I just discovered today that a file from my WordPress website was deleted overnight which caused the site to no longer load. The file that was deleted was a functions.php file found in the current theme folder:
wp-content/themes/enfold/functions.php
In addition to this, 4 new jpg files were also created in the wp-includes/images directory as follows:
/wp-includes/images/geo.jpg
/wp-includes/images/save.jpg
/wp-includes/images/magic.jpg
/wp-includes/images/links.jpg
These are not real jpg files as they don’t open, but looking at them with a text editor reveals text and additional PHP code. From looking at the PHP code, it looks like it’s trying to inject some spam/advertising links into my WordPress posts.
I’ve recently reset the passwords for everything that I could find, including passwords for FTP, MySQL, DB, cPanel, and all WordPress user logins.
I’ve used the Theme Authenticity Checker plugin to scan for any malware with the themes and it hasn’t detected anything.
I’m at a bit of a loss here – is there some log file or method I can use to determine how the “hacker” is gaining access to my WordPress site (I use a security plugin to lock out invalid logins etc.) so I can close whatever loophole they’re exploiting?
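
Added example, not part of the original post: a Python sketch that walks a WordPress tree and flags image-extension files like the fake jpgs described above, either because the content does not start with the right magic bytes or because it contains a PHP open tag. The names `scan_images` and `build_sample_tree` are hypothetical, and the sample files (including `poly.jpg`) are constructed for the demonstration.

```python
import os
import re
import tempfile

# Leading bytes a genuine file of each type starts with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def scan_images(root):
    """Return sorted (relative path, reasons, mtime) for suspicious image files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            reasons = []
            if not data.startswith(MAGIC[ext]):
                reasons.append("bad-magic")   # extension does not match content
            if PHP_TAG.search(data):
                reasons.append("php-tag")     # PHP embedded, even behind a valid header
            if reasons:
                findings.append((os.path.relpath(path, root), reasons, os.path.getmtime(path)))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample: one genuine-looking JPEG and two suspicious files."""
    root = tempfile.mkdtemp()
    img_dir = os.path.join(root, "wp-includes", "images")
    os.makedirs(img_dir)
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
    samples = {
        "logo.jpg": jpeg,
        "geo.jpg": b"some text\n<?php /* constructed placeholder */ ?>\n",
        "poly.jpg": jpeg + b"<?php /* constructed placeholder */ ?>",
    }
    for name, body in samples.items():
        with open(os.path.join(img_dir, name), "wb") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, reasons, mtime in scan_images(build_sample_tree()):
        print(rel, ",".join(reasons), int(mtime))
```

The modification time of each flagged file gives a time window to look up in the web server access logs and FTP logs, although timestamps can be altered and should be treated as a hint rather than proof.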