Hacked WordPress website, as notified by Google Search Console, what to do? [closed]

I just received a second email from Google Search Console saying that one of my websites, Emma&Nala Jewelry, was hacked. In the email, they sent two URLs that they found to be “suspicious”:

  1. http://emmaandnala.com/jlyesvgliktwgsg-b899-n26339-gslk/
  2. http://emmaandnala.com/n34104-kfkou-b890-xxptoayz/

The website config stats:

  • Linux Hosting at Avalon hosting, Business package
  • WordPress 4.8, updated before this posting
  • Plugins:
    • Akismet v3.3.3
    • Contact Form 7 v4.8.1
    • Envato WordPress Toolkit v1.7.3
    • Google Analytics by Yoast v6.2.0
    • Hello Dolly v1.6
    • Instagram feed v1.4.9
    • Instagrate to WordPress v1.2.7
    • Mailchimp for WordPress Lite v4.1.5
    • NextGEN Gallery by Photocrati v2.2.10
    • Post Duplicator v2.20
    • Regenerate thumbnails v2.2.6
    • RevolutionSLider v4.1.4
    • Simply Instagram v1.3.3
    • WooCommerce v3.1.1
      • Woocommerce Category Best Seller Widget v1.0
      • WooCommerce Google Analytics Integration v1.4.3
      • WooCommerce Header Category Image v1.0.0
    • WooDojo v1.5.4
    • WordPress Importer v0.6.3
    • WordPressSEO by Yoast v5.1
    • WP Retina2x v5.0.5
    • WPBakery Visual Composer v4.3.4

Events timeline:

  1. On 12th July 2017 I received an email from the Google Search Console team that someone else was added as admin of the Search Console property for that website
  2. I logged into Search Console and removed these individuals (silly Gmail account)
  3. I removed the verification .html file from the site root dir as well, and re-verified myself as an admin (re-added the property)
  4. This morning, 27th July 2017, I received an email from Google again, listing the two URLs above as malicious

What I did:

  • checked web server file-system for any suspicious files/folders -> nothing there
  • updated WordPress to 4.8
  • updated plugins
  • removed all WP users except myself (admin)

Before I start messing with wp.config and similar, is there anything else I can do? Skill level: self-taught newbie in Unix, .js, Python and a bit of the SQL flavors out there.

Many thanks for help!

EDIT 1:
Here are the results of the WordFence scan if anybody would like to take a closer look 🙂

Wordfence scan results in a GoogleDocs file

1 Answer
1

1st – Scan and identify malware using this free tool: https://sitecheck.sucuri.net. If it gives you infected files, just delete them from your build.

2nd – Install the Sucuri plugin on your website and run the scan again.

3rd – Change the passwords of the admin users

4th – Check for exploits on plugins on this site – https://www.exploit-db.com/

5th – Install the Wordfence Security plugin

6th – Urgently update RevolutionSLider to the latest version
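
An added example, not part of the original question or answer: a read-only shell triage of the docroot that complements the scanner steps above by checking for Search Console verification files the owner did not create, PHP under `wp-content/uploads`, and files changed since the first alert on 12th July 2017. The function names, sample file names and tokens are constructed for illustration; it assumes GNU `find` and `touch` on the Linux host.

```shell
#!/usr/bin/env bash
# Added example: read-only triage of a WordPress docroot. All sample data is constructed.

# Search Console HTML-file verification uses google<token>.html in the web root.
# Print every such file except the owner's own ($2), i.e. verifications someone else planted.
rogue_verification_files() {
    local root="$1" mine="$2" f
    for f in "$root"/google*.html; do
        [ -e "$f" ] || continue
        grep -q '^google-site-verification:' "$f" || continue
        [ "$(basename "$f")" = "$mine" ] || printf '%s\n' "$f"
    done
}

# WordPress only stores media under uploads/, so any PHP file there is suspect.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -iname '*.php*' 2>/dev/null | sort
}

# PHP, .htaccess and HTML files modified after midnight on a date ($2, YYYY-MM-DD).
changed_since() {
    find "$1" -type f \( -name '*.php' -o -name '.htaccess' -o -name '*.html' \) \
        -newermt "$2" 2>/dev/null | sort
}

# Build a small constructed site tree so the checks can be run without a real server.
make_sample_site() {
    local d; d="$(mktemp -d)"
    mkdir -p "$d/wp-content/uploads/2017/07" "$d/wp-includes"
    echo 'google-site-verification: google1111aaaa.html' > "$d/google1111aaaa.html"  # owner
    echo 'google-site-verification: google9999ffff.html' > "$d/google9999ffff.html"  # unknown
    echo '<?php // constructed placeholder' > "$d/wp-content/uploads/2017/07/cache.php"
    echo '<?php // core file' > "$d/wp-includes/version.php"
    touch -d '2017-06-01' "$d/wp-includes/version.php" "$d/google1111aaaa.html"
    touch -d '2017-07-20' "$d/google9999ffff.html" "$d/wp-content/uploads/2017/07/cache.php"
    printf '%s\n' "$d"
}

root="${1:-$(make_sample_site)}"      # pass a real docroot as $1 to check it instead
mine="${2:-google1111aaaa.html}"      # the verification file you created yourself
echo "== verification files that are not yours"; rogue_verification_files "$root" "$mine"
echo "== PHP under wp-content/uploads";          php_in_uploads "$root"
echo "== changed since 2017-07-12";              changed_since "$root" "2017-07-12"
```

Anything the checks print is a candidate for review against a clean copy of WordPress and the installed plugins, not proof of compromise on its own.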
