Objective
Confirm whether the reported casino-spam compromise on aguiarinjurylawyers.com is real, using live read-only evidence.
Confirmed
- The sampled spam URL https://aguiarinjurylawyers.com/vegashero-overall-ratings-and-verification-process-analyzed/ returns HTTP 200 and carries the robots directive "follow, index".
- The Vegashero page has canonical self-reference, article section Personal Injury Attorneys, firm meta description, and Sam headshot OG image.
- WordPress REST confirms sampled spam slugs are published posts, not just cached HTML: IDs 72343, 72344, and 72349.
- Homepage page ID 10 is published and its raw REST content contains hidden div class so-news-block with data-batch 20260611_111416_rotation_aguiarinjur.
- Homepage page ID 10 raw content had 77 casino mentions and 2 vegashero mentions at verification time.
- REST search for casino returned X-WP-Total 60.
- A newer suspicious post, ID 73802, slug pinco-online-kazino-pinko-2026-t-hluk-sizlik-v-m-lumatlarin-muhafiz-si, is published with date and modified 2026-06-12T12:19:40 and 59 casino/kazino/Pinco markers.
- Author ID 8 resolves to Sam Aguiar / slug craig-aguiar / role administrator. This proves assignment to an admin author, but not necessarily that the human account logged in directly.
Corrections to earlier handoff
- Cloaking is not required to reproduce the homepage spam in this run. A normal browser-style user agent also received the hidden spam block.
- The issue is not only old January content; at least one suspicious post was published today, June 12, 2026.
Not yet done
- No containment or live writes were performed in this confirmation pass.
- SSH to the Flexible host timed out on port 2217, so filesystem, mu-plugin, plugin, cron, and wp-config inspection still needs a working origin access path.
- Search Console indexing/removal status was not checked in this pass.
Pickup prompt
Continue from confirmed compromise. First export a full suspicious-post inventory, then contain reversibly by drafting/noindexing spam posts and removing the injected homepage block after snapshotting evidence. Then inspect mu-plugins, wp-content plugin/theme modification times, WP-Cron, admin users, application passwords, and database options for persistence/backdoor indicators before declaring cleanup complete.
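
Added example (not part of the original handoff and not tooling from the site): a read-only way to build the suspicious-post inventory from WordPress REST post/page objects that have already been fetched, using the marker terms and the so-news-block class named above. The function names, the SAMPLE objects, their IDs and the EXAMPLE_BATCH value are constructed for illustration.

```python
import csv, io, re
from html.parser import HTMLParser

MARKERS = ("casino", "kazino", "pinco", "vegashero")  # terms named in this report
BLOCK_CLASS = "so-news-block"  # injected div class named in this report
FIELDS = ["id", "type", "status", "slug", "author", "modified", "marker_hits", "batches"]

class BlockFinder(HTMLParser):
    """Collect data-batch values from <div> tags that carry BLOCK_CLASS."""
    def __init__(self):
        super().__init__()
        self.batches = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div" and BLOCK_CLASS in (a.get("class") or "").split():
            self.batches.append(a.get("data-batch") or "(no data-batch)")

def scan_item(item):
    """Build one inventory row from a wp/v2 post or page object."""
    content = item.get("content", {})
    # content.raw is only present on authenticated context=edit reads.
    body = content.get("raw") or content.get("rendered") or ""
    text = " ".join([item.get("slug", ""), item.get("title", {}).get("rendered", ""), body])
    hits = sum(len(re.findall(re.escape(m), text, re.I)) for m in MARKERS)
    finder = BlockFinder()
    finder.feed(body)
    row = {k: item.get(k, "") for k in FIELDS[:6]}
    row.update(marker_hits=hits, batches=";".join(finder.batches))
    return row

def build_inventory(items, min_hits=1):
    """Keep items with marker hits or an injected block, newest modification first."""
    rows = [r for r in map(scan_item, items) if r["marker_hits"] >= min_hits or r["batches"]]
    return sorted(rows, key=lambda r: r["modified"], reverse=True)

def to_csv(rows):
    """Serialize inventory rows so they can be snapshotted as evidence."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

# Constructed sample objects (not data pulled from the site), shaped like wp/v2 responses.
SAMPLE = [
    {"id": 900000, "type": "page", "status": "publish", "slug": "home", "author": 1,
     "modified": "2026-01-05T09:00:00", "title": {"rendered": "Home"},
     "content": {"raw": '<p>Welcome</p><div class="so-news-block" data-batch="EXAMPLE_BATCH" '
                        'style="display:none"><a href="#">Casino bonus</a> casino</div>'}},
    {"id": 900001, "type": "post", "status": "publish", "slug": "example-kazino-review", "author": 8,
     "modified": "2026-06-12T12:00:00", "title": {"rendered": "Example Kazino"},
     "content": {"rendered": "<p>Pinco kazino PINCO</p>"}},
    {"id": 900002, "type": "post", "status": "publish", "slug": "what-to-do-after-a-crash", "author": 2,
     "modified": "2026-03-01T08:00:00", "title": {"rendered": "What to do after a crash"},
     "content": {"rendered": "<p>Call your insurer.</p>"}},
]

if __name__ == "__main__":
    print(to_csv(build_inventory(SAMPLE)))
```

Sorting by modified puts the most recent injections first, and the batches column groups items that share one injection run.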