WordPress.org

Ready to get started?Download WordPress

Forums

Fixed Hacked WP site - Links still redirecting - PLZ HELP! (11 posts)

  1. shotbyadam
    Member
    Posted 2 years ago #

    This has been the bane of my existence for several weeks now.

    My WP site got hacked and a TON of Base64 code was installed, probably through an expired plugin. The code redirected visitors to my site to other site. Google flagged the site as distributing malware and I had to spend many hours on the phone with my hosting company to get it all cleared out. I re-uploaded my theme, cleaned the system thoroughly, and had the hosting team run a deep scan of the site and they have deemed it clean. I resubmitted the site to Google and they have now removed the flags from the site and put me back in the index. All seems fine, until I started noticing that any links I post to the site still redirect to other sites.

    If you MANUALLY put in the link in your browser, you arrive at my blog just fine, but if you CLICK on the link, like in Google or Facebook, you're redirected. I've checked every php file I can think of but there are just so many of them in WP. I just can't seem to figure out how this is happening.

    How can I fix this?

  2. shotbyadam
    Member
    Posted 2 years ago #

  3. shotbyadam
    Member
    Posted 2 years ago #

    Hmmm...interesting. If you click the link here, it's no problem. It takes you right to the site. If I post the link in Facebook or the link in Google redirects. Is this a cache problem with Facebook/Google?

  4. adpawl
    Member
    Posted 2 years ago #

    page still seems not be clean

  5. MickeyRoush
    Member
    Posted 2 years ago #

  6. dremeda
    Sucuri Wizard
    Posted 2 years ago #

    This is a conditional malware targeting specific referrers.

    1. Have you removed the WordPress core files and reinstalled? If you do this manually and remove all core files and directories to can remove WordPress core as a possibly infected variable.

    2. Rename your plugins directory temporarily and rescan with SiteCheck (The link above that MickeyRoush sent). If it comes up clean, the payload is likely in a plugin. If so, remove the plugin entirely, and reinstall fresh.

    3. If that doesn't work, remove theme, replace. Check all index files in any other theme you have installed.

    4. Check wp-uploads for any odd PHP files.

    What is happening is you're probably finding and cleaning the payload (the actual malware) but missing a backdoor that is allowing reinfection. The other likely scenario is you have something that's vulnerable in the environment which is allowing re-entry and reinfection.

    Make sure that ALL installations of WordPress and any other web app are UPDATED! Also ensure that you have all themes and plugins updated ASAP.

    If you're not using something like a plugin or theme, don't store it on the server. This goes for backups and any other file you're not using.

    This should help get you back on track.

    Best of luck!

  7. shotbyadam
    Member
    Posted 2 years ago #

    I have reinstalled the theme from scratch but I'm not sure what other files I can delete and then reinstall. I guess I just know enough about WP to get me into trouble. What files/folders should I delete via ftp and then reinstall? Should I reinstall the files via Simple Scripts (as used through my HostGator Cpanel)?

  8. perezbox
    Member
    Posted 2 years ago #

    @shotbyadam

    You still having issues here bud?

  9. shotbyadam
    Member
    Posted 2 years ago #

    I hired a service to clean up the site and they did a great job. All good now. Thanks!

  10. perezbox
    Member
    Posted 2 years ago #

    @shotbyadam outstanding! Good call.

    Thanks

  11. jacMadsen
    Member
    Posted 2 years ago #

    When we ran into this problem it was related specifically to our htaccess file. If you had to open your permissions to install additional functionality you may have forgotten to clamp them back down. This is where I would look if you have this problem in the future.

Topic Closed

This topic has been closed to new replies.

About this Topic