• A friend hasn’t updated their wordpress site, it was hacked and every post points to a malware site.
    I got in to the admin area. updated everything I could and removed plugins that can’t be updated.
    Installed wordfence.
    Wordfence ‘says’: Post contains a suspected malware URL: [post name]
    Bad url: https://MalwareSite.life/scripts.js

    And there are hundreds of these infected posts.

    How do I fix them for him?

    Thanks in advance.
    Steve

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Hey there,

    If you have database access please download .sql file locally and edit, perform find and replace method. once you finished with that, please again download a fresh copy of database and save some where as backup. After that create new database and import .sql file. once done in wp-config setting change database name. Once done please follow the recommended security measures. hope this helps

    @webtrackstudio

    Doing find and replace on an SQL file is very dangerous. It doesn’t take in account serialized data, which WordPress heavily uses. More on it here.

    You need to use a search/replace script or plugin that will re-serialize replaced data. Otherwise your database will be scrambled and you will lose data.

    I recommend using this script:
    https://interconnectit.com/products/search-and-replace-for-wordpress-databases/

    @popeye1

    Now, about cleaning stuff up. If posts are redirecting to malware site, then most likely it’s a file(s) that’s infected. Here are some steps to try to narrow down the source of infection.

    Side note: If you haven’t replaced all core files yet, please do so. Delete “wp-includes” and “wp-admin” directories, and upload a fresh set. You should also delete all “wp-…php” files in the root directory, making sure wp-config.php is not deleted.

    Make sure to backup your site and database before proceeding.

    1. First we check your theme files. Simply install a theme from www.ads-software.com repository, any theme will do. And activate it. This will be temporary. After you activate, clear any caches you might have and check your posts. If you’re being redirected to malware site, your theme most likely is clean. Re-activate your original theme.

    If the theme is the source of infection, I would recommend downloading a fresh copy of the theme, deleting infected theme files completely, and uploading a fresh copy.

    2. Now check plugins. Deactivate all plugins, either inside WP admin or by renaming plugins directory to something else. Once they’re all deactivated, check posts again. If redirection is gone, then one of the plugins might be infected.

    Now, begin activating plugins one by one, checking posts for redirection. Once malware redirection is back you’ll know exactly what plugin is infected. Delete the files, and re-install that plugin from www.ads-software.com repository or download it from author’s website (if it’s a premium plugin).

    If it’s still doesn’t help solve the issue, try the same approach for “uploads” folder. It’s unlikely the code is there, but as last resort do check it.

    If in the end it still there, come back and let me know. We’ll see what else we can do to find it and remove it.

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Posts have malware links’ is closed to new replies.