I just received a second email from Google Search Console saying that one of my websites, Emma&Nala Jewelry, was hacked. In the email, they sent two URLs that they found to be “suspicious”:
- http://emmaandnala.com/jlyesvgliktwgsg-b899-n26339-gslk/
- http://emmaandnala.com/n34104-kfkou-b890-xxptoayz/
The website config stats:
- Linux Hosting at Avalon hosting, Business package
- WordPress 4.8, updated before this posting
- Plugins:
  - Akismet v3.3.3
  - Contact Form 7 v4.8.1
  - Envato WordPress Toolkit v1.7.3
  - Google Analytics by Yoast v6.2.0
  - Hello Dolly v1.6
  - Instagram feed v1.4.9
  - Instagrate to WordPress v1.2.7
  - Mailchimp for WordPress Lite v4.1.5
  - NextGEN Gallery by Photocrati v2.2.10
  - Post Duplicator v2.20
  - Regenerate thumbnails v2.2.6
  - RevolutionSLider v4.1.4
  - Simply Instagram v1.3.3
  - WooCommerce v3.1.1
  - Woocommerce Category Best Seller Widget v1.0
  - WooCommerce Google Analytics Integration v1.4.3
  - WooCommerce Header Category Image v1.0.0
  - WooDojo v1.5.4
  - WordPress Importer v0.6.3
  - WordPressSEO by Yoast v5.1
  - WP Retina2x v5.0.5
  - WPBakery Visual Composer v4.3.4
Events timeline:
- 12th July 2017: I received an email from the Google Search Console team that someone else was added as admin of the Search Console property for that website
- I logged into Search Console and removed these individuals (silly gmail account)
- I removed the verification .html file from the site root dir. as well, and re-verified myself as an admin (re-added the property)
- this morning, 27th July 2017, I received an email from Google again, listing the two URLs above as malicious
What I did:
- checked web server file-system for any suspicious files/folders -> nothing there
- updated WordPress to 4.8
- updated plugins
- removed all WP users except myself (admin)
Before I start messing with wp.config and similar, is there anything else I can do? Skill level: self-taught newbie in unix, .js, python and a bit of the sql flavors out there.
Many thanks for help!
EDIT 1:
Here are the results of the WordFence scan if anybody would like to take a closer look 🙂
Wordfence scan results in a GoogleDocs file
1 Answer
1st – Scan and identify malware using this free tool: https://sitecheck.sucuri.net. If it gives you infected files, just delete them from your build.
2nd – Install the Sucuri plugin on your website and run again.
3rd – Change the passwords of the admin users
4th – Check for exploits on plugins on this site – https://www.exploit-db.com/
5th – Install the Wordfence Security plugin
6th – Urgently update RevolutionSLider to the latest version
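
The manual file-system check and the rogue Search Console verification file described in the question can be turned into a repeatable audit. The following is an added example, not code from the question or the answer; the function name `audit_docroot`, its parameters and the choice of the three checks are assumptions made for illustration.

```python
import os
import re
import sys
import time

# Google's HTML-file verification uses a root-level file named
# google<16 hex chars>.html; each verified owner has a different one.
VERIFY_RE = re.compile(r"^google[0-9a-f]{16}\.html$")
PHP_EXT = (".php", ".phtml")


def audit_docroot(docroot, my_verification_file, since_epoch):
    """Walk a WordPress docroot and return three sorted lists of relative paths.

    my_verification_file: name of the owner's own google*.html file ("" if none).
    since_epoch: Unix timestamp; code files modified at or after it are listed.
    (Hypothetical helper written for this example.)
    """
    findings = {"foreign_verification": [], "php_in_uploads": [], "modified_since": []}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            lower = name.lower()
            # Verification files only count in the site root.
            if dirpath == docroot and VERIFY_RE.match(lower) and name != my_verification_file:
                findings["foreign_verification"].append(rel)
            # The uploads tree is meant for media; PHP there deserves a look.
            if rel.startswith("wp-content/uploads/") and lower.endswith(PHP_EXT):
                findings["php_in_uploads"].append(rel)
            # PHP and .htaccess changes decide what a URL serves.
            # lstat avoids failing on broken symlinks.
            if (lower.endswith(PHP_EXT) or lower == ".htaccess") \
                    and os.lstat(full).st_mtime >= since_epoch:
                findings["modified_since"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


if __name__ == "__main__" and len(sys.argv) == 4:
    # Usage: audit.py /path/to/docroot googleXXXXXXXXXXXXXXXX.html 2017-07-01
    since = time.mktime(time.strptime(sys.argv[3], "%Y-%m-%d"))
    for kind, paths in audit_docroot(sys.argv[1], sys.argv[2], since).items():
        for p in paths:
            print(kind, p)
```

Modification times are reset by WordPress and plugin updates and can be changed by anyone with write access to the account, so treat the `modified_since` list as a starting point for review rather than proof.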