Website hijacked on all hyperlinks

All things updated to their latest.
Whichever page is loaded on any browser and device, the first click of any link (on page or inside pull-down menu) would yield a new tab on browser to a random website. It is very annoying and making the business site spam-liked.

We installed a couple anti-hack plugins to scan all files in the domain but this hijacking is still happening.

Any suggestion?

  • Adam Czajczyk

    Hello @marcchow!

    I'm very sorry to hear that this happened to you.

    I'm afraid, however, that if the security plugins are not helping, the site's been seriously "damaged" already. There might be a malicious code in files and/or database and it's very hard to do any "automatic clean up" of such code, if possible at all.

    I think you should start with following steps:

    1. Review user accounts on site and delete all that you either don't recognize or you know they are "dead" or that you think are not really necessary (at least for now).

    2. For all other accounts - even if they are not yours - change passwords (you may inform users that they'll need to use "Lost password" option to regain access)

    3. Scan the site with Defender's "File Scan" and you should get a report in a form of list of files. There might be files reported as "non WP core" and some that might be reported as affected. You will actually need to compare those "non core" files against freshly downloaded WP install and freshly downloaded theme and your plugins' packages to make be sure whether these files a) should be deleted b) should be ignored c) should not be deleted but should be replaced with fresh ones

    3. If that still doesn't help, use freshly downloaded WP package, your theme and your plugin's install files to manually override files on server (via FTP) (make sure that you do not overwrite wp-config.php file and wp-content folder, except from files inside /wp-content/plugins and /wp-content/themes folder).

    If that doesn't help still, you might need to get in touch with your host to try to get them to check server logs in order to try to identify where that hijacking came through and from, in order to be able to specifically secure some aspects of your site and/or e.g. block certain IPs/user-agents etc. Then, you might need to hire a pro to do a full manual clean up of the site for you, I'm afraid.

    You might want to consider asking for that on our "Jobs & Pros" job board (please note: no WPMU DEV staff involved!) here:

    https://premium.wpmudev.org/wordpress-development/

    Kind regards,
    Adam

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.