Hi @killerog,
Unfortunately, from what you are describing, it sounds like your site access has been compromised and WPCode has been installed to add a malicious script on your site.
From all the cases we encountered before with this issue, the way the attackers get in is through compromised credentials, so I recommend that you immediately take these steps to resolve this issue:
– Immediately update passwords for all administrator accounts on your website; in all the cases we encountered so far, the attackers accessed the website with compromised credentials. Please make sure that you do not use the same username/password combination on other websites.
– Review the list of Administrator users and remove any users that you do not recognise – in some versions of this attack the snippet added creates a new administrator account.
– Use the WPCode Safe Mode to prevent the snippet from being executed by adding ?wpcode-safe-mode=1 to your wp-admin URL, for example: https://example.com/wp-admin?wpcode-safe-mode=1
– Once in safe mode, go to the Code Snippets menu and delete any snippets you do not recognise.
– If you did not use WPCode previously, go to wp-admin > Code Snippets > Settings > enable the option to delete all the plugin data, save and then from the Plugins page deactivate WPCode and delete the plugin. This will ensure that all the data added through WPCode is deleted.
I’m sorry you ran into this issue. Unfortunately, some bad actors are using WPCode once they get access to websites to add unwanted snippets, and we can’t prevent that since the attack happens before WPCode is installed.