WebtrixPro — Smart Software. AI-Powered

Security Incident Report

abacolodge.com WordPress Compromise & TKG Satellite Site Scan

Active Compromise
Report Date
July 9, 2026
Prepared By
Webtrixpro Security Audit
Scope
18 Lodge & Brand Sites
Scan Method
External HTTP / Sitemap / Author Enum

Infected Sites

1

abacolodge.com

Clean Sites

17

All other satellite properties

Spam Articles

31

Tarot & numerology posts

Spam Traffic Impact

23%

Of site entries (client report)

Executive Summary

abacolodge.com is confirmed compromised. An unauthorized WordPress user (marcos, user ID 8) published at least 31 tarot/numerology spam articles since late 2024. The homepage and legitimate pages have gambling/casino links injected into navigation section titles. The site remains actively serving this content and is indexed in the sitemap.

A scan of 18 satellite lodge and brand sites found no comparable infections on other properties. However, abacolodge.com shares server IP 45.89.205.215 with bairslodge.com, piralodge.com, and thekautapengroup.com — all running the same WordPress stack (LiteSpeed, Elementor, AIOSEO, theme bairs) — so those sites should be audited and hardened proactively.

Important: Deleting spam posts alone will not resolve the issue. A backdoor likely remains on the server. Full remediation requires server access to scan files, patch the vulnerability, and rotate all credentials.

Confirmed Infection — abacolodge.com

1. Spam Blog Posts (31 URLs)

All published under /author/marcos/. The fake author profile was created October 5, 2023; spam publishing aligns with client report of activity since December 2024.

2. Homepage / Navigation Link Injection

Gambling and spam domains injected into section headings on the homepage:

Injected Link / Text
Affected Section
obrazovaniestr.ru
Why Choose Abaco Lodge
1win
Accommodations
hacksaw gaming
Rates
how to play craps
Specials
baccarat online
Fly Fishing In Bahamas
£5 deposit casino
More About Nervous Waters Lodges
лаки джет (Lucky Jet)
Gallery

3. Injected External URLs

4. Technical Footprint

CMS

WordPress 6.8.1

Server

LiteSpeed / PHP 8.2.30

Theme

bairs

Plugins

AIOSEO 4.9.7.2, Elementor 4.1.2

Unauthorized User

marcos (ID: 8)

Server IP

45.89.205.215

Shared Server — Same IP

45.89.205.215

abacolodge.combairslodge.compiralodge.comthekautapengroup.com

Spam URLs to Remove (31)

All URLs currently indexed in the sitemap. Delete these posts and request removal from Google Search Console.

Satellite Site Scan Results

Scanned July 9, 2026 — homepage keyword scan, sitemap analysis, and suspicious author enumeration.

SiteStatusNotes
abacolodge.cominfected31 spam posts, homepage gambling injections
bairslodge.comcleanmarcos author exists (legit staff); no spam in feed. Same server IP.
villamarialodge.comcleanFalse positive on "slots" (Wix JS internals)
piralodge.comcleanUser enumeration via REST API exposed — harden. Same server IP.
suindalodge.comclean
deltalodge.comclean
deltaecolodge.comclean
karandalodge.comcleanMarcos Newland is legitimate staff author
chimelodge.comclean
futalodge.comclean
mayazullodge.comclean
espiritusantobaylodge.comclean
behkaylodge.comclean
exumalodge.comclean
kautapen.comcleankautapenlodge.com unreachable
thekautapengroup.comcleanSame server IP as abacolodge
daviddenies.comclean
redstagpatagonia.comclean
nervouswaters.comclean

Risk Assessment

RiskSeverityDetail
SEO penalty / deindexinghigh23% of site entries are spam traffic per client analytics
Re-infection if backdoor not removedcriticalDeleting posts alone will not fix — attacker access likely persists
Cross-site spread via shared hostingmedium3 other sites on same IP and WordPress stack
Contact form data theftmediumBackdoor may exfiltrate form submissions
Malware / redirect escalationmediumCurrently spam — could escalate to malware distribution

Recommended Immediate Actions

  1. 1Take abacolodge.com offline or enable maintenance mode while cleaning
  2. 2Rotate all passwords — WordPress admin, SFTP, database, hosting panel
  3. 3Delete all 31 spam posts and the unauthorized marcos user (ID 8)
  4. 4Remove injected gambling links from homepage and compromised pages/widgets
  5. 5Scan for backdoors in wp-content/, theme files, mu-plugins, and uploads
  6. 6Update WordPress core, all plugins, and PHP to latest versions
  7. 7Install Wordfence or Sucuri and run a full security scan
  8. 8Disable XML-RPC if not needed; block REST API user enumeration
  9. 9Apply hardening to all 4 sites on shared server IP 45.89.205.215
  10. 10Purge LiteSpeed cache after cleanup
  11. 11Submit updated sitemap to Google Search Console; request removal of all 31 spam URLs
  12. 12Re-run satellite site scan to verify all properties remain clean