Help needed with hacked site

  • With regards my wordpress website, I’ve had warning messages, over the last few days from my sucuri and wordfence plugins and it appears that my website have been hacked.

    Many files have appeared in places where they should not be.
    My robots.txt file has been amended and my sitemap.xml file (created by All in One SEO) has been replaced by a html file.
    My site has dropped off the google rankings due to this issue.

    some examples of the rogue files below.

    Where do you suggest I start?
    This is a big website so don’t really want to be re-creating from scratch.
    I’ve got backups but not sure exactly when the issue occurred, may have been a while ago.

    Critical Problems:
    * File appears to be malicious: wp-config.php
    * File appears to be malicious: wp-admin/css/colors/blue/upload/temp/400.lt.tmp.html
    High Severity Problems:
    * Unknown file in WordPress core: wp-admin/css/colors/blue/upload/temp/.ep.txt
    * Unknown file in WordPress core: wp-admin/css/colors/blue/upload/temp/.es.txt
    * Unknown file in WordPress core: wp-admin/css/colors/blue/upload/temp/0.x.txt
    * Unknown file in WordPress core: wp-admin/css/colors/blue/upload/temp/1.x.txt

    * Unknown file in WordPress core: wp-admin/images/e6uqu.png

    * Unknown file in WordPress core: wp-admin/css/colors/blue/upload/temp/temp/sitemap.xml

    If I delete the files via ftp, they get regenerated within a few seconds / minutes.

    any ideas appreciated,.

    thanks,

    colin

Viewing 3 replies - 1 through 3 (of 3 total)

  • Hi, @colinchapman & @queenielow this is a very useful resource, I also used this one & got positive results. You need to create the sitemap from scratch and index that with Google to resolve this issue completely.

    But before proceeding further I would request you to keep Website & Database backup.

    Hi @colinchapman , @elizabethparker,

    I also noticed that there’s a script creating /temp/sitemap.xml in robots.txt. Also, look out for wp-admin/css/color folder, that’s where the xml files reside. The best option is to change your folders permission to 555 but only change wisely and test as you go.

    One more tip, I notice it will create below code into the header.php. If you have multiple themes, do check all of them.

    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-TB66G36');</script>

    Hope this helps anyone who encountered the same issue.

    Cheers,
    Queenie

    Thanks @queenielow for this valuable information. I appreciate your efforts. I will share this post on my social so that those people who are facing the same issue, can get the solution easily.

    Thanks again for this helpful information

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Help needed with hacked site’ is closed to new replies.