Title: Dealing with recurring Hack
Last modified: April 27, 2018

---

# Dealing with recurring Hack

 *  [eiwebdesign](https://wordpress.org/support/users/eiwebdesign/)
 * (@eiwebdesign)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/dealing-with-recurring-hack/)
 * I am currently trying to resolve a problem for a client whose site has been hacked.
   Initially the hack redirected all links. I removed the obvious issues and it 
   went away after republishing all pages.
    A few days later the issue returned 
   and this time additional code was found, removed and all pages republished, The
   issue went away…for a few days… The next time the hack re-appeared it did not
   create link redirection by changing links, but some javascript had been inserted
   that caused popunders to typical betting and other dubious sites — between 1 
   to 3 popunders with any link on the site clicked. After removing a suspicious
   file and re-publishing…again this went away!….For a few days… The javascript 
   now returned and so too the popunders, but now it is better ‘established’ and
   does not disappear with republishing pages –it can be seen in the Source Code
   but not easy to find where or what is inserting it. The hosting company has scanned
   the site and cannot locate an issue. We currently have Sucuri and Wordfence plugins
   onboard and Sucuri states ‘site clean’ — which it obviously is not! This has 
   been frustrating and time consuming and the site, though small at present being
   only launched a month ago and not currently used for more than the businesses
   pages, naturally has all the hundreds of files/folders and so on that WP combined
   with Divi theme seems to ‘require’! Which brings me to my question, besides asking
   any general advice from anyone who has dealt with this particular type of issue
   before… Whilst browsing (using developer tool) some aspects of the page code 
   just now, I noticed reference to Dashicons… and also saw that the reference to
   the Dashicon elements included the beginning of a long string of Base 64 code…
   I know from previous experience that this can sometimes hide ‘infected material’
   and wanted to know if Dashicons files actually do contain base 64 code normally…
   or if anyone else is aware of Dashicons being used in hacking events to obfuscate
   injected code? Thanks for any constructive thoughts or ideas! 🙂
    -  This topic was modified 8 years, 1 month ago by [eiwebdesign](https://wordpress.org/support/users/eiwebdesign/).
    -  This topic was modified 8 years, 1 month ago by [eiwebdesign](https://wordpress.org/support/users/eiwebdesign/).

Viewing 2 replies - 1 through 2 (of 2 total)

 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/dealing-with-recurring-hack/#post-10226129)
 * You need to start working your way through the resources on [this page](https://codex.wordpress.org/FAQ_My_site_was_hacked).
 * Other things you should do:
    - Change passwords for all users, especially Administrators and Editors.
    - If you upload files to your site via FTP, change your FTP password.
    - Re-install the latest version of WordPress.
    - Make sure all of your plugins and themes are up-to-date.
    - Update your [security keys](https://codex.wordpress.org/Editing_wp- config.php#Security_Keys).
 * Additional Resources:
    [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
   [Hardening WordPress](https://codex.wordpress.org/Hardening_WordPress) [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/)
 * If you’re unable to clean your site(s) successfully, there are reputable organizations
   that can clean your sites for you. Off hand, couple of names that come to mind
   are Sucuri and Wordfence.
 *  [te_taipo](https://wordpress.org/support/users/te_taipo/)
 * (@te_taipo)
 * [8 years, 1 month ago](https://wordpress.org/support/topic/dealing-with-recurring-hack/#post-10227300)
 * There are two methods attackers use to inject code into webpages, first is via
   faulty code within the web application itself, i.e in the core code or in a plugin,
   the other is at a server level intrusion or incorrect server settings.
 * If you have checked your website over using the above suggestions, then please
   come back and let us know. It is important for you to fix this, but also for 
   us developers to address these issues if they can be addressed at a plugin level.

Viewing 2 replies - 1 through 2 (of 2 total)

The topic ‘Dealing with recurring Hack’ is closed to new replies.

## Tags

 * [dashicons](https://wordpress.org/support/topic-tag/dashicons/)
 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [hacking](https://wordpress.org/support/topic-tag/hacking/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 2 replies
 * 3 participants
 * Last reply from: [te_taipo](https://wordpress.org/support/users/te_taipo/)
 * Last activity: [8 years, 1 month ago](https://wordpress.org/support/topic/dealing-with-recurring-hack/#post-10227300)
 * Status: not resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics