Finally got hacked :( Oh no!!!

Hello

For Troubleshooting
You will need to use your FTP program to edit the file on your server.

1) Use your FTP program to login to your web server.
2) Navigate to your file, in the example, it’s the index.php.Open up index.php file.
3) Look for <?php at the very beginning of the file. Remove any empty space before <?php
4) The <?php which is the PHP opening tag should be at the very first line of the file within index.php
5) Look for any ?> sign at the end of the file, it there is any, you will need to remove any empty space after it.
6) If you cannot find any ?> sign at the end of the file, you will not need to do anything. Just to play safe, you can remove empty lines.
7) If your error points to functions.php, you can carry out the same procedure.

Also, I would suggest taking a complete backup of Source code & Database, and try to upgrade your WordPress & plugins to latest version.

Let me know if this helps.

Thanks.

Thanks very much @kartiks16

I’ll go in and make those changes you’ve suggested and report back.

@stephencottontail cheers mate. ??

Also, you can follow below link to harden your WordPress site.

https://codex.www.ads-software.com/Hardening_WordPress

Ok @kartiks16 I’ve checked what you suggested and index.php within the wp-content folder was clean:

<?php
// Silence is golden.
?>

But I have noticed a whole lot of .html files in there that I have never created, all looking pretty dubious, so I manually removed those.

There was no functions.php file either… Should I be looking in the root folders for index.php and functions.php and doing the check there also?

Yes, it seems that you need to check the files at root folders as well.

Later as suggested, if you feel that are many unwanted files, you need to upgrade to latest WordPress. Make sure before you upgrade, you take a complete backup of Source code and Database.

Thanks.

@kartiks16 thanks, I’ve checked the root files and they appear clean to me. I also have the latest wordpress already.

Are you able to access your Admin ?

try:
deactivating ALL (yes all) plugins temporarily to see if this resolves the problem (plugin functions can interfere). If this works, re-activate them individually (one-by-one) to find the problematic plugin(s).
– If you don’t have access to your Dashboard’s Plugins page, try manually resetting your plugins (no Dashboard access required). Here is another tutorial: https://www.wpbeginner.com/plugins/how-to-deactivate-all-plugins-when-not-able-to-access-wp-admin/

– If that resolves the issue, reactivate each one individually until you find the cause. Also remember to deactivate any plugins in the mu-plugins folder (if you have created such folder).

– switching to the unedited default Theme (Twenty Seventeen, etc.) for a moment using the WP dashboard to rule out any theme-specific issue (theme functions can interfere like plugins).

If you don’t have access to your Dashboard’s Appearance page, access your server via FTP/ SFTP , or a file manager in your hosting account’s control panel (consult your hosting provider’s documentation for specifics on these), navigate to /wp-content/themes/ and switch to the default theme by renaming your current theme’s folder by adding “-old” to the end of the folder name. Alternately, you can remove other themes except the default theme (Twenty Seventeen, etc.). That will force your site to use it.

Alternately, if you can install plugins, install Health Check. On the troubleshooting tab, you can click the button to disable all plugins and change the theme for you, while you’re still logged in, without affecting normal visitors to your site.

@bjwok

I also have the latest wordpress already.

If an attacker was able to compromise your website, they may have been able to add rogue code to your latest WordPress files. Best you back up your current fileset, remove all files from your site and upload a fresh set of WordPress files. That error will no doubt then disapear.

You then need to identify how this breach occurred. Likely sources are plugins and themes. Less likely source is a weakness in WordPress. There is also a change there is rogue code inserted into your database.

Can you list for us the plugins and themes you use. If it was because of an addon, it is important not to reuse *that* addon.

@kartiks16 this is my site with ALL plugins deactivated ?? https://www.bjwok.com

I’ll leave it this way until you see it, then I’ll try switching back to the default theme.

@te_taipo I’ll try that later (if the above ideas are not working) ??

• This reply was modified 6 years, 6 months ago by bjwok.

I’ve also noticed this code added to a lot of my posts:

<script type='text/javascript' src="https://pastebin.com/raw/xxxxxx"></script>

• This reply was modified 6 years, 6 months ago by Jan Dembowski. Reason: Redacted, don't post that again here

Hello,

If you check the Script SRC, it indicates that some malicious code has been entered to your WordPress Files.

So you can either scan your complete site and remove the code or as suggested, install the Fresh Copy of WordPress.

Let me know if this helps.

Thanks.

@kartiks16 Do you have a recommended scanning solution?

You can scan and clean out your files, or replace them with a new set, but whats most imperative is to figure out *how* an attacker was able to prepend code into your posts. Else even with a refeshed cleaned website, it could happen again.

Hello,

Wordfence does have some tool which scans the files.

https://www.wordfence.com/blog/2018/03/cleaning-a-hacked-website/

But I am not sure it is full proof scanning.

So last step of action would be fresh clean wordpress installation.

Thanks.

Thanks @te_taipo I will work on cleaning it up first then lock it all down (with your help if possible).

At this stage I re-installed 4.9.5 over the top using the “if you need to re-install” option and it has cleaned up some of the links from the header, but the footer still looks compromised