rxcanada-247 pharmacy hack

Start here:

https://codex.www.ads-software.com/FAQ_My_site_was_hacked

I’m sorry to hear your site was damaged. Wordfence is good at finding damaged files but it does not always find all the malware.

Do you have a back up from a date before the hacking began? Restoring is much easier than finding every piece of bad code.

I do have backups, but my host has already restored all core WordPress files and nothing has been added to the site in months so I don’t think restoring will help. I’m thinking it might be some sort of SQL injection hack or something database related so that would not help anyway. I am the only admin for the site and I use a 16 character password that has been changed. It is unlikely that the hacker has FTP or cpanel access as they could do a lot worse things, like lock me out.

I’ll check out that link martcol.

Restore all the files, directories and the database wherever possible. If you have such a complete backup, then delete all the existing files and directories first, rather than overwriting them As @wslade points out, this is by far the easiest solution. Otherwise, work your way carefully through the codex list linked to by @martcol. Also worth doing is changing all your usernames and passwords (WordPress/cPanel/database/FTP), checking in your database for any rogue users that don’t show up in the dashboard, and update your salt keys in wp-config.php to log out any currently logged in users.

Thanks. The problem with restoring from backup is that the backed up version is what got hacked in the first place. What is to stop them from exploiting the same vulnerability again?

I think I need a more elaborate solution that involves a way to check for backdoors and such. If I restore from backup, is there a program that can do a security audit to find weaknesses?

Yes you are correct. The backup must be from a time before the hack.

It’s quite possible to hunt down every piece of malware but it’s difficult to know when you have found all of the malicious code. As an example the site may seem to be functioning as it should be but if there is one backdoor or enough malware left, the site is likely to be reinfected. The malware laced file can be hiding in the WordPress core, the theme, any plugin and the database.

You said you were already using Wordfence. I suggest you try other server side scanners. There nothing wrong with loading up every plugin that will do server side scans. One of the plugins you try might find something all the others have missed. Good luck.

You’re right of course. If your backup does not pre-date your initial hack then it is a pointless exercise. Besides my advice on passwords/usernames/salt keys, I would check files such as your wp-config.php, .htaccess, index.php, header.php and footer.php files for rogue code. You can also try installing and running the Anti-Malware and Brute-Force Security plugin which seems to have good success in rooting out hacks. Another clue is to check the timestamps of sll files to see which have been recently modified, although this can’t be done if you’ve recently restored all your files. If you’re lucky, and it’s not a sophisticated hack, then you may resolve things through these steps, but if there are backdoors which keep recycling the hack then you’ve no choice but to work methodically through the codex linked to by @martcol. Then, once you’re back up and running again, tighten up your security measures by following:
https://codex.www.ads-software.com/Hardening_WordPress

Good luck!

Barnez, thanks so much for the link! I did a scan with that plugin and it found a backdoor named “/wp-admin/network/licenze.php”. I deleted it and fingers crossed that it solves the problem once and for all. Now it’s time to make a fresh backup.