Removing malicious code only from the functions.php file, as practice shows, does not solve the issue. Therefore, this instruction can be helpful in troubleshooting the problem.
The file wp-includes/class.wp.php should not exist at all. If it does, delete it. Pay special attention to the file name: this directory contains many files with similar names, but with a hyphen instead of a period, etc. This is exclusively about
wp-includes/wp-vcd.php if it exists.
wp-includes/post.php... Namely, if the first line contains something like:
post.php in standard WordPress form - https://github.com/WordPress/WordPress/blob/master/wp-includes/post.php (note line 1).
functions.php after deletion.
It remains to check the functions.php of each installed theme. The surest way is to try reinstalling the theme, if possible. Otherwise, here is an example of an infected file: https://gist.github.com/alexandrpaliy/b3bb8a19433478fe32414895ad641709 - the appearance of line 3 from this example is a typical indication that functions.php is infected. In this case, you need to delete the entire <?php … ?> block where line 3 occurs:
?>... In this example, this is line 100. As a result, the cleaned file will look like this: https://gist.github.com/alexandrpaliy/95663f8dc1186cf6e4a6b725c397781b
users (most often wp_users), and if there are users unfamiliar to you, it is recommended to delete them by deleting the corresponding rows of the table.
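
The file checks from the steps above, collected into a read-only script. This is an added example, not part of the original instruction: the function name check_wp_tree and the DELETE/REVIEW/INSPECT labels are assumptions, the bare <?php first line is taken from the upstream post.php linked above, and the users table check is not covered.

```shell
#!/bin/sh
# Added example (not from the original instruction). Read-only: it reports,
# it never deletes or edits anything.
# Usage after sourcing this file: check_wp_tree /path/to/wordpress
# Exit status is 0 when nothing was flagged, 1 otherwise.

check_wp_tree() {
    root=$1
    findings=0

    # Files the instruction says to delete if present. Note the period in
    # class.wp.php: legitimate files in wp-includes use a hyphen instead.
    for rel in wp-includes/class.wp.php wp-includes/wp-vcd.php; do
        if [ -e "$root/$rel" ]; then
            echo "DELETE  $rel"
            findings=$((findings + 1))
        fi
    done

    # Line 1 of the stock wp-includes/post.php is a bare "<?php".
    # Anything else on that line needs a manual comparison with upstream.
    post="$root/wp-includes/post.php"
    if [ -f "$post" ]; then
        first=$(head -n 1 "$post" | tr -d '\r')
        if [ "$first" != "<?php" ]; then
            echo "REVIEW  wp-includes/post.php (line 1 is not a bare <?php)"
            findings=$((findings + 1))
        fi
    fi

    # functions.php of every installed theme must be inspected by hand
    # (or the theme reinstalled), so list them all, not only the active one.
    for f in "$root"/wp-content/themes/*/functions.php; do
        if [ -f "$f" ]; then
            echo "INSPECT ${f#"$root"/}"
        fi
    done

    [ "$findings" -eq 0 ]
}
```

INSPECT lines are a to-do list rather than findings, so they do not affect the exit status.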