Title: UseShots's Replies | WordPress.org

---

# UseShots


## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 172 total)


 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [How to remove this code](https://wordpress.org/support/topic/how-to-remove-this-code/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [7 years, 6 months ago](https://wordpress.org/support/topic/how-to-remove-this-code/#post-10879542)
 * Hello,
 * You still have a spammy link in the footer section of web pages:
 * `</footer><a href="hxxp://www.authenticflyersite[.]com/radko-gudas-jersey_c-503.html">Radko Gudas Womens Jersey</a>&nbsp;`
 * Most likely it’s in the footer.php of the theme.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [WordPress messed up](https://wordpress.org/support/topic/wordpress-messed-up/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [7 years, 6 months ago](https://wordpress.org/support/topic/wordpress-messed-up/#post-10879447)
 * Hello,
 * That’s indeed because of the security hole in the older versions of WP-GDPR-COMPLIANCE.
   Hackers used it to change the siteurl setting of WordPress.
 * Here you can find the details
    [https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html](https://blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-with-wp-gdpr-compliance-plugin-vulnerability.html)
   [https://blog.sucuri.net/2018/11/hackers-change-wordpress-siteurl-to-pastebin.html](https://blog.sucuri.net/2018/11/hackers-change-wordpress-siteurl-to-pastebin.html)
 * The first link has instructions on how to change the siteurl and what else you
   should check (e.g. fake admin users and changed default user role)
 * This article can also be helpful
    [https://codex.wordpress.org/Changing_The_Site_URL](https://codex.wordpress.org/Changing_The_Site_URL)
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
   
   In reply to: [[Wordfence Security - Firewall, Malware Scan, and Login Security] Wordfence Fail – Didn’t find malicious plugin](https://wordpress.org/support/topic/wordfence-fail-didnt-find-malicious-plugin/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [8 years, 3 months ago](https://wordpress.org/support/topic/wordfence-fail-didnt-find-malicious-plugin/#post-9958217)
 * Hello,
 * Logs show that hackers log into WordPress and install those two plugins. So changing
   WordPress passwords and checking for rogue users is a must.
 * Note, the plugins have code that makes them visible in the dashboard only when
   you provide a special parameter. So don’t rely on what you see in the dashboard –
   check wp-content/plugins directly on the server.
    -  This reply was modified 8 years, 3 months ago by [UseShots](https://wordpress.org/support/users/useshots/).
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Need help removing wp-about-4.2.php Malware file](https://wordpress.org/support/topic/need-help-removing-wp-about-42php-malware-file/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [10 years, 9 months ago](https://wordpress.org/support/topic/need-help-removing-wp-about-42php-malware-file/#post-6407285)
 * I saw this created by a fake plugin wordpress-admin-security
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [wp-admin page is white and blank](https://wordpress.org/support/topic/wp-admin-page-is-white-and-blank/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 1 month ago](https://wordpress.org/support/topic/wp-admin-page-is-white-and-blank/#post-5911865)
 * But it may also be in files. Scan them for
    `preg_replace("/.*/e"`
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
   
   In reply to: [[Sucuri Security - Auditing, Malware Scanner and Security Hardening] Failed logins with no wp-login.php page](https://wordpress.org/support/topic/failed-logins-with-no-wp-loginphp-page/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/failed-logins-with-no-wp-loginphp-page/#post-5754832)
 * [@fretless](https://wordpress.org/support/users/fretless/) I work with Yorman
   and just received your email.
 * A quick look at the logs proved Yorman’s initial guess – XML-RPC.
 * Here’s the log entry corresponding to the email alert that you posted here:
 * `182.189.34.25 - - [05/Feb/2015:06:36:01 -0600] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "-"`
 * Note the same IP address and the time (1 hour difference is probably the difference
   between the server time and your own time).
 * I can also see many XML-RPC requests from other IPs.
 * Such brute-force attacks are not new. We have an article about them
    [http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html](http://blog.sucuri.net/2014/07/new-brute-force-attacks-exploiting-xmlrpc-in-wordpress.html)
 * I hope it explains what’s going on.
 * Thanks
 * P.S. I forwarded your email to Yorman.
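
Added example, not part of the original reply and not Sucuri's tooling: a Python triage of combined-format access logs that counts POSTs to `/xmlrpc.php` per client IP, the pattern the reply above points to. Only the first sample line comes from the reply; the other lines are constructed, and the threshold and function names are assumptions.

```python
import re
from collections import Counter

# Common/combined log format: ip ident user [time] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def normalize(line):
    """Undo typographic quotes and dashes that forums and e-mail add to pasted logs."""
    for bad, good in (("\u201c", '"'), ("\u201d", '"'), ("\u2013", "-"), ("\u2014", "-")):
        line = line.replace(bad, good)
    return line.strip()

def xmlrpc_posts_by_ip(lines):
    """Count POSTs to xmlrpc.php per client IP, skipping lines that do not parse."""
    # XML-RPC reports a failed login as HTTP 200 with a fault in the body, so the
    # status code cannot separate failures from successes; volume per IP can.
    hits = Counter()
    for raw in lines:
        m = LINE_RE.match(normalize(raw))
        if not m:
            continue
        path = m["path"].split("?", 1)[0].lower()
        if m["method"] == "POST" and path.endswith("/xmlrpc.php"):
            hits[m["ip"]] += 1
    return hits

def suspects(lines, threshold=3):
    """IPs at or above threshold (assumed value, tune per site), busiest first."""
    return [(ip, n) for ip, n in xmlrpc_posts_by_ip(lines).most_common() if n >= threshold]

FMT = '%s - - [05/Feb/2015:06:36:%02d -0600] "%s %s HTTP/1.1" 200 403 "-" "-"'
SAMPLE_LOG = (
    # First line: the entry quoted in the reply, typographic characters included.
    ["182.189.34.25 \u2013 \u2013 [05/Feb/2015:06:36:01 -0600] "
     "\u201cPOST /xmlrpc.php HTTP/1.1\u201d 200 403 \u201c-\u201d \u201c-\u201c"]
    # Everything below is constructed, using documentation-range addresses.
    + [FMT % ("203.0.113.7", s, "POST", "/xmlrpc.php") for s in range(2, 6)]
    + [FMT % ("198.51.100.20", 7, "GET", "/xmlrpc.php"),
       FMT % ("198.51.100.20", 8, "POST", "/wp-login.php"),
       FMT % ("192.0.2.55", 9, "POST", "/xmlrpc.php?x=1"),
       "truncated or garbage line"]
)

if __name__ == "__main__":
    for ip, count in suspects(SAMPLE_LOG):
        print(f"{ip}\t{count} POSTs to xmlrpc.php")
```
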
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Parse error? And general trouble with plugins and the FTP](https://wordpress.org/support/topic/parse-error-and-general-trouble-with-plugins-and-the-ftp/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/parse-error-and-general-trouble-with-plugins-and-the-ftp/#post-5121437)
 * If you reinstall everything then nothing will be corrupted (at least until reinfection).
   
   You need to replace all WordPress core files (reinstalling WordPress will help
   here). Then reinstall themes and plugins. Now they are clean too.
 * What’s left is:
    -  Files in the wp-content/uploads (there are usually no PHP files there, unless
       plugins install them there – again addressed by plugin reinstallation)
    -  Some other directories in wp-content created by plugins (it depends :-/)
    -  wp-config.php – you need to clean this file manually. Or recreate it again.
 * Of course, if you had many custom PHP files and no backup for them, then restoring
   the site will be difficult.
 * P.S. By the way, there is an update [http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html](http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html)
   
   On some sites, the MailPoet plugin was the point of penetration. And it seems
   like it’s not the only vulnerable plugin.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Have I been hacked? Yes, no or maybe](https://wordpress.org/support/topic/have-i-been-hacked-yes-no-or-maybe/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/have-i-been-hacked-yes-no-or-maybe/page/2/#post-5108974)
 * The best way to remove malicious code when hundreds of files are infected is to
   replace them with clean files. Moreover, removing malware from a corrupted file
   (malware removes some legitimate code – hence errors) won’t make your site load.
 * That’s why we advise restoring the whole site from a backup – much faster and
   more accurate. And if you don’t have a backup then you can reinstall everything –
   WordPress sites rarely have really custom files that you can’t find anywhere
   else. So just reinstall WordPress, and then reinstall all themes and plugins.
 * Don’t forget to delete the rogue “no name” admin user.
 * P.S. And by the way, there is an update about that infection:
    [http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html](http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html)
 * At least one of the penetration vectors was a vulnerable MailPoet plugin
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Hack? Please help me, don't know what to do](https://wordpress.org/support/topic/hack-please-help-me-dont-know-what-to-do/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/hack-please-help-me-dont-know-what-to-do/#post-5117301)
 * Sucuri has an update about the MailPoet [http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html](http://blog.sucuri.net/2014/07/mailpoet-vulnerability-exploited-in-the-wild-breaking-thousands-of-wordpress-sites.html)
 * but I agree that it’s not the only penetration vector. I also saw infected sites
   that didn’t have MailPoet. Still investigating…
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Malign Code Injected Into ALL .php Files](https://wordpress.org/support/topic/malign-code-injected-into-all-php-files/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/malign-code-injected-into-all-php-files/#post-5117844)
 * Do you mean this [http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html](http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html)?
 * This buggy malware corrupts lots of PHP files. The only good way to recover a
   site is to restore it from a clean backup or reinstall WordPress and all themes
   and plugins. And by the way, it installs a rogue admin user that has no name –
   it should be deleted.
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [Virus PHP](https://wordpress.org/support/topic/virus-php/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/virus-php/#post-5123309)
 * Valentina, do you mean this issue [http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html](http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html)?
 *   Forum: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
   
   In reply to: [log in fatal error](https://wordpress.org/support/topic/log-in-fatal-error-1/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/log-in-fatal-error-1/#post-5121381)
 * Download files using FTP and inspect them, or use FileManager in the Control
   Panel, or contact your host, or hire someone to help you (for example, that Sucuri
   article has a link to their malware removal service).
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Hack? Please help me, don't know what to do](https://wordpress.org/support/topic/hack-please-help-me-dont-know-what-to-do/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/hack-please-help-me-dont-know-what-to-do/#post-5117264)
 * Yes, it’s widespread, and on many sites we saw that hackers checked for vulnerable
   plugins (e.g. MailPoet or WPTouch) before trying to access their backdoors or
   logging into web sites.
 * By the way, do all those sites share the same server account? If yes, one vulnerable
   site is enough to compromise all the sites.
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Hack? Please help me, don't know what to do](https://wordpress.org/support/topic/hack-please-help-me-dont-know-what-to-do/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/hack-please-help-me-dont-know-what-to-do/#post-5117248)
 * Many sites have been similarly hacked [http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html](http://blog.sucuri.net/2014/07/malware-infection-breaking-wordpress-sites.html)
 * I guess hackers use a vulnerability in some plugin to create that admin user.
 * By the way, do any of your blogs have open user registration?
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
   
   In reply to: [[BackWPup – WordPress Backup & Restore Plugin] URGENT – Parse error: syntax error, unexpected ')'](https://wordpress.org/support/topic/wordpress-parse-error-syntax-error-unexpected/)
 *  [UseShots](https://wordpress.org/support/users/useshots/)
 * (@useshots)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/wordpress-parse-error-syntax-error-unexpected/#post-5121835)
 * Just reinstall WordPress to restore core files. Then disable all plugins by renaming
   the wp-content/plugins directory. FTP is enough for that.
   At this point you should be able to log in to WordPress.
 * Check for the malicious admin user (it has no name) and delete it.
