craftandclover

I went through Sucuri for $200 a year and was very pleased.

Hi there, we almost rebuilt the entire site. As a last ditch effort, we hired Sucuri to clean up the virus and it was well worth the money.

Sucuri did find the virus injections in the theme file. Here was the log from Sucuri:
CLEARED: Cleared malware from file: ./wp-pass.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-register.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/jr-related-products.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/backups/jr-functionsBAK.7.24.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/backups/jr-functions.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/backups/_page-classes-and-dates.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-activation.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-hooks.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-custom.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-actions.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-utils.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-scripts.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-config.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-widgets.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-cleanup.php Details: php.malware.anuna.001.02
CLEARED: Cleared malware from file: ./wp-content/themes/atgResponsive/inc/roots-htaccess.php Details: php.malware.anuna.001.02

Hope that helps!

Thanks for the input everyone! We elevated it to Sucuri who found 16 lines of malicious code that escaped manual and scanned investigation. Thanks for suggesting them, Steve!

No longer banging our heads and everything seems to be running well. Thanks to all who contributed!

We’ve done fresh installs of WP, plugins, etc. and the problem still exists.

By burn it down, do you mean just do a fresh site? Sorry, I want to be sure I am giving solid advice to the client and I want to be sure I understand you correctly. If the problem is in the database, wp-content or uploads, then the issue will still remain, correct?

That logic is pointing me toward a fresh rebuild, from scratch. Does that sound right?

If I directed them to Sucuri or other company, are they guaranteed to find and eradicate the virus?

Thanks again for you help. We’re banging our heads here.

Thanks, Steve!

We have had 2 developers manually investigating the files and have run several scans, including one by Sucuri and nothing is being picked up.

Is it possible the virus is very well hidden and escaping the scans?

Would it make sense to rebuild from scratch if the client is willing to do that?

I see you’re using a minification system for js, html and css – what are you using? I have had good experiences on all my sites with the W3 Total Cache plugin.

I also ran your site through webpagetest.org and it looks like your images, particularly the png file of bg_dark_man are taking a long time to load. I would compress the images either manually or by using a the Smush It plugin.

The waterfall graph shows your html and css files are taking a long time to load as well – did you run your code through the W3C validator (https://validator.w3.org/) to make sure there isn’t any code holding you up?