• darkvd

    (@darkvd)


    Hey folks,

    I have recently joined a company that had a hacked website and I was given the task of cleaning it up. Something I'm woefully unprepared for. I have, however, identified the problem code, just not how to access it.

    Just within the <!-- script | dynamic --> there is a script killing the SEO by putting in a load of invisible text. How do I crack open this code? I've poked around the index.php and a little bit around the theme CSS but I'm not really sure what I'm looking for in there. A picture of the cURL output is linked.



Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator t-p

    (@t-p)

    Carefully follow this guide.

    When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Joy

    (@joyously)

    That code you highlighted is output by WordPress, so unless it has been tainted by the hack (in the file on the disk or in a filter during output), you don't need to mess with that.
    The problem with a hack is that something has to be broken in order to allow it. Either a password was acquired or found by brute-force login attempts, or an installed plugin or theme has code that was exploited. WordPress core code is not immune, but those security holes are patched quickly.
    The procedure then is not just to remove the hack. You have to figure out what the hole was or you'll be hacked again.
    The typical scenario is to put a script in a theme file because the theme is run on every front-end visit. Reinstall the theme from a known clean version. Do the same for WordPress and all plugins. Update all to the latest versions. See if the hack is still there. Run an external scan of the site (something like Sucuri).


    Thread Starter darkvd

    (@darkvd)

    I'm pretty sure it's SQL-injected code or a faulty plugin. When I got to the company the website was several generations behind on updates, and I have a login manager and there are no other logins besides mine. I'm 95% positive the code I highlighted is malicious as it directly mirrors the language of the obfuscation. I've been through the usual core files and deleted any malicious code I can find, but I can't find the script that's generating all this code. I've cleaned out the same files several times and cannot find the root problem.

    Waren Gonzaga

    (@warengonzaga)

    Have you tried disabling the plugins one by one? It might help you track down the source of that malicious code. I thought WordPress was secure enough against SQLi, but it can still be hacked easily.

    Stef

    (@serafinnyc)

    Like @joyously said, that code is not a hack.

    If you think it is a SQL injection you will have a very difficult time finding it. I'm not sure why you'd think that, though. Interested to learn. You will need to shell into your root directory as well as your database, using grep, and run searches. Very complex.

    Like @t-p said, run some software that checks for these things. I'm not sure of any of them or their outcomes. Good luck!

    Thread Starter darkvd

    (@darkvd)

    Well, I've run multiple different types of scanners (which have all turned up nothing :/) and used a search function to go through all of my core files. I disabled each of my plugins one at a time to see if that would help and replaced the directories /wp-admin and /wp-includes. I'm working on getting the files to replace my theme. Am I missing anything?

    JNashHawkins

    (@jnashhawkins)

    Your website is blacklisted as unsafe… If it was me…

    I’d install the iThemesSecurity plugin https://ww.wp.xz.cn/plugins/better-wp-security/. Run that and pay attention to any recommendations it offers.

    Next install WordFence https://ww.wp.xz.cn/plugins/wordfence/. Run that together with iThemesSecurity. Run a scan and follow WordFence's recommendations.

    Now update your themes, plugins, and WordPress core, then install https://ww.wp.xz.cn/plugins/sucuri-scanner/. Run Sucuri, follow any recommendations it makes, then disable it in the plugins list. Leave the first two running.

    You're on Bluehost (or one of the EIG hosts with an Nginx proxy), so flush your cache.

    Deal with any other issues that needs to be dealt with then head over to CloudFlare and add that site to CloudFlare. CloudFlare’s DNS is one of the best and their proxy service will boost your site’s capabilities and capacity by up to 20% while hiding your origin server from many future attacks.

    Some issues might need your host's assistance, so call them as needed. They can be very helpful.

    The above should get you through all of this and get the site working very well.

    Check your blacklist status this weekend after you get all this done and see if things don’t right themselves. You might need to follow up with McAfee to remove the blacklist.

    Also, the links the others here have given you are all good ideas. ‘Harden’ that website up as you see fit.


The topic 'Hacked Website Obfuscation' is closed to new replies.