My WP website have been hacked 2 times, please help!

This should get you started. Lots of reading to do.

FAQ My site was hacked

Info on backups

https://codex.www.ads-software.com/WordPress_Backups
https://codex.www.ads-software.com/Backing_Up_Your_Database
https://codex.www.ads-software.com/Restoring_Your_Database_From_Backup

Info on recovery

https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://ottopress.com/2009/hacked-wordpress-backdoors/

Info on prevention

https://codex.www.ads-software.com/Hardening_WordPress

Hey Clayton,
wow really thank you for your reply and sure that would be very helpful for me to read lot’s of things about wp prevention.. I have lots of coffee and I’m ready ??

But please just one more thing and I need your help.. when my website hacked for the first time I have clean the host and the database, and I install the new fresh WP files.. I change my admin log in information and I make it very hard.. but the hacker hack my index file again and I don’t know why?? is it from the host that I’m using or from the WP theme that I’m using ?????

this is the source code from the Index page that have been hacked 2 times it may help you to get the answer: “it’s in Google docs sharing files.. please click to see the file”

https://docs.google.com/document/d/1wej1apPh6Istx36OnIw3XxhLKMJAU4DvPZ_GhbceF-A/edit

Contact your webshost. They have have a problem.

“Free Premium Themes” = site files infected.

I removed the malicious code manually. Do you stay in index.php and other important files from WordPress, themes and plugins folders.

However, it may be easier to start from scratch. Back up all files and database (I find it useful to use the Export tool). Delete everything from the server. Install WordPress, keep the default theme, import posts. So do not be left any php file infected. In any event reinstall the previous theme, find a trusted source.

I will try to contact my web host..
I deleted the infected index.php and I upload it again to the WP folder and now the site is working very well.. I have deleted all my files before and I start from the scratch but still hacked again ?? that’s why I don’t understand..

I think my google docs link have problem so I will just put small things from the source code of my index file that hacked..

`<html xmlns:v=”urn:schemas-microsoft-com:vml”
xmlns:o=”urn:schemas-microsoft-com:office:office”
xmlns:w=”urn:schemas-microsoft-com:office:word”

xmlns=”https://www.w3.org/TR/REC-html40″&gt;
<head>
<meta http-equiv=Content-Type content=”text/html; charset=windows-1256″>
<meta name=Generator content=”Dev-PHP 3.00 Alpha 4″
<meta name=Originator content=”Microsoft Word 11″>
<link rel=File-List href=”index1_fichiers/filelist.xml”>
<link rel=Edit-Time-Data href=”index1_fichiers/editdata.mso”>
<!–[if !mso]>’

and this too:

`<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]–>
<title>.:: Hacked By Almaystro Almaghribi ::.</title>
<!–[if gte mso 9]><xml>
<o:DocumentProperties>
<o:LastAuthor>Younes Lma</o:LastAuthor>’

so I don’t understand how he got to my index file may you help me from this codes I have send please..

If your index file is being written to, like as not, your account is compromised still.

I change my admin log in information and I make it very hard

Did you change the login info for your sevrer ID? Not just WP, but the one you use to FTP etc?

There are many the infected files. When another infected php is executed, it infects other again. I’ve been there. Will have to do a more thorough search.

@ipstenu, you right.. I will change my server ID
@ialima7, for now my site is working very well.. I just don’t know how my index file get infected 2 times.. but for now I’m reading more Info on prevention..

any way Really thank you very much all for your help.. I learned so much from this conversation ??

Your index file is being written to not via WP but becuase they have access to your server.

1) make a backup of WP DB and files.
2) Delete all your WP files except

wp-content/uploads
wp-config.php
.htaccsss

3) Change your FTP and SQL passwords.
4) Upload a fresh copy of WP and all your themes and your plugins.

@ipstenu, Thanks so much.. in fact I’m going to transfer my domain and all my files to another host because the server that am using is not good and to get support from them is hard.. so I will change to Bluehost ??

I notes that my index file have been hacked from the server..
I will do backup..
Thank you Ipstenu ??