WordPress Site Keeps Getting Hacked

First of all – DON'T PANIC.

Installing antivirus or security plugins at this point will rarely help: the malicious code already has access to the server.

1 – Change ALL the passwords: FTP, MySQL / DB, cPanel, WHM, SSH (disable it if not needed), and anything else that has access.

2 – Check your server (all folders: cgi, cgi-bin, ftp, etc.).
Delete the whole WordPress folder (except wp-content) and all other strange files. Delete all themes and all plugins, and check the rest of wp-content manually and attentively. Back up the DB and check it manually.

2.1 – (EDIT 1) Disallow directory indexes in cPanel / WHM, and read below for .htaccess protections.

2.2 – Upload fresh WordPress CORE files into their OWN directory (not the root) and rename it to something else (not wp or wordpress).

3 – Update plugins and themes: do not copy the ones you have, but install fresh, updated ones from the wp plugin repository, and a fresh, clean theme.
Check them manually if necessary.

In your theme, check every form and input field for correct input validation.

4 – Change all the DB credentials in wp-config.php, and regenerate the authentication keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their _SALT counterparts); new keys invalidate every existing login cookie, including the attacker's.
Create a new database AND a new user AND new passwords. Check the DB backup manually BEFORE importing it back.

4.1 – (EDIT 1) I forgot to mention: change the DB table prefix as well. Do not leave it as wp_.

5 – Change all WP user passwords AND usernames.
If you have an open site with hundreds of users, write a script to force everyone to change their password. If you only have a dozen, change them manually.
When I said all, that includes the default admin user (from past versions).

6 – After some time, check your server log and see whether the 404s for the fake image files come from a single IP address (probably not); if they do, block it.

7 – There is not much more you can do, except being careful. It is a lot of work, but do not be lazy: follow all the steps. Otherwise it is not just this one site; the whole server could be compromised, again and again.
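The manual checks in steps 2 to 6 (PHP in the uploads folder, fake image files, injected PHP functions, recently changed files) gathered into one small triage script. This is an added example, not the original author's script: it assumes POSIX sh with find and grep, takes the WordPress root as its first argument, and only lists files, so you still decide what to delete.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only triage of a WordPress
# tree after a compromise. It lists the files the cleanup steps tell you to look
# at by hand; it deletes nothing.
# Assumptions: POSIX sh with find and grep; the WordPress root is passed as $1.

# 1. PHP files under wp-content/uploads. Only uploaded media belongs there, so any
#    .php/.phtml/.php5 file is almost certainly a dropped web shell.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# 2. "Fake image files": files with an image extension that actually contain PHP.
#    They sit quietly until an include() or a dropped .htaccess makes them execute.
fake_images() {
    find "$1" -type f \
        \( -name '*.jpg' -o -name '*.jpeg' -o -name '*.png' -o -name '*.gif' -o -name '*.ico' \) \
        -exec grep -l '<?php' {} + 2>/dev/null | sort
}

# 3. PHP files containing functions that clean themes and plugins rarely need.
#    base64_decode() does appear in legitimate code, so every hit needs eyes, not rm.
suspicious_php() {
    find "$1" -type f -name '*.php' -exec grep -lE \
        "eval\(|base64_decode\(|gzinflate\(|str_rot13\(|assert\(|system\(|passthru\(|shell_exec\(|preg_replace\([^,]*/e['\"]" \
        {} + 2>/dev/null | sort
}

# 4. Anything modified in the last N days (default 7). An attacker's files usually
#    share a timestamp; so do a fresh upload's, so run this BEFORE re-uploading core.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}" 2>/dev/null | sort
}

# Run all four checks and print a small report.
triage() {
    for check in php_in_uploads fake_images suspicious_php recently_modified; do
        printf '== %s ==\n' "$check"
        "$check" "$1"
    done
}

# Stand-alone use: sh triage.sh /path/to/wordpress (path is whatever your host uses)
if [ -n "${1:-}" ]; then
    triage "$1"
fi
```

Run it before re-uploading the core, because freshly uploaded files all carry a new timestamp and recently_modified would then flag every one of them. Expect false positives from suspicious_php: read each hit rather than deleting it.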

Guidelines so that it does not happen again:

  • Choose strong passwords. Nobody likes passwords that look like aDf34HG§*#sFGT, but they ARE helpful, especially for the DB and other automated tasks. For users, force at least one symbol and one letter.

  • Do not install themes and plugins that you do not know, do not fully understand, or have downloaded from questionable sources (
    all-wp-premium-themes-for-free-and-direct-download-all-plugins-for-free etc.).

  • Keep the WordPress core files updated.

  • Check the server manually every once in a while.

.htaccess

Some directives that can prevent (or at least try to prevent) this from happening again.

Put them in the .htaccess file in the root directory of WordPress. They only take effect if the server's AllowOverride setting permits .htaccess files in that directory.

# Disallow indexes
Options All -Indexes

# Order/Deny are Apache 2.2 directives; on Apache 2.4 use "Require all denied"
# inside each <files> block instead.

# Protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>

# WPhtC: Protect .htaccess (and .htpasswd) files
<files ~ "^.*\.([Hh][Tt][Aa])">
Order allow,deny
Deny from all
</files>

robots.txt

User-agent: *
Disallow: /wp-

Note that robots.txt is advisory only: well-behaved crawlers will stop indexing those paths, but it blocks nothing, and anyone can read it to learn where the WordPress files live. Blocking /wp- also keeps crawlers away from /wp-content, i.e. your theme's CSS/JS and uploaded images.

Another thing you can do is to force users (and yourself) to use SSL (HTTPS) when logging in to the admin area, by adding this to wp-config.php:

define('FORCE_SSL_LOGIN', true);

In WordPress 4.0 and later this constant is deprecated in favour of FORCE_SSL_ADMIN, which forces HTTPS for the login page and the whole admin area.

After that, you will also need to peek at your DB to see if you have strange columns / tables / entries / users. For example, if your site is constantly being redirected, check the posts and options for injected strings (eval(), exec(), script tags, URLs that are not yours).
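The same DB check, for the case where you have the mysqldump backup from step 2 and want to read it before importing it into the new database. This is an added example, not code from the original post: it assumes POSIX sh with grep, cut and tr, a dump in standard mysqldump format (extended INSERTs, strings in single quotes), and the wp_ prefix unless WP_PREFIX is set to the prefix the dump actually uses (the old one, not the new one chosen in step 4.1). The sample rows in the usage below are constructed, not taken from a real dump.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only checks on a mysqldump
# of the WordPress database before it is imported back. Assumptions: POSIX sh with
# grep, cut and tr; table prefix wp_ unless WP_PREFIX is set; dump path in $1;
# standard mysqldump formatting (extended INSERTs, strings in single quotes).

PREFIX="${WP_PREFIX:-wp_}"

# 1. Short snippets around script tags, iframes and eval()/base64_decode() calls in
#    any table: injected redirects usually live in wp_posts or wp_options.
dump_injected_snippets() {
    grep -oE ".{0,30}(<script|<iframe|eval\(|base64_decode\().{0,60}" "$1"
}

# 2. The siteurl and home options. A redirect hack often simply rewrites these.
dump_site_urls() {
    grep -oE "'(siteurl|home)','[^']*'" "$1" | tr -d "'" | tr ',' ' '
}

# 3. Every account in the users table as "ID login"; compare against the accounts
#    you know you created.
dump_users() {
    grep -E "INSERT INTO \`${PREFIX}users\`" "$1" \
        | grep -oE "\([0-9]+,'[^']*'" | tr -d "('" | tr ',' ' '
}

# 4. IDs of users whose capabilities serialize to the administrator role. A second
#    administrator you do not recognise is the classic persistent backdoor.
dump_admin_ids() {
    grep -oE "\([0-9]+,[0-9]+,'${PREFIX}capabilities','[^']*administrator[^']*'" "$1" \
        | cut -d, -f2
}

# Stand-alone use: sh dumpcheck.sh backup.sql (file name is whatever you called it)
if [ -n "${1:-}" ]; then
    for check in dump_site_urls dump_users dump_admin_ids dump_injected_snippets; do
        printf '== %s ==\n' "$check"
        "$check" "$1"
    done
fi
```

dump_site_urls must show your own domain, and the ID list from dump_admin_ids must contain only accounts you recognise from dump_users. Any hit from dump_injected_snippets needs a look at the full row before you restore; it is worth extending the pattern with whatever payload you found in the files.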

You could also use one of the numerous security plugins to verify the core file checksums and to scan for the PHP calls mentioned above.

There are other things, more complicated, especially on the Apache side.
If I have more time, I will post a blog entry and link it here. But what is written above is a good start.
