Really hoping someone can help me out with a WordPress installation that has recently been hacked and classified as malware through Google.
Upon visiting the site the user is redirected to a .ru website - This redirect seems to change based on what link you click in the nav but every link on the site redirects.
I've had an extensive read over many articles and actioned many things.
1. I have checked through the theme files and removed any suspicious code
2. Used a php tool to find base64_decode and removed it from 15 pages
3. Removed redirected that were hacked into the .htaccess file
4. Reuploaded clean wordpress core files
5. Disabled all plugins and custom theme, enabled clean default theme
6. Removed all but the default user account
7. Checked the database
As this is a client site, I have temporarily pointed their domain to another page and informed google who have cleared the malware warning. I'm not working on the site at http://22.214.171.124/~easyncom/ and can't seem to shake the problem.
Is there anywhere else I should be looking?