Ida,
Thanks for providing access to your site. I did some tweaking to my plugin on your site and got it to find and remove that last bit of malicious code in your theme. I think your site is all clean now. Can you try reposting any corrupted entries to Facebook and make sure the new postings do not contain these viagra ads.
You will also need to get Google to re-index your site. This may take some time but it will help to go to Webmaster Tools and submit a new sitemap and request a review in the Health section if there is any malware listed there.
If you sill have signs of a current or recurring infection please let me know and I can check your site again.
Aloha, Eli
Your site looks clean now from the outside. Check the Health section of Google Webmaster Tools to see if the search engine cache is clean and request a review if it is not.
This sounds like a conditional ad injection but these pharma hacks vary quite a bit. Can you provide me with WP Admin access to your site?
You can email your login credentials directly to me so I can look for the infection.
Aloha, Eli
Just wanted to say thanks for letting me into your site. It was helpful to see how the non-SSL resources performed on an SSL site. I have secured my own sites with PositiveSSL now. I have also released a plugin update with the modifications I made on your version so the links to the updates are all SSL compatible now.
Thanks again for bringing this to my attention and allowing me access to your site so I could fix it.
Aloha, Eli
So your site is running SSL and the definition updates are not loading?
I would like to figure out exactly what is going wrong and fix it for you. I expect It has to do with SSL and that my javascript that checks for updates is not SSL.
Can you email me with WP Admin login info for you site?
eli at gotmls dot net
Hi Josh,
I’m happy to help any way I can.
If my plugin fails to write to the files that need fixing it is probably because of the permissions on those files or some other restriction preventing apache from writing to your file system.
If you want me to look at it for you, you can send login credentials directly to my email address: eli at gotmls dot net
Aloha, Eli
That great. Changing the permissions may work but sometimes the hackers scripts can change them back and then write to the file anyway.
Better protection is always good and it is best to understand how the hacker is gaining access to know what protection you need to improve on. In most cases it is either a vulnerability of the host or the software you have put on the site. If there are no back-doors or vulnerabilities in the software you are running on your site (WordPress, Plugins, Themes, etc.) then it could be the host or another site on the host that is letting your site get reinfected. The only thing I can suggest is to switch to another (more secure) host.
I am currently working on a very secure hosting environment for just such a need. The server is up and I am hosting site on it now but I have not opened it up to the public yet. It will be about $12.75 per site per month, probably more than you are paying now but more secure too 
If you are interested in hosting on my new server just send me an email and I can help you make the switch.
Otherwise, best of luck to you and Aloha,
Eli
I just updated this one for you too. Don’t forget to download the definition updates (and make a donation
I just added one more level for you. You will need to download the definition update again for these changes to take effect.
Please let me know if that had the desired effect.
I would help me to know for sure that I got it if I had access to your WP Admin on this site, but you can try it now and let me know. Just download a definition update and then you should see one level higher in your directory tree. If this is the right directory then you will be able to scan all your sites from this one admin.
Please let me know if that did it for you.
Aloha Rob,
This can happen whenever WordPress fails to remove a plugin directory. You did the right thing by removing the folder manually.
Thanks for posting your solution.
Mahalo, Eli
Michele,
Thank you so much for opening your server to me. I have just released a plugin update that includes the code fixes I had made for you on my previous version. This new version 1.3.05.31 should be compatible with that Flexible Frontend Login plugin. Please give it a try and let me know if you find any other problems with it.
I can try. On what site are you wanting to make this change?
It would appear that the OptimizePress theme is using a method of code obfication that matches Known Malicious Threat patterns. I cannot see the code in those two files from the links you provided but if you were to send me those files I could check them out more thoroughly. I have temporarily white-listed this definition and I could create A permanent white-list entry for these files if I can confirm they are harmless.
Unfortunately I cannot do anything about your hosting provider calling them malicious so you would need to take it up with them too. I may also be worth it to let OptimizePress know that your host is flagging their files as malicious so that they can defend their product.
If you can email those files to me directly then I will check them out right away and white-list them if appropriate.
Ivica,
Thanks for sending me the login info. I was able to remove the remaining threats from the wp-config.php file. It turns out there were three different sets of malicious injections at the top of that file. I updated the definitions so that my plugin could remove each of them without breaking the syntax of the file.
Please let me know if there is anything else I can do.
Aloha, Eli
