We need a senior WordPress and Linux admin to bring our site back online and harden it for reliability. The host says the server is fine. The problems are within WordPress code, core integrity, and possible reinfection. Current errors to resolve Repeated “Constant … already defined” notices in wp-config.php for DB_*, AUTH_KEY, SALT keys, WP_DEBUG, WFWAF_ENABLED Fatal error: Cannot declare class WP_Metadata_Lazyloader in wp-includes/class-wp-metadata-lazyloader.php Fatal error: Class "WP_Translation_Controller" not found in wp-includes/l10n.php Prior logs show malicious injections such as image#404.php and logo_mini.png#c.php and widespread warnings from core files at line 1, consistent with header-level injections Site has gone offline repeatedly after short-term fixes Environment HestiaCP on VPS WordPress site folder Prior malware quarantines and intermittent restores Backups available on server for October 2024 and possibly others Required scope of work Immediate recovery Put the site back online without notices and fatals Fix duplicated constants in wp-config.php by consolidating to a single, clean set of definitions and SALTs Align PHP version and WP version compatibility and clear OPCache if enabled Malware and integrity cleanup Full recursive scan for malware and backdoors in webroot, wp-content, uploads, mu-plugins, wp-includes, and theme folders Diff and restore all WordPress core files from the exact matching version to remove altered core files Remove any .php in uploads or image files with trailing #c.php patterns or similar polyglot payloads Clean theme and plugin folders. Remove abandoned plugins. Update all active ones to current safe versions Verify wp-includes and wp-admin hashes. Replace if modified Hardening Correct ownership and permissions to 755 dirs and 644 files Rotate all credentials: Hestia, SFTP, SSH, database, WordPress admins, application salts Install and configure a security plugin and set up firewall rules at the server level if available Disable direct file edit in wp-config.php, restrict XML-RPC if not required, implement rate limiting, and set upload MIME checks Set up scheduled malware scans and alerts Stability and prevention Implement a reliable backup policy with daily incrementals and 14 to 30 day retention Create a staging clone for safe updates Provide a short operator runbook for our team with the exact restore and rollback steps Deliverables and success criteria Site loads publicly without warnings or fatal errors Clean wp-config.php with a single set of constants and fresh salts Verified clean core, themes, and plugins with scan logs provided Written hardening summary and a simple 1-page handover including what changed, where, and how to maintain Access you will receive HestiaCP and SFTP SSH with a temporary user and key WordPress admin (after initial cleanup) Ideal freelancer 5+ years WordPress security and incident response Proven history fixing core file injections and reinfection loops Comfortable on Debian/Ubuntu servers, Hestia or similar panels Can start immediately and work to completion with minimal supervision