Many sites were hacked and injected with forwardmytraffic malicious script, despite using Wordfence. In most cases, there’s no admin access – wp-admin will forward to forwardmytraffic[.]com.
We’ve been fixing lots of sites lately, which have siteurl value changed to either:
hxxps://forwardmytraffic[.]com/0.js
hxxps://mytemplatewebsite[.]com/0.js
hxxp://wtools[.]io/code/raw/so?
hxxp://erealitatea[.]net
hxxp://blueeyeswebsite[.]com/ad.js
To prevent further data loss, you should immediate backup your database & site files. If you’re unsure how to perform this action, contact your developer or hosting provider.
Second, you should revert the changes made on wp_options ( siteurl value ) & wp_posts ( malicious injections ) tables. In most cases, siteurl and home should be the same.
Useful links:
Wordpress forums, redirected to forwardmytraffic.com in database and alot of scripts : https://wordpress.org/support/topic/site-hacked-despite-wordfence/
Sucuri labs, Side Effects of the Site_url Hack: <a href=”https://labs.sucuri.net/?note=2018-11-20″>https://labs.sucuri.net/?note=2018-11-20 </a>
Cleanup plans: <a href=”https://www.magefix.com/pricing”>https://www.magefix.com/pricing</a>