What is the warning generated from WordFence, can you supply a sample?
It’s not uncommon for attackers to insert backdoors into images, usually in the form of EXIF data, which can be removed without hurting the source of the image.
I think this link should help:
http://www.howtogeek.com/203592/what-is-exif-data-and-how-to-remove-it/
Also, if you head over to http://archive.org/web/ you might be able to find old, cached versions of the images before the hack occurred.
Thread Starter
JustinF
(@justinfeldman)
Thanks for replying!
The error reads:
Post contains a suspected malware URL: Choosing the right Point of Sale (POS) system
This post contains a suspected malware URL listed on Google’s list of malware sites. The URL is: http://www.retailandrestaurant.co.za/wp-content/uploads/2013/11/IronTree.jpg
Oh I see. That WordFence flag is being generated because your website is blacklisted by Google 🙁 The image itself is fine, there’s no exif data or script code in it from what I see here.
Once the infection is removed from your website and blacklist removal request submitted to Google, that will fix the WordFence warning. But it seems there are much bigger issues here, unless you’ve already removed the malware.
SiteCheck doesn’t seem to be flagging the malware itself:
https://sitecheck.sucuri.net/results/www.retailandrestaurant.co.za
So it’s hard to say what the root of the problem is. I’d suggest taking a look here and following this guide:
https://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked
Hmm, I forgot to ask, is retailandrestaurant your website, or is that image being grabbed from another domain? If the latter, you can just host that image on your server instead of loading it from an external site.
Thread Starter
JustinF
(@justinfeldman)
Can you tell me what you are basing your assessment of the images on? You say “there’s no exif data or script code in it from what I see here” … How exactly did you inspect them? I’m only asking because I struggled to find a means of checking them for malware, so I would love to know for future.
I have removed the major malware from the site. There were some .php files hiding in the wp-content folders and there was one or 2 lines of unsavoury looking code in the .htaccess file. All of that is gone.
All the images are being hosted on the cloudflare server that the website is hosted on. But luckily a lot of them are stock images from the internet, so I can probably find them again.
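One way to do the kind of inspection asked about above (does a JPEG carry script code in its EXIF/comment data, or appended after the end of the image), as an added example that is not part of the original thread. The pattern list, function names and sample bytes are assumptions constructed for illustration.

```python
import struct

# Heuristic patterns (an assumption, not a complete list) that never belong in image metadata.
SUSPICIOUS = (b"<?php", b"<?=", b"<script", b"eval(", b"base64_decode", b"gzinflate")
RST = set(range(0xD0, 0xD8))  # restart markers carry no length field

def _hits(where, blob):
    low = blob.lower()
    return [f"{where}: contains {p.decode()!r}" for p in SUSPICIOUS if p in low]

def scan_jpeg(data):
    """Walk JPEG segments; report script-like bytes in metadata or after EOI."""
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG (no SOI marker)"]
    findings, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return findings + [f"malformed segment at offset {pos}"]
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: anything after it is not image data
            trailer = data[pos + 2:]
            if trailer:
                findings.append(f"{len(trailer)} bytes appended after EOI")
            return findings + _hits("trailer", trailer)
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in RST or marker == 0x01:  # standalone markers
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4].ljust(2, b"\0"))[0]
        # APP0-APP15 (JFIF, EXIF, XMP, ...) and COM hold free-form metadata
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            where = f"segment FF{marker:02X} at offset {pos}"
            findings += _hits(where, data[pos + 4:pos + 2 + length])
        pos += 2 + length
        if marker == 0xDA:  # SOS: skip entropy-coded bytes to the next marker
            while pos + 1 < len(data) and (
                    data[pos] != 0xFF or data[pos + 1] == 0 or data[pos + 1] in RST):
                pos += 1
    return findings + ["truncated: no EOI marker"]

# Constructed samples: a minimal JPEG skeleton, then the same with PHP in COM and after EOI.
def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

CLEAN = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00" + bytes(9)) + _seg(0xDA, bytes(6))
         + b"\x12\xff\x00\x34\xff\xd9")
TAINTED = CLEAN[:2] + _seg(0xFE, b"<?php /* constructed */ ?>") + CLEAN[2:] + b"<?PHP x"
```

To check a real upload, pass the file's bytes, e.g. `scan_jpeg(open(path, "rb").read())`. An empty list means none of the listed patterns were found, not that the file is proven clean.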