Problem:
When you visit your WordPress website you are randomly redirected to unwanted websites.
Verification:
- Log in to your website as an Administrator.
- Go to Appearance >> Theme File Editor.
- Click on the Theme Functions link on the right side.
- Verify if malicious code was injected into the functions.php file. Example of malicious code:
<?php @ini_set('display_errors', '0'); error_reporting(0); global $zeeta;
- Download the wp-config.php file to your machine via FTP or SSH.
- Verify if malicious code was injected into the wp-config.php file. Example of malicious code:
include_once(ABSPATH . WPINC . '/header.php');
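The two checks above can be run over every PHP file of the site in one pass. The script below is an added example, not part of the original post: it searches for the two snippets shown above and flags wp-includes/header.php, the file the injected include loads. The function names and the sample tree built by make_sample are assumptions, as is the premise that a fresh WordPress download contains no wp-includes/header.php.

```shell
#!/bin/sh
# Added example (not from the original page). Indicator strings are copied
# from the page; function names and the sample tree are assumptions.
IOC_FUNCTIONS='global $zeeta;'
IOC_CONFIG="include_once(ABSPATH . WPINC . '/header.php');"

# scan_wp ROOT: print "file:line:text" for every indicator hit in *.php files.
# Returns 0 when clean, 1 when something was found, 2 when ROOT is missing.
scan_wp() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -F matches fixed strings, so '$', '.' and '(' are literal, not regex.
    # /dev/null forces grep to print the file name even for a single file.
    out=$(find "$root" -type f -name '*.php' -exec \
        grep -nF -e "$IOC_FUNCTIONS" -e "$IOC_CONFIG" /dev/null {} +) || true
    found=0
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        found=1
    fi
    # Assumption: stock WordPress ships no wp-includes/header.php, so a file
    # at the path the injected include loads is flagged for manual review.
    if [ -f "$root/wp-includes/header.php" ]; then
        echo "$root/wp-includes/header.php: loaded by the injected include, review it"
        found=1
    fi
    return "$found"
}

# make_sample DIR clean|infected: build a constructed miniature site for testing.
make_sample() {
    theme="$1/wp-content/themes/demo"
    mkdir -p "$theme" "$1/wp-includes"
    printf '%s\n' '<?php' "define('DB_NAME', 'example');" > "$1/wp-config.php"
    printf '%s\n' '<?php' '// constructed clean theme file' > "$theme/functions.php"
    if [ "$2" = infected ]; then
        printf '%s\n' "$IOC_CONFIG" >> "$1/wp-config.php"
        printf '%s\n' "<?php error_reporting(0); $IOC_FUNCTIONS" > "$theme/functions.php"
        printf '%s\n' '<?php // constructed placeholder' > "$1/wp-includes/header.php"
    fi
}

# Usage: sh scan.sh /var/hosting/huybien.com/html
if [ -n "${1:-}" ]; then scan_wp "$1"; fi
```

A clean result only means these two strings are absent; the reinstall from fresh copies described below is still the fix.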
Solution:
- Stop the website.
- Download the whole website to your local machine.
cd /var/hosting/huybien.com
ls
sudo zip -r huybien.zip /var/hosting/huybien.com/html
- Download the latest version of WordPress.
- Unzip the latest version of WordPress to a new huybien folder.
- Copy the wp-content/uploads folder, the wp-config.php and ads.txt file from your original website to the new huybien folder.
- Review and remove all the suspicious contents in the wp-content/uploads directory in the new huybien folder.
- Review and remove all the suspicious contents in the wp-config.php file in the new huybien folder. You may need to remove malicious code such as
include_once(ABSPATH . WPINC . '/header.php');
- Go to the wp-content\themes folder of the new huybien folder. Manually re-download and unzip all the necessary themes. Examples:
https://wordpress.org/themes/twentyfourteen/
- Remove all the unused themes.
- Go to the wp-content\plugins folder of the new huybien folder. Manually re-download and unzip all the necessary plugins. Examples:
https://wordpress.org/plugins/advanced-nocaptcha-recaptcha/
https://wordpress.org/plugins/classic-editor/
https://wordpress.org/plugins/contact-form-7/
https://wordpress.org/plugins/highlighting-code-block/
https://wordpress.org/plugins/insert-headers-and-footers/
https://wordpress.org/plugins/simple-history/
https://wordpress.org/plugins/top-10/
https://wordpress.org/plugins/updraftplus/
https://wordpress.org/plugins/wp-cerber/
https://wordpress.org/plugins/wp-mail-smtp/
- Pay attention to the plugins that were closed due to Guideline Violation. Remove all the unused plugins.
- Remove all your website content in the root directory in your hosting server.
cd /var/hosting/huybien.com/html
sudo rm -rf *
ls -a # * does not match hidden files such as .htaccess; check what is left
- Zip and upload the new folder (without the folder name) to your hosting server. The typical path is /home/ubuntu.
- Unzip the new content to your root website directory.
cd /home/ubuntu
ls
sudo unzip huybien.zip -d /var/hosting/huybien.com/html
- Start the website.
Configuration:
- Log in to your website as an Administrator.
- Change your Administrator’s password.
- Change file owner and group to www-data:
sudo chown -R www-data:www-data /var/hosting/huybien.com/html
- IMPORTANT STEP – Set minimum permissions for folders and files:
cd /var/hosting/huybien.com/html
sudo find . -type d -exec chmod 755 {} \; # directory permissions rwxr-xr-x
sudo find . -type f -exec chmod 644 {} \; # file permissions rw-r--r--
- Remove all the unused plug-ins or themes.
- Install, activate and configure a CAPTCHA plug-in to protect the Login Form, Registration Form, Lost Password Form, Reset Password Form and Comment Form if one is not already installed.
- Disable insecure FTP access if there is one.
- Install and activate the Simple History plugin to review access to your website. After 1 or 2 days, review the access information, and possibly block the malicious IP addresses using the Windows Firewall.
- Install, activate and configure the Cerber Security plug-in to automatically detect and block the malicious IP addresses.
- Back up database.
cd /home/ubuntu
ls
mysqldump -u root -p -h localhost huybiencomwp > huybiencomwp.sql
- Back up files.
cd /home/ubuntu
ls
sudo zip -r /home/ubuntu/huybien.zip /var/hosting/huybien.com/html
- Download database and files backup.
- Remove the backups.
sudo rm -rf /home/ubuntu/huybiencomwp.sql
sudo rm -rf /home/ubuntu/huybien.zip
ls