My Wordpress site (on a shared server) was compromised. It's full of spam links when I do a google site: check.
I removed a re-direct through cpanel so at least now the spam pages do not re-direct anymore. The re-direct had a name that was similar to a line in my htaccess file:
RewriteRule ^neabsmoiea.md$ "https\:\/\/post.ristourne.co\/Paket_ch\/" [R=301,L] ~
I assume this means the htaccess file was compromised as well? My site's name is in no way related to the words "neabsmoiea" or "ristourne" if that is relevant.
Naturally I changed all passwords, but I have no idea how to fix this.
My Wordpress site (on a shared server) was compromised. It's full of spam links when I do a google site: check.
I removed a re-direct through cpanel so at least now the spam pages do not re-direct anymore. The re-direct had a name that was similar to a line in my htaccess file:
RewriteRule ^neabsmoiea.md$ "https\:\/\/post.ristourne.co\/Paket_ch\/" [R=301,L] ~
I assume this means the htaccess file was compromised as well? My site's name is in no way related to the words "neabsmoiea" or "ristourne" if that is relevant.
Naturally I changed all passwords, but I have no idea how to fix this.
Share Improve this question edited Nov 17, 2019 at 22:59 Rick Hellewell 7,1412 gold badges23 silver badges41 bronze badges asked Nov 17, 2019 at 15:57 Martin BMartin B 314 bronze badges1 Answer
Reset to default 3Looks similar to a search redirect. You'll see the results when all of your search results go to someplace else.
Lots of ways for it to get in there. But, fix the htaccess. Get a standard one from WP here: https://wordpress/support/article/htaccess/.
Then, you should change all credentials: hosting, ftp, database, MySQL, and WP admin credentials. Look for unknown WP admin accounts (and extra FTP accounts). Check you wp-settings.php and wp-config.php. Look at the index file to ensure no extra code. Look at all files (via your hosting File Manager) to ensure no extra code. Look for hidden ICO files that contain code. Look at the wp-posts and wp-options tables for extra records that contain just numbers/characters.
Cleanup is hard - my process is here https://www.securitydawg/recovering-from-a-hacked-wordpress-site/ . But even then that process is not perfect. I've got one client with a shared hosting and multiple WP and non-WP sites that keeps getting reinfected. And I've done all of the above stuff. Still haven't figured out where it's coming from.