Problem:
When you visit your WordPress website you are randomly redirected to unwanted websites.
Verification:
- Log in your website as an Administrator.
- Go to Appearance >> Theme Editor.
- Click on the Theme Functions link on the right side.
- Verify if malicious code was injected into the functions.php file.
Example of malicious code:
<?php @ini_set('display_errors', '0');
error_reporting(0);
global $zeeta;
- Download the wp-config.php file to your machine via FTP or SSH.
- Verify if malicious code was injected into the wp-config.php file.
Example of malicious code:
include_once(ABSPATH . WPINC . '/header.php');
Solution:
- Stop the website.
- Download the whole website to your local machine.
sudo zip -r huybien.zip /var/www/huybien.com/html
- Download the latest version of WordPress.
- Unzip and the latest version of WordPress to a new folder.
- Copy the wp-content/uploads folder, the wp-config.php, .htaccess, web.config, and ads.txt file from your original website to the new folder.
- Review and remove all the suspicious contents in the wp-content/uploads directory of the new folder.
- Go to the wp-content\themes folder of the new folder.
- Manually re-download and unzip all the necessary themes.
- Go to the wp-content\plugins folder of the new folder.
- Manually re-download and unzip all the necessary plugins. Pay attention to the plugins that were closed due to Guideline Violation.
- Delete all your website content in your root directory in your hosting server.
cd /var/www/huybien.com/html
sudo rm -rf *
ls -a
- Zip and upload the new folder to your hosting server.
- Unzip the new content to your root directory.
unzip huybien.zip -d /var/www/huybien.com/html
- Start the website.
Configuration:
- Log in your website as an Administrator.
- Change your Administrator’s password.
- Remove all the unused plug-ins or themes.
- Install, activate and configure a CAPTCHA plug-in to protect Login Form, Registration Form, Lost Password Form, Reset Password Form and Comment Form if there is no one.
- Disable insecure FTP access if there is one.
- Install and activate the Simple History plugin to review access to your website. After 1 or 2 days, review the access information, and possibly block the malicious IP addresses using the Windows Firewall.
- Install, activate and configureĀ Cerber Security plug-in to automatically detect and block the malicious IP addresses.