Recovering from a hacked site/Removing a mobile redirect hack

So I have a client that has a site that was apparently hacked, but we aren't sure when or how it happened. We have Wordfence premium on there but can't find the problem. Unfortunately she uses Wishlist Member which is encrypted so we can't see if those files are corrupted.

Anyway the hack makes it so only mobile visitors get redirected, but they are getting redirected to porn sites.

I was wondering if anyone had any advice on how to remove such a hack, since we have already been scanning the site with Wordfence and the only questionable content that comes up is the encrypted files for her premium plugins, which we have actually gone ahead and overwritten with the latest version.

All themes and plugins and WordPress are up to date, but the redirect is still happening. I have also verified the .htaccess is clean too.

Thanks so much for your help.

  • aristath

    Hello there @successfulgeek, I hope you're well today!

    Try this:
    1. Download a fresh copy of WordPress, extract it, and upload all files (via FTP) to your server, replacing all existing files.
    2. Download a fresh copy of all your plugins. Extract them on your PC, then delete all plugins from wp-content/plugins and upload the fresh copies of your plugins there.
    3. Repeat the same process for your themes.

    Please keep a backup of everything before doing that...

    I hope that helps!

    Cheers,
    Ari.

  • Imperative Ideas

    I think it's probably less scorched-earth than @aristath is going. It helps to understand the anatomy of a WordPress hack.

    1. They got in because you left a hole and made it easy. Maybe you left the "Admin" username active, maybe you didn't install a login limiter.

    2. The edit was most likely performed using Appearance -> Editor. A package like iThemes Security will allow you to disable that.

    3. It is unlikely that your plugins were affected. Plugins refresh and update so often that they make a poor target choice. No, what they got was your theme.

    Most of the time, the culprit is in functions.php but more sophisticated intrusions can put additional redundant code elsewhere. Replace your theme entirely. See if it has a "back up settings" option in the admin panel though because it's almost certain that's unaffected.

    In my professional opinion, the best defense against this kind of attack is to use Clef. I just penned a post about that here - https://premium.wpmudev.org/forums/topic/want-real-wordpress-login-security-use-clef

    In the meantime, replace your WP core for good measure (it's actually very hard to infect and not generally done by the kind of bots that jackhammer sites). Definitely replace your theme. You should be good.
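Both replies come down to the same check: put a fresh download of core, plugins and theme beside the live install and look at what differs, with the theme's functions.php and any stray PHP dropped elsewhere as the usual suspects. The script below is an added example (not code from either poster or from Wordfence) that does that comparison offline; the directory layout, the placeholder redirect domain and the eval/base64 string are constructed fixtures, not values from the hacked site.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators that usually co-occur in a device-targeted redirect injection:
# a user-agent check, a Location header, or eval/base64 obfuscation.
SUSPICIOUS = re.compile(
    r"HTTP_USER_AGENT|header\s*\(\s*['\"]Location|eval\s*\(|base64_decode\s*\(",
    re.IGNORECASE)

def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(fresh_root, suspect_root):
    """Files that differ from / were added to / are missing from the fresh copy,
    plus which of the changed files carry redirect or obfuscation indicators."""
    fresh, suspect = hash_tree(fresh_root), hash_tree(suspect_root)
    modified = sorted(p for p in suspect if p in fresh and suspect[p] != fresh[p])
    added = sorted(p for p in suspect if p not in fresh)
    missing = sorted(p for p in fresh if p not in suspect)
    flagged = [p for p in modified + added
               if SUSPICIOUS.search(Path(suspect_root, p).read_text(errors="replace"))]
    return {"modified": modified, "added": added, "missing": missing, "flagged": flagged}

def write(root, rel, text):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Constructed fixture: a clean theme beside a copy carrying an injected redirect."""
    fresh, suspect = tempfile.mkdtemp(), tempfile.mkdtemp()
    clean = "<?php\nadd_theme_support('title-tag');\n"
    write(fresh, "wp-content/themes/demo/functions.php", clean)
    write(fresh, "wp-content/themes/demo/style.css", "/* demo */\n")
    write(suspect, "wp-content/themes/demo/functions.php", clean +
          "if (preg_match('/iPhone|Android/', $_SERVER['HTTP_USER_AGENT'])) {\n"
          "    header('Location: http://placeholder.invalid/'); exit; }\n")
    # Dropped file in the uploads dir: the "redundant code elsewhere" case.
    write(suspect, "wp-content/uploads/.cache.php",
          "<?php eval(base64_decode('CONSTRUCTED_PLACEHOLDER'));\n")
    return compare_trees(fresh, suspect)
```

Run `compare_trees()` on the real install with the fresh extraction as `fresh_root`; every path in `added` and `flagged` is one to read before the wholesale replacement, since that is where the redirect (and any second copy of it) will be.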
