abletec

rcarp13, w/all due respect, you haven’t completely disabled w3 total cache. For 1 thing, in your wp-config.php file you have:
“define(‘WP_CACHE’, true); // Added by W3 Total Cache”
You may put 2 // before it to comment out that line.

You should also delete advanced-cache.php, db.php, wp-total-cache-config.php, and delete the entire w3tc folder from the Wp-content folder. Alternatively, if you just want to disable it as a trial, deactivate the plugin, & then put a 1 on the end of the above file & folder names, ie,
advanced-cache.ph1 w3tc1, etc.

I think the first thing that needs to happen is that all caching be completely disabled to see if that solves the problem. If so, then we know where the problem lies. If not, then clearly we have to do some aditional digging. I was always taught, that if I heard hoofbeats, look for horses first. Zebras should only be suspected if I’d done a very exhaustive search for horses & found none. Since caching in this scenario is the all-too-common horse, I think it’s likely where we should start. The fact that the date was wrong on your blog when I initially looked at it is further evidence, IMO, that the problem you’re experiencing very probably is a result of caching misconfiguration.

rcarp13, is it when you’re logged into your dashboard that you get this reinstallation message?

Please clear your cache. The date should not be wrong on your blog.

Hello, Anemonex67, & welcome. Truthfully this is not a WordPress issue. I clicked your download link & looked at the email. Examining the email headers, you have no DKIM, no SPF record, & no DMARC. W/o those things, Google, Yahoo, & a bunch of other email & internet service providers will not deliver anything you send. WordPress (or, as in your case, PHPMail) is indeed sending out the email, so, unfortunately, we can’t really help you in this forum.

Google Analytics is still failing to load. Something’s not altogether quite right w/your theme, it seems, as I’m seeing:
GET
https://www.smartylife.net/wp-content/themes/flatsome/assets/css/flatsome.css
GET
https://www.smartylife.net/wp-content/themes/smartylife-theme/css/aps-styles.css

So there’s a smarty life theme (or at leats a smarty life theme stylesheet) & a flatsome theme, which appears to be throwing errors & should likely be updated.

As w/any site, if you don’t need a particular plugin, please delete it, as it may slow down the site & can also leave vulnerable code that can cause your site to become compromised.

Lastly, you’ve got a considerable number of duplicate posts.

Hello, Kevin, & welcome. W/all due respect, Sir, I think changing the .htaccess file is not going to stop the hack.

Since I don’t know if this is a shared, vps, or dedicated server, please be so kind as to let me ramble a bit in order to try to cover the contingencies.

You are clearly very knowledgeable, so some things I say may seem obvious, for which I request pardon ahead of time. However:
* Please make sure any device(s) you use to log onto your website are clean. Changing passwords, etc, as advised below, will do you absolutely no good if malware is sending them home to its command-&-control server.

* The same applies to your network–make certain it’s clean. Please don’t use insecure hotspots, etc, to log into your server. & if you transfer files, please use a secure protocol. All this you know, I’m sure, but just covering bases.

Now, concerning the site–the first thing I’d do if it were I is to lock down the server. This means changing passwords, &, if you have root access, disabling root logins by password & only using SSH keys. If that is not possible, then at least change the password to something that’s beyond tankproof & not something you’ve ever used previously. Secondly, please Change your Plesk password. 3rd, please change your database password, remembering to reflect that change in your wp-config.php file. While you’re at it, please go get some new salts (your wp-config.php file will have instructions on how to do that & replace the ones in wp-config.php w/the new ones. That will log out all users currently logged in.

Next, please log into your dashboard, go to ‘users’ & check to see if there are any users, especially ones w/elevated privileges, that you don’t recognize. Clearly delete these if this is the case.

The next things we want to do are to check if there are any admin accounts created outside of WordPress & to check whether there are executable files in your uploads & other user-generated content. The plugin Wordfence is pretty good in this regard. Here are the scan options I recommend checking, at least in this case. You can note the ones that are unchecked by default & turn them off once this is over.
“Scan core files against repository versions for changes
Scan theme files against repository versions for changes
Scan plugin files against repository versions for changes
Scan wp-admin and wp-includes for files not bundled with WordPress
Scan for signatures of known malicious files
Scan file contents for backdoors, trojans and suspicious code
Scan file contents for malicious URLs
Scan posts for known dangerous URLs and suspicious content
Scan comments for known dangerous URLs and suspicious content
Scan WordPress core, plugin, and theme options for known dangerous URLs and suspicious content
Scan for out of date, abandoned, and vulnerable plugins, themes, and WordPress versions
Scan for admin users created outside of WordPress
Scan for unauthorized DNS changes
Scan files outside your WordPress installation
Scan images, binary, and other files as if they were executable”

Lastly, you should have a look at your database to see if there is hacked content there. Some strings to look for are:

<script
<? php;
base64;
eval 

preg_replace
strrev`

This is not an exhaustive list, & finding some of these strings is not necessarily proof positive that a hack is present, although some are more suggestive than others, ie, strrev doesn’t generally have a purpose in WordPress that I know of.

I hope this proves helpful. Please let us know if you have questions or need additional assistance.

Hello, shannonsgt, & welcome. I’m sorry this is proving difficult for you. WordPress can have a bit of a learning curve sometimes.

Please go to ‘Settings > reading’ on your dashboard & choose the page you wish to be your home page. Don’t forget to save your changes, or you’ll be upset w/yourself.

If you made a menu & then changed your theme, it may well be the old menu won’t work. Here are some instructions from the Theme Foundry site.
https://thethemefoundry.com/tutorials/19-creating-managing-custom-menu/

What plugis are you running?

Hello, bbaronas, & welcome. Can we please see your Nginx config & your sites-enabled/sites-available configs? Also, was Nginx installed from a prebuilt package, or compiled from source, ie, is rewrite available (I am assuming this is the case, but you know what you do when you do that).

Lastly, how are your urls set in the general settings of your dashboard?

Hello, mflour, & welcome. From what you say, it would appear your site may be compromised. If this is indeed the case, then 2 major objectives need to be considered. The first, & obvious, one is to repair the site of any visible damage, get it off any blacklists it may be on, etc. That’s the objective most site owner view as the most important. The 2nd objective, however, is as or more important, & that is to kick the bad guys out who hacked your site & keep them out for good. In the case of nearly, if not every, site compromise, the bad actors leave a “backdoor” into your site which allows them to take control of it at any time. Repairing the damage they cause w/o slamming that backdoor shut & locking it behind you will only cause your hard work of repairing the site to be lost when they go back in & mess it up again.

So, w/that said, here are tips that will help you both repair your site as well as reclaim control of it.

A resource you can go to is:
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked

Here are the steps to take.

First, notify your host, as this might be a serverside hack as opposed to simply a site compromise. Also, if you’re on shared hosting, the hack has the potential to compromise the entire server. Additionally, you may wish to take the site offline, & your host can help you do this. They might not help you–then again, they might. You won’t know unless you notify them. If they say it’s not their responsibility, (& it really may not be), then please continue reading.

Second, scan any devices you will use to log onto your website for malware. It does no good to change credentials, etc., which you will need to do, if malware phones them home to their command & control center. It’s actually better to do more than 1 scan, each using a different program, as no single malware scanner can detect everything.

Third, secure your network. Definitively use a secure file transfer protocol as opposed to unencrypted FTP. The port used for secure FTP varies from host to host. Many use port 22, some 2222, while others use different ports altogether. Check their knowledge base or call their support. You can ask this question when you notify them of the compromise in the first step.

Never log onto your site using a public hotspot, such as those in hotels, cafes, etc. Make sure you’ve changed the default password, Ssid, (&, if applicable) the username on your router/modem. If you don’t use wireless, turn it off in your router’s options.

All these steps are required to ensure that no one can snoop your credentials, etc.

Now that the device you’ll use to fix your site, as well as your network, is secure, it’s time to direct your attention to actually fixing your site.

Next, please log into your website control panel from a secure connection and change all passwords, including those to any databases you may have set up. This includes your control panel/FTP credentials & your WordPress database. Also, change your salt keys as per the instructions in wp-config.php to log out all users. Please make the passwords long, containing upper & lowercase letters, numbers, & punctuation. Don’t forget to reflect the password change to your database in your wp-config.php file.

Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /. If you don’t wish to back up the entire root, then at least back up your uploads folder, as well as others that might contain content that can’t be replaced.

Please also back up your database as well. The article at
http://codex.ww.wp.xz.cn/Backing_Up_Your_Database
shows you how to do that, in case you need it. The section regarding phpMyadmin is likely the most relevant to your case. It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:

<script
<? php;
base64;
eval 

preg_replace
strrev
base64

This is not an exhaustive list, nor is the presence of any of these words conclusive proof of a site compromise, though some are more suggestive than others.

You might also wish at this point to backup your WordPress content. To do that:
* Log into your WordPress dashboard.
* Go to ‘Tools > Export’.
* Choose to export all content.

While in your dashboard, go to ‘Users > All Users’ and delete any users there that you don’t recognize, especially administrators. A WordPress account should never contain the username ‘admin’. If yours does, make an administrative account that does not contain the word (don’t forget to use a very strong password), then delete the old admin username account. Please also change your salt keys as per the instructions in wp-config.php to log out all users.

Also be advised that sometimes supposed image files can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.

If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then completely reinstall WordPress, as well as any plugins or themes you were using. I also advise creating an entirely new database w/a new user & password. You can then import your content into the newly reinstalled site.

Please also let someone knowledgeable look at your .htaccess file so they can make certain no backdoor code exists there.

In summary, here are the steps:
1) Back up your WordPress files, including core, themes, & plugins;
2) Back up your database using PhpMyadmin;
3) Look through the database to insure there is no evidence of the hack;
4) Search the uploads folders for image files that contain code;
5) Let someone knowledgeable look at your .htaccess file.
6) If you have doubts about your database, please have a professional take a look.