SiteURL hack mytemplatewebsite[.]com/0.js

Last updated: June 04 2019

We’ve been fixing lots of sites lately, which have siteurl value changed to either:
hxxps://mytemplatewebsite[.]com/0.js
hxxp://wtools[.]io/code/raw/so?
hxxp://erealitatea[.]net
hxxp://blueeyeswebsite[.]com/ad.js

This hack is a result of the WP GDPR Compliance vulnerability.

To prevent further data loss, you should first backup your database & site files.

Second, you should revert the changes made on wp_options table ( siteurl value ). In most cases, siteurl and home should be the same.

Here are some good tutorials for siteurl change:

Change WordPress Site URL Via phpMyAdmin: https://www.hostdime.com/kb/display/HR/Change+WordPress+Site+URL+Via+phpMyAdmin
Change and Update WordPress URLS in Database When Site is Moved to new Host: https://wpbeaches.com/updating-wordpress-mysql-database-after-moving-to-a-new-url/

Siteurl should be changed manually, editing site’s database table wp_options. Look for a record where option_name is equal to “siteurl“.
Note: Changing siteurl using wp-config.php values is not recommended in this case – database will remain infected.

Lastly, you need to make sure that other tables are not affected by the siteurl hack. To do that, you’ll need to use a search and replace tool.

Make sure .htaccess file is malware free – best way to do that is to replace its content with the default source code.

Useful links:
Sucuri labs, Side Effects of the Site_url Hack: https://labs.sucuri.net/?note=2018-11-20
Sucuri scanner: https://sitecheck.sucuri.net/
Cleanup plans: https://www.magefix.com/pricing

Let us clean your site