The Hack Repair Guy

Hi,
If your web host has no backups then someone will need to log in and manually remove or replace all of the hacked pages and any lingering back door scripts.

Sadly, in this case, it sounds like you’ll need a professional who has a lot of experience in clearing malware and working with WordPress. There is no easy way to do this respectively.

Hi,
Sadly this indicates a back door script remains hiding within your website. Someone will need to log in via FTP and review “every” file on your website for hidden code or scripting.

I would start by installing the “Timthumb Vulnerability Scanner” plugin. This plugin may help in locating some compromised files as well.

Likewise, be sure to delete all inactive plugins and themes if you have any remaining.

Any coincidences, like the same plugin installed in each?

Same theme installed in each?

It seems unlikely it’s a WP core file issue, and more likely something you’ve similarly installed in all of your sites being compromised.

Hi,
The file is not terribly helpful. The hack you are referring too could involve the changing of many files or even entries in your database. You’ll need to have someone physically log in and review to correct the situation.

Back door scripts have likely been installed as well, so just removing the hacker code from your files and/or db may not solve the real problem (hidden script which may be used to re-hack your site in future).

Hi,
As you mentioned it’s most likely the hacker installed a back door script and you’ll need to locate and remove it to prevent re-hacking.

Likewise, some of my clients have had luck with the timthumb vulnerability scanner plugin. Try that to see if it locates anything unusual (is sort of a poor mans hack scanner). If after running the plugin it comes up clean just remove that plugin.

Hi,
You manage to get control of this one now?

Hi, yes sadly it’s very rare for hackers to not leave back door scripts in place, so you literally need to have every file reviewed.

Base64 code is just a symptom. The actual “virus” is a hidden file within your site, or some other means of entry. Have you made sure to change your FTP password, dashboard password, etc?

Hi,
It’s possible you misunderstand how these securtiy plugins work. Plugins like Better WP Security, Bulletproof Security (which I’m a bigger fan of) are helper plugins at best. If your FTP password is stolen somehow no plugin can prevent hacker from simply uploading their hacks. So putting all your trust into plugins being a firewall against hackers is like buying a steel front door for your home then believing that will stop a burglar even though you often leave your windows unlocked at night.

That said, it’s morel likely hacker hacked your website through some other means, like a stolen admin user/pass or FTP user/pass, or even another plugin.

As far as I’m aware, and I live in the WP hack repair business 24/7, this plugin is just fine and while I don’t generally promote it I’m not aware of any other person stating this plugin was used to hack their site. IMHO that’s very unlikely.

Links in a text widget though tend to indicate your dashboard admin user/pass was compromised. Recommend checking your account and verifying have just the one admin level account set up, and update your passwords respectively.

Of course, once hacker has your dashboard login, they can edit or delete any file on your website. Editing a security plugin file would be something I would do if I was a hacker (to poke fun at so called security plugins)…