Forum Replies Created

Viewing 15 replies - 16 through 30 (of 106 total)
  • too bad….. pharma hackers use this to continue their assaults.

    just makes me wonder why continue to use this susceptible code?

    did you ever get rid of the pharma hacks?
    I have the same problems on one of my WordPress blogs, and have spent months of futile efforts going thru every single one of those solutions posted above.
    and it is still there, seems even worse now too.

    Since I have the same infestation, but only on one of my WordPress blogs, I can totally relate to your frustrations.

    I’ve done every search, thru database, and just about all files, etc. and have come to the conclusion that it is WordPress.
    When you have thousands of files and included addons like SimplePie, etc., just in the plain install, it is just about impossible to find any little blinking thing.
    and Google is the worst for the pharma hacks, serving them up just for the most popular sites, then spamming your Gmail and other mail thru your history. and any Google scripts you add.

    Yeah, you can PAY someone to clean it up, but then you got to wonder if they are the ones who injected the malicious code in the first place.

    in the source code of your index file right under the body tag there is a div with class="y_letup"
    and right after that is the P with the spam injection.
    so I would look in your style CSS files for this injection.

    and have been having similar problems, so can relate on how hard it is to find this bloody code. 7 months now for one of my formerly popular blogs.

    I thought your site looked okay, until I pulled up your page info and found the malicious links, then looked at the source code.

    considering how many plugins, with style sheets, you got a lot of style sheets to look at.
    good luck.
    René

    maybe it does work. but my once popular websites and blog are now just flooded with attempts on login or other administration links or inappropriate links, like for cheap drugs or other stuff.

    one in 23 pages of visitor links came from a link from a friendly site I had referred to.

    all my years of work for nothing but these awful spammers, and Googlebot is just another one of them.

    I don’t want to take this site down, but what’s the point?

    Thread Starter ReneODeay

    (@reneodeay)

    sorry for the delay in reply, have been futilely trying to fix the dread pharma hack on one of my live blogs. (four months)
    But cannot give you a link to my MAMP install, as it is on my computer, and not for sharing.
    am sure I followed instructions.

    this was a great discussion, found a couple plugins I can use on my localhost installs. using MAMP. can’t tell you how many WP installs I have lost the passwords for, this will be so useful. one computer blew the hard drive, and tho I had a full backup the passwords did not work on the restores. just had to delete them and start over, but with the show the password plugins…. well, that’ll save a lot of future experiments and time.
    So thanks.

    Sammy, you can already change the name that is seen on your posts in your user profile. just use the nickname (It is ‘required’)

    Instead of having the ‘by’ or ‘from’ feature display my username ‘bigbob’, I would like it to say ‘Ben B’.

    You do not need a plugin to do that.

    ReneODeay

    (@reneodeay)

    I agree with all of the above. it seems more pharma hacks than ever. and the support seems to have gone AWOL.

    it looks like you may have some code injected. undoubtedly malicious.
    it’s a lot of work to eliminate it. and it gets by all these Sucuri et al. checkers.
    check your header files. when you get into your cPanel file manager. pull up ‘view’ the file first, then ‘code edit’ next and compare. the malicious code block usually shows up right at the beginning in the code editor. but sometimes the injection is at the end of the file.
    for more info search for ‘malicious code injection’, and ‘Magic Shell Include’ information.
    from my experience I’ve come to believe that Google scripts, ads and plugins are some of the sources.
    good luck.
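
The head-and-tail check described in the post above, automated over a whole install; this is an added example, not part of the original post or of any WordPress tooling. The indicator list, the thresholds and the sample file contents are assumptions constructed for illustration.

```python
import os, re, tempfile

# Assumed indicator list; a hit is a lead for manual review, not proof of compromise.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
EDGE_LINES, LONG_LINE = 5, 1000   # lines inspected per edge; suspicious line length

def inspect_edges(data):
    """Return reasons the first or last lines of a PHP file look injected."""
    lines = data.splitlines()
    edges = {"head": lines[:EDGE_LINES], "tail": lines[EDGE_LINES:][-EDGE_LINES:]}
    reasons = []
    for where, chunk in edges.items():
        for line in chunk:
            m = SUSPICIOUS.search(line)
            if m:
                reasons.append(f"{where}: {m.group(1).decode().lower()}() call")
            if len(line) > LONG_LINE:
                reasons.append(f"{where}: line of {len(line)} bytes")
    return reasons

def scan_tree(root):
    """Map each flagged .php file under root (relative path) to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    reasons = inspect_edges(fh.read())
                if reasons:
                    findings[os.path.relpath(path, root)] = reasons
    return findings

def build_sample_tree(root):  # constructed sample files, not taken from a real site
    clean = b"<?php\n/* Theme header */\n" + b"echo 'ok';\n" * 20
    samples = {
        "header.php": b"<?php eval(base64_decode('" + b"QUFB" * 400 + b"')); ?>" + clean,
        "footer.php": clean + b"<?php @eval(gzinflate($x)); ?>\n",
        "index.php": clean,
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reasons in sorted(scan_tree(tmp).items()):
            print(path, "->", "; ".join(reasons))
```

Point `scan_tree` at a downloaded copy of the site rather than the live document root, and compare any flagged file against a fresh copy of the same WordPress, theme or plugin version.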

    doesn’t show up on comment form either way. and get the ‘Captcha code incorrect’ too

    Works perfect on the login.

    Thread Starter ReneODeay

    (@reneodeay)

    First, that Permissions doc is more confusing than ever.
    I’m the only user allowed. except for a couple ‘aliases’, that are also me.
    but neither alias is admin. just authors. (Is that clear?)
    I use an old Dreamweaver on my MacBook Tiger. for editing and FTPing.
    (I do have Leopard on my upgraded Powerbook G4)

    I have access of course to my cPanel, and file manager, which I can use to change permissions, and view and edit files, etc. and to get to the MySQL, and the phpMyAdmin Manager.

    I did contact my SiteGround host, and got one little hint that a malicious code had been added to a file. had to ask them what file, and what code. but they said to clean it up for me I would have to pay them $100 plus. gads, why did I end up there? already paying them over $230 a year for two domains. on shared servers. Linux.

    I am not a wiz, but not a noobie either. tho sometimes I feel like one.

    I wanted to cleanup as much as I could before upgrading. was using an old version of WP cuz I have this old theme I use. and was afraid new upgrades would break it, as it has in the past.

    but trying the 3.5 on a MAMP on my Mac with the old theme seemed to work okay, so was ready to upgrade finally.

    used the auto upgrade included with WP version I was using. which does not remove all the old files. I just went thru and eliminated a lot of those a little while ago.

    Yes, I was getting a lot of comment spam. using Akismet to monitor. now more plugin stuff. turned off comments.

    but seems like after upgrading getting more and more bots hitting the login with ‘admin’ and incoming links like this:
    https://blog.talesofkingtut.com/order-hoodia-online/
    one of the nicer ones. but now using the NotFound plugin.
    so
    using the WordFence plugin, it looks like I may have cleaned it up. the last old plugin eliminated with malicious code in it. surprise! it was the Google Adsense Deluxe one.

    So now, I need to protect my files. and what codes should I use to keep them out? Directory wp-admin 755? and all files in it 644?
    and they all seem to try to hit my wp_content/upload directory too.
    how do I protect that?
    Tried an htaccess, but then my images did not appear in the blog.

    so any more direct advice welcome. please don’t refer me to another confusing doc. I’ve been thru dozens of them.

    Thanks again, Clayton.

    Thread Starter ReneODeay

    (@reneodeay)

    ClaytonJames, I have spent two solid weeks now going thru all that. have failed to find one real doc telling what exactly chmod each directory and file within it should have to enable me to access, the blog to access it, and to keep invaders out.
    oh, there’s one, but doesn’t really tell you the numbers. like 755, or 644, and which files, etc.
    have made myself almost blind going thru each file multi times. have deleted blocks and blocks of malicious code. and the malicious links to my site still keep coming, in fact have increased. and I would really like to block every darn bot and robot on the planet right now, including Google.
    have upgraded, deleted unused and questionably useful but old plugins. themes. etc. etc. etc.
    am using a great plugin for all those 404’s now: Not Found Children. at least until I can fix this, if it can be fixed.
    But I will look at those links to see if there’s something I missed.
    so, thanks.

    BTW, the blog really works fine, it’s just those darn incoming malicious links.

    Thread Starter ReneODeay

    (@reneodeay)

    right. so why am I getting slammed with bogus bots, accessing all my admin files ?
    and getting bad links coming in.
    have located all the bad malicious injection codes, I think. yet it seems to be increasing.

    tried some htaccess blocks, but then my images don’t show up.

    this is getting old.

    You need to add widgets for that. check plugins for widgets, sidebar, social media.
    there are numerous ways to do that.

    You can see some of the ways I did it on my two blogs:
    https://blog.talesofkingtut.com/tuts-blog/

    or
    https://word.reneodeay.com/
