Pages Containing Porn Added to Site, Discovered Via Google Analytics

You need to start working your way through these resources:

• https://codex.www.ads-software.com/FAQ_My_site_was_hacked
• https://www.ads-software.com/support/topic/268083#post-1065779
• https://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
• https://ottopress.com/2009/hacked-wordpress-backdoors/

Additional Resources:

• https://sitecheck.sucuri.net/scanner/
• https://www.unmaskparasites.com/
• https://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html

I’m sorry to hear that your site was damaged. You will want to work through the info from @tara. It is important to make sure the site is free of malware before you start deleting the spam posts.

Likely the posts were directly added to your database using a damaged file. The posts are probably in wp_posts, assuming your database is using the standard prefix. Depending on the number of posts, you can manually delete the spam or write a query to delete them.

Obviously, you will need access to your Database. If your broken cPanel issue will not be a quick fix, you could look at Adminer. It is a one page MySQL administrator that you add to the root directory.

Thank you both so much for the tips. CPanel was only down for a short time, and I started cleaning up malicious pages identified in Wordfence. It really takes a lot of time but I’m plugging away at it.

What’s causing it to take a while is that in some cases, it’s obvious that a malicious PHP file was added; it just has the base64() code at the top and that’s it. But before I did a bulk delete of these files from Wordfence, I started noticing that some necessary files had the base64() code added above code that is needed. So, I’m having to go through them individually and delete them.

I was also able to use PHPAdmin to fully delete the pages I mentioned; some of them still had their original post page in the DB, and I may have only deleted revisions before. I’ve also added blocking in .htaccess to prevent access from referring sites with the porn links.

Tara – thanks so much for the info. I look forward to going through those links this evening.

It may be faster (and I know it is better) to delete and reload new files. Unless you have modified the theme, plugins or WordPress core, deleting and loading new is the best solution.

The average WordPress site has about 4,000 files and folders, including plugins and themes. The average file contains 1,000 lines of code. That means the average WordPress installation may contain 4 million lines of code or more. It only takes one line of code to make a backdoor. And if you miss removing a backdoor your site can be easily hacked again.

When you delete the proper files in the WordPress core, you are eliminating the possibility of a non core file added by the hack. When you add new, obviously the files are malware free. Do not delete the wp-content directory or wp-config.php. I always make a backup of everything first.

This process should be used for themes and plugins too. This may seem like a lot of work but you can kill a tremendous amount of time looking for added files and added lines of code. And if you miss some malware, you will be doing all over again.

Thanks wslade!

It might give me a reason to convert this site to a child-theme. I had already gotten deep into customizing it before I started using child themes on other sites. In fact, I’m considering a new design/theme for it, so it could be good timing.