I recommend using the wordfence plugin and setting very restrictive rules for it.
Take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.
There still clean. I think it is kind of SQL injection.
Andrew Nevins
(@anevins)
WCLDN 2018 Contributor | Volunteer support
Clean doesn’t just mean removing the symptom of the hack such as a new user or advert, it means removing the backdoor the hacker left in and preventing your site from being compromised again.
Keep all plugins up to date and follow the article linked by Steve. Alternatively here’s our template answer for hacked installations:
You need to start working your way through these resources:
Additional Resources:
rening1964, I’m having the same issue. I manage many WP sites and it seems to only be affecting a particular theme. Do you mind telling me what theme you are using?
Hi folks, I did a bit of research on this and it appears there are a lot of hacked sites online that have this username on them. The sites seem to be using either “Newsmag” or “Newspaper” theme from Themeforest. You can do this research yourself by just searching for that username and then looking up which themes the sites are using. IMPORTANT NOTE: The sites you find will be infected, so do not do this on a computer you care about.
That’s what my research showed as well. I’m using Newsmag on a number of sites and those are the only sites that are getting hacked.
I find out that they use /wp-admin/admin-ajax.php to place the malware on my websites. This is the problem. The theme is newspaper.