Hi, thegraphicscompany, & welcome. Firstly, I’m really sorry this is happening. Won’t you please provide us w/your site url so we can have a look? Also, please let us know if the below did or did not prove helpful.
A resource you can go to is:
http://codex.wordpress.org/FAQ_My_site_was_hacked
I’ll give some personal guidance as well.
When dealing w/a site compromise, the objectives are twofold:
1) Fix the site; &
2) Fix backdoors that the hacker used to gain entrance into your site, so this hopefully will not happen again.
Most people place great emphasis on objective #1, but, in truth, the 2nd one is actually the most important, as, without it, your site will continue to be reinfected.
Here are the steps to take.
First, notify your host, as this might be a serverside hack as opposed to simply a site compromise. Also, if you’re on shared hosting, the hack has the potential to compromise the entire server. Additionally, you may wish to take the site offline, & your host can help you do this. They might not help you–then again, they might. You won’t know unless you notify them. If they say it’s not their responsibility, (& it really may not be), then please continue reading.
Second, scan any devices you will use to log onto your website for malware. It does no good to change credentials, etc., which you will need to do, if malware phones them home to their command & control center. It’s actually better to do more than 1 scan, each using a different program, as no single malware scanner can detect everything.
Third, secure your network. Definitively use secure FTP as opposed to regular FTP. The port used for secure FTP varies from host to host. Many use port 22, some 2222, while others use different ports altogether. Check their knowledge base or call their support. You can ask this question when you notify them of the compromise in the first step.
Never log onto your site using a public hotspot, such as those in hotels, cafes, etc. Make sure you’ve changed the default password, Ssid, (&, if applicable) the username on your router/modem. If you don’t use wireless, turn it off in your router’s options.
All these steps are required to ensure that no one can snoop your credentials, etc.
Now that the device you’ll use to fix your site, as well as your network, is secure, it’s time to direct your attention to actually fixing your site.
Next, please log into your website control panel from a secure connection and change all passwords, including those to any databases you may have set up. This includes your control panel/FTP credentials & your WordPress database.
Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /.
Please also back up your database as well. The article at
http://codex.wordpress.org/Backing_Up_Your_Database
shows you how to do that, in case you need it.
The section regarding phpMyadmin is likely the most relevant to your case. It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:
[ Moderator note: code fixed. Please wrap code in the backtick character or use the code button. ]
<script>;
<? php;
base64;
Also be advised that sometimes supposed image filess can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.
If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then complete reinstall WordPress, as well as any plugins or themes you were using.
Please also post your .htaccess file here for examination so we can make certain no backdoor code exists there.
In summary, here are the steps:
1) Back up your WordPress files, including core, themes, & plugins;
2) Back up your database using PhpMyadmin;
3) Look through the database to insure there is no evidence of the hack;
4) Search the uploads folders for image files that contain code;
5) Post your .htaccess file here so we can look at it as well.
6) Please do not attempt to post the entire database here, but if you find content w/the words I suggested above, then post that so we can look at it as well. WARNING!!! PLEASE make certain not to post any identifying data, such as usernames, passwords, etc. to this or any public forum!!!!
Please keep in touch, & let us know how this goes.
