I have a problem with my website, I get information from wordfence about my WordPress website getting hacked
enter image description here add found a code eval($_SERVER['HTTP_81DB2B3']
so i removed it but in a few second the code going back. someone, please help me
2
Answers
If your website got hacked then I guess more than 1 file was affected by it,
case-1: If you are able to access the WordPress Backend In this case, if you are able to access the WordPress backend then I suggest you
Step-1: Add one plugin called (Wordfence Security – Firewall & Malware Scan
) and scan your website with it.
Step-2: After scanning the site remove all suspicious code from the site.
Case 2: If you are not able to access the WordPress backend then you have to update your WordPress manually with the hosting file manager or FTP.
Please Note: Please take a backup of your website before do any changes.
I had something very similar to this. Go to your cPanel and search for "Cron Jobs" and scroll down to see if there’s any malicious cronjobs setup. You might have some that look like
eval(gzinflate(base64_decode(....
that are essentially causing this to reoccur. Not a complete fix to this issue, but you’ll have to delete those cronjobs to ensure that that line of code doesn’t keep reappearing. In addition to that, you’ll also need to make sure those cronjobs don’t show up again. Use a plugin like Wordfence (suggested above as well) to look for malicious files and if it helps replace your home directory (except for wp-content and wp-config) with fresh files.