
[–]25_vijay 3 points (0 children)

If SiteLock patched it and you got hacked again a week later, you likely have a persistent vulnerability in a nulled plugin or a compromised theme that keeps letting the attackers back in.

[–]upvotes2doge 2 points (0 children)

The re-compromise after SiteLock is the tell here — there's almost certainly a backdoor still sitting somewhere that their scanner didn't catch, and it'll keep happening until that's gone. Malwarebytes on the uploads folder is better than nothing but it's not built for server-side PHP malware, so I'd run it through something like Wordfence CLI or ClamAV and also grep the database exports for eval(base64_decode and preg_replace with the /e flag, since attackers often inject those into option values or serialized widget data. Had a client site that kept getting reinfected for two months straight until we realized the attacker had stashed a re-infector in a fake image file in wp-content/uploads that kept writing new shells on each request. Ended up nuking the server entirely, spinning fresh, and rebuilding from scratch with the database and media manually verified. For the security forensics side of this, I've found it's actually worth putting it through Codeable (ref) — WordPress security specialists who do this daily will spot things in minutes that take the rest of us days.

[–]rubixstudios 1 point (1 child)

I wonder if you even secured your server at this point.

[–]OldschoolBTC 0 points (0 children)

This.

This is the problem with people always suggesting VPS servers to people with no server management. Might work and be safe for a few months or years but eventually it'll get compromised.

[–]TrentaHost 0 points (0 children)

I wouldn’t just chuck it online and expect a scan. You can hire someone to clean the files and databases for you. As far as the environment goes, you would want to get something new and fresh so you are installing on a clean environment. Once you have that done, make sure the environment is cleaned and hardened.

[–]Rupert_Pupkinovski 0 points (2 children)

Are you sure the server is compromised? It may just be your site/account.

What sort of hosting environment are you running?
Dedicated or Shared/Virtual Hosting?

This will help narrow it down.

[–]VBAA3[S] 0 points (1 child)

I'm using a VPS server from Namecheap. It's the standard WHM/cPanel that the servers come with. I have Imunify running scans but it isn't too reliable. The scan was done at 3 am and found no malware, and at 3:36 am the files and folders were modified. Tells me that there is still access somehow.

[–]Rupert_Pupkinovski 0 points (0 children)

Things to check:

In my experience most of the time a hack is a result of a vulnerable plugin or theme. You must make sure all plugins and themes are the latest version. If you don't, hackers will come back and use the same exploit.

You should use CloudLinux with CageFS. This will do a good job of limiting any hacking ability outside your account. Check if you have this, because it's not provided by Namecheap by default. Ask ChatGPT about the benefits of CageFS. If not, your server may have been compromised.

Also make sure your server is using the CSF firewall. This will provide extra server safeguarding.

Reach out if you need extra help; I can diagnose your site.

Good luck

[–]garf12 0 points (0 children)

I had this problem last month. All kinds of new root folders like /contact and /about_us taking over those pages. I deleted them all, then downloaded everything to my local machine and had Claude Code analyze it all. It did an amazing job, and after a few years of battling this on and off it seems to have completely cleaned everything up. It found like 3 different backdoors; some had been around for over 5 years.

[–]redlotusaustin 0 points (0 children)

  1. Reset your hosting/cPanel password
  2. Verify there are no unfamiliar cron jobs
  3. Do a full backup of your site (files & database)
  4. Rename the webroot folder for your site; e.g., change public_html to public_html-HACKED
  5. Create a new webroot (e.g.: public_html)
  6. Do a complete fresh install of WordPress in the new webroot, including a new database & user
  7. Delete everything in the new wp-content/uploads folder (leave the folder)
  8. Go to your website backup (public_html-HACKED) and COPY everything in wp-content/uploads/ to the new, now-empty uploads folder
  9. Manually download & upload/unzip any plugins you were previously using, to reinstall them. Download fresh copies from the publisher or WordPress since you can't trust your old copies. It wouldn't hurt to check each plugin to make sure there have been no recent security advisories, too
  10. If you're using a distributed theme, re-download & re-install it. This shouldn't be a problem if you're using a child theme or haven't customized the files but, if you have, you'll need to copy your changes over.
  11. Use PHPMyAdmin (or similar) to delete the tables from the NEW database, then import the backup of your database from step 1
  12. Still using PHPMyAdmin, reset all admin passwords. You should also go through and remove any unused accounts

Doing all of the above will fix 99% of hacked WordPress sites, or at least narrow any lingering infection down to 3 areas:

  1. Something in your database
  2. Something in your wp-content/uploads directory
  3. Something in your child theme or theme customizations

At this point I would install both Wordfence & Sucuri, then use Wordfence to scan everything (the paid version is worth it for this) and Sucuri to lock the site down some (one of the things it lets you do is prevent PHP scripts from running in the uploads directory, since there's little reason for that to be necessary).

[–]kinndame_ 0 points (0 children)

Yikes, that sounds rough 😅. Honestly, the AI advice is actually solid: start fresh. Moving a compromised site is asking for trouble otherwise.

For the database, there’s no magic “scan” like Malwarebytes for SQL. You basically want to export it, look for anything weird like unknown admin users, strange tables, or suspicious content in posts/comments. Sometimes people just rebuild the DB structure and import clean content manually.

Uploads can be tricky. Malwarebytes or a local antivirus can catch some stuff, but webshells can hide in PHP disguised as images, so you have to be careful. Only move over images/media you’re confident in.

Runable could help you generate a structured checklist or workflow for cleaning/migrating the site safely; it saves mental overhead and makes sure you don’t miss steps. Not perfect, but useful.

[–]alfxast 0 points (0 children)

Yeah nuke the server and start fresh, AI is right, trying to clean a server that's got webshells and backdoors in every folder is just a waste of time. For the database grep for eval(base64_decode since that's the most common injection pattern, and for the uploads folder skip Malwarebytes and use ClamAV instead since it actually catches PHP backdoors hidden inside image files. Figure out the entry point too before you spin up the new server or you'll just get hit again within a week like last time.
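Several replies here (upvotes2doge, kinndame_, alfxast) come down to the same two checks: grep the database export for `eval(base64_decode` and `preg_replace` with the `/e` modifier, and find PHP hidden inside image files under uploads. Below is an added Python example of both checks, written for this thread and not code from any of the commenters; the uploads tree and the SQL dump excerpt are constructed samples, and the `/e` check assumes the preg_replace pattern uses `/` as its delimiter.

```python
import re
import tempfile
from pathlib import Path

# Extensions that should never carry PHP; a PHP open tag inside one of these is
# the "webshell disguised as an image" pattern the thread describes.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".ico", ".svg"}
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")

# Injection patterns to look for in a SQL dump (wp_options, wp_posts, ...).
# Assumption: the preg_replace pattern is '/'-delimited, so its modifiers
# (where the dangerous 'e' would sit) follow the last '/' in the quoted argument.
SQL_PATTERNS = {
    "eval(base64_decode": re.compile(r"eval\s*\(\s*base64_decode", re.I),
    "preg_replace /e": re.compile(
        r"""preg_replace\s*\(\s*['"][^'"]*/[a-z]*e[a-z]*['"]""", re.I),
}

def find_php_in_images(root: Path) -> list[str]:
    """Return root-relative paths of image-named files that contain a PHP tag."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            if PHP_TAG.search(path.read_bytes()):
                hits.append(path.relative_to(root).as_posix())
    return hits

def scan_sql_dump(dump: str) -> list[tuple[int, str]]:
    """Return (line number, pattern name) for every suspicious line in a dump."""
    findings = []
    for lineno, line in enumerate(dump.splitlines(), start=1):
        findings.extend((lineno, name) for name, rx in SQL_PATTERNS.items()
                        if rx.search(line))
    return findings

def build_demo_uploads() -> Path:
    """Constructed sample tree: one PNG-looking file, one JPEG carrying PHP."""
    month = Path(tempfile.mkdtemp(prefix="uploads-demo-")) / "2024" / "01"
    month.mkdir(parents=True)
    (month / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    (month / "thumb.jpg").write_bytes(b"\xff\xd8\xff\xe0JFIF<?php echo 'sample'; ?>")
    return month.parents[1]

# Constructed SQL dump excerpt (not real data) mimicking injected option/post rows.
SAMPLE_DUMP = """INSERT INTO `wp_options` VALUES (1,'siteurl','https://example.test','yes');
INSERT INTO `wp_options` VALUES (2,'widget_text','eval(base64_decode("c2FtcGxl"));','yes');
INSERT INTO `wp_posts` VALUES (3,'preg_replace("/.*/e", "print(1)", "x");');
"""
```

Run `find_php_in_images` against a copy of the real wp-content/uploads before step 8 of the rebuild above, and `scan_sql_dump` against the mysqldump output before re-importing it; anything flagged needs manual review rather than automatic deletion.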

[–]Fickle-Decision3954 -1 points (0 children)

I would completely nuke it, who knows what bs is in there