abletec

Hello, overlordganryu, & welcome. First, I’m really sorry this has happened. The problem is, of course, that hackers are seldom ever harmless, ie, once they have control of your site, they can do whatever they wish. Sometimes it’s “harmless”, sometimes it’s so not harmless, & what they do can change at any time & on their whim. 1 minute they can deface a page w/messages of peace & love, the next they can be sending spam or infecting your visitors w/malware. So it’s important to regain control of your site. I’m going to post instructions. They’re long. I’m sorry for that. Please read & follow them closely, & if there’s anything you don’t understand, please get back & let us know so we can help further.

A resource you can go to is:
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked

When dealing w/a site compromise, the objectives are twofold:
1) Fix the site; &
2) Fix backdoors that the hacker used to gain entrance into your site, so this hopefully will not happen again.

Most people place great emphasis on objective #1, but, in truth, the 2nd one is actually the most important, as, without it, your site will continue to be reinfected.

Here are the steps to take.

First, notify your host, as this might be a serverside hack as opposed to simply a site compromise. Also, if you’re on shared hosting, the hack has the potential to compromise the entire server. Additionally, you may wish to take the site offline, & your host can help you do this. They might not help you–then again, they might. You won’t know unless you notify them. If they say it’s not their responsibility, (& it really may not be), then please continue reading.

Second, scan any devices you will use to log onto your website for malware. It does no good to change credentials, etc., which you will need to do, if malware phones them home to their command & control center. It’s actually better to do more than 1 scan, each using a different program, as no single malware scanner can detect everything.

Third, secure your network. Definitively use secure FTP as opposed to regular FTP. The port used for secure FTP varies from host to host. Many use port 22, some 2222, while others use different ports altogether. Check their knowledge base or call their support. You can ask this question when you notify them of the compromise in the first step.

Never log onto your site using a public hotspot, such as those in hotels, cafes, etc. Make sure you’ve changed the default password, Ssid, (&, if applicable) the username on your router/modem. If you don’t use wireless, turn it off in your router’s options.

All these steps are required to ensure that no one can snoop your credentials, etc.

Now that the device you’ll use to fix your site, as well as your network, is secure, it’s time to direct your attention to actually fixing your site.

Next, please log into your website control panel from a secure connection and change all passwords, including those to any databases you may have set up. This includes your control panel/FTP credentials & your WordPress database. Also, change your salt keys as per the instructions in wp-config.php to log out all users. Please make the passwords long, containing upper & lowercase letters, numbers, & punctuation. See
http://www.brighter-vision.com/protect-yourself-with-passwords-or-pay
for examples of how to do this.

Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /. If you don’t wish to back up the entire root, then at least back up your uploads folder, as well as others that might contain content that can’t be replaced.

Please also back up your database as well. The article at
http://codex.ww.wp.xz.cn/Backing_Up_Your_Database
shows you how to do that, in case you need it. The section regarding phpMyadmin is likely the most relevant to your case. It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:

<script
<? php;
base64;
eval 

preg_replace
strrev

This is not an exhaustive list, nor is the presence of any of these words conclusive proof of a site compromise, though some are more suggestive than others.

You might also wish at this point to backup your WordPress content. To do that:
* Log into your WordPress dashboard.
* Go to ‘Tools > Export’.
* Choose to export all content.

While in your dashboard, go to ‘Users > All Users’ and delete any users there that you don’t recognize, especially administrators. A WordPress account should never contain the username ‘admin’. If yours does, make an administrative account that does not contain the word (don’t forget to use a very strong password), then delete the old admin username account.

Also be advised that sometimes supposed image files can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.

If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then completely reinstall WordPress, as well as any plugins or themes you were using. I also advise creating an entirely new database w/a new user & password. You can then import your content into the newly reinstalled site.

Please also let someone knowledgeable look at your .htaccess file so they can make certain no backdoor code exists there.

In summary, here are the steps:
1) Back up your WordPress files, including core, themes, & plugins;
2) Back up your database using PhpMyadmin;
3) Look through the database to insure there is no evidence of the hack;
4) Search the uploads folders for image files that contain code;
5) Let someone knowledgeable look at your .htaccess file.
6) If you have doubts about your database, please have a professional take a look.

Lori, you’ve provided a lot of good information–thanks. Htdocs is your root folder, generally speaking.

When I go to galico.international, I do get the WordPress configuration screen. Please install that quickly now, as there is a hack about that scans for an incomplete installation & takes over the site.

While I normally use SSH to change ownership, an FTP client called WinSCP can also do this task. It’s available from winscp.net .

Once downloaded & installed, create a new site & enter your FTP info there. Next, right-click a folder & select ‘Properties’. Once that’s done, you can edit the user/group owner, then check the box to change ownership recursively, & wait–& wait…

Lori, I’m saying you can change ownership via an FTP client.

Good job! But is that the only 1? & how did it/they get there in the first place?

It looks like it’s actually embedded in a stylesheet & positioned so that it’s off screen. Having said that, please understand that unless you not only fix the corrupted files but also secure your site, the hack will simply recur. It may take another form, but it will at some point rear its ugly head again.

Hello, BaldEmotions, & welcome. I’m really sorry this is happening to you. This is long. Please read it, & please let us know if there’s anything you don’t understand/if you have questions.

A resource you can go to is:
http://codex.ww.wp.xz.cn/FAQ_My_site_was_hacked

When dealing w/a site compromise, the objectives are twofold:
1) Fix the site; &
2) Fix backdoors that the hacker used to gain entrance into your site, so this hopefully will not happen again.

Most people place great emphasis on objective #1, but, in truth, the 2nd one is actually the most important, as, without it, your site will continue to be reinfected.

Here are the steps to take.

First, notify your host, as this might be a serverside hack as opposed to simply a site compromise. Also, if you’re on shared hosting, the hack has the potential to compromise the entire server. Additionally, you may wish to take the site offline, & your host can help you do this. They might not help you–then again, they might. You won’t know unless you notify them. If they say it’s not their responsibility, (& it really may not be), then please continue reading.

Second, scan any devices you will use to log onto your website for malware. It does no good to change credentials, etc., which you will need to do, if malware phones them home to their command & control center. It’s actually better to do more than 1 scan, each using a different program, as no single malware scanner can detect everything.

Third, secure your network. Definitively use secure FTP as opposed to regular FTP. The port used for secure FTP varies from host to host. Many use port 22, some 2222, while others use different ports altogether. Check their knowledge base or call their support. You can ask this question when you notify them of the compromise in the first step.

Never log onto your site using a public hotspot, such as those in hotels, cafes, etc. Make sure you’ve changed the default password, Ssid, (&, if applicable) the username on your router/modem. If you don’t use wireless, turn it off in your router’s options.

All these steps are required to ensure that no one can snoop your credentials, etc.

Now that the device you’ll use to fix your site, as well as your network, is secure, it’s time to direct your attention to actually fixing your site.

Next, please log into your website control panel from a secure connection and change all passwords, including those to any databases you may have set up. This includes your control panel/FTP credentials & your WordPress database. Also, please open your wp-config.php file & change your salt keys as per the instructions there in order to log out all users. Please make the passwords long, containing upper & lowercase letters, numbers, & punctuation. See
http://www.brighter-vision.com/protect-yourself-with-passwords-or-pay
for examples of how to do this, some of which are from folks who are decidedly nontechnical. You’ll need to edit your wp-config.php & change the database password there as well.

Next, take a backup of your website’s files. Be certain to label it such that the label contains both the date you backed it up on, as well as the word “hacked”–we certainly don’t want you accidentally restoring this backup! This can be helpful, though, in terms of perhaps being able to determine how this occurred, though my feeling is that it likely did so because of an outdated site. Probably you should just back up your web root. Depending on your host, it might be called public_html, htdocs, www, or /. If you don’t wish to back up the entire root, then at least back up your uploads folder, as well as others that might contain user-generated content that can’t be replaced.

Please also back up your database as well. The article at
http://codex.ww.wp.xz.cn/Backing_Up_Your_Database
shows you how to do that, in case you need it. The section regarding phpMyadmin is likely the most relevant to your case. I also have a shorter, somewhat less technical article, at https://brighter-vision.com/2016/07/24/backing-up-your-database-with-phpmyadmin/ , which you may find easier. It’s going to be necessary to search that database file to see if any evidence of the hack exists there. That can be done by opening the file in a text editor. To start off with, consider searching for the words:

<script
<? php;
base64;
eval 

preg_replace
strrev

Please note that this is not an exhaustive list, nor is the presence of any of these words conclusive proof of a site compromise, though some are more suggestive than others.

You might also wish at this point to backup your WordPress content. To do that:
* Log into your WordPress dashboard.
* Go to ‘Tools > Export’.
* Choose to export all content.

While in your dashboard, go to ‘Users > All Users’ and delete any users there that you don’t recognize, especially administrators. A WordPress account should never contain the username ‘admin’. If yours does, make an administrative account that does not contain the word admin (don’t forget to use a very strong password), then delete the old admin username account.

Also be advised that sometimes supposed image files can contain code, so open all your image files, particularly in your uploads folders, to ensure they really are images & don’t contain code. Better yet, if you have the images on your machine, replace files in the uploads folders with them.

If you find nothing, either in your database or in your /uploads folders, then the next step is to delete, then completely reinstall WordPress, as well as any plugins or themes you were using. I also advise creating an entirely new database w/a new user & password. You can then import your content into the newly reinstalled site.

Please also let someone knowledgeable look at your .htaccess file so they can make certain no backdoor code exists there. Feel free to paste it here, enclosing it in , ie:

line 1
line 2

Or you can simply delete your .htaccess file & use the one WordPress generates when saving permalinks, but if your .htaccess file has other options besides those in the WordPress section, then that may not be the best course of action to take.

In summary, here are the steps:
1) Back up your WordPress files, including core, themes, & plugins;
2) Back up your database using PhpMyadmin;
3) Look through the database to insure there is no evidence of the hack;
4) Search the uploads folders for image files that contain code;
5) Reinstall WordPress, including plugins & themes you were using, from known good copies.
6) Let someone knowledgeable look at your .htaccess file.
7) If you have doubts about your database, please have a professional take a look.

You should also join Google Search Console if you haven’t already to find out if they’re flagging anything. Once you’re certain the site is cleaned up, you can request a review/reconsideration from Google if indeed they found bad content. Others may flag your site as well, causing browser warnings. In order to get these cleared, you may need to go to stopbadware.org & request a review.

It’s a pretty involved process, unfortunately, but following the steps methodically & carefully should result in the desired outcome.

From the discussion, it looks as though the plugin has been updated w/the changes. So I’d recommend seeing if the plugin has an update via your dashboard, & if so, running said update & see if it helps.