trying to clean up a WordPress hack

One of the sites I help with was hacked and I am having a hard time cleaning it.

We were seeing mystery admins and scripts like:

type='text/javascript' src=''

To try to resolve it, We

  • moved the site to a different virtual server.
  • installed a fresh version of WordPress, the theme and fresh plugins.
  • moved the images folder from the old site after visual inspection to
    be sure all files are legit images or PDFs
  • deleted all users from the db except a few necessary admins
  • cleaned the db of extraneous tables
  • clean htaccess

I’ve been using Wordfence the whole time and to scan. They say its clean but we are still seeing mystery admins appear and Avast showed HTML:Script-inf. I did a search and replace on the db today for the script and deleted about 50 instances.

I’m at a loss of what to do next. Any ideas?

Source: virus


  1. Daniel Salazar
  2. Edwin

    After troubleshooting this issue, learned it had to do with a vulnerability with the theme I was using. The functions.php file in each theme folder was bad (some strange long string had been added at the beginning) and there were unknown php files scattered throughout the folders. If you think this is your issue, contact your ISP support to identify the files and replace functions.php file with the original (clean) ones you first downloaded. Hope this helps


Leave a Reply