Network Solutions has suspended my account (see letter below). I am using WordPress. In the letter it says I need to remove all PHP files . . . What steps do i need to take to get my site back online?
Letter from Network Solutions:
Subject: Network Solutions Policy Violation
We have discovered that your usage of the hosting service is not in compliance with our Acceptable Use Policy . . . we have taken necessary steps to suspend your service until you have reviewed the information below and made the required updates that will allow us to reactivate your service.
Issue: Your hosting account has hacked content. It appears you are running vulnerable PHP that has allowed your account to be controlled by an attacker.
How did this happen: This can be caused by code vulnerabilities in an existing content-management system (CMS) or other script that has been compromised. The most common cause is an outdated, hacked CMS such as WordPress.
Example hacked content found on your account (NOTE: This is just an example and all hacked files will need removal; we cannot provide a full listing of your hacked content): /htdocs/files.php
How can this be fixed: You will need to remove all PHP files from your hosting account and update your content to a more secure system. Failure to do so will result in your account remaining suspended. Here are some action steps you can take:
• Secure your CMS. If your site is a CMS, you will need to update the code/script(s) via FTP. We will not enable web access for you to secure your compromised form(s) or site(s). If you can't update the site via FTP you will need to disable the site before we can lift any suspension, including removing ALL of the PHP content.
o If you are using a CMS, we will not lift the suspension unless the CMS itself is updated to the current version listed on the CMS website at the time of processing your request.
• If you need assistance cleaning your site, contact our security partner, SiteLock at 1-888-392-5885. For an additional fee they will ensure your site is clear of malware so you can get your site back up and running.
After the above steps are taken, you can then request to have your account re-activated by sending us an email at [email protected] with the following criteria:
• Explanation of why the violation occurred.
• The steps taken to secure your services to prevent future violations.
• Refer to your account in your email.
o You can simply reply to this email with the above information filled out if you wish.
We apologize for the inconvenience this may cause but appreciate your help in getting this issue resolved and getting your website back online. If you have any questions, please contact us.
NOTE: Network Solutions may reject your request without a response to you. If your account is re-activated, any further complaints that violate our service agreement may result in the immediate and permanent termination of your service.
Hariprasad Vijayan answers:
They are asking about fixing your hacked WordPress website.
Check this, https://codex.wordpress.org/FAQ_My_site_was_hacked
Hope it helps to resolve it.
The article refers to 'scan your website' -- if my site has been suspended and my only access is via FTP -- what could i do to find the infected file(s)?
Hariprasad Vijayan comments:
You can do as Rempty suggested.
IMPORTANT : Keep a backup of your server and database.
Do you have a lot of plugins installed?
Wordpress 3.9 is too old, you need 4.4.1.
Download your template and uploads folder, note name of all plugins (you need to reinstall later).
Desinfect your template and uploads folder(find suspicious files and malicious code).
You can work in localhost to test your template + plugins in wp 4.4.1
Delete via ftp(if you can access via cpanel will be better) all your wordpress site, remove completly
Upload a wordpress 4.4.1 to your server
Upload your template
Upload your uploads folder.
Now you can send a email to your hosting provider and explain that all is fixed.
Now login to your wp-admin(wordpress maybe ask for update your db), reinstall all your plugins.
Change your admin password, find if there is other users(some bots add users).
You can install "iThemes Security" for better protection.
Are you able to access server files via FTP (have you created ftp account and have access details)?
-> Download all files in server.
-> Try to find some odd files. Such file might have some strange file names.
-> Sometime such files contains encoded code. try to search base64_encode in all files using software. Sometime such code is injected in normal wordpress/php files.
-> Try to see last file updated date and time. you will be able to see in ftp software. It will help you to find infected files.
-> You can try to update all wordpress related files with latest version. (download it from wordpress.rog)
-> same is true for plugins and theme. download latest version and update them.
If you can provide me ftp details in private message I can help you more.