Help: Hijacked wordpress site?

Something in your .htaccess could be redirecting anyone referred via Google to their own website. I would suggest checking the .htaccess and try disabling all plugins to see if that fixes it. If not, just shoot an email to your hosting company to see the last time any of your files were edited.

Yes. Its inside your .htaccess also if you're using wordpress check your theme files for suspicious php and js files.

Check your files time-stamp of so you can easily find which file was modified.

If you still unable to fix your site then I can do it for you in free ..
let me know

Also, if you posted a link to your website then it may help a bit more

Hey,

It might be because you downloaded cracked themes ? Just saying..
I've heard that on these so called Free Premium Themes there are scripts that give them access to all sorts of things.

Good luck

Take a look here: Htaccess Redirection to Sweepstakesandcontestsinfo dot com | Sucuri

As much as I'd love to share the sites... it's 11 out of 13 with this hosting company. I think only 11. I've logged a support ticket to see what they have to say. My suspicion is that it was through my FTP account.

I've changed my passwords (and now the rage, frustration and anger that I didn't tighten up on my security sooner has died a bit) I'm getting ready to 'start again'.

One of those mistakes you only make once!

Besides the suggested .htaccess check - look into the root index.php file, too!

It is a very short file and it should have only this:

If there is anything else in it...

it should be errors of .htaccess

do you have backup of your website, restore it or ask your web host to restore your website with old backup.

Check your themes for any occurance of the word base64_encode. It always rings alarm bells when I see this. Other times, the bad code will be in a php file, like in a theme functions. Its always good practice to review every theme you download for things of this kind.

Istvan... thanks. I think I need to buy your course (no joke).

The files my host identified as affected are (x 11):

Being non-technical I'm worried about trying to remove or update files but not getting rid of ALL the offending code. It's also the problem I have with restoring old sites because (I'm guessing) you have to make sure the ones your restore are ok. Which means I need to identify exactly when the incidence took place which I believe it was early November from looking at my site stats. My hosting company only offers to restore back-ups from the past 5 days which doesn't help much.

[There's a lot of which, if and but going on here ]

I've already started to tear down the very small sites and start again. Incidentally I might use this as an opportunity to try out a different hosting company who's perhaps more accustomed to dealing with these types of problems.

Your hosting company usually wouldnt help too much with this sort of issue.

Did you check your .htaccess file? Errors coming up with pages can be caused by redirections in htaccess files. Trust me I just fixed one of my sites up yesterday with an issue much like yours.

So far I've removed the offending code from these files:

But I've no idea where to find the .htaccess files

I've been Googling my butt off and don't know if I'm looking for a file titled .htaccess or (er..) what?

Big thanks to everyone so far!

Essentially I think it's this that I'm up against:

And this was a useful tool: Sucuri SiteCheck - Free Website Malware Scans so thanks Chase for recommending it.

For the record there was nothing hacked or ripped on these sites... all 100% legit templates, pluggins etc.

you are looking for a file titled .htacess. It is in your file management system of wherever your files are on the hosting services.

in WordPress it's in the WordPress folder

The code should look something like this:

SetEnv PHP_VERSION 5
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

My guess is that your file index.php has been reset to point to the malware sites target.

Unfortunately this has happened to me. Here are 7 steps I recommend you take:
1. Change your FTP password to a Stronger one. Those of you using an FTP program to upload files to your server make sure the password is strong. Mine was apparently so weak It was like I gave a personal invite to the hackers. If you don’t even know what FTP is then you’ll be fine!

2. Change your Hosting account passwords to a stronger one. (In my case GoDaddy). I cant even remember my customer numbers or passwords and being such a big company I doubt the hackers got to me this way.

3. Change your Google accounts to a stronger one. This includes your analytics accounts, adwords, gmail etc..

4. Back up your sites content & database. I personally am not sure on how to do this. I thought there was a plugin for this. If anyway can answer this question please do so in the comments below.

5. Upgrade WordPress to the latest version. Version 3.0 due around May so upgrade then.

6. Remove your unused Plugins. No point keeping them there if your not using them.

7. Update your used Plugins to the latest versions. It’ll usually tell you in the ‘Plugins’ section that a new version is available. Update it. Make sure its reputable. Don’t download crappy plugins with poor feedback.

Don't listen to any of the SPECIFIC recommendations about how it's "probably" your .htaccess, etc.

It could be ANYTHING.

The first thing to do is check your FTP logs for activity around the time that the hack took place. That might lead you to learn what file was changed. That is assuming it was an FTP-executed hack, which is very common.

If FTP logs don't reveal it, you need to manually go through your FTP connection to check the date of when files were modified in every single directory.

If files were modified that you did not modify, that's a big clue.

Here is a post talking about how to find how you were hacked:
http://blog.outsourcefactor.com/here...mission-thief/

Different hack, but same approach to find the problem.