The whole point of using my plugin to fix your site is that it can remove the malicious code from your infected files without affecting the good code that is supposed to be there. My plugin would not be so successful and highly rated if it deleted your core files 
The main problem for you is that you cannot access your wp-admin, but your didn’t elaborate on that so I don’t see how I can help you there. Please explain: why are you unable to access your wp-admin?
Sorry for the confusion about the “key”, I shouldn’t have called it that, it’s more like a nonce token. The point is that caching the login page will interfere with my login protection and cause false positive redirects.
If you have a WordPress site installed in the parent directory (like /home) then you should be able to run my plugin in a browser by logging into the wp-admin of that site (the permission must allow that site’s user access to the subdirectories that contain the other sites). It may take a long time to scan all the other sites at once, depending on how many files there are and how fast your server is, so this method is usually discouraged. Also, my plugin adds some protection to the sites it is installed on but that does not protect the sub-sites. It is best to install the plugin on each site individually.
I am working on a CLI version of my plugin but it is not ready yet. I will let you know when I have something ready for testing.
The first message you posted is related to my plugin redirecting you because your login page did not have the right key on it, it may have been cached or you may have been on that page too long and the key had expired. I recommend refreshing your login page before attempting to login.
Your follow-up post here is not related to my plugin. You have some other kind of login protection enabled on that site that is redirecting you. That may also work better if you clear your cache and refresh thtat page but I cannot say for sure because it’s not my plugin.
Try a direct query in PhpMyAdmin looking in the wp_posts table for any records with that content. Use something like this:
SELECT * FROM wp_posts WHERE post_content LIKE ‘%cialis%’ OR post_title LIKE ‘%cialis%’
All you need to do is enable the automatic updates and that will install the core files definitions for you.
It looks like those are posts or pages that may have been created by a rogue admin user or a hacker who has access to your wp-admin. Check your useres, change your passwords and then look for pages and posts that you did not create.
If it’s not in your theme’s header.php then I would reaffirm that it’s in the database. Try looking in the wp_options table, hat is where special header output is usually stored.
That is because this threat is usually not in any of your files. Instead, this malicious HTML is injected directly into your database. You’ll need to look in your post/page content (using the text tab so that you can see the HTML tags that you don’t want there) and remove the unwanted text manually.
Your bigger problem is that the hacker(s) will likely still have remote access to your database and they can re-inject this unwanted content. There was a widespread outbreak of this particular threat on TSOHOST recently and a number of their customers reported repeated hacks without any recourse to stop them from injecting the same links into their database.
I would suggest changing your DB_PASS and updating your wp-config.php file. If that does not stop repeated infections then you may have to look for a more secure host.
It looks like your site is all clean now. Was it just that Sucuri cached their scan results or did you find and remove the remaining threats?
My plugin does not remove text content from the database. In plain text, that code is likely to look less malicious and could easily have been put there by the author on purpose. If you have a hole in your DB security there is nothing any plugin can do about that. You can also simply remove that unwanted HTML text once you have security the DB so that it won’t happen again.
Sucuri says: Unable to properly scan your site. (HTTP Errors Returned)
Probably because you have Maintenance mode turned on right now, so I can’t tell if you site is still infected or not.
If you want to give me more info or turn your site back on so I can see what you are talking about then I can help you more.
I use clamscan and maldet too, but I’ve never had it flag my plugin before. You host must be using customized YARA Definitions that include the patterns written by Florian Roth. There is no telling how long it might take for his updates to reach the distribution branch that your host is using, so I have modified the relevant code in the latest release of my plugin so that it no longer matches this pattern.
I got a reply from Florian Roth. He says that he has fixed his YARA definitions But I still see the old definitions published on other sites. Where do you get your YARA definition updates?
Yes, this is a False Positive, thanks for reporting this to me. I have notified Florian Roth (the developer who published that YARA Definition), but I am not confident that he can do much about it as it is open source and in distribution for over a year. Plus it may have been forked and redistributed by other developers, so I will be changing my code so that it will not match this definition any more.
