Hey @wandernity,
I’m really sorry to hear that you’ve run into this; I know how frustrating it can be.
I’d like to suggest a few steps you can take yourself to clean and secure your website after a compromise:
1. Scan with Wordfence and use Wordfence to delete/replace any infected files. Scan with the “High sensitivity” scan type for best results.
NOTE: Before you delete any files, back them up just in case, and take note of when they were last modified. Write their filenames and timestamps down in a text file. This information can be used for tracing how they gained entry; for example, via access logs.
2. Make sure there are no administrator accounts on your site that you have not added yourself. If there are, access your database via phpMyAdmin and check the wp_users table. There, you can take note of exactly when the accounts were created. Add that information to your text file mentioned above. Then, delete the rogue admin accounts, or demote them to “subscriber” while you investigate so that they can’t do any further harm.
3. Change the passwords to your web hosting account, your database, and any remaining legitimate WordPress admin accounts immediately, if you haven’t already done so.
4. Have a look at the WordPress configuration file wp-config.php and your theme’s functions.php file. Inspect these manually to make sure that they look okay. If you are not sure what they should look like, try to find an old backup of the files or a fresh version from WordPress/your theme author to compare them to. Also inspect the .htaccess file in the root of your site to make sure it does not contain any malicious redirects.
5. Look over all your themes and plugins. Delete any themes and plugins that you are not using. Make sure all your plugins are up to date. Remove or replace any themes and plugins that are no longer being updated by their authors.
6. Check the WordPress upload directory to make sure there are no files there that look out of place.
7. Inspect your server’s access logs, which you can usually find in your cPanel or get from your web host. The access logs show every single request made on your site. If you look at the timestamp of infected files to detect when they were created, you may be able to match that up with particular requests in the access logs. If you can identify the first request in a cluster that appears to be involved when files on your site are edited, you may be able to figure out which request is the original culprit. Please note that there can be more than one access point once your site has been infected.
8. Keep an eye on your error logs. When infected files are removed, this can sometimes cause server errors. The error log can give you additional clues as to where infected pieces of code may be residing in your system.
9. You may want to talk to your web host and ask them if they can explain how your site was hacked. They have access to all server information and are thus able to see things that you can’t see yourself. For example, it does happen occasionally on shared hosting that a site on one account will infect a site on another account.
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
If you’re unable to resolve the issue by taking these steps, or the issue returns, I’d suggest getting with a professional hack repair service to clean the site and patch the point of entry.
Good luck.
Thanks,
Gerroald
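The correlation described in the NOTE under step 1 and in step 7, as an added example that is not part of the original reply: it takes the file timestamps you wrote down and lists the access-log requests made shortly before each one, oldest first. It assumes the Apache/Nginx "combined" log format; the log lines, file name, and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: "combined" access log format; adjust the pattern if your host differs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def requests_near(log_lines, file_times, window_seconds=120):
    """Map each noted file to the requests made within the window before
    (or at) its last-modified time, oldest first. The first entry is the
    start of the cluster and the first candidate to inspect."""
    window = timedelta(seconds=window_seconds)
    records = sorted(filter(None, map(parse_line, log_lines)),
                     key=lambda r: r["ts"])
    return {name: [r for r in records if mtime - window <= r["ts"] <= mtime]
            for name, mtime in file_times.items()}

# Constructed sample data (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2019:08:01:10 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2019:09:14:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [12/Mar/2019:09:14:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2019:09:15:30 +0000] "GET /about/ HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]
# Timestamps from your notes; use timezone-aware values matching the server.
NOTED_FILES = {
    "wp-content/uploads/cache.php":
        datetime(2019, 3, 12, 9, 15, 0, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, rows in requests_near(SAMPLE_LOG, NOTED_FILES).items():
        print(name)
        for r in rows:
            print("  ", r["ts"].isoformat(), r["ip"], r["method"], r["path"], r["status"])
```

Widen `window_seconds` if nothing matches, and confirm that the timestamps in your notes are in the same timezone as the log entries.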