aintholly

Can you share what tool you used to execute the url search and replace in your database? I’ve run into the same problem, and my own thread has gone unanswered for a week. I read on a different site to *not* use phpMyAdmin to make the changes, but there was no reason given.

Thank you again for the replies. The site is hosted by Webintellects. During the repeated hacks, the cpanel password was one of many we changed. At the hosting provider’s suggestion, we even changed email passwords and deleted unused email accounts.

There’s no longer a site to send WF diagnostics from. We’ve decided to completely erase the public site and temporarily host the blog on a local LAMP installation. Perhaps in the future we’ll re-install on our hosting service, but for now we’re keeping it private. I’ll be sure to install WF from the get-go next time in the hopes we can avoid whatever caused it to be so easily and frequently compromised.

Thank you for the reply. After changing the credentials didn’t help, I completely deleted the FTP user since WordPress no longer requires FTP to update like it used to. I also changed the mysql password after every hack as part of changing all related passwords. While I’d like to know how this latest malicious file was uploaded without FTP access and with no records of the offending IP address showing up in the access logs, we’ve decided to take the drastic route. We’ve completely erased the public_html site, hopefully removing anything that was allowing malicious users to upload files and change the password. The plan is to eventually re-install the latest version of WP and see if that site stays secure. The hosting provider has been involved but hasn’t been able to detect any obvious reason how they continued to gain access.

As an aside, I fired up a Tor browser and tried to find information about hacking WP on onion sites. The continuous nature of the attacks (at least once every 5 minutes according to WF) led me to believe my specific site must have been listed somewhere as an easy-to-attack target. I wasn’t able to find anything in a few hours of searching, but I think there has to be a reason so many hackers from different countries continued to attack the site on a daily basis. Perhaps some remnant of an old theme or plugin was allowing access even though I removed it from WP.

In summary, it seems like we’ll never be certain how attackers were gaining access. We’ll just start from scratch and hope for the best.

Replying to my own post, I think I understand why it was displaying only once. Now I’m using
<?php locate_template( array( 'template-parts/loop-nav.php' ), true ); // Loads the template-parts/loop-nav.php template. ?>
the first place I want to see the next/previous post, and then
<?php get_template_part( 'template-parts/loop', 'nav' ); ?>
the next time I want to see it on the page. If there’s a better way, I’d still like to hear, but it appears to be working for now.