Which CSS? Your theme’s? Just download a fresh copy of your theme to your local computer, then upload the CSS to Server.
Same goes for SimplePie, get a fresh WP download, extract the needed files and upload to server. Be sure to download the version you are running on your server. You can wholesale delete and replace wp-includes and wp-admin folders entirely, there’s nothing special about them unique to your installation.
css files under wp-admin. Example: wp-admin/css/nav-menus.php, wp-admin/css/ms-themes.php and so on …
Now only few files left:
wp-content/themes/index.php
wp-admin/css/nav-menus.php
wp-admin/css/ms-themes.php
wp-admin/css/my-sites.php
wp-admin/css/ms-users.php
wp-config.php
wp-content/w3tc-config/master-admin.php
wp-admin/css/ms-upgrade-network.php
wp-admin/css/network.php
wp-content/plugins/index.php
wp-content/uploads/wysija/themes/mailp/index.php
wp-content/index.php
wp-admin/css/ms-sites.php
Actually after replacing wp-admin only 6 files are left:
wp-content/themes/index.php
wp-config.php
wp-content/w3tc-config/master-admin.php
wp-content/plugins/index.php
wp-content/uploads/wysija/themes/mailp/index.php
wp-content/index.php
Can any of those files be replaced directly? I guess the wp-config needs more attention.
Right, wp-config.php is unique to your installation, though the unique portions should be able to be re-created starting with wp-config-sample.php and entering your DB connection parameters. You can create new keys and salts, the only side effect is any currently logged in users will need to log in again for their next page request, as will those that checked the Remember Me box – it won’t remember.
As for files you list in wp-config, they appear to be replaceable, but I couldn’t say with certainty. Download the current files and save as backups just in case.
I should mention that hackers are very clever at hiding back door code, it can be quite difficult to find such code. The only certain way to eliminate back doors is to completely wipe the server and restore from a known clean backup. Still, many people have successfully recovered from hacks without going to that extreme. Do what you feel you need to do, but keep this in mind. Good luck!
Thanks.The problemes are solved:
1) I removed W3 Total Cache. It sorted out the problems with config.php
2) Mailchimp extension was there without beeing seen among installed plugins. I just deleted the lib and installed it as a new plugin.
3) It was samed with mailpoet. I have never installed it. I deleted the wysia lib and installed mailpoet easy forms as a new plugin.
W3 Total Cache and mailpoet seems to have security vulnabilities.
Thanks once again.
You’re welcome! That’s good news.
FWIW, I really doubt the plugins you mention have vulnerabilities as downloaded from the repository. More likely the versions on your server were altered by the hack and had vulnerabilities (aka back doors) introduced.
