There is about one month that my WordPress site redirect to unwanted sites. every day I check main files, and I find index.php, wp-config.php, wp-settings.php and load.php in wp-includes injected randomly, an @include an .oti file type which exists in a different place e.g. to a plugin, or to wordpress files randomly. also chmode of index, wp-config changed to 755. every day I delete @include but tomorrow again it is created.
I remove previous plugins and themes and install new plugins, I re install theme, and also I remove previous WordPress main folder with new one, I changed server, DB and admin password, but problem exist. Please help, I ran into a big problem 🙁
2
Answers
Try to run a WordFence scan or use another security plugin of your choice. Then delete the .oti file and restore your wordpress installation.
I’ve seen this on a site of a friend of mine. They reached by having an image uploaded or downloaded from google images. They used that image in one of the comments and got it that way on the server and from there it download a set of JS/PHP scripts.
In short, they had a image that was modified to execute a shell-typed script that could change some of the settings.
Close your plugins for using internet or external images.
Check your actual images if they are all real images (do this on a virtual system for example) otherwise they can start that script again.
Validate your .js files too.
Also, check your cron-jobs on your server/hosting since it comes back every day. Could be that they set it up for restoring your changes.
Personally I would set the site down for a day, download everything to a test server and inspect there what is going on.
Also the comment of WordFence above is a good starting point.
Hope this helps you a bit and I hope you can solve your problem.
Success.