Greetings,
**I have quite a strange issue.**
I’ve cleaned up a hacked site that had a Gibberish / Link Injection problem. Attacks would come to the site targeting a random URL which would then create an accessible page on the site with random filled up data.
​
>WordFence and Sucuri show no issues with it anymore. While doing manual research of files, I don’t see any issue either myself. However, there are still incoming attacks on the site, primarily from Singapore, where person X is attending to visit gibberish site Y.
​
**The gibberish page itself consists of a random number and then random combination of words**, such as /123456/what-is-going-on! However, the folder it is targeting doesn’t exist anywhere on the server.
​
I’ve secured the site behind Cloudflare and enabled it to block any incoming requests which look like this. However, this isn’t really a solution to the entire situation.
​
* What am I missing?
* What else can be done?
* What could still be causing this problem even after Wordfence and Sucuri say everything is ok?
​
The site is behind a shared hosting, if that could potentially help as an info!
**Any help is greatly appreciated :)!**
[ad_2]
You need to clean the site properly e.g. delete /wp-admin and /wp-includes folder, and the root folder files (except wp-config.php, but make sure it is clean) – then reinstall WordPress. Hopefully your DB isn’t affected, but you may need to clean some posts manually.
You should also delete all your plugins and themes and reinstall from the sources.
[Wordfence’s site cleaning guide is very thorough.])
Whilst WF + Sucuri are good, sometimes they won’t clean a site completely – but definitely leave Wordfence installed after you’ve cleaned the site.
Also, to better secure your site, I highly recommend setting up these WAF rules: [https://gridpane.com/blog/cloudflare-firewall-rules-for-securing-wordpress-websites/])
And setup block (or challenge) rules to block any countries you don’t need traffic from. You can figure out which countries are being troublesome via the WF traffic log in the “Tools” menu.