Few days ago I received email from Google Search Console Team with title “Social engineering content detected”. On one of the sites that I was working some small fixes, was detected site phishing. Someone used site’s domain and added link to phishing page with plenty download’s links. URL looked like this:


As security was never my part of the job I was thinking that installing free version of Wordfance plugin would be good enough. Though I received notice that some files are being changed I ignored because site owner was working with some plugin developers so I though that must be it and beside that site was working fine.

Clean up infected site

So I consult experienced developer Ryan Paul and here is what we did to clean up site:

  • Change the salt keys in the wp-config.php (you can use iThemes Security plugin)
  • Change database user (cPanel)
  • Change database prefix (you can do it trough phpMyAdmin or you can use iThemes Security plugin which is much faster)
  • Erase all users except the main administrator and then change the admin username and password through phpMyAdmin
  • Delete everything except wp-content folder and wp-config.php file and then reupload WordPress files from scratch
  • Deactivate all plugins and replace it with fresh installations (you can upload in folder “newPlugins” into wp-content folder and then just to delete plugins folder and to rename current one or you can use Force Plugin Updates)
  • Lastly Ryan HIGHLY recommend¬† Bulletproof Pro plugin (it checks your site very often but still doesn’t slow it down)

Issue creating user trough phpMyAdmin after changing db prefix

While I was working on this I had problem creating new user trough phpMyAdmin after changing database prefix. I was going to copy existing user, to do some changes and to delete original one. But when I tried to login into WordPress dashboard it didn’t work. Me panic! Then I did some search and find perfect solution. Just be careful to replace all “wp” prefixes in the code with your new prefix.

INSERT INTO `wp_users` (`user_login`, `user_pass`, `user_nicename`, `user_email`, `user_status`)
VALUES ('newadmin', MD5('pass123'), 'firstname lastname', 'email@example.com', '0');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (Select max(id) FROM wp_users), 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}');

INSERT INTO `wp_usermeta` (`umeta_id`, `user_id`, `meta_key`, `meta_value`)
VALUES (NULL, (Select max(id) FROM wp_users), 'wp_user_level', '10');

Security plugin important notices

Ryan did plugin setup so I don’t have to worry about anything until I get notification. The only thing that I need to take care for is to turn off ARQ Cron when I change site files. So when you open BPS Pro/AutoRestore you should make everything looks like on this image and once you finish editing delete the wp-content backup files, back them up again and turn ARQ Cron back on.

BulletProof Security Pro plugin

Then I reported problematic URL to Google. As site was blacklisted on Google and all other important places, after all this done I checked site again. Google Safe Status Check reported that site is clean and on some other places where I checked everything was ok but Securi site checker still detected that site is on one blacklist. It was Norton black list which detected SWBPL threat. I couldn’t find what SWBPL threat is but solution for this Norton issue is to submit site for review on Norton’s security central.

So what we WordPress security beginners  learned?

  • Your site can work just fine and still to be infected!
  • Backup. Always backup. And do some more backup.
  • Use Pro version of security plugin.
  • Update. Update WordPress, plugins and theme. Always keep files update.
  • React fast and keep your passwords safe.

If you have some good advice, please share and if you want to know more about email phishing check Pixelprivacy and BroadbandSearch.

Share This Story, Choose Your Platform!