ataliare

THANK YOU @konvergenzing!

changing the prefix in the mentioned tables fixed the whole issue for me.

In other words, the following procedure worked:

“I also had to manually update the database in two tables
1) wp_<customPrefix>_usermeta – look through the “meta_key” column and change all values to the correct prefix (it was about 10 values for me).
2) wp_<customPrefix>_options – in the “option_name” column find an entry that looks like “wp_<customPrefix>_user_roles” and change it to the correct prefix.”

I JUST MADE THE EXACT AME MISTAKE on my local MAMP server!

Is there a way to fix this? I cant access the site’s backend and do another find & replace (don’t even know if this would fix it), because nothing works.

Hi uschu60

Thanks for your advice! ??

It sounds like you have the hang of it. I’ve also considered restricting access, but my client needs to be able to log in once in a while because it contains a blog, and since they’re the ones paying for the hosting, denying them access to the hosting service is out of the question. I’ll look through the guide nonetheless. Thanks!

Hey uschu60,

I’m glad, you could use what I wrote.

I’m honestly not sure as to how someone gained access in my case, and I believe it can be for different reasons each time.

I think that in my case it had to do with the fact that my clients, who were responsible for the profile at UnoEuro up until the hack, hadn’t updated any of their login-info since the profile was made in 2013 -.- I updated the information right away and haven’t had issues since. The username was embarrassingly hackable and the password was quite short and simple.

There is another possibility. In 2013 when the profile at UnoEuro was made the at-the-time-developer made a simple website using concrete5 (a totally different cms if I’m right). I suspect some of the tables from said installation are still present in the MySQL-database. I don’t know if this is a potential backdoor, as I haven’t had the time to research it yet, but it’s on my to-do-list. Do you by any chance know whether this is in fact a vulnerability?

Now that I think of it, there was actually also a second WP-installation in the MySQL database with its own tables. These I deleted since they were easy to identify due to their timestamp and the fact that they were slight copies of everything from my own installation.

This may be a dumb question, but can I roll back to a previous version without FTP access? I only have admin access to the WP-dashboard until tonight.

Or, do I have to delete the current directory in the FTP database and replace them with a folder of a previous version of the plugin – and if so, will I lose all my content views?

I FIGURED IT OUT!

For anyone reading in the future:

After spending hours upon hours of digging through my files in my host’s FileAdministrator, I found in the plugins-directory a folder called WPCoreSys, in which was a file called WPCoresys.php. I don’t remember installing anything with this name, so I deleted it, and all the problems in the back-end of my site disappeared. Afterwards I found all the posts, this php-file had made and deleted them. They all had to do with illegal movie or software downloads. These posts weren’t visible from my posts-page (probably because of something the php-file did to hide them) but a quick google of my site revealed movie and software titles, by which I could view the posts in question, click edit at the bottom, and delete from there

TIP: Look for files in your database with generic software names (like WPcoresys), which you don’t remember having anything to do with and examine their code for keywords relating to your problem. If you don’t find any, there are a number of cheap or even free online services that sift through your files in order to identify hacks.

For the noobs like me: Google tings like “torrent site:yoursite.com” or “dvd site:yoursite.com” when looking for things that dont belong there. Or just google your own site and look through the results, and if anything odd pops up, delete it.

Happy WordPressing ??

No worries, I still appreciate your assistance.

Categories, which I add in the dashboard are shown in wp-terms after a short while. I haven’t been measuring traffic yet. The WordFence plugin, I’ve installed, says nothing is wrong. I only have backups of the site from after the error started occurring.

I’m going to look more into this hacking nonsense tomorrow, but I believe I have removed all the foreign terms in the database – they stopped reappearing after a while and nothing strange seems to be left in any of the files (i checked them all) – but let’s wait and see.

Anyone else with insight into this subject is WELCOME to chime in ??

UPDATE (this may be a stupid question but here goes):

So I was looking through the files with the PHPMyAdmin tool and found several wierd elements in the wp_terms folder, like “x86cool” for instance. I’ve googled some of them, and they seem to appear on a lot of different websites seemingly that have no relations to each other. A lot of these words seem to have to do with torrent sites. Does this mean it was hacked?

Hmm, using FileZilla I deleted everything but the wp-content folder and and wp-config.php and replaced it with a fresh wordpress install, but it has made no difference.

Does this mean the error is in one of these files?

Thank you for replying so quickly! I really appreciate the help.

When I create a new post, the list of categories is simply empty. New ones can be added, but I am reluctant to start recreating all the categories, since the original ones still work – besides, newly created ones disappear like the rest after a page-reload. This means, I can technically create new content but I can’t view it where it belongs on the website.

How would I go about reinstalling the WP core without losing all my work on the site? I’m rather new to the idea of messing around with the files outside of the wordpress dashboard.