Replies: 0
Hi All,
(TLDR: see steps below for guide to remove cutwin virus.)
I Just wanted to share my experience with a virus that took over my entire WordPress site. Three days ago, I got an email from one of my clients saying that the site was directing her to weird links. Long story short, all the links were hijacked and were pointing towards dodgy websites (mainly cutwin urls). The virus wouldn’t run when logged in as admin, but only when you visit the site.
When I removed the urls, they’d reappear after an hour or so. Luckily, I’ve managed to fix it and the website has been clean now for over 48 hours. I thought I’d share my fix with you in the hope that this would be helpful.
- my cutwin script was injected in the additional CSS box in the cutomisation panel (deleted this).
- checked the wp_post table and found that every row has an additional script attached
- download the “better search replace” plugin and search your entire database for the script and replace it with nothing (leave replace box blank).
- search entire database with “better search replace” for cutwin and replace with nothing (you should have no results for this, but just in case).
- disable and delete all themes and plugins you aren’t using, including WP default themes
- check the header and footer files for any suspicious looking scripts or weird unreadable code.
- after a few hours, repeat step 4 just to confirm that the virus hasn’t reappeared.
This may not fix the problem for everyone, but I hope it will be useful!
Best wishes,
- This topic was modified 8 minutes ago by Remco van Essen.
- This topic was modified 2 minutes ago by Remco van Essen. Reason: added TLDR