• Dear WordPress users,

    My website has been compromised with some kind of malware. Malicious links are popping up in scripts daily. Google has notified me by email and blocked my AdWords.

    The script that is popping up is being inserted into the Contact Form 7 script, I think. It looks like this (click link): malicious code in HTML – the malicious link in the code is “https://www.wp6.xyz/jquery.min.js”

    My hosting provider hasn’t got a backup from before the problems began.

    Steps I’ve taken so far (which didn’t help):

    1. Replace WordPress core files
    2. Delete and reinstall plugins (including Contact Form 7)
    3. Scans with Sucuri and Wordfence – nothing found
    4. Updating theme files
    6. Replaced secret keys in WordPress
    7. Deleted cache plugins and Cloudflare caches
    8. Searched through the database for the malicious link, finding it in the table wp_options (different prefix) in the option_name wordpress-https_unsecure_external_urls

    with the code: database code with malicious link. Dropping this line doesn’t make any difference.

    Still the problem exists, costing me a lot of money.

    What are the next steps to take?

    Thanks for your help!
    Kind regards
    Ruben
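
An added example, not part of the original post or of any reply: one way to check rendered pages (including copies still served from a cache) for `<script>` tags loaded from hosts the site does not expect, such as the injected tag reported above. The allowlist, the page host `www.example.com` and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site is expected to load scripts from (assumption: adjust per site).
ALLOWED_HOSTS = {"example.com", "www.example.com", "ajax.googleapis.com"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def unexpected_script_hosts(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (host, src) pairs for scripts loaded from hosts not in `allowed`."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Protocol-relative URLs (//host/path) need a scheme to parse the host.
        parsed = urlparse("https:" + src if src.startswith("//") else src)
        host = (parsed.hostname or page_host).lower()  # relative src -> same host
        if host not in allowed:
            findings.append((host, src))
    return findings


# Constructed sample page: one local script, one CDN script, and the injected
# tag reported in the thread.
SAMPLE_HTML = """
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
<script type="text/javascript" src="https://www.wp6.xyz/jquery.min.js"></script>
</head><body><script>var inline = 1;</script></body></html>
"""

if __name__ == "__main__":
    for host, src in unexpected_script_hosts(SAMPLE_HTML, "www.example.com"):
        print(f"unexpected script host {host}: {src}")
```

Running it against the HTML fetched before and after clearing caches shows whether the tag is still being generated or only replayed from a cached copy.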

Viewing 2 replies - 16 through 17 (of 17 total)
  • The “Potential Threats” are usually not malicious (as it says on the results screen) but it’s a good place to look if you can’t find any “Known Threats”. You are right that eval('(' + text + ')'); is probably not malicious. The eval function is common in malicious code because it can be used to execute arbitrary strings as PHP code but it is also sometimes used in safe ways by legitimate plugins.

    I would always recommend turning off caching when your site has been compromised. Caching can preserve malicious code on a site even after the threat has been removed. Cache files can also make scanning the filesystem take an extremely long time so it’s best to delete all the cache files too. Also I find caching plugins to be highly overrated and not very effective, IMHO. I have only seen a noticeable performance increase on one site out of many that I have tested. My advice would be to benchmark your site’s page speed a few times with the caching enabled and then turn it off and run a few more speed tests. If it’s not noticeably slower then maybe you should just leave it off. You can use gtmetrix.com to check your “Page Load Time” before and after turning off your caching.

    As for Google, if your site has been blacklisted or you are getting warnings or bogus results in the search results then you need to get a Google Webmaster Tools account and Request a Review. It’s also a good idea to submit a sitemap while you are in there. It can take Google a while to clear your site and refresh the pages on your site that they cached when the malicious code was on there.

  • Hi Eli,

    Thanks for your reply. I am aware of the capabilities of caching plugins and in our case, we only (try to) use it for the homepage. At least that was what it was meant to do.

    The funny thing with Google Webmaster Tools is that it doesn’t display any warning when it comes to the ‘malware’ Google Adwords seems to find. Google acknowledges this fact and is aware of the flaw inside Webmaster Tools. Therefore the security info in Webmaster Tools isn’t to be trusted.

  • The topic ‘Site has been compromized’ is closed to new replies.