Forum Replies Created

Viewing 15 replies - 1 through 15 (of 16 total)
  • Thread Starter mixmethods

    (@mixmethods)

    Thank you… I have gone through many of the steps on these documents, but I should not have assumed that rebuilding the site in a subfolder (with all updates and bulletproof security) would solve the problem.

    Based on the FAQ, and taking my situation specifically, would the next best step likely be to delete all of the files in the root folder (the hacked WP site) and then upgrade WordPress and check that all core WP files are replaced with clean ones?

    (interestingly, the two scan sites in the “additional resources” part came up with a clean report.)

    Thread Starter mixmethods

    (@mixmethods)

    Hey all, just an update: I have the rebuilt site that I am working on pretty much completely done, and then again today I realized that ALL of my PHP files have again been altered!!!

    The site appears to be live and working just fine, but obviously I want to figure out and get rid of the bad code before it gets any worse, and equally importantly, close the security vulnerability.

    Thanks Ian for the suggestion above to use the Anti-Malware plugin. Now this is especially weird… neither Wordfence nor Anti-Malware targeted the WP core files. But, it did find several plugins and themes that had affected files. I had it repair them all (about 250) and now when I look at the code on the WP core files, it’s still there, but at least somehow much shorter: [ Malware snippet redacted, please do not share that here ]

    What the heck. I had one other thought: The old site still had “MailPoet” installed (although the hack was so bad you can’t even login to wp-admin). I went and deleted the old version in the old install, just in case it was somehow causing havoc on my new site in the sub-folder.

    Any settings I should change on “Anti-Malware” to get it to see the bad code on the core files? I don’t know what’s up with that! Thanks all. – Nate

    Thread Starter mixmethods

    (@mixmethods)

    I should note that the hacked site content (in the root) still exists because I was borrowing from the old content to rebuild the site. I also now have a local mirror of the old site, so I don’t need the old hacked site, and it’s not even possible to log into wp-admin on the old site.

    Is it possible that the site is being hacked via the existing hack on the root site? Would deleting all of the root WP install and then updating the new site (in the subfolder) to WordPress 4.0 remove the hacking threat?

    Thread Starter mixmethods

    (@mixmethods)

    Thanks, although that looks like it may be a bit above my skill level.

    Thread Starter mixmethods

    (@mixmethods)

    Good to know, thanks!

    Well, I cleaned out all unnecessary plugins, updated them all, and used Wordfence to scan and confirm there were no more issues… then backed up again!

    I’ll keep tracking my every move to see if it happens to rear its ugly head again… but I’m hoping that I managed to get rid of whatever was causing the havoc.

    Thread Starter mixmethods

    (@mixmethods)

    Hi Ian, did you just read about that particular attack, or did you somehow know that was specifically the culprit on your own site?

    I had a recent backup of the plugins, so I just replaced all of the plug-in file folders completely so they showed up again. Then your plugins should reappear. Or, you can also install a fresh copy of each plugin. Interestingly, most of the plugins retained the information that I had previously put into them (for instance, my image sliders were still set up the same as previously). That must be stored in the database, I suppose?

    As an alternate method, if you manually remove the code from each PHP file within the plugin folder, it should also reappear for you, although I don’t know if that is the ideal method or not.

    Thread Starter mixmethods

    (@mixmethods)

    Wordfence did an excellent job of detecting all of the modified WP files. I did a bulk repair and it worked great without the need for manually replacing any backed-up files.

    As far as the plug-ins, I would suggest re-downloading them and replacing the folders (same thing I did with the backup). This will ensure that you know the bad code is gone. Then do another scan with Wordfence.

    I just wish I could figure out the culprit so I can avoid it happening again. I’m making sure to use only totally necessary plugins, updating them all, and making periodic backups. I’ll let you all know if I find out anything further.

    Thread Starter mixmethods

    (@mixmethods)

    Well, I ran Wordfence and discovered that this modification was not only done to the php files in the plugins, but EVERY php file within the WordPress folder! From the sounds of it, Ian, this has to do with one of the plug-ins. Here are the ones I have installed:

    accordion-slider (paid)
    ajax-event-calendar
    akismet
    akkord-slider
    all-in-one-favicon
    bulletproof-security
    contact-form-7
    envato-wordpress-toolkit
    get-the-image
    horizontal-scrolling-announcement
    ml-slider

    Should I select all the WordPress PHP files for “bulk repair” in Wordfence, or manually remove the code?

    I’ve worked with mailpoet before (it’s actually in another WordPress install in a different directory), but I don’t currently have it installed in this subdirectory.

    Once I get this fixed, is there a way to keep it from happening again or figure out the culprit?

    Thread Starter mixmethods

    (@mixmethods)

    Does it happen to you often? I’m trying to figure out what the catalyst is that changes it. When it happened again today, I don’t think I altered anything; I simply clicked on the “plugins” tab on the dashboard.

    Once I upload the backed up versions, I’m up and running again.

    Thread Starter mixmethods

    (@mixmethods)

    If it helps, the code that appears in the file comes after the first line that typically starts with “<?php” and it looks like this:

    [ Redacted ]

    but goes on for much longer.
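The question in the first reply (how to check that every core file has been replaced with a clean one) and the observation here that the injected code sits directly after the opening `<?php` line both come down to the same check: compare the live tree, file by file, against known-good copies of the same WordPress version. The script below is an added example, not code from this thread, from Wordfence, or from any plugin named here. Its three "core" files, their checksums and the injected line are all constructed for the demo; on a real site the checksum table would be taken from a pristine download of the same version (the wordpress.org core checksums API publishes an MD5 per core file, and `wp-admin`/`wp-includes` are taken as directories that should contain nothing but core files).

```python
"""Verify a WordPress core tree against a table of known-good checksums.

Added example, not code from the forum thread or any plugin it names.
Everything under CLEAN_FILES is CONSTRUCTED stand-in content, not real
WordPress source; real checksums come from a pristine copy of the same
version (the wordpress.org core checksums feed gives MD5 per core file).
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Directories that should hold only core files, so an unlisted PHP file
# there is worth a look even if every listed file is intact.
CORE_DIRS = ("wp-admin", "wp-includes")

# Constructed "clean" contents for a tiny fake core tree.
CLEAN_FILES = {
    "index.php": "<?php\ndefine('WP_USE_THEMES', true);\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-includes/version.php": "<?php\n$wp_version = '4.0';\n",
    "wp-admin/index.php": "<?php\nrequire_once __DIR__ . '/admin.php';\n",
}

# Constructed placeholder for the redacted snippet: the thread says the
# injected code follows the first '<?php' line, so that is where it goes.
INJECTED_LINE = "/* CONSTRUCTED injected line standing in for the redacted snippet */"


def checksums_for(files: dict) -> dict:
    """Build {relative path: md5} in the shape the core checksums feed uses."""
    return {rel: hashlib.md5(body.encode()).hexdigest() for rel, body in files.items()}


def md5_of(path: Path) -> str:
    return hashlib.md5(path.read_bytes()).hexdigest()


def verify_core(root: str, checksums: dict) -> dict:
    """Compare a tree against the checksum table.

    Returns sorted lists of files whose hash differs (modified), listed
    files that are gone (missing), and PHP files inside CORE_DIRS that the
    table does not know about (unexpected).
    """
    base = Path(root)
    modified, missing, unexpected = [], [], []
    for rel, expected in checksums.items():
        p = base / rel
        if not p.is_file():
            missing.append(rel)
        elif md5_of(p) != expected:
            modified.append(rel)
    for d in CORE_DIRS:
        if not (base / d).is_dir():
            continue
        for p in (base / d).rglob("*.php"):
            rel = p.relative_to(base).as_posix()
            if rel not in checksums:
                unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def injected_after_open_tag(path: str, clean_text: str):
    """If `path` equals the clean file with lines inserted right after the
    opening '<?php' line, return the inserted text; otherwise None."""
    actual = Path(path).read_text().splitlines()
    clean = clean_text.splitlines()
    if not actual or not clean or actual[0] != clean[0]:
        return None
    extra = len(actual) - len(clean)
    if extra <= 0 or actual[1 + extra:] != clean[1:]:
        return None
    return "\n".join(actual[1:1 + extra])


def build_demo_tree() -> str:
    """Write the constructed clean tree to a temp dir, then tamper with it:
    one file gets the injected line, one is deleted, one unknown file is added."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    for rel, body in CLEAN_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    v = Path(root) / "wp-includes" / "version.php"
    lines = v.read_text().splitlines()
    v.write_text("\n".join([lines[0], INJECTED_LINE] + lines[1:]) + "\n")
    (Path(root) / "wp-admin" / "index.php").unlink()
    (Path(root) / "wp-includes" / "extra-unknown.php").write_text("<?php\n// not in the table\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    report = verify_core(demo, checksums_for(CLEAN_FILES))
    for kind, files in report.items():
        print(f"{kind}: {files}")
    for rel in report["modified"]:
        print(rel, "inserted after <?php:",
              injected_after_open_tag(os.path.join(demo, rel), CLEAN_FILES[rel]))
```

A "modified" or "unexpected" hit in `wp-admin` or `wp-includes` is the signal to replace the file from a clean download rather than edit it by hand, and a clean report on the core tree alone says nothing about plugin and theme directories, which need the same comparison against their own pristine copies.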

    Thread Starter mixmethods

    (@mixmethods)

    Figured it out! In case anyone else runs into this: You need to make sure to change the siteurl in wp_options in the database, and also change the site address in WordPress settings: https://www.youtube.com/watch?v=PKsWwvcuHyo

    Thread Starter mixmethods

    (@mixmethods)

    Side note that might help: If I change the database password to something other than “root” in wp-config, it says when I try to load the page: “Error establishing a database connection.”

    If I change it back to “root” it then simply says “this webpage not available” (doesn’t load anything) in Chrome. This was essentially my process:

    1. Copy wp-content folder
    2. Export database
    3. Import database
    4. Paste wp-content folder.
    5. Configure config.php

    Did I miss something, or is there something unique with MAMP that I’m not accounting for?

    Thread Starter mixmethods

    (@mixmethods)

    Ah, yes, an HTML file will pull up correctly.

    Specifically: The copied WordPress site is in the folder “wordpresstest”. Based on your suggestion, I tried localhost:8888/wordpresstest/index.htm and it worked. But, if I try localhost:8888/wordpresstest/, it just says “webpage not available”.

    As I mentioned, it worked correctly when I did a fresh install, but it’s not working with the copied site and database.

    Thread Starter mixmethods

    (@mixmethods)

    Thanks! OK, I think I almost have it working on the local host, but ran into a snag.

    I got a fresh install of WordPress running on my local host with a fresh database, just to make sure it works.

    The next thing I did was import the entire WordPress folder into the local MAMP folder. I also exported the original MySQL database from the server and imported it to the local phpMyAdmin.

    I then changed the wp-config.php file to reflect the DB name, user, and password of the imported database. (should the hostname just be ‘localhost’?)

    It unfortunately will not yet load the webpage, but it feels like I’m really close. Is there a step that I’m missing?

    Thread Starter mixmethods

    (@mixmethods)

    OK! I’ll make sure everything is completely backed up and then try replacing all of the core files. Thanks again!
