guard against non-array data returned from the WordPress options table

3. WordPress Upgrade — 4.9 → 6.9.4 (current)

The core was brought fully up to date, along with all remaining active plugins and the theme itself. Compatibility was verified at each stage before proceeding.

4. Frontend Migration — WPBakery → Elementor

All existing pages were rebuilt using Elementor, replacing the legacy shortcode-heavy markup with a clean, standards-compliant structure. The visual result remained consistent with the original design while the underlying code became significantly leaner and easier to manage.

5. Environment Cleanup

Unused plugins and themes that had been left installed were fully removed, reducing the number of potential entry points for future attacks and improving overall site hygiene.

The Result

The client now operates on a fully supported, up-to-date technology stack. The malware has been eliminated and the codebase hardened against the class of vulnerabilities that allowed the infection in the first place.

From a day-to-day perspective, the client can update and manage their website content independently through Elementor’s visual interface — without requiring developer involvement for routine changes.

The site runs on PHP 8.3, WordPress 6.9, and a clean plugin set — all actively maintained and receiving security updates.

Technology Summary