• [ Moderator note: moved to Fixing WordPress. ]

    I got a call from my Web host, FatCow, saying that my site had been hacked. I can’t swear that they’re not just trying to sell me security, since the site looks normal, but I’m of course worried. They provided two scan files. One identified no problems. The other pointed to footer.php, at least to my eyes, plainly benign. Yet it also pointed to a /blog/wp-includes/index/log file, and I don’t have the expertise to judge this one.

    I’ve updated WordPress and all plug-ins, which may have overwritten problematic files already. But can I obtain clean copies of the needed files if that’s needed? Of course, I can copy here the text of the log file if it helps, and apologies if I have asked this before, since FatCow has raised odd alarms before.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator t-p

    (@t-p)

    – The Exploit Scanner plugin can help detect damage so that it can be cleaned up. Here is another online scanner to check for exploits and malware: https://sitecheck.sucuri.net/scanner/. Other things you should do:

    • Change passwords for all users, especially Administrators and Editors.
    • If you upload files to your site via FTP, change your FTP password.
    • Re-install the latest version of WordPress.
    • Make sure all of your plugins and themes are up-to-date.
    • Update your security keys.
    • See FAQ My Site Was Hacked.

    – Just cleaning out files isn’t enough. When you’re done, you may want to implement some (if not all) of the recommended security measures.

    Thread Starter jhaber31

    (@jhaber31)

    Thanks, but I’ve read the standard document as you mention and indeed cite pretty much verbatim, and you may have misread the question. We have already scanned and pinned any issues down to two files.

    I want to see if I can obtain clean copies of those two — or if I already have from the upgrades yesterday. (Note that I also updated all plugins and themes, including themes I would never use.) I want to avoid if I possibly can installing WordPress again from scratch, because it would be time consuming but also because I’m scared that I’d fail to replicate my site, which had assistance. I’ve backed up files, both by exporting my data with the export tool and by copying via ftp various folders to my computer. But then, of course, I’d be afraid to upload any files that might be themselves the problem.

    Thread Starter jhaber31

    (@jhaber31)

    To put it another way, what does that index/log file do, and can I easily replace it or even delete it hoping that WordPress will regenerate it? I’ve also since installed a security plug-in and activated its firewall.

    Thread Starter jhaber31

    (@jhaber31)

    Let me add a couple of things that might help and might require your expertise.

    First I examined the two files to see if I can understand what they do. Frankly, I can’t, but I’ll say footer.php has two short sections. One is

    if (!defined('_SAPE_USER')){
    define('_SAPE_USER', 'd6dc410efcb0fa5ffda3bc2e0cc99de1');

    and the other involves sape_links. While they look benign at first glance, to do with fonts and such, I Googled for SAPE and saw only old hits variously describing it as a Russian network or conversely something useful in SEO. The other file, index/log, has one long section beginning class SAPE_globals. Does this sound dangerous? I should say that the index subfolder contains over 200 files, all ending links.db and with my domain name in the file name.

    Second, I downloaded the WordPress zip file to my computer. I see that the corresponding folder has neither a footer.php file nor an index subfolder. Given that, should I take a shot at deleting both and seeing if that solves the problem without crippling my site? Thank you. Of course, again, I’ve updated WordPress, plug-ins, and themes; changed passwords, and also added the All in One Security plug-in and activated its basic firewall.

    • This reply was modified 7 years, 8 months ago by jhaber31.
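
The comparison described in the last reply (checking the live `wp-includes` folder against a freshly downloaded WordPress copy, and looking for the SAPE strings quoted in the thread) can be scripted. This is an added example, not part of the thread or of WordPress; the function names and the sample tree are hypothetical and constructed for illustration, and it assumes the clean copy is the same WordPress version as the live site.

```python
import hashlib
import tempfile
from pathlib import Path

# Strings the thread quotes from the two flagged files.
MARKERS = (b"_SAPE_USER", b"sape_links", b"SAPE_globals")

def file_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def audit(live_root, clean_root, subdir="wp-includes"):
    """Compare one core directory of the live site with a clean copy."""
    live = file_hashes(Path(live_root) / subdir)
    clean = file_hashes(Path(clean_root) / subdir)
    extra = sorted(p for p in live if p not in clean)      # not shipped in core
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    # Only files that differ from the clean copy are searched for markers.
    flagged = sorted(p for p in extra + modified
                     if any(m in (Path(live_root) / subdir / p).read_bytes()
                            for m in MARKERS))
    return {"extra": extra, "modified": modified, "markers": flagged}

def build_sample():
    """Constructed sample: a clean tree and a live tree with added files."""
    base = Path(tempfile.mkdtemp())
    layout = {
        "clean/wp-includes/version.php": b"<?php // same in both",
        "live/wp-includes/version.php": b"<?php // same in both",
        "clean/wp-includes/functions.php": b"<?php // original",
        "live/wp-includes/functions.php": b"<?php // edited",
        "live/wp-includes/footer.php": b"<?php if (!defined('_SAPE_USER')) {}",
        "live/wp-includes/index/log": b"<?php class SAPE_globals {}",
        "live/wp-includes/index/example.com.links.db": b"constructed",
    }
    for rel, body in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return base / "live", base / "clean"

if __name__ == "__main__":
    live, clean = build_sample()
    for kind, paths in audit(live, clean).items():
        print(kind, paths)
```

Run it against a downloaded copy of the site rather than the live server, and repeat with `subdir="wp-admin"`; themes and plugins need their own clean copies to compare against.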
  • The topic ‘replace hacked files’ is closed to new replies.