I guess the malicious code in the header starts with a PHP declaration:
<?php
Then you will probably see something like this: #336698, followed by a JavaScript call and a lot of encoded characters. Delete everything.
THEN you will probably find malicious code at the top of your .htaccess, starting and ending with something like this: #336698. Delete everything.
Further action:
Change the passwords for your control panel and your database user (make them STRONG) and of course for your admin account. Generate a new salt code and change it in wp-config.
Then you will probably find a lot of php.ini files in almost every folder. Delete them. You will also find php_errorlog files scattered around. Delete them.
Then you must re-download WordPress and your theme and your plugins. Start with your theme. Delete every file and upload fresh files. Do the same with WordPress, but be sure that you don’t delete your wp-config. Then do the same with plugins. Deactivate, delete, re-upload and activate.
Open your wp-config and compare it with the sample wp-config. Any BIG differences? Be sure that no malicious code is left.
Delete ALL .TXT files, readme.html and license files. (They provide hackers with detailed information about the versions of your WordPress and plugins, so they can use known vulnerabilities in order to destroy your site.)
THEN you should add some serious htaccess-rules. Read more here:
http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
OR you could install some security plugins like BulletProof Security or Wordfence. Go for the pro versions; they will not cost you anything compared to the time and hassle spent on cleaning your site.
With all these tasks accomplished, everything might be fine. For the future: Be SURE that you ALWAYS have the latest WP running and that you ALWAYS have the latest versions of plugins. When an update is ready, you should install it immediately.
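The triage steps in the post above (find the `#336698`-wrapped blocks in PHP files and .htaccess, find the stray php.ini and php_errorlog files, strip the injected blocks) as an added shell example that is not part of the original post or of WordPress itself. The marker string is taken from the post; the directory layout, the injected lines and every file the script writes are constructed sample data, and the function names are this example's own:

```shell
#!/bin/sh
# Added example, not code from the forum post: triage helpers for the symptoms
# the post describes. The "#336698" marker comment comes from the post; the
# directory layout and every file written below are constructed sample data.
set -eu

MARKER='#336698'

# Build a throwaway WordPress-like tree carrying the described infections.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/wp-content/themes/sample" "$t/wp-content/plugins/sample" "$t/wp-includes"
    # Injected PHP block at the top of the theme header, wrapped in the marker.
    printf '%s\n' '<?php' "$MARKER" 'eval(base64_decode("c2FtcGxl"));' "$MARKER" '?>' \
        '<!DOCTYPE html>' '<html>' > "$t/wp-content/themes/sample/header.php"
    # Injected redirect rules at the top of .htaccess, wrapped the same way.
    printf '%s\n' "$MARKER" 'RewriteEngine On' \
        'RewriteRule .* http://example.invalid/ [R,L]' "$MARKER" \
        '# BEGIN WordPress' 'RewriteEngine On' '# END WordPress' > "$t/.htaccess"
    # Stray php.ini and php_errorlog files scattered through the tree.
    printf 'disable_functions =\n' > "$t/wp-content/plugins/sample/php.ini"
    printf 'disable_functions =\n' > "$t/wp-includes/php.ini"
    : > "$t/wp-content/php_errorlog"
    # One clean file for contrast.
    printf '<?php\n// clean plugin file\n' > "$t/wp-content/plugins/sample/sample.php"
    printf '%s\n' "$t"
}

# List every .php and .htaccess file under the root that contains the marker.
find_marked_files() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' \) \
        -exec grep -l -F "$MARKER" {} + | sort
}

# List php.ini and php_errorlog files; a stock WordPress tree ships neither.
find_stray_files() {
    find "$1" -type f \( -name 'php.ini' -o -name 'php_errorlog' \) | sort
}

# Count marker lines in one file. An intact injected block has two (open and
# close); an odd count means a block was only partly removed.
marker_count() {
    grep -c -F "$MARKER" "$1" || true
}

# Write the file to stdout with every marker-delimited block removed. The
# "<?php" / "?>" lines around a removed block are kept for manual review.
strip_marked_blocks() {
    awk -v m="$MARKER" '
        index($0, m) { inblock = !inblock; next }
        !inblock { print }
    ' "$1"
}

# Demonstration run on the constructed tree.
demo() {
    root=$(make_sample_tree)
    echo "Files carrying the marker:"; find_marked_files "$root"
    echo "Stray files to delete:";     find_stray_files "$root"
    echo "Cleaned header.php:";        strip_marked_blocks "$root/wp-content/themes/sample/header.php"
    rm -rf "$root"
}
demo
```

Run it against a real install by calling the three find/strip functions with the document root instead of the constructed tree, and treat the stripped output as a review aid rather than a finished clean-up: the post's advice to replace core, theme and plugin files with fresh copies still applies, because a marker search only finds the one injection pattern you already know about.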
Moderator
Jan Dembowski
(@jdembowski)
Forum Moderator and Brute Squad
Delete ALL .TXT files, readme.html and license files. (They provide hackers with detailed information about the versions of your WordPress and plugins, so they can use known vulnerabilities in order to destroy your site.)
That can’t hurt but it won’t help. Weaknesses are probed regardless of the existence of those readme.txt or html files so if the exploitable code is there then performing those actions will be meaningless.
It’s like when people attempt to remove the version numbers on their WordPress installation. That’s the same as covering your eyes and saying the bad guys can’t see you. 😉
If you want to harden your WordPress installation then give this a good read.
http://codex.wordpress.org/Hardening_WordPress
For delousing your installation when you’ve been hacked give the usual reading material a look.
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Additional Resources:
http://sitecheck.sucuri.net/scanner/
http://www.unmaskparasites.com/
http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html
http://www.studiopress.com/tips/wordpress-site-security.htm
Sure, I only told it an easier way. I did as I mentioned, and I got rid of the infections.
And I will never again hesitate to upgrade.