We recently cleaned several sites affected by the recent ConvertPlug plugin vulnerability. In most cases the plugin is bundled with the Avada theme. All Convert Plus versions up to 3.4.2 are vulnerable to attacks.
Users should update to version 3.4.3 ASAP, as this is a critical security issue.
When we clean WordPress sites, we find infected posts and pages most of the time. Hackers use them to build links and articles pointing to non-relevant sites: pills, replica products, essay writing, etc. (SEO spam).
There are two types of injections:
- Repetitive strings which can be replaced easily using a search & replace script. Example:
- Strings which differ from one post to another by a few characters, making it more difficult to apply the search and replace technique. Example:
Tools for search and replace:
- Notepad++ (good for database cleanup): https://notepad-plus-plus.org/
- Better search & replace: https://wordpress.org/plugins/better-search-replace/
- Search Replace DB (WordPress admin access not needed): https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
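The two injection types described above call for different matching strategies. The following is an added example, not code from the original post: a Python sketch that removes an identical injected string with a literal replace and a near-identical variant with a pattern anchored on the stable part of the payload. The post contents, the `spam.example` host and all function names are constructed for illustration.

```python
import re

# Constructed sample rows standing in for wp_posts.post_content (not real injections).
POSTS = {
    1: '<p>Welcome</p><script src="https://spam.example/a.js"></script>',
    2: '<p>News</p><script src="https://spam.example/a.js?id=83f1"></script>',
    3: '<p>Docs</p><script src="https://cdn.example/app.js"></script>',
    4: '<p>Blog</p><script  type="text/javascript" '
       'src=\'https://spam.example/a.js?id=0c7d\'></script >',
}

# Type 1: the same string in every infected post -> literal search & replace.
LITERAL = '<script src="https://spam.example/a.js"></script>'

# Type 2: the payload differs by a few characters per post -> match the stable
# part (host and path) and tolerate the variable part (query string, spacing,
# quote style, extra attributes).
VARIANT = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']https?://spam\.example/a\.js[^"\']*["\']'
    r'[^>]*>\s*</script\s*>',
    re.IGNORECASE,
)

def clean(content):
    """Return (cleaned_content, number_of_removed_injections)."""
    n_literal = content.count(LITERAL)
    content = content.replace(LITERAL, "")
    content, n_variant = VARIANT.subn("", content)
    return content, n_literal + n_variant

def clean_all(posts):
    """Clean every post; return the cleaned posts and a {post_id: hits} report."""
    cleaned, report = {}, {}
    for post_id, content in posts.items():
        cleaned[post_id], hits = clean(content)
        if hits:
            report[post_id] = hits
    return cleaned, report

def residual(posts, marker="spam.example"):
    """IDs that still mention the marker after cleaning and need manual review."""
    return [pid for pid, content in posts.items() if marker in content]

if __name__ == "__main__":
    cleaned, report = clean_all(POSTS)
    print("changed posts:", report)
    print("still suspicious:", residual(cleaned))
```

Run this kind of cleanup against a database export or staging copy, and check the report of changed post IDs before writing anything back.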
Many sites were hacked and injected with the forwardmytraffic malicious script, despite using Wordfence. In most cases, there’s no admin access: wp-admin redirects to forwardmytraffic[.]com. …
If your site is being redirected to various shady sites, you might be infected with a blueeyeswebsite SQL injection. Other common malicious scripts:
Sample code injected in the wp_posts table (the wp_ prefix might differ from one site to another):
We’ve been fixing lots of sites lately that have had their siteurl value changed to either: