Support

Get a fresh cup of coffee, take a deep breath and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.

If you’re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.

I have done the wordfence scan and sucuri scan and cleared some waste codes but even though site is as it is that redirects to tunaif.com. I even didn’t get the code from where it gets redirects.Please suggest me some other thing

Scanning is not sufficient. Please follow the steps above to replace all PHP files on your site.

Hello,

I faced the same problem 4 days ago, and this is how I fixed the issue about WordPress site always redirected to tuniaf[dot]com.

If my explanation isn’t clear enough or you have something to ask, don’t hestitate.

How to Clean your WordPress site:

before you attempt to do number 2 and so on, I encourage you to install and use Visual Studio Code or Atom to help you find malicious code easier by searching on all folders and files inside your WordPress (and of course, download your sites folder by zipping it as one archive file and check it offline, and remember you will need it later)

1. Delete permanent the ultimate-member plugin directory inside your wp-content/plugins/
2. Follow the instruction inside the link above!
– Delete all PHP Files inside wp-content/uploads/ultimatemember/temp/, and exclude this directory wp-content/uploads/ultimatemember/ and it subdirectories from PHP execution or if your web server / cpanel has AntiVirus, you can quarantine it.

3. Inside your themes directory, search for _common.php (in my case, I found it under wp-content/themes/publisher/header/_common.php. (screenshot: https://ibb.co/nLg4yU)
If you found the same code, it is safe to delete them all or delete the file

4. Open your VS Code, -> Open Folder (choose your site folder), click on the ‘search’ icon at the left corner of your VS Code Tab. Type “var po”, You will find maybe hundreds of your jQuery or JavaScript files are infected. (screenshot: https://ibb.co/bE2Yxz) and search for “var need_t”. (var need_t is under var po), they are 2 lines on the top of your jQuery files.

Codes var po = and var need_t = are placed on the top of your jQuery or JS Codes, remove them all, you can use VS Code to remove them in all jQuery files by using the Search built-in function by VS Code, or you can of course remove it one by one.

5. Check your database as it might infected as well, export your database and have it open with VS Code, type for “db.allyouwant.online”, if you found them, it means your database got infected as well. (screenshot: https://ibb.co/jUCGHz)

You can deleted them all by one or two click with VS Code Search built-in function, but before you do that, backup or duplicate your infected database.

6. Be sure to clean your server too, if you are using managed or shared hosting, contact your hosting provider, if you are not, clean it yourself.

Once all clean, archive your clean WordPress files and reupload it to your server using FTP Client or cPanel File Manager. Deleted your database and reupload the clean one.

Thanks to Sucuri’s staff, who provides us helpful insights.