Site hacked despite Wordfence

@empowersource Thanks for the reply, very useful info that I have presented to the hosts, wait to hear what they say…

Dear empowersource,

We restored the db and started to clear the whole system. Could you check it please? Maybe you find something https://www.puremana.hu

@empowersource Indeed, it worked ! I got the controls back ! Thanks a lot

I fixed the sites, and removed the malware code, but it comes back after days.
I think there must be a place that hacker left the backdoor?

Hi

Just to know did you changed all your passwords including the one for the database?
Also what database table prefix do you have the standard wp_ or something else ?
Other suggestions if not done is to add to your .htaccess file sole lines which protect the access to some of the critical folder.
Are you sure you’ve all your plugins/php/thème etc up to date as if some are not up to date they can be the open door for your hackers?
Be careful of plugin/theme which haven’t been updated for months or years consider to replace them as there is little chance they will be updated ever.

@steveb36 Let us know their reply. Others might have the same issue with their provider.
@vmiki96 The code seems to be clear. Have you had any unwanted forwarding or other problems connected to the issue since the reconstruction of the database?
@levelocipediste Glad to hear it!
@deardevils I cleared the database with the aforementioned command, updated all the plugins and changed the on-site passwords (I also did not save the passwords in my browser this time and updated the Antivirus software on my computers). The script did not reappear after that.

Hello, my website has been hacked as well. Now I have access to wp-admin and also I have reinstalled all plugins, update wordpress and themes but the problem persists, I have some malware https://sitecheck.sucuri.net/results/dreinetpro.ro

Could you help me please? Have a nice day

Maybe you can start with this

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/

@bkantique I have checked with wordfence but it said that my website is clean

@empowersource Contacted hosts and they explained that my infected domains are on my account and would be a ‘draw’ ie slowing up all other domains on the server due to the malware redirects. They accept the malware is no threat to other domains, but insisted that the added strain on the CPU’s is unfair to other customers. They have offered to rectify all my infected sites at one cost rather than the same cost per domain, and activate enhanced security package annually at one cost for all domains rather than separately. I do get the feeling they are acknowledging some responsibility in the infection occurring, without admitting it out right to me…I will update this thread when they have secured the domains and what/how they achieved it if possible.

@empowersource Yes I had, it seems like they try to redirect my page. Can you check it one more time please?

@andreipol
I checked the site files, not all(because there are soooo many files), I only checked important files and which got high risks to be hacked. All clean, so I think the malware are only installed in the database.

I found the malware restored in database _transient rows, so I run this and removed them all.
DELETE FROM wp_options WHERE option_name LIKE (‘%\_transient\_%’)
Hopefully they will not com back again.

You also need to check every single page, post, images etc. The malware code is installed in every single post in WP. So you need to run the query in the database and remove it completely.

• This reply was modified 6 years, 3 months ago by Deardevils.

@empowersource

I missed some more code in _transient rows. Fixed it yesterday.
I have spent 2 days but haven’t found how the hackers break the site.
There are more and more wp users’ sites got hacked, but haven’t seen any case that what caused this issue.

@vmiki96 That’s odd. sucuri says that the site is clean (https://sitecheck.sucuri.net/results/https/puremana.hu) and I can’t find the script anywhere either. Maybe if you could be a little more specific about where, when and what exactly happens on your page that makes you think that it is still infected?
@andreipol Strange enough, though sucuri says that your site is still infected, I can’t identify the script in your source code. Maybe use the script on your site as identified from sucuri (<script type=’text/javascript’ src=’https://blueeyeswebsite.com/ad.js?ldp111&#) and run it with my command from before and see what happens? Please make a backup before, because according to sucuri, the script might have mingled with some internal scripts from your site and clearing out the former might render the latter disfunctional.