Help cleaning up all my sites

I need help with cleaning up all my sites. They are all infected. What do you need to check them all out? They are consistently getting internal 500 errors. Defender Pro file scan reports a number of issues.

  • Adam
    • Support Gorilla

    Hi Kyle

    I hope you’re well today and thank you for reaching out to us!

    I’ve checked the server and before I go any further, I’d like to mention something very important: the current “structure” of how the sites are hosted makes it very vulnerable and I honestly think that even a full clean-up might not be very efficient in the long run.

    All the infected sites (and many more) are hosted within a single “public_html” folder of the very same hosting account and that means that a single overlooked piece of malicious code, a single vulnerability in any of these sites, pretty much any “weakness” at any point of any of the sites can result in a mass infection spread all over the server in no time.

    So while I understand it might be a problem to separate those sites from each other, it would be a strongly recommended thing to do, preferably to start with. It would be best if they were kept on separate accounts or “sub-accounts” (if Bluehost provides such a thing).

    It’s also not the best idea to keep the same admin access credentials and FTP for all the sites – they should be different for each site (FTP usually can be set to limit the “path” to a specific site).

    Getting back to the main issue though, I can see that those sites are heavily infected and I can tell you upfront that a simple “manual cleanup” will most likely be insufficient and the infection will keep coming back.

    It would be best to actually restore all these sites from backups to the pre-infection state and then focus on separating them and possibly securing more (if technically doable). Do you have such backups? If yes, are they very old (I’m asking about that due to possible loss of content if they are too old)?

    If such backups are not available then the way to deal with it would be this:

    0) Put the site in some sort of maintenance mode or, if possible, temporarily protect it with HTTP AUTH (browser login)

    1) after running the Defender scan look at the list of reported files and completely delete all those files with “fancy names” that are reported as “Unknown file in WordPress core”

    2) download a fresh WordPress installation package, extract it to your local drive, access the site via FTP and

    – delete the entire /wp-includes folder from the server and upload the one from the WP install package
    – delete the entire /wp-admin folder from the server and upload the one from the WP install package
    – overwrite the following files in the site’s root with those from the WP install package

    index.php
    license.txt
    readme.html
    wp-activate.php
    wp-blog-header.php
    wp-comments-post.php
    wp-cron.php
    wp-links-opml.php
    wp-load.php
    wp-login.php
    wp-mail.php
    wp-settings.php
    wp-signup.php
    wp-trackback.php
    xmlrpc.php

    Note: make sure not to overwrite the wp-config.php file, the .htaccess file and the /wp-content folder. However, wp-config.php and .htaccess might need manual clean-up depending on what Defender shows – it would show which code inside them is malicious, so they should be edited and such code removed.

    3) delete all unused plugins and themes from the site
    4) download fresh installation packages of all the used themes and plugins and, again using FTP, go to the /wp-content/themes (and then /wp-content/plugins) folders and

    – delete given theme/plugin
    – upload it from unpacked fresh install package

    These 5 steps should be repeated for all infected sites and, in fact, it would actually be best to do them for all the sites that are stored on the same hosting account.

    Kind regards,
    Adam
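
The core-file replacement Adam describes (fresh /wp-includes, fresh /wp-admin, the listed root files, nothing touched in wp-config.php, .htaccess or /wp-content) can be checked before and after the cleanup with a simple comparison of the downloaded site against a freshly extracted package. The script below is an added example and is not code from this thread, from Defender or from WordPress; it assumes both trees have already been copied to the local disk (the site via FTP into one folder, the package extracted into another), and the demo tree contents, file names and paths it creates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: compare a site's WordPress core tree
# against a freshly extracted WordPress package and report files that are
# MODIFIED, MISSING, or UNKNOWN (present on the server, absent in the package).
# Assumption: both trees are local, e.g. the site downloaded over FTP into
# ./site and the package extracted into ./fresh. Paths here are placeholders.

# Root files the thread says to overwrite from the package. wp-config.php,
# .htaccess and wp-content are site-specific and are deliberately not compared.
ROOT_FILES="index.php license.txt readme.html wp-activate.php wp-blog-header.php
wp-comments-post.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php
wp-mail.php wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php"

# compare_core FRESH_DIR SITE_DIR -> one "STATUS path" line per difference
compare_core() {
  fresh="$1"; site="$2"
  for dir in wp-includes wp-admin; do
    # every file the package ships must exist on the site and match byte for byte
    (cd "$fresh" && find "$dir" -type f) | sort | while read -r f; do
      if [ ! -f "$site/$f" ]; then
        echo "MISSING $f"
      elif ! cmp -s "$fresh/$f" "$site/$f"; then
        echo "MODIFIED $f"
      fi
    done
    # anything extra under wp-includes or wp-admin is the "unknown file in
    # WordPress core" case: the package is the only legitimate source there
    (cd "$site" && find "$dir" -type f) | sort | while read -r f; do
      [ -f "$fresh/$f" ] || echo "UNKNOWN $f"
    done
  done
  # root files: only the listed ones, so wp-config.php and friends are never flagged
  for f in $ROOT_FILES; do
    if [ ! -f "$site/$f" ]; then
      echo "MISSING $f"
    elif ! cmp -s "$fresh/$f" "$site/$f"; then
      echo "MODIFIED $f"
    fi
  done
}

# make_demo_trees -> prints a temp directory holding constructed fresh/ and site/
# trees; the "infection" markers below are made up for the demonstration.
make_demo_trees() {
  base=$(mktemp -d)
  for t in fresh site; do
    mkdir -p "$base/$t/wp-includes" "$base/$t/wp-admin"
    echo '<?php // clean' > "$base/$t/wp-includes/version.php"
    echo '<?php // clean' > "$base/$t/wp-admin/index.php"
    for f in $ROOT_FILES; do echo "clean $f" > "$base/$t/$f"; done
  done
  echo '// tampered' >> "$base/site/wp-includes/version.php"   # modified core file
  echo '<?php // dropped' > "$base/site/wp-includes/class-wp-xk3.php"  # unknown file
  rm "$base/site/wp-admin/index.php"                             # missing core file
  echo '// tampered' >> "$base/site/wp-load.php"                 # modified root file
  echo 'DB_PASSWORD placeholder' > "$base/site/wp-config.php"    # must not be flagged
  echo "$base"
}

# Stand-alone run against the constructed trees; replace the two paths with
# the real downloaded site and extracted package when using it for real.
base=$(make_demo_trees)
compare_core "$base/fresh" "$base/site"
rm -rf "$base"
```

Run it once before the cleanup to get the list of files to delete or replace, and once after uploading the fresh package to confirm the tree is clean; an empty result for wp-includes and wp-admin is what the thread's steps 2 and 3 aim for. It only covers core, so /wp-content/themes and /wp-content/plugins still need the per-package replacement from step 4.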