I found the solution to these hacks. They have been totally raping my sites for the past 3 weeks and my search traffic dropped like a rock. I’ve probably lost over $1,000+ from these hacks, so in case this has happend to anyone else I have figured out a fix. I am hoping these fixes eliminates everything and they won’t come back.
Go to PhPmyadmin and navigate to your wp_options table. Within this table go to active_plugins and scroll to the center. From here you will find it pointing to a copy of a plugin but with a weird ending file name. I found fake files ending in .bak and .old. Delete the little piece of code that looks something like this: a:9:{i:0;s:21:”fakefile.old” Deleting this piece of code will deactivate all your plugins, so go reactivate them. Sometimes I also found this “../../../../../../../../../../../../../../../../../../../../../../tmp/tmpYwbXT2/sess_779ceef92a4fdcc17bb5ee3f13348bfd” pointing to a fake plugin in the root.
Also go to your FTP client and go to where the fake file is pointing and be sure to delete this file.
Use the tool found at this page: https://www.akamarketing.com/blog/111-use-wordpress-check-the-source-of-your-google-cache-for-hidden-spa-links.html
To pretend like you’re the google bot and find out if all of your spam links are still showing up or not.
I also took the advice of this post: https://linux.byexamples.com/archives/397/wordpress-exploit-we-been-hit-by-hidden-spam-link-injection/
and deleted anywhere in wp_options that I found wordpress_options or internal_links_cache tables. I found internal_links_cache tables in my wp_options on every site.
Also delete the “WordPress” user from the wp_users table.
To prevent further hacking attempts I…
…installed the AMAZING AskApache Password Protect plugin. This will lockdown your wp-admin and wp-logins with .htaccess. I highly recommend it.
…Placed a blank index.html file in my plugins directory as suggested by Matt Cutts. This prevents hackers from exploiting my plugins.
