This problem surfaced for me on some of my WordPress sites beginning in August. A Google search shows many compromised sites, but not a lot of people talking about it. I will talk about my solution to the problem and hope that someone figures out a permanent fix.
This hack displays itself by redirecting the users to some other sites. The sites have changed each time, and so has the path the redirects have taken. In one case, the redirect started with something to ‘teaserguide.com’ and then went through four or five different websites before finally landing on one. The intermediate sites appear to be for the purpose of padding traffic statistics. You can watch this progression by looking at the pages loading in the bottom left of your browser (for me, Firefox).
The teaserguide.com domain is registered in Russia.
Here is what I discovered when trying to resolve this issue.
First of all, there were two or more lines of script added to the header.php file in one or more of my themes. These lines had to be deleted. The way they appear displayed on the website is like this:
You can see from the element inspector that the nefarious script creates an iframe. You can see the row of black squares at the top left. You can stop the page from redirecting without removing these lines, and you can remove them and still have the page redirect, because this is only part of the problem.
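To find lines like these without eyeballing every theme file, here is an added example (it is not the post author's code and not part of WordPress) that walks a theme directory and flags any iframe, and any script tag whose src points at a host other than the site itself or an allow-listed CDN. Hidden or zero-sized iframes are reported separately, since that is the shape an injected redirect usually takes. The sample header.php below is constructed for the example, and the hostnames in it are placeholders, not the domains named in the post.

```python
import os
import re
from urllib.parse import urlparse

# Any iframe in header.php is worth a look; one that is zero-sized or hidden
# is the classic shape of an injected redirect.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*=\s*['\"]?0\b",
    re.IGNORECASE,
)
# <script ... src="..."> : capture the src so its host can be compared with ours.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.IGNORECASE)


def suspicious_lines(source, site_host, allowed_hosts=()):
    """Return [(line_no, reason, line)] for lines that embed an iframe or load
    a script from any host other than the site itself or an allow-listed CDN."""
    ok_hosts = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        for tag in IFRAME_RE.findall(line):
            reason = "hidden iframe" if HIDDEN_RE.search(tag) else "iframe"
            hits.append((n, reason, line.strip()))
        for src in SCRIPT_SRC_RE.findall(line):
            host = (urlparse(src).hostname or "").lower()
            # A relative src ("/wp-includes/js/...") has no host: it is served by us.
            if host and host not in ok_hosts:
                hits.append((n, "off-site script from " + host, line.strip()))
    return hits


def scan_theme_dir(root, site_host, allowed_hosts=()):
    """Scan every .php file under a theme (or all of wp-content/themes) and map
    each file that has findings to its list of suspicious lines."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_lines(fh.read(), site_host, allowed_hosts)
            if hits:
                report[path] = hits
    return report


# Constructed sample of a header.php with two injected lines after wp_head();
# the hosts are placeholders, not the domains named in the post.
SAMPLE_HEADER = """<!DOCTYPE html>
<head>
<meta charset="<?php bloginfo('charset'); ?>">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<?php wp_head(); ?>
<script type="text/javascript" src="http://attacker.invalid/x.js"></script>
<iframe src="http://attacker.invalid/go" width="0" height="0" style="display:none"></iframe>
</head>
"""

if __name__ == "__main__":
    for n, reason, line in suspicious_lines(SAMPLE_HEADER, "example.com", ("cdn.example.net",)):
        print(f"line {n}: {reason}\n    {line}")
```

Run it as `scan_theme_dir("/home/you/public_html/wp-content/themes", "yourdomain.com", ("cdn-you-actually-use.net",))` and read every hit; a legitimate theme can load an off-site script, so the allow-list exists so that only the unexplained ones remain.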
Along with the change to the header.php file, a change was made to the .htaccess file.
Below the normal WordPress rewrite rules was this line:
RewriteRule ^oe/(.*)$ /openx-adm.php?$1 [L]
Deleting this line in the .htaccess file pretty much ended the redirects. But it also revealed the fact that they had inserted some other files on the server. I was able to find them using the ClamAV virus scanner and manually, by inspecting the directories.
I didn’t bother to try to figure out what the connection was between all of these modifications, because it seems to me that all they would need to do is make the change to the .htaccess file to get everything they needed. But there presumably is some relationship.
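A check for the .htaccess change and for the dropped files it points at, written here as an added example (not the post author's code and not WordPress's own): WordPress keeps the rules it manages between `# BEGIN WordPress` and `# END WordPress` markers, so any RewriteRule outside those markers, or inside them but not one of the two that WordPress writes, was put there by someone else. The script each rogue rule routes to is then checked on disk, which is exactly how the `oe/` rule above connected to the extra file. The sample .htaccess is constructed to mirror the one in the post. The list of top-level core PHP files is an assumption for current WordPress; older releases shipped a few extra files, so adjust it for the version you run before acting on the second check.

```python
import os
import re

# Markers WordPress writes around the rules it manages in .htaccess.
WP_BEGIN = "# BEGIN WordPress"
WP_END = "# END WordPress"

# (pattern, substitution) of the two RewriteRule lines WordPress places between
# those markers; any other rule inside the block did not come from WordPress.
WP_RULES = {("^index\\.php$", "-"), (".", "/index.php")}

# Top-level PHP files that ship with current WordPress. Assumption: adjust for
# the release you run, since older versions shipped a few extra files.
WP_CORE_TOP_LEVEL = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)


def rogue_rewrite_rules(htaccess_text):
    """Return [(line_no, pattern, substitution, reason)] for every RewriteRule
    that WordPress did not write: all rules outside the BEGIN/END block, and
    any rule inside it that is not one of WP_RULES."""
    hits = []
    inside = False
    for n, line in enumerate(htaccess_text.splitlines(), 1):
        stripped = line.strip()
        if stripped == WP_BEGIN:
            inside = True
            continue
        if stripped == WP_END:
            inside = False
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        pattern, subst = m.group(1), m.group(2)
        if inside and (pattern, subst) in WP_RULES:
            continue
        reason = "inside WordPress block but not a WordPress rule" if inside else "outside WordPress block"
        hits.append((n, pattern, subst, reason))
    return hits


def rewrite_target(subst):
    """Path (relative to the document root) a substitution routes to, with the
    query string removed; None for '-' (no substitution) or an absolute URL."""
    if subst == "-" or "://" in subst:
        return None
    return subst.split("?", 1)[0].lstrip("/")


def audit_htaccess(htaccess_text, docroot):
    """Pair each rogue rule with whether the script it routes to exists under
    the document root; a hit with on_disk=True is the dropped file to look at."""
    findings = []
    for n, pattern, subst, reason in rogue_rewrite_rules(htaccess_text):
        target = rewrite_target(subst)
        on_disk = bool(target) and os.path.isfile(os.path.join(docroot, target))
        findings.append({"line": n, "pattern": pattern, "target": target,
                         "on_disk": on_disk, "reason": reason})
    return findings


def foreign_top_level_php(docroot):
    """PHP files sitting beside wp-config.php that are not WordPress core."""
    return sorted(
        name for name in os.listdir(docroot)
        if name.endswith(".php") and name not in WP_CORE_TOP_LEVEL
        and os.path.isfile(os.path.join(docroot, name))
    )


# Constructed sample: the standard WordPress block followed by the rule from the post.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

RewriteRule ^oe/(.*)$ /openx-adm.php?$1 [L]
"""

if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, "."):
        print(f"line {f['line']}: {f['reason']}, routes to {f['target']!r}, on disk: {f['on_disk']}")
```

On a live site, run `audit_htaccess(open("public_html/.htaccess").read(), "public_html")` and `foreign_top_level_php("public_html")` together: the first tells you which rule to delete and which script it fed, the second lists scripts that have no rule pointing at them yet but still do not belong there.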
It was the change to the .htaccess file that has me most concerned. I had the most up-to-date WordPress, and my plugins and themes were updated, too. The passwords were changed and were solid. Nonetheless, they still managed to get in and change the .htaccess file and modify the headers.
Finally, I went through and played with the permissions of the files and directories. I found one or two that seemed to be borderline to lax, and that was enough for me to go through and reset them all. It took a while to find the right permission scheme for the files and directories to get the site to work the way it was supposed to, but now that I’ve done that, at least as of this writing, I have not been hacked again on that particular domain.
I am beginning to suspect that the way they are getting ‘in’ is not through a compromised password, but through a WordPress file with a default permission that is not secure enough. I just don’t know how they are getting ‘in.’
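The scheme that usually lets a WordPress install work while closing off lax modes is directories 755, files 644 and wp-config.php 640 (or 600 where PHP runs as your own account, as it does under suPHP or FastCGI on most cPanel hosts). Here is an added example, not the post author's code and not WordPress's own, that audits a tree against that scheme and resets whatever deviates; it builds a small constructed tree in a temp directory so it can be tried anywhere before pointing it at a real document root. The document root's own mode is left alone, because the control panel sets it (cPanel often gives public_html 750 with the web server's group). One caveat: if PHP runs as a different user from the file owner (mod_php), wp-content/uploads needs group or other write access, so test an upload after resetting.

```python
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
# wp-config.php holds the database credentials; only the account running PHP
# needs to read it, so it gets a tighter mode than every other file.
CONFIG_MODE = 0o640


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    if os.path.basename(path) == "wp-config.php":
        return CONFIG_MODE
    return FILE_MODE


def audit_permissions(root):
    """Return [(relative_path, actual_mode, expected_mode)] for every entry below
    root whose mode differs from the scheme. Symlinks are skipped (chmod would
    follow them) and so is root itself, whose mode belongs to the hosting setup."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        entries = [(os.path.join(dirpath, f), False) for f in filenames]
        if dirpath != root:
            entries.insert(0, (dirpath, True))
        for path, is_dir in entries:
            if os.path.islink(path):
                continue
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            want = expected_mode(path, is_dir)
            if actual != want:
                findings.append((os.path.relpath(path, root), actual, want))
    return findings


def reset_permissions(root, dry_run=False):
    """Apply the scheme to every entry the audit flagged; returns how many changed."""
    findings = audit_permissions(root)
    for rel, _, want in findings:
        if not dry_run:
            os.chmod(os.path.join(root, rel), want)
    return len(findings)


def build_sample_tree(base):
    """Constructed WordPress-like tree with a few deliberately lax modes."""
    dirs = {"wp-content": 0o777,                 # world-writable directory
            "wp-content/uploads": 0o755,
            "wp-content/themes/t": 0o755}
    files = {"index.php": 0o644,
             "wp-config.php": 0o644,             # too readable for a credentials file
             "wp-content/uploads/pic.jpg": 0o666,  # world-writable file
             "wp-content/themes/t/header.php": 0o644}
    for rel, mode in dirs.items():
        path = os.path.join(base, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(base, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    # makedirs created wp-content/themes implicitly; give it the intended mode too.
    os.chmod(os.path.join(base, "wp-content/themes"), 0o755)


def demo():
    """Build the sample tree, audit it, reset it, audit again; returns both audits."""
    base = tempfile.mkdtemp(prefix="wp-perms-")
    try:
        build_sample_tree(base)
        before = audit_permissions(base)
        reset_permissions(base)
        after = audit_permissions(base)
    finally:
        shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for rel, actual, want in before:
        print(f"{rel}: {actual:o} -> {want:o}")
    print("remaining after reset:", after)
```

Against a real site, call `audit_permissions("/home/you/public_html")` first and read the list; `reset_permissions(..., dry_run=True)` gives the count without touching anything, and the real run is a single chmod per flagged entry rather than a blanket recursive change.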
On one of my domains that was compromised, the whole install is password protected by cPanel. You can’t even get to the domain without going through the directory privacy feature. Out of millions of WordPress users, I’m probably one of only a handful that has that level of protection on their installation, but they still got ‘in.’ So, while the above may be an effective way to restore your site, please don’t think that this is the solution for keeping them ‘out’ in the first place. I don’t know how they are getting in.
If this has been helpful to you, buy one of my books!