Sadly one of the hassles in managing your own WordPress blog is dealing with people that use your blog to serve spam content. These hacks can insert spam links into your pages and posts or create spam directories that are completely their own content on your domain.
There are many issues to deal with in re-establishing control of your server; but that isn’t the scope of this post.
This is just a tips if you are troubleshooting to try and determine what is going on. Often your server has been hacked to allow uploaded php pages to be added or for WordPress php files to be edited.
One way to track down if the files have been changed or new ones added is to compare the WordPress files on your server to the current files for a fresh WordPress install. This assumes your blog is using the current version, which hopefully it is because on the big improvement WordPress made is to make those updates automatic. That greatly reduces the chance to have WordPress be the vector to infecting your server. If you were using a older version then just compare to the field for that version from the WordPress server.
If you don’t have a current backup I would make a backup before I tried this. Obviously, don’t make any deletions or changes to your server unless you understand what you are doing. You can create big problems for yourself.
You can use the diff command to view the difference between WordPress on your sever and the fresh install from WordPress. I install the new WordPress in a new directory outside public_html. At the cli on a Ubuntu/Linux server:
sudo wget http://wordpress.org/wordpress-4.0.zip unzip wordpress-4.0.zip diff -rq wordpress ../public_html/
wordpress-4.0.zip – replace with whatever the version is you are using.
../public_html/blog/ – replace with the path to your blog
First I would focus on files outside of wp-content as those are going to have many differences on the server. You may well see files that WordPress has stopped using but they were never deleted. I believe WordPress updates online overwrite with new files so if files are now obsolete they remain. I would delete these at this time, but it is obviously up to you.
You can take a look at the differences between files that the initial diff command found were not the same. Or you could just overwrite the one on your server with the new one but you can’t learn what might be going on. Also it doesn’t seem like a smart way to mess with your server as they next update from WordPress could overwrite what they did.
But I am no expert, maybe they see using existing files as a smart way to do it. There shouldn’t really be any difference but I have had to do a minor change to deal with image problems. Probably I should do this in some better way – as the update to 4.0 overwrote my fix and I had to reapply it – but in the real world sometimes things are not as neat as the should be.
You can see if there are files on your server that are not on the current version of WordPress. And by looking at them you may be able to determine which files are likely causing you problems. And then you can delete them. And then research how to make your server safe which can be quite a hassle. I think quickly getting ride of the problem is wise as you may take some time to complete all the necessary steps to get your server secure.
Until it is, rechecking the diff (and other indications) is likely a wise course of action. For most sties that have these problems it isn’t like there are hackers full time focused on messing with your server. Likely they found some exploit via php or something that enabled them to get bad code onto your server. They are not monitoring every site to attack as soon as the bad code is removed. Obviously for very important sites this can’t be relied on but I doubt any of those sites are going to read this blog for advice.
Anyway after looking at the files to see if you can figure out what is likely happening then delete all the files not matching the current WordPress file (obviously except your wp-content directory which has all your extra stuff – files you uploaded including graphics and plugins etc.).
Make sure you: check all your other sites on this server and read elsewhere about how to re-secure your server (may well mean reinstalling everything from the ground up).
I would also suggest deleting all plugins and reinstalling them. But that can create issues with some plugins that are not so great, so you need to decide what to do (and why have such plugins anyway?). Certainly if the diff didn’t find the likely source of the problems dealing with your plugins in very important.
The other area that can be involved is .htaccess file. I would suggest looking at it and reading up on issues.
If you are lucky enough to have found the problem that is good luck as it can be dealt with. And likely you are just attacked via automated bots and no-one is targeting you. If you haven’t found it though, you need to keep looking. Also if your server is quickly re-corrupted then you have to act quickly to fix this at a deeper level.
There are obvious things to do quickly, like changing passwords, making sure all the software on the server is up to date, etc..
Related: Adding a Key to Your Server for SSH Login – Don’t Copy-Paste Directly from Website to Terminal – Keeping Your Hosted Ubuntu Web Server Software Up to Date – Overcoming Conflicts Due to having Multiple WordPress Blog Networks on One Server