Remain calm and carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures.
Thread Starter
srh124
(@srh124)
Hi James
I’m aware of those guides and steps. It’s around 4 years I’m working with WordPress and my site has already been hacked multiple times.
Removing and installing a new version of WordPress does not help, because no file has been affected. It’s just about post content.
At the end of post content, there is following code:
[removed]
I only want to clear these codes.
Any help?
1. Do you see it in the post content when you edit the post?
2. Do you see it in the post content in the database under the _posts table?
3. Have you checked every theme file?
4. Do you still see it if you deactivate all of your plugins?
Thread Starter
srh124
(@srh124)
Thanks a world for your help
1. Yes. I can see them.
2. Yes.
3. Yes, by Anti-malware plugin. This plugin was very helpful for me in the past. It used to recognize all malicious files and disinfect them carefully.
4. I haven’t tried this. Is it needed when I see the code in the wp_posts table?
1 and 2. Ok, then simply edit the posts to remove the undesired content. You’ll need to edit each one individually, unless you have a backup that you can restore from prior to when the code began to appear.
3. In this case, it’s not necessary, but I don’t trust anti-malware plugins to find everything. If you can identify specific code as the problem, it’s better to open and inspect every file yourself.
4. This will only be necessary if the code returns after you remove it from each post.
Thread Starter
srh124
(@srh124)
As I concluded, there is no automatic way and I should remove them by editing infected posts one by one. Am I right?
Because I’m a programmer (not a PHP one), I was thinking there should be a way to do this by programming, and maybe a plugin or other code exists to look for hidden links in post content.
How about SQL in phpMyAdmin? These codes are not exactly the same, but all of them link to topding.com and have CSS ‘display:none’
As I concluded, there is no automatic way and I should remove them by editing infected posts one by one. Am I right?
Yes, that is mostly correct.
The only guaranteed way to remove it all automatically is to restore a database backup from prior to the incident.
These codes are not exactly the same, but all of them link to topding.com and have CSS ‘display:none’
And that’s why it has to be manual. You can program in a search/replace routine for everything that you know is the same, but you can’t insert fuzzy logic into a MySQL query to “find this exact thing, and maybe anything else near it that subjectively looks suspicious.”
Thread Starter
srh124
(@srh124)
And that’s why it has to be manual. You can program in a search/replace routine for everything that you know is the same, but you can’t insert fuzzy logic into a MySQL query to “find this exact thing, and maybe anything else near it that subjectively looks suspicious.”
I understand. But I see a pattern in the codes: they start with
<div style="display: none;"
and end with the following </div> tag.
Maybe a regular expression can do that. It’s just a hypothesis.
Hm, not one that I’d be comfortable writing and offering. There are some legitimate uses to <div style="display: none;"
You don’t have a database backup from prior to the incident?
Thread Starter
srh124
(@srh124)
I have one from at most one month ago. But maybe it is infected as well.
I have just recently discovered this code and it may have been there for more than one month.
There is one more thing in the pattern which makes it unique: in the middle, there is a string “topodin.com”.
I’m not very familiar with RegEx. Maybe RegEx can handle that.
Yeah, working this through a bit in my head, RegEx isn’t going to help you in this case.
You’ll be able to remove the bits that are common and exact, but not the unique bits.
At your hosting provider, make a subdomain, like test.example.com if your current site were example.com, and set up a new WordPress installation using the database backup that you have, then change the siteurl and home values in that restored backup to match the new subdomain: https://codex.ww.wp.xz.cn/Changing_The_Site_URL#Changing_the_URL_directly_in_the_database
This will give you a working installation based on your backup from a month ago.
If it’s clean, restore that backup on the main site, then implement those security recommendations mentioned earlier. If it isn’t, you’ll need to edit each infected post.
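An added example, not code from anyone in this thread: the pattern described above (a `<div>` styled `display: none` that contains a link to one known domain) can be located with an HTML parser instead of a regular expression, so nested `</div>` tags are matched correctly and legitimate hidden divs are left alone. It assumes the post content has been exported from the wp_posts table as strings; the function names and the sample post are constructed for illustration.

```python
import re
from html.parser import HTMLParser

HIDDEN = re.compile(r"display\s*:\s*none", re.I)

class _Finder(HTMLParser):
    """Collect (start, end) offsets of hidden <div> blocks whose links mention `domain`."""
    def __init__(self, html, domain):
        super().__init__()
        self.html, self.domain = html, domain.lower()
        # Absolute offset of each line start, to turn getpos() into a string index.
        self.line_starts = [0] + [m.end() for m in re.finditer("\n", html)]
        self.depth, self.start, self.hit, self.spans = 0, None, False, []

    def _offset(self):
        line, col = self.getpos()
        return self.line_starts[line - 1] + col

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if self.depth:                       # inside a hidden div: track nesting
            if tag == "div":
                self.depth += 1
            elif tag == "a" and self.domain in (attrs.get("href") or "").lower():
                self.hit = True
        elif tag == "div" and HIDDEN.search(attrs.get("style") or ""):
            self.depth, self.start, self.hit = 1, self._offset(), False

    def handle_endtag(self, tag):
        if self.depth and tag == "div":
            self.depth -= 1
            if self.depth == 0 and self.hit:  # outer hidden div just closed
                end = self.html.index(">", self._offset()) + 1
                self.spans.append((self.start, end))

def find_injected_blocks(html, domain):
    finder = _Finder(html, domain)
    finder.feed(html)
    finder.close()
    return finder.spans

def strip_injected_blocks(html, domain):
    out, last = [], 0
    for start, end in find_injected_blocks(html, domain):
        out.append(html[last:start])
        last = end
    return "".join(out) + html[last:]

# Constructed sample post: one legitimate hidden div, one injected block.
SAMPLE = ('<p>Real post text.</p>\n'
          '<div style="display:none" id="signup">Newsletter form</div>\n'
          '<div style="display: none;">x <div><a href="http://www.topding.com/x">y</a></div></div>')
```

Running `find_injected_blocks` first gives a list of affected posts and offsets to review by hand; an unclosed hidden div is reported as nothing rather than guessed at.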