ProjectArmy

It’s hard to say how they were able to gain access to upload the file. Maybe WP core wasn’t up-to-date, maybe theme or plugin had a vulnerability that was exploited. Maybe the server wasn’t configured properly to allow someone to upload files. It’s hard to say.

You can try going through your access logs and see when was the first time this file was accessed. And then see what was accessed before that, maybe you’ll spot something.

But, I would scan entire server with Clamav to see if it catches anything. Especially, using some additional custom signatures found here:
https://github.com/extremeshok/clamav-unofficial-sigs

Very rarely will you have one infected file. I don’t think I’ve even seen an incident where only one file was infected. The hacker must’ve left some backdoors sprinkled around throughout all files. If you downloaded WP files to your computer, you can try scanning them with your antivirus. Some might catch something. But, even better, using Clamwin (Clamav for Win) to scan those files and see how many infected files you really had.

In majority of cases it’s WordPress that let’s them in, not the hosting/server. So it’s important to secure WordPress as much as possible:
https://codex.wordpress.org/Hardening_WordPress

And also have regular scans of all files on your server with Clamav. It’ll find those nasty buggers quickly if you do scans often, daily for example.

If you can share contents of the file in a pastebin, I can see if there are any existing signatures available that would detect it. Thanks.

^V

Hi Desiree,

For a quick fix, you can try this CSS snippet. You can either put it in your stylesheet or in the advance css box that’s part of the Customizer:

.rc-nav-standard .uk-navbar-nav>li.logo{
   background-size: contain;
}

This should make your logo visible in full.

If it still doesn’t work. Don’t remove that code. Come back and reply. I would like to see it in action, to help you fix it. If you need help figuring out how/where to add that CSS code, do let me know and I’ll try to walk you through this.

^V

When you click Publish on your drafted page, It will automatically go live on your website. When editing that page, it is normal to see Update instead of Publish. You cannot publish twice the page but you can update it multiple times. Do not worry, when you click update, all your changes will be saved on your page will be updated.

If you do not want to Publish you page, you have an option to save it as Draft first. All you have to do is Add New page, and within the upper right corner of Publish Box is a Save Draft button together with Preview button. Click that Save Draft button and your page will not be published yet you can see still the preview.

^P

It is true that loading multiple JavaScript files can slow down loading time of your page/pages. You can manually embed the Instagram posts on WordPress pages since embedding Instagram posts are now supported.

On your browser, locate the Instagram post that you want to include on your page. Copy the link on the browser’s address bar and paste it directly on the WordPress post. It will automatically generate a preview for you. Repeat this for the rest of the posts.

^P

Both Sucuri and Wordfence are good. So it depends on what your budget allows.

Wordfence will clean it up for $149 plus it gives you 1 year premium subscription to their plugin.

Sucuri will clean it up for $300/year, you’re paying for their platform not just clean up. Since it’s an annual subscription, they will monitor it and clean it up if it gets infected again.

^V

If you simply want to update your password, you can go to your profile page by clicking on “Howdy, Admin” in the top right corner. “Admin” is your username, so it might be different for you.

After you click on it, it will take you to
http://example.comwp-admin/profile.php

Scroll down until you see a button “Generate Password”. Click it, it will create a new password (save new password) and then click blue button at the bottom of the page “Update Profile”.

This will update your password. Make sure you save new password before hitting blue button to update it, you won’t see new password after that.

Also, keep in mind, clicking “Generate Password” button simply creates a new password but doesn’t change password in the database. You have to click “Update Profile” button to change password permanently.

^V

OK, it looks like you have a lot of infected files. You also have files that don’t belong in WordPress installation.

Make a backup of your entire site before doing anything. Keep in mind that we are not responsible for any issues that may come up as a result of following our advice.

My advice is based on assumption that you have a standard WordPress website, without any custom PHP files or anything like that. This helps me identify what files need to be deleted. I would recommend working through an FTP client, it’ll be the easiest way for you to complete my instructions. Follow them carefully. Read through everything first.

Let’s deal with deletions first. Here’s a list of files I would delete. They do not belong with a standard WordPress setup:

[HEX]pharma_redirector [29/03/17] /home/payrolle/public_html/roosters.php
[HEX]PHP_Backdoor [13/07/15] /home/payrolle/public_html/food.php
[HEX]php_post_spammer_2 [31/03/17] /home/payrolle/public_html/post.php
[HEX]pharma_redirector [29/03/17] /home/payrolle/public_html/spots.php
[HEX]pharma_redirector [29/03/17] /home/payrolle/public_html/sheltered.php
[STR]php_code_includer_1 [27/03/17] /home/payrolle/public_html/816d5d/htpvl/alopr/votys.txt
[STR]php_code_includer_1 [20/03/17] /home/payrolle/public_html/816d5d/htpvl/votys3.php
[STR]php_code_includer_1 [27/03/17] /home/payrolle/public_html/816d5d/htpvl/votys.php
[STR]php_code_includer_1 [27/03/17] /home/payrolle/public_html/816d5d/hmofr/alopr/votys.txt
[STR]php_code_includer_1 [20/03/17] /home/payrolle/public_html/816d5d/hmofr/votys3.php
[STR]php_code_includer_1 [27/03/17] /home/payrolle/public_html/816d5d/hmofr/votys.php
[HEX]pharma_redirector [29/03/17] /home/payrolle/public_html/subsidies.php
[HEX]pharma_redirector [29/03/17] /home/payrolle/public_html/undresses.php

Now, we need to make sure your WordPress core files are clean. So we will delete all your core files and replace them with a fresh set.

First, download the latest version of WordPress and unzip the file. So you have a folder with all the core files on your desktop.

Now, we need to delete all core files and folders, but make sure you DO NOT delete “wp-content” folder and “wp-config.php” file. We need them to stay. DO NOT DELETE THEM.

So the list of files and folders to delete:

/wp-includes/
/wp-admin/
index.php
license.txt
readme.html
wp-activate.php
wp-blog-header.php
wp-comments-post.php
wp-config-sample.php
wp-cron.php
wp-links-opml.php
wp-load.php
wp-login.php
wp-mail.php
wp-settings.php
wp-signup.php
wp-trackback.php
xmlrpc.php

After you delete these folders and files, you need to upload the same folders and files from your desktop folder. The ones that came inside zip file I’ve told you to download and unzip before. Do not upload “wp-content” folder. It’s already there, we did not delete it.

After you upload everything, you now have clean core files.

Next step is to delete all inactive theme folders. It appears that you have multiple themes inside “themes” folder. I don’t know what theme is active. Identify your theme that’s currently being used by your website, do not delete it. Delete all other themes. Do not save any of them for later use. Delete all inactive themes.

The last step is to clean up infected plugins. Go inside “plugins” folder, and delete the following plugin folders:

/who-hit-the-page-hit-counter/
/jetpack/
/wordpress-seo/

You can re-add them later through wp-admin, or you can manually download zip files, unzip them, and upload them inside your plugins folder. All your settings in database should be preserved.

After you finish everything, ask SiteGround to scan your website again. If your active theme was infected, it will most likely popup again as infected in the scan. If it happens, provide the new list of infected files here. And if possible, use https://pastebin.com/ to share contents of each infected file. Hopefully we can remove malicious code from infected files.

Very important to remember, SiteGround’s scan is not 100% accurate. No antivirus scan is. It is possible for other files to be infected that scan did not pick up. Without going through each file, there’s no way of identifying them. So if re-infection happens, most likely there will be files that avoided detection by the scan.

Good luck.

^V