Anti-Malware Admin

Forum Replies Created

Viewing 15 posts - 331 through 345 (of 664 total)
  • in reply to: Nonce token error and other question #1833

    Anti-Malware Admin
    Key Master

    Thanks for providing access to your wp-admin. We established that your database is not accepting any changes, so you cannot save anything in my Plugin or any other plugin either. I advise that you take this up with your hosting provider and move to another host if they cannot fix the database connection for you.

    in reply to: my wordpress site got infected with backdoor HELP #1830

    Anti-Malware Admin
    Key Master

    It looks like you broke the DNS for bytemeup.com at NAMECHEAP by pointing the Name Servers at NS1.BYTEMEUP.COM and NS2.BYTEMEUP.COM, so now there is no way to look up the A Records for that domain. Try setting the Name Servers back to the NAMECHEAP Standard DNS. Then use NAMECHEAP to set the IP address for your A records to your new host.

    in reply to: my wordpress site got infected with backdoor HELP #1826

    Anti-Malware Admin
    Key Master

    Sending me the zip file won’t do either of us any good. You need the whole site (DB included) UNZIPPED and configured on a webserver in order to properly clean it and get it working again. The error_log files are the key to your success. Let me say that again, another way, you need to find your error_log files. The error_log files are essential to debugging any problem with any site, it’s worth you doing the research to find your error_log files. Please do that regardless, you’ll thank me later ;-)

    Moving on, you said you have another site that is able to run the scan but there are still infected files, can you please elaborate?
    You can send me the files that are still infected, directly to my email.

    in reply to: my wordpress site got infected with backdoor HELP #1824

    Anti-Malware Admin
    Key Master

    I know you told me that the malicious code is in your core files, that is extremely common, but that hardly ever means that you cannot login. You see, it’s not usually in the best interests of the hacker to disable or cripple your site, they can only take advantage of your infected site if it is still functioning. It was probably an accident that they broke your site at all.

    You can check the error_log files on your server to see why your site is not working and fix that problem so that you can use your wp-admin again and then use my plugin to remove the rest of the threats. You could also try replacing the wp-admin and wp-includes directories with a fresh copy and manually fixing some of the core files in the root directory, but it would be more efficient to fix the exact file that is referenced in your error_log file.
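
    One way to pull "the exact file that is referenced" out of an error_log, as an added example that is not part of the original post or the plugin. It assumes PHP's single-line "in FILE on line N" message format; the sample log lines and paths are constructed.

```python
import re
from collections import Counter

# Constructed sample in the format PHP writes to error_log (not from the thread).
SAMPLE_LOG = """\
[12-Mar-2015 10:22:31 UTC] PHP Warning:  Cannot modify header information - headers already sent by (output started at /var/www/site/wp-config.php:1) in /var/www/site/wp-includes/pluggable.php on line 1121
[12-Mar-2015 10:22:33 UTC] PHP Parse error:  syntax error, unexpected '<' in /var/www/site/wp-includes/load.php on line 3
[12-Mar-2015 10:22:40 UTC] PHP Parse error:  syntax error, unexpected '<' in /var/www/site/wp-includes/load.php on line 3
[12-Mar-2015 10:23:02 UTC] PHP Fatal error:  Call to undefined function wp() in /var/www/site/wp-blog-header.php on line 14
[12-Mar-2015 10:23:05 UTC] PHP Notice:  Undefined index: page in /var/www/site/wp-content/themes/demo/functions.php on line 88
"""

# [timestamp] PHP <level>:  <message> in <file> on line <n>
# The greedy message group makes the LAST " in ... on line N" the reported location.
# Paths containing spaces are not handled by \S+.
LINE_RE = re.compile(
    r"^\[(?P<when>[^\]]+)\] PHP (?P<level>[A-Za-z ]+?):\s+(?P<msg>.*) "
    r"in (?P<file>\S+) on line (?P<line>\d+)$"
)

# Levels that stop PHP outright, i.e. the ones that explain a dead wp-admin.
BREAKING = {"Fatal error", "Parse error"}


def parse_error_log(text):
    """Yield one dict per error_log line that names a file and a line number."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield {**m.groupdict(), "line": int(m["line"])}


def files_breaking_site(text):
    """Rank (file, line) locations by fatal/parse errors, most frequent first."""
    hits = Counter()
    for entry in parse_error_log(text):
        if entry["level"] in BREAKING:
            hits[(entry["file"], entry["line"])] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (path, line), count in files_breaking_site(SAMPLE_LOG):
        print(f"{count:3d}x  {path}:{line}")
```

    Warnings and notices are parsed but left out of the ranking, since they do not by themselves stop the site from loading.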

    in reply to: my wordpress site got infected with backdoor HELP #1822

    Anti-Malware Admin
    Key Master

    The whole point of using my plugin to fix your site is that it can remove the malicious code from your infected files without affecting the good code that is supposed to be there. My plugin would not be so successful and highly rated if it deleted your core files ;-)

    The main problem for you is that you cannot access your wp-admin, but you didn’t elaborate on that so I don’t see how I can help you there. Please explain: why are you unable to access your wp-admin?


    Anti-Malware Admin
    Key Master

    Sorry for the confusion about the “key”, I shouldn’t have called it that, it’s more like a nonce token. The point is that caching the login page will interfere with my login protection and cause false positive redirects.

    in reply to: Server Wide Scan #1820

    Anti-Malware Admin
    Key Master

    If you have a WordPress site installed in the parent directory (like /home) then you should be able to run my plugin in a browser by logging into the wp-admin of that site (the permission must allow that site’s user access to the subdirectories that contain the other sites). It may take a long time to scan all the other sites at once, depending on how many files there are and how fast your server is, so this method is usually discouraged. Also, my plugin adds some protection to the sites it is installed on but that does not protect the sub-sites. It is best to install the plugin on each site individually.

    I am working on a CLI version of my plugin but it is not ready yet. I will let you know when I have something ready for testing.


    Anti-Malware Admin
    Key Master

    The first message you posted is related to my plugin redirecting you because your login page did not have the right key on it, it may have been cached or you may have been on that page too long and the key had expired. I recommend refreshing your login page before attempting to login.

    Your follow-up post here is not related to my plugin. You have some other kind of login protection enabled on that site that is redirecting you. That may also work better if you clear your cache and refresh that page but I cannot say for sure because it’s not my plugin.

    in reply to: Website Hack. Scan says clean #1812

    Anti-Malware Admin
    Key Master

    Try a direct query in PhpMyAdmin looking in the wp_posts table for any records with that content. Use something like this:
    SELECT * FROM wp_posts WHERE post_content LIKE '%cialis%' OR post_title LIKE '%cialis%'

    in reply to: MW:JS:GEN2?malware.script_base64.1 #1808

    Anti-Malware Admin
    Key Master

    All you need to do is enable the automatic updates and that will install the core files definitions for you.

    in reply to: Website Hack. Scan says clean #1804

    Anti-Malware Admin
    Key Master

    It looks like those are posts or pages that may have been created by a rogue admin user or a hacker who has access to your wp-admin. Check your users, change your passwords and then look for pages and posts that you did not create.

    in reply to: MW:JS:GEN2?malware.script_base64.1 #1800

    Anti-Malware Admin
    Key Master

    If it’s not in your theme’s header.php then I would reaffirm that it’s in the database. Try looking in the wp_options table, that is where special header output is usually stored.

    in reply to: MW:JS:GEN2?malware.script_base64.1 #1798

    Anti-Malware Admin
    Key Master

    That is because this threat is usually not in any of your files. Instead, this malicious HTML is injected directly into your database. You’ll need to look in your post/page content (using the text tab so that you can see the HTML tags that you don’t want there) and remove the unwanted text manually.

    Your bigger problem is that the hacker(s) will likely still have remote access to your database and they can re-inject this unwanted content. There was a widespread outbreak of this particular threat on TSOHOST recently and a number of their customers reported repeated hacks without any recourse to stop them from injecting the same links into their database.

    I would suggest changing your DB_PASS and updating your wp-config.php file. If that does not stop repeated infections then you may have to look for a more secure host.
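
    The database hunt described in these replies (wp_posts in #1812, wp_options in #1800, post/page content in #1798), generalized into one search over both tables; this is an added example, not part of the original posts or the plugin. It uses an in-memory SQLite stand-in for the MySQL tables, and the rows, the option name and the two extra markers are constructed assumptions.

```python
import sqlite3

# "cialis" is the keyword from the thread; the other two markers are assumptions.
MARKERS = ["cialis", "<script", "base64"]

# (table, key column, text columns) from the stock WordPress schema.
TARGETS = [
    ("wp_posts", "ID", ["post_title", "post_content"]),
    ("wp_options", "option_id", ["option_name", "option_value"]),
]


def build_demo_db():
    """In-memory SQLite stand-in for the MySQL tables; every row is constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT);
    """)
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", [
        (1, "Hello world", "<p>Welcome to the site.</p>"),
        (2, "Spring menu", '<p>Menu</p><div style="display:none">cheap cialis</div>'),
    ])
    db.executemany("INSERT INTO wp_options VALUES (?, ?, ?)", [
        (10, "blogname", "Demo site"),
        (11, "demo_header_html",
         '<script src="data:text/javascript;base64,CONSTRUCTED"></script>'),
    ])
    return db


def find_injected_rows(db, markers=MARKERS):
    """Return sorted (table, row id, column, marker) for every LIKE match."""
    hits = []
    for table, key, columns in TARGETS:
        for column in columns:
            for marker in markers:
                # Identifiers come from the fixed TARGETS list; only the pattern is bound.
                sql = f"SELECT {key} FROM {table} WHERE {column} LIKE ?"
                for (row_id,) in db.execute(sql, (f"%{marker}%",)):
                    hits.append((table, row_id, column, marker))
    return sorted(hits)


if __name__ == "__main__":
    for table, row_id, column, marker in find_injected_rows(build_demo_db()):
        print(f"{table} id={row_id} column={column} matched {marker!r}")
```

    Each hit names the table, row and column to open in the text editor or PhpMyAdmin so the unwanted HTML can be removed by hand.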

    in reply to: Anti-Malware say Ok but Sucuti say Infected With Malware #1796

    Anti-Malware Admin
    Key Master

    It looks like your site is all clean now. Was it just that Sucuri cached their scan results or did you find and remove the remaining threats?

    in reply to: sucuri is finding an issue but not this scanner #1794

    Anti-Malware Admin
    Key Master

    My plugin does not remove text content from the database. In plain text, that code is likely to look less malicious and could easily have been put there by the author on purpose. If you have a hole in your DB security there is nothing any plugin can do about that. You can also simply remove that unwanted HTML text once you have secured the DB so that it won’t happen again.
