Help! My site has been hacked.

It’s a waste of time to find out which files have been hacked. Replace all core WP files and clean your theme and database, too. See FAQ: My site was hacked ? WordPress Codex and How to completely clean your hacked wordpress installation and How to find a backdoor in a hacked WordPress and Hardening WordPress ? WordPress Codex

My condolences. You’re not really a website owner until you’ve been hacked at least once.

“Which files have been hacked?” is the wrong question to start with. Assume all files have been hacked until proven otherwise (which can be hard to do). Sometimes the best approach is:

1. Make a copy of the database and uploaded files (images, etc.),
2. Make a list of all themes & plugins you are using,
3. Wipe the site,
4. Reinstall WP with a different, strong password,
5. Reinstall themes & plugins, reload database.

This may sound extreme, but many hacks are multi-level and getting all of the crud out of your site may be far more effort than it’s worth. I have sites on dedicated servers where completely cleaning a hack out took more than a week. A huge PITA.

I am not connected with Automatic (the company that brings you both wordpress.com and .org) but they have a new service at https://vaultpress.com/ to monitor and restore sites in case of things like this. It’s in beta test, but may be worth looking at.

Thanks for the responses songdigtech and hedronist.

Firstly, I had assumed that the core files are good because the hack is restricted to one site while the wordpress install is running 4 others. I really do not want to go through the entire process of creating a new wordpress install and setting up all the sites.

Secondly, there are a few posts I read online where wp-multisite experts claim that the core files are the least likely targets of a wordpress hacker, and that re-installing wordpress is often not necessary.

In any case, I think I have to get professional help on this one. I am way in over my head here. I wish there was some way I could do some damage to the hacker. I used firebug to identify the source of the image: https://www.al-ebda3.com/xxx/1111111111111111111111111.png

Thanks a lot for the advice.

The core files are not invulnerable. We had a person last week ask the forum about some weird behavior on her site. Cause? Hacked index.php file.

I found someone to help me through freelancer. Thanks for the responses, everyone!

The core files are not invulnerable. We had a person last week ask the forum about some weird behavior on her site. Cause? Hacked index.php file.

Clarification: hackers are not coming in via vulnerabilites in WordPress itself.

hackers have been getting in via things like ftp (which is far easier to hack in to than wordpress) and outdated server software. See the last few rounds of hacks at MT and Godaddy.

make sure you update your FTP and Cpanel passwords *as well*.