One of the sites I help with was hacked and I am having a hard time cleaning it. FlourishSummit.com.
We were seeing mystery admins and scripts like:
To try to resolve it, We
- moved the site to a different virtual server.
- installed a fresh version of WordPress, the theme and fresh plugins.
- moved the images folder from the old site after visual inspection to
be sure all files are legit images or PDFs
- deleted all users from the db except a few necessary admins
- cleaned the db of extraneous tables
- clean htaccess
I’ve been using Wordfence the whole time and securicheck.net to scan. They say its clean but we are still seeing mystery admins appear and Avast showed HTML:Script-inf. I did a search and replace on the db today for the script online-sale24.com/1.js and deleted about 50 instances.
I’m at a loss of what to do next. Any ideas?