If your site got hacked on the last mass infection of WordPress sites out there, we have a simple solution to clean it up.
For Network Solutions users:
If your site is at Network Solutions, and you have that “virtual-ad.org” malware, the solution is simple.
Login via FTP and remove the file cgi-bin/php.ini. That’s all you need to do to protect your users.
You will still have some “.nts” files in there (which you can remove later), but they will not be executed without the php.ini.
If you have SSH access to your server, run the following commands on your web root:
$ find ./ -name "*.php" -type f | xargs sed -i 's#<?php /\*\*/ eval(base64_decode("aWY.*?>##g' 2>&1
$ find ./ -name "*.php" -type f | xargs sed -i '/./,$!d' 2>&1
If you don’t have SSH access, download this file to your desktop:
http://sucuri.net/malware/helpers/wordpress-fix_php.txt and rename it to wordpress-fix.php.
After that, upload it to your site via FTP, and run it (using your browser) as: http://yoursite.com/wordpress-fix.php
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
Once you are done, go back to your site and remove this file.
That’s it and you should be clean again.
UPDATE: If your site is not getting cleanup after you run it (or you are getting extra empty lines on the top of your files), it means that the script didn’t finish to run properly. Try running it again. It it doesn’t help, upload it to some sub directories (like wp-admin, wp-content and wp-includes) and run directly from there. For example:
http://yoursite.com/wp-admin/wordpress-fix.php , http://yoursite.com/wp-content/wordpress-fix.php , etc.
That should fix it!
As always, if you are having difficulties getting your site cleanup, send us an email at firstname.lastname@example.org or visit our site: http://sucuri.net. We can get your sites clean up right away.
Also, consider checking out our site security monitoring. We will monitor your sites 24×7 and alert you if it ever gets infected with malware, hacked or blacklisted.