Removing a user won’t clear up a hacked site, sorry.
You need to find the source.
Could you please post a list of the plugins you are using here?
(Or better, you could share a screenshot, using any photo-sharing service you feel comfortable with – for example, imgur.com).
Also indicate which version of WordPress core you are using.
Thanks for your response. The site returns clean when scanned with a traditional malware scan like Wordfence. Did an online scan at Sucuri as well. I know there are trickier ways for these sorts of things to conceal themselves. I’m willing to dig if someone can point me in the right direction.
Thank you kindly
WordPress 5.3.2
These are the plugins I’m running
https://ibb.co/KwfWYQ8
https://ibb.co/bL5nkBs
https://ibb.co/QPtDwtM
https://ibb.co/q7v5yGM
Samples of the bogus posts
https://ibb.co/MZ6TwXQ
So… 🙂
Under your /wp-admin/ -> Settings -> General, please check whether “Anyone can register” is ticked under membership.
Please also check the “New user default role”. What is it set as?
You have quite a lot of plugins there.
Are all of them critical to your site?
If they aren’t, you may want to consider disabling them.
Then you may want to check your server logs for the times these posts were posted, in order to try to identify which method was used to add them (so, if they were added by a user, or if they were added via the REST API and if there is any indication as to whether a specific plugin was used to add them).
Carike… thanks for the thoughtful reply. The box is not checked and the role is set to subscriber.
We’ll be working on decreasing the number of plugins shortly. I’m trying to get a handle on what they need and don’t need.
As for the log files… I see items like this. This is just one example, but they all look similar. In sample 3 I see something clearly related to the GTranslate plugin.
Honestly, the error log is littered with this type of stuff. What is this, and how is it getting through into my site?
Thank you for your help, this is a bit over my head.
40.77.167.180 [04/Apr/2020:14:22:22 +0000] GET “/why-is-italys-coronavirus-fatality-rate-so-high/” HTTP/1.0 404 “-” “Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)” “-
207.46.13.8 [04/Apr/2020:14:49:28 +0000] GET “/new-york-stock-exchange-to-temporarily-close-its-trading-floor-over-the-coronavirus/” HTTP/1.0 404 “-” “Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
51.178.161.74 [04/Apr/2020:18:54:11 +0000] GET “/indias-poor-testing-rate-may-have-masked-coronavirus-cases/” HTTP/1.0 404 “-” “GTranslate-Translation-Proxy” “-
66.249.73.193 [04/Apr/2020:22:44:59 +0000] GET “/afghanistan-peace-deal-hits-snag-over-taliban-prisoner-release/” HTTP/1.0 404 “-” “Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)” “-
Contact your web host immediately. They should be able to help you track this down. You should really re-install WordPress from scratch. Try to double check anything you have to keep (image folders, theme folders, functions.php in your theme…) I’d recommend re-installing plugins from scratch. This can be difficult to deal with.
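The log check suggested earlier in the thread, as an added example that is not part of the original posts: it parses lines in the layout of the samples posted here and lists successful write requests to the standard WordPress entry points (REST API, XML-RPC, admin editor, admin-ajax) within a few minutes of a bogus post's publication time. The sample lines, IP addresses and publication time are constructed.

```python
import re
from datetime import datetime, timedelta

# Layout of the log lines posted in the thread (straight or curly quotes):
#   IP [time] METHOD "path" PROTO status "referer" "user-agent" ...
QUOTES = '"\u201c\u201d'
LINE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] (?P<method>[A-Z]+) '
    rf'[{QUOTES}](?P<path>[^{QUOTES}]*)[{QUOTES}] \S+ (?P<status>\d{{3}})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Standard WordPress entry points through which posts can be created.
WRITE_PATHS = {
    "/wp-json/": "REST API",
    "/xmlrpc.php": "XML-RPC",
    "/wp-admin/post.php": "admin editor (logged-in user)",
    "/wp-admin/admin-ajax.php": "admin-ajax (often a plugin handler)",
}

def writes_near(lines, published, window_minutes=5):
    """List successful write requests within the window around `published`."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] not in ("POST", "PUT", "PATCH"):
            continue
        channel = next((label for prefix, label in WRITE_PATHS.items()
                        if m["path"].startswith(prefix)), None)
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        # Keep 2xx/3xx only; 4xx/5xx requests did not complete.
        if channel and m["status"][0] in "23" and abs(ts - published) <= window:
            hits.append((m["ip"], ts.isoformat(), m["path"], channel))
    return hits

# Constructed sample lines (documentation IP ranges), not from the site's logs.
SAMPLE = [
    '192.0.2.10 [04/Apr/2020:14:20:58 +0000] POST "/wp-json/wp/v2/posts" HTTP/1.0 201 "-" "curl/7.68.0"',
    '198.51.100.7 [04/Apr/2020:14:22:22 +0000] GET "/some-post/" HTTP/1.0 404 "-" "bingbot/2.0"',
    '192.0.2.10 [04/Apr/2020:14:21:30 +0000] POST "/xmlrpc.php" HTTP/1.0 403 "-" "-"',
    '203.0.113.5 [04/Apr/2020:09:00:00 +0000] POST "/wp-admin/post.php" HTTP/1.0 302 "-" "-"',
    '203.0.113.9 [04/Apr/2020:14:19:10 +0000] POST \u201c/wp-admin/admin-ajax.php\u201d HTTP/1.0 200 \u201c-\u201d',
]
# Assumed publication time of one bogus post (read it from the post's date in wp-admin).
PUBLISHED = datetime.strptime("04/Apr/2020:14:21:00 +0000", TS_FORMAT)

if __name__ == "__main__":
    print(*writes_near(SAMPLE, PUBLISHED), sep="\n")
```

A hit is a lead to follow up with the host, not proof of how the post was created; GET requests answered with 404, like the crawler lines above, never appear in the result.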