How One WordPress Plugin Wiped Out 18 of My Websites in a Single Day
By Carl Riedel — Builder of CARL, Recovering WordPress Survivor
It must've been around 2017 or early 2018. I had just moved from London to Szentkirály, Hungary. Life was good. My daughter was at university, and as part of her curriculum, she had to build a website. I, being the "internet marketer Dad," was more than proud when she asked if I could help.
I didn't think twice. I set up a cPanel account for her on my WHM server, installed WordPress, and gave her some pointers — how to install plugins, that sort of thing. Then I went back to fighting the Google algorithm and never gave it a second thought.
The Phone Call
About a month later, a client called from the UK. Her website was down.
I did a quick check, thinking it was probably some overnight update that had broken the CSS. I logged into the server and opened File Manager.
That's when I saw them. Dozens of tiny files in the root directory that I knew for certain didn't belong there.
You may be familiar with that sinking feeling in the pit of your stomach when you realize something horrible has happened. That's exactly how I felt right then. Instinctively, in that single moment, I knew this was no CSS update. I had been hacked.

The Cleanup
I purged the account immediately. Deleted everything — uninstalled WordPress, wiped the database, removed every file. Then I reinstalled WordPress and restored a backup from the week before. I was just about finished when an email arrived from my hosting provider.
A Cease and Desist order.
Turns out, I had 17 other WordPress sites on that same WHM server. Every single one of them had been hacked. And they had been silently sending spam emails at a rate so alarming that the registrar had noticed the bandwidth drain coming from my account.
Eighteen websites. Gone. In one day. From one plugin.
What I Did Next
I got so furious that I deleted every single account from WHM — I didn't even bother uninstalling WordPress first. Just gone. All of it.
Then I booked a flight to the Netherlands and took a two-week holiday.
Later, I found out what had caused it. My daughter had installed a carousel plugin for her university project. That plugin had a vulnerability. That vulnerability was the open door that took down an entire server.
One plugin. Installed by a student. On a university project. Eighteen professional websites destroyed.
Why I Built CARL
That day permanently changed how I think about websites. WordPress's entire model — install plugins, trust third-party developers, hope nothing conflicts or gets exploited — is a structural vulnerability. It isn't a question of if you get hacked. It's a question of when, and how much it costs you when it happens.
CARL generates static PHP files and writes them directly to your server. There is no WordPress runtime executing on every page load. There is no plugin ecosystem to exploit. There is no xmlrpc.php, no REST API endpoint, no login page being brute-forced at 3am.
When a visitor arrives at a CARL page, they get a file. That's it. A clean, fast, pre-built file with nothing to attack.
My daughter's carousel plugin can't touch it.
Ready to build a site that can't be taken down by a student's plugin?
