
tobefirst ⚽️

Original poster
The other day, my WordPress site was hacked.

Even though I have it set so no new users can be created, someone was able to create a new administrator and mess some things up. As soon as I got the email that a new user was created, I went in and deleted that user. However, my user count (just above the list) shows 3 users while displaying only 2. So, I'm not sure if the other user actually got deleted, or if it is still there and just being cleverly hidden.

The second problem is that (some of) my links now open new tabs to different sites.

Ugh.

So, I went in to my hosting and reinstalled everything to 2 days before I got that email stating there was a new user. Unfortunately, the issues above persist.

How do I go about fixing this and making sure the site gets back to secure? Would it be advisable to nuke the whole WordPress installation and start over?

If you want to, or are able to, take a look at the code on my site, you can find the site here: soupmagazine.net.

Thanks for any and all help. Let me know what info I can provide to you to help you help me. I appreciate it.

(also, the site running slow is a known issue and something I need to address when I find the time.)
 

TheAppleFairy

Any chance your account has a password that someone can guess if they know you, or they have access to your email and can reset it through the "forgot Password" option?

I would think that you probably have addressed that, but in case you haven't I'd start there.
 

tobefirst ⚽️

Original poster
@TheAppleFairy Good point. The password is something perhaps my wife could guess, but not anyone else, really. I have since changed the password to my account to make it more secure and would not be something she would guess before giving up. :) And, I do trust her. That's good, right? :)

I went to https://sitecheck.sucuri.net/results/soupmagazine.net and it lists a bunch of JavaScript stuff that is harmful. So, I assume that is what is happening. Now I need to know how to fix it.

Thanks for the response. Let me know what else I can do to help you help me.
 

TheAppleFairy

Yeah I just went to your site and I clicked on the contact me and I got some pop-ups saying congratulations you won.

I am not a web expert, hopefully someone can help you here. I figured I'd state what I thought was obvious anyway.

Good luck.
 

Superspeed500

Do you have FTP (or similar) access to the web server? I have compared your index and contact page against a local WordPress installation in my home. The first three lines in both of your pages contain some JavaScript that mine doesn't. Those lines might be the infected code. I have checked the code in a VM, so I will need to transfer it to my host before I can check the code against the malware code.

Looks like you have to open your web pages in a text editor and then remove the JavaScript to remove the virus. You should also check all your other pages for the virus. Also check any file ending with .js. Then reupload the fixed files. Make sure that you have a backup of all site data you need (and databases).

The safest way to be sure that the virus is gone is to reinstall everything, but that might not be so simple.
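
The comparison described in the post above, as an added example that is not part of the original thread: it checks a downloaded copy of the site against a fresh WordPress download of the same version and reports changed core files, files a clean install does not contain, and page files with a `<script>` tag in their first three lines. The function names and the demo trees are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SITE_SPECIFIC = ("wp-content",)          # themes, plugins, uploads: not in a clean download
HEAD_CHECK = {".php", ".html", ".htm"}   # page files where a leading <script> tag is suspicious
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_to_clean(site_root, clean_root, head_lines=3):
    """Return (modified, extra, script_in_head) as lists of relative paths."""
    site_root, clean_root = Path(site_root), Path(clean_root)
    modified, extra, script_in_head = [], [], []
    for path in sorted(p for p in site_root.rglob("*") if p.is_file()):
        rel = path.relative_to(site_root)
        # wp-config.php is created per site, so it has no clean reference either.
        if rel.parts[0] not in SITE_SPECIFIC and rel.name != "wp-config.php":
            reference = clean_root / rel
            if not reference.is_file():
                extra.append(rel.as_posix())
            elif sha256(path) != sha256(reference):
                modified.append(rel.as_posix())
        if path.suffix.lower() in HEAD_CHECK:
            head = b"\n".join(path.read_bytes().splitlines()[:head_lines])
            if SCRIPT_TAG.search(head):
                script_in_head.append(rel.as_posix())
    return modified, extra, script_in_head

def demo():
    """Build a constructed clean tree and a tampered copy of it, then compare them."""
    core = {"index.php": "<?php\nrequire 'wp-blog-header.php';\n",
            "wp-includes/js/util.js": "function util() {}\n"}
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        for root in (clean, site):
            for rel, text in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(text)
        # Constructed tampering: script tag prepended to a core page, one dropped file,
        # and a theme header (site-specific, so only the head check can cover it).
        (site / "index.php").write_text("<script src='//example.invalid/x.js'></script>\n" + core["index.php"])
        (site / "wp-includes/cache.php").write_text("<?php // absent from a clean install\n")
        theme = site / "wp-content/themes/mine/header.php"
        theme.parent.mkdir(parents=True)
        theme.write_text("<script>/* injected */</script>\n<?php wp_head();\n")
        return compare_to_clean(site, clean)
```

Files under wp-content have no clean reference in a core download, so a hit there from the head check needs a manual look or a comparison against the original theme or plugin package.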
 

tobefirst ⚽️

Original poster
Thanks for looking. I do have FTP access and think I can handle what you're talking about. I'll give it a shot.

It may be that I just nuke it. I've been meaning to update it anyway.

Appreciate the response and if there's anything else you or anyone else notices, or can help with (point me in the right direction), I very much appreciate it.
 

MacDawg

I make Duplicator (free plugin) backups of my sites on a semi-regular basis and download them locally.
They allow for a good way to nuke completely and restore your site to a past good install.
Has saved my ass on more than one occasion.

You can also use your phpMyAdmin on your server host to access your database.
There you can do some more in-depth looking at users/passwords, etc.
Especially if you get caught being unable to log in to your Admin:
https://www.fixrunner.com/cannot-login-wordpress-admin-area/
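
The database check suggested in the post above, as an added example that is not part of the original thread: WordPress stores every account in `wp_users` and its role in `wp_usermeta`, so listing administrators straight from those tables does not depend on what the dashboard's user list displays. The query assumes the default `wp_` table prefix; SQLite and the rows below are constructed stand-ins so the example runs offline.

```python
import sqlite3

# The same SELECT can be pasted into phpMyAdmin's SQL tab on MySQL/MariaDB.
# Assumption: default "wp_" prefix; otherwise adjust both table names and the meta_key.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""

ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'   # PHP-serialized role array as WordPress stores it
EDITOR_CAPS = 'a:1:{s:6:"editor";b:1;}'

def constructed_db():
    """In-memory stand-in for the WordPress database, reduced to the columns the query reads."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
                 " user_email TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,"
                 " meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "owner", "owner@example.com", "2015-03-01 10:00:00"),
        (2, "editor1", "editor@example.com", "2016-06-12 09:30:00"),
        (7, "wpsupport", "unknown@example.invalid", "2019-04-02 03:14:00"),
    ])
    conn.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
        (1, "wp_capabilities", ADMIN_CAPS),
        (2, "wp_capabilities", EDITOR_CAPS),
        (7, "wp_capabilities", ADMIN_CAPS),
    ])
    return conn

def list_admins(conn):
    """Every account holding the administrator role, oldest registration first."""
    return conn.execute(ADMIN_QUERY).fetchall()

def unexpected_admins(conn, known_logins):
    """Administrator logins present in the database but not in the owner's own list."""
    return [row[1] for row in list_admins(conn) if row[1] not in known_logins]
```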
 

jonnysods

One option is to delete the bulk of your WordPress files in your FTP but keep the wp-content and wp-config files, and replace with fresh WP files from WordPress.

Also when it's fixed get yourself set up with the right file permissions, and install iThemes Security. Excellent plugin.

If it doesn't work I recommend siteguarding.com to clean the site - they are awesome!
 