Forum Replies Created

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter cwinkler78

    (@cwinkler78)

    Marking as resolved.

    Thread Starter cwinkler78

    (@cwinkler78)

    Interesting, I wonder if this fix would help then

    https://www.blogtips.org/avoid-users-uploading-malware/

    At the bottom of the article, it explains how to add some code at the bottom of your .htaccess file that prevents malicious PHP code from being inserted using images.

    Thread Starter cwinkler78

    (@cwinkler78)

    @cbouchard – I’m still hack free (knock on wood). Sorry the fix didn’t work for you.

    I’m not sure what else to recommend.

    Thread Starter cwinkler78

    (@cwinkler78)

    Thank you all so much for the help. I wanted to leave an update here in case anyone else has the same problem.

    I have two WordPress sites that I administer and I had made the following changes to one of the sites, but not the other. This morning, the site without the changes was hacked again. The one with the changes was not. I’m going to take that as a sign this fix works. =)

    Here’s how to get your site back online fast.

    Step 1 – Log in to your WordPress dashboard as an administrator and go to Appearance -> Widgets. In my case, the two widgets I was using had been moved to the Inactive Widget box and replaced with a Text Widget in the sidebar.

    Step 2 – Open the Text widget and click the Delete link on the bottom left. Once you’ve deleted it, reset your widgets to the way they were prior to the hack.

    Step 3 – Next, go to Settings -> Reading. Change your character encoding back to UTF-8. This will fix any lingering issues with your RSS feed and IE.

    Step 4 – Lastly, reset the Site Title & Tagline for your site. The location for this will vary based on your theme. For my site, I selected Appearance -> Themes and then clicked the Customize link for my theme.

    That will fix your site immediately. Clear out your cache and confirm that everything works.

    Now that your site is up and running, you will need to make it more secure so that this problem does not happen again.

    Step 1 – Change your passwords for your hosting service, WordPress, etc.

    Step 2 – Upgrade to the latest version of WordPress.

    Step 3 – If you have a backup of your site, do a restore to a version prior to the attack just for good measure.

    Step 4 – Log in to your WordPress dashboard, install the plugin Better WP Security, and resolve issues 1-19 on the dashboard. For item 20, you will need to enable/purchase SSL from your hosting provider. NOTE – some of the changes the plugin makes will break links or images on your website. You will need to go back and update all of them, but that is a small price to pay for having your site more secure. The easiest way to fix all of the links at once is to download an export of your blog’s content (Tools -> Export), open it in Notepad and do a find and replace.

    Step 5 – Move your wp-config.php up one level. You can find instructions for doing so on ProBlogger’s Take 5 Minutes to Make WordPress 10 Times More Secure post.

    Step 6 – Change your database password and make a note of it. How to do this will vary by host. For GoDaddy users, click here. For those with cPanel, click here.

    Step 7 – Go to your wp-config.php and open it in your favorite code editor. Update your database password to your newly updated password. Then go to the Secret Keys section and follow the instructions to update your keys.

    Thread Starter cwinkler78

    (@cwinkler78)

    @houlego – The hack changes your character encoding from UTF-8 to UTF-7. You can fix this through the WordPress Admin Dashboard/Panel by going to Settings -> Reading and setting it back to UTF-8.

    Thread Starter cwinkler78

    (@cwinkler78)

    @houlego – The hack changes your character encoding from UTF-8 to UTF-7. You can fix this through the WordPress Admin Dashboard/Panel by going to Settings -> Reading and setting it back to UTF-8.

    Thread Starter cwinkler78

    (@cwinkler78)

    @govpatel – Got it. I had changed the wp-config.php file to 0444 after it was hacked this morning and reset the passwords and secret keys. I also moved wp-config.php up one level on the advice of https://www.problogger.net/archives/2011/08/11/take-5-minutes-to-make-wordpress-10-times-more-secure/

    So far the problem has not come back.
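Added example, not part of the thread or of any WordPress tool: a Python check for the wp-config.php hardening described in the replies above (file moved one level above the web root, mode 0444, secret keys regenerated). The `public_html` directory name, the helper names and the 32-character minimum are assumptions of this example, and the sample install it audits is constructed.

```python
import os, re, stat, tempfile

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_LEN = 32  # assumed lower bound for this example; generated keys are longer
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")

def audit_wp_config(wp_root):
    """Return findings for the WordPress install whose web root is wp_root."""
    wp_root = os.path.abspath(wp_root)
    findings = []
    path = os.path.join(wp_root, "wp-config.php")
    if os.path.isfile(path):
        findings.append("wp-config.php is still inside the web root")
    else:
        path = os.path.join(os.path.dirname(wp_root), "wp-config.php")
        if not os.path.isfile(path):
            return ["wp-config.php not found in the web root or one level up"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o222:
        findings.append("wp-config.php is writable (mode %04o, not 0444)" % mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        defines = dict(DEFINE_RE.findall(fh.read()))
    values = [defines.get(name) for name in KEY_NAMES]
    for name, value in zip(KEY_NAMES, values):
        if value is None:
            findings.append(name + " is not defined")
        elif value == PLACEHOLDER or len(value) < MIN_LEN:
            findings.append(name + " is a placeholder or too short")
    present = [v for v in values if v is not None]
    if len(set(present)) != len(present):
        findings.append("secret keys repeat the same value")
    return findings

def write_sample(parent, keys, mode, in_web_root):
    """Build a constructed install under parent and return its web root."""
    web_root = os.path.join(parent, "public_html")
    os.makedirs(web_root, exist_ok=True)
    target = os.path.join(web_root if in_web_root else parent, "wp-config.php")
    with open(target, "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefine('DB_PASSWORD', 'constructed-sample');\n")
        fh.writelines("define('%s', '%s');\n" % (k, v) for k, v in keys.items())
    os.chmod(target, mode)
    return web_root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        weak = dict.fromkeys(KEY_NAMES, PLACEHOLDER)
        for line in audit_wp_config(write_sample(tmp, weak, 0o644, True)):
            print(line)
```

An empty list from `audit_wp_config` means the file sits one level above the web root, is read-only, and carries eight distinct non-placeholder keys.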

    Thread Starter cwinkler78

    (@cwinkler78)

    @esmi – Is that question directed at me? If so, I’m not sure it is. I think it could be a possibility because when I completely started over yesterday and had a clean install with the default template and no plugins installed, the issue appeared again.

    But that said, I’m not the most technical person in the world.

    Thread Starter cwinkler78

    (@cwinkler78)

    Thank you all for the help.

    @rachelbaker – I contacted webhostingpad and they weren’t helpful at all, and I quote: “They are most likely using your plugin or theme to insert this code into your website. Please make sure all of your plugins and themes are updated.”

    Thanks for the FAQ link. I had followed those steps to get the site back up and running initially. And it worked, until it happened again.

    The Sucuri Site Scanner comes back clean.

    @songdogtech – Thanks. Wish I had known that before I locked myself into the contract. =(

    @houlejo – They insert it into the Sidebar of my theme (Appearance -> Widgets -> Sidebar 1). They remove my existing widgets and replace them with a text one with the script in it. Screenshot of my WordPress install: https://colleenwinkler.com/cwtol-content/uploads/2012/11/hackfix2.jpg

    @govpatel – Yes. I’ve run Spybot and nothing comes back out of the ordinary.

    One new thing I have discovered is a PHP warning showing up in my error logs around the times the site gets hacked again:

    [26-Nov-2012 23:04:43 UTC] PHP Warning: Division by zero in …/themes/wp-creativix/tpl_page_nosidebar.php on line 32
