ffwebdesigner

See above: we changed the ftp, mysql und wpadmin pws…twice before and after clean reinstall. and we’ve been using si captcha, which did a good job so far on 20 of my blogs for years. System is definitely clean.

Mostly spam comments. But the also changed footer.php and some admin settings (no admin review of comments eg).

Okay, whole upload dir deleted. Still: to bring a malicious hidden php code in e.g. .jpg extension would mean there has to be code added to wp core files, right? It’s a clean install with changed keys, mysql, wp admin and even ftp wps. Also checked mysql wp_users: just admin. Searched for suspicious code in mysql. No edoced. What happened? New spam 5 minutes ago…Grrrrrrr!

Thanks esmi, i knew link one, did all that. I’m over link 2 now…but should be fine…it’s a clean reinstall with changed pws. That’s what I’m worried about.

excellent solution, Zeniph. Thanks a lot!