Hi @matk33, sorry to see you have a redirection on your site.
When something has created unwanted or malicious files or code, you may find our detailed site cleaning instructions and free Learning Center can help you find the cause and clear it yourself:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://wordfence.com/learn/
Make sure to fully back up your site before taking any action!
If your site was compromized in order to add the code/files, we’ll always recommend the passwords for your hosting control panel, FTP, other WordPress admin users, and database have all been changed. Also make sure WordPress, themes, and all of your plugins are fully up-to-date in case a known exploit on an unpatched vulnerability was used. Wordfence and other providers do have paid site cleaning services should you not be able to rectify the problem yourself, but this is by no means a requirement and I’m only mentioning it so you’re aware of all options.
I would recommend providing any suspicious file(s) you find to samples @ wordfence . com. If the source that caused it is packaged in a way Wordfence isn’t currently picking up during a full scan, our researchers can look into it and get back to you with a suitable course of action.
Make sure any database credentials or keys/salts are removed before sending anything to us.
Many thanks,
Peter.
Thread Starter
matk33
(@matk33)
Hi,
Finally found the problem. Plugin WPCode was installed by the hacker and a PHP snippet was run each time the website was loaded. PHP snippet was stored in wp_options under wpcode_snippets option name. The snippet was doing many thing, including hiding the WPCode plugin from the admin side…
Hope this can help someone else having similar issues.
Mat
