ekallu

Thank you for the information.

Those instructions advice search wp-content with grep -command via SSH, and investigate modified files with find -command. Are those actions necessary, or is it enough to run complete scan with Wordfence? Wordfence will scan file changes. Is there a difference between what WF scan does, and what these command line commands do?

Problem with grep output is, that I don’t understand it enough to tell what is relevant and what is not.

Cloacked Link Checker alarms on “Checking for cloaking”. Other tests doesn’t alarm. Cloack test gives: “There is a difference of 532 bytes between the version of the page you serve to Chrome and the version you serve to GoogleBot. This probably means some code is running on your site that’s trying to hide from browsers but make Google think there’s something else on the page.”

Output is: [ Completely deleted ]

• This reply was modified 6 years, 2 months ago by ekallu.
• This reply was modified 6 years, 2 months ago by Jan Dembowski. Reason: Removed malware code

I have WP Security Audit Log -plugin, but log didn’t show any suspicious changes.

Wordfence is showing warning on a plugin file: wp-content/plugins/wp-security-audit-log/readme.txt. Comparison shows that some lines are changed, but I don’t know if it’s relevant. I don’t see any code in that file. It seems to be plain textfile.

Sucuri Sitecheck (free scan) didn’t find anything.

Quttera.com scan results is clean.

Thank you all for the information.

“Hi, just to confirm, your WordPress username is *not* Administrator, correct?”

No, “administrator” is the faux one.

I don’t have Jetpack or Ultimate Member plugin. Also, all plugins have latest versions installed.