• I have some infected php files in my WordPress theme. I changed my theme and then deleted the one I had been using. Then I downloaded a fresh copy of the theme and installed it on my WP site. I figured I would have to start from scratch with that theme, creating menus, arranging information to be where I wanted it to be, placing widgets where I wanted them, and so on. However, when I installed the fresh copy of the theme and went to customize the theme, it was all back to exactly what it had been: same menus in same places, same articles featured on the home page, even the text widgets had the exact same text in them.

    That tells me that something is left on the site even after a theme is deleted. Maybe that always happens with a theme someone has used, deleted, and then reinstalled. If that’s the case, then I sure would like to know just where those files are stored because I’d like to delete them as well. If it’s not files that belong to the theme itself that stored all that information, it must have something to do with the infection being somewhere else on the site, not just this theme’s files.

    One other aspect of this issue is that the theme was in two different places on my site: the main folder and a subfolder. I deleted the theme from both places. One in the main folder, I could delete from the WP admin area. The other one I deleted through the cPanel. When I reinstalled the theme, I did the same thing: installed it to the main folder from the WP Admin area and to the subfolder through the cPanel.

    I’m resigned to the idea that I might have to get some professional help with this infection. And if that’s true, does anyone have any recommendations? I’m old and have a pretty limited income, so hundreds of dollars is out of the question. It’s not like I make a fortune from my website. (I wish!)

Viewing 7 replies - 1 through 7 (of 7 total)
  • Moderator James Huff

    (@macmanx)

    it was all back to exactly what it had been: same menus in same places, same articles featured on the home page, even the text widgets had the exact same text in them.

    These are all stored in your MySQL database, not the files, so nothing to worry about there necessarily.

    Carefully follow this guide. When you’re done, you may want to implement some (if not all) of the recommended security measures and start backing up your site.

    Thread Starter kaityf

    (@kaityf)

    Wait….I’m confused. What is stored in the database? The “instructions” for what you want the theme to do? I thought that how you customize the theme is stored in the theme’s files. No? I thought it was the content that was in the database. Ugh. I’m confused.

    I had a couple backups but could use them because I couldn’t get access to my Admin area. My host company helped get it back by changing the theme. That’s when I deleted the theme. I installed a plugin that checks for malicious code and it did find some. But next thing I know my site was down again. This time it was because the entire database got wiped out. My host company is going to install the backup they have, but I don’t think it goes back far enough to miss the infection.

    The problem before had been with the eval base64 malicious code. My site was accessible, but connected to some Canadian casino gambling site. And if you searched for my site on Google, you’d get lots of results for that gambling site.

    Anyway, thanks for the guide. I’ll take a look at it and see what I can do.

    Thread Starter kaityf

    (@kaityf)

    Heh. I did see that guide before. I used Wordfence – which is how I discovered the eval base64 code. It was in some php theme files. I was actually running another scan with that plugin when the site went poof and I learned that the database was gone. I’m not saying one caused the other. Just noting that I know about Wordfence. I had also used a cleaner that had been recommended. You install it on your site and then run a scan from the browser. Maybe that’s what I was doing when the site went poof. I know I did more than one scan with Wordfence and one with the cleaner. It might even have been when I tried to start a scan with Malcare, but I didn’t try to fix anything with that.

    I also do have Google Console and do my best to correct issues it finds.

    I’m not sure I can do too much else right now until my site has been restored with the backup.

    Moderator James Huff

    (@macmanx)

    Wait….I’m confused. What is stored in the database?

    All of your content and settings are stored in the MySQL database.

    You can think of the WordPress and theme files as just instructions to what is in the database and render it for the viewer.

    There’s much more to the guide I linked to than Wordfence, it will walk you through cleaning the hack and its vector.

    Thread Starter kaityf

    (@kaityf)

    Sorry to be pesty, but I just reread your message, and see I misread part of it. You were saying that the info for how the theme is customized is all in the database, correct? You weren’t saying that files are not stored in the database (files like your blog entries, etc.), right?

    It’s that the customizing info is not stored in the files, but in the database. I still don’t understand that, though. And if that’s right, then something in the database must be infected.

    For example, I use Google AdSense. The ads are (when the site is up) all for that Canadian casino site. I have AdSense matched content, too. That’s really a mess. It should display an equal number of my articles and ads. The ads are all to the casino site while the pictures from articles on my site are accompanied by titles and links for the casino site. Not by titles and links to my articles.

    All of this stuff would have to be in the database if it’s not in any of the theme files. That’s disturbing.

    Moderator James Huff

    (@macmanx)

    You were saying that the info for how the theme is customized is all in the database, correct?

    Correct.
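
An added example, not part of the original thread: read-only MySQL queries showing where the theme customizations discussed above are stored, plus a first-pass check of the database for injected markup. It assumes the default table prefix `wp_` (the real one is `$table_prefix` in wp-config.php) and can be run from phpMyAdmin in cPanel or the `mysql` client.

```sql
-- Customizer settings: one row per theme that has ever been activated.
-- The row survives deleting and reinstalling the theme's files.
SELECT option_name, LENGTH(option_value) AS bytes
FROM wp_options
WHERE option_name LIKE 'theme\_mods\_%';

-- Widget contents (widget_text, widget_custom_html, ...) and their placement.
SELECT option_name, LENGTH(option_value) AS bytes
FROM wp_options
WHERE option_name LIKE 'widget\_%'
   OR option_name = 'sidebars_widgets';

-- Menus are terms in the nav_menu taxonomy; their entries are posts
-- of type nav_menu_item.
SELECT t.term_id, t.name, tt.count AS items
FROM wp_terms AS t
JOIN wp_term_taxonomy AS tt ON tt.term_id = t.term_id
WHERE tt.taxonomy = 'nav_menu';

-- Site address and active theme: confirm these still point where you expect.
SELECT option_name, option_value
FROM wp_options
WHERE option_name IN ('siteurl', 'home', 'template', 'stylesheet');

-- Options containing script or obfuscation markers. Hits need manual review:
-- a legitimate AdSense widget also contains <script>.
SELECT option_name, autoload, LEFT(option_value, 200) AS preview
FROM wp_options
WHERE option_value LIKE '%<script%'
   OR option_value LIKE '%<iframe%'
   OR option_value LIKE '%base64_decode%'
   OR option_value LIKE '%eval(%';

-- The same markers in posts, pages and other stored content.
SELECT ID, post_type, post_status, post_title
FROM wp_posts
WHERE post_content LIKE '%<script%'
   OR post_content LIKE '%<iframe%'
   OR post_content LIKE '%base64_decode%'
   OR post_content LIKE '%eval(%';
```

Every statement is a SELECT, so nothing is modified. Take a database export before editing or deleting any row the queries turn up.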

    Thread Starter kaityf

    (@kaityf)

    I missed one of your responses. I didn’t mean to suggest that I did everything in the guide. I just meant to indicate that I was familiar with some of what’s listed there. I also used one of the other plugins listed there.

    You can think of the WordPress and theme files as just instructions to what is in the database and render it for the viewer.

    THANK YOU for that. Now it makes sense. Perfect sense.

    As soon as I get access to my admin area, I’m going to do more of what’s in that guide. I already did some of it, like updating everything. I never thought about DUO for security. I really like that. I have to use it for where I teach a couple classes. I probably won’t be able to get to do anything until tomorrow night since tomorrow is one of two days I go in to teach.

    I’ll come back to keep you posted on my progress so you know what’s working for me.

    Thank you again. I feel like I *might* be able to get this fixed myself.

  • The topic ‘Remove ALL Theme Codes and Files’ is closed to new replies.