Sorry to hear your site is hacked, there’s probably tens of thousands of Display Widget v2.6.* users in the same boat!
I’ve not looked at a Display Widget Plugin v2.6.* hacked site, so not sure how much WordPress security damage it does. If it’s a simple case of the dynamic Post hacking code just adds a dynamic Post and does nothing else it will be easy to fix.
Remove v2.6.* of the Display Widgets Plugin and it’s fixed.
The problem is with the option to add a dynamic Post means the Display Widget Plugin developer (@displaywidget) could insert other malicious code via the dynamic Post. If the hackers done this there could be backdoors added to the site and that’s a much bigger WordPress security issue: you have to find them to secure the site.
First step is remove the Display Widgets Plugin v2.6.* and check if deleting the plugin fixes the spammy links when a user is logged out.
You can delete the plugin in two says, use an FTP program and manually delete the /display-widget/ plugin folder (under /wp-content/plugins/display-widgets/). Or under the Plugins menu click the Delete link associated with the plugin.
That should remove the dynamic Post with the spammy links (check when logged out). To be safe I’d at least update the WordPress password just in case.
If it was my site first using FTP I’d download a full copy of the sites files, I’d also use my server controlpanel to make a backup of the entire site (this gives me a backup of the files and the database).
I’d then look through every directory for anything out of place (looking at file dates can help) and even if I didn’t find anything reinstall WordPress manually via FTP deleting old files and replacing with new.
Basically I’d get the latest WordPress zip file, extract it on my PC, rename the folders within:
Rename: /wp-admin/ to /tempwp-admin/
Rename: /wp-includes/ to /tempwp-includes/
Upload the two folders via FTP, when uploaded rename the original folder:
Rename: /wp-admin/ to /oldwp-admin/
Rename: /wp-includes/ to /oldwp-includes/
Rename: /tempwp-admin/ to /wp-admin/
Rename: /tempwp-includes/ to /wp-includes/
The above gives you a clean version of the main WordPress directories.
Also upload the new files from the zip file wp-activate.php, wp-blog-header.php etc… (there’s around 16 files) over the old and manually check what files are unchanged (some old installs have out of date WordPress files, delete them) in the root of the WordPress install: (.htaccess, wp-config.php for example won’t be over wrote DO NOT delete them), you should download these files and manually check them for changes.
The above will give you a clean install of WordPress, if the site works delete the old folders /oldpwp-admin/ and /oldwp-includes/.
Next is check what’s in the /wp-content/ directory, this is usually where images, plugins, themes and caches are stored. Delete all plugins you don’t use (if it isn’t active, delete it), delete all themes you don’t use keeping one of the default WordPress themes like TwentySeventeen (should have no more than three themes in the themes folder: one default theme, one parent theme, one child theme). Exception to this is if you are on a multi-site version of WordPress and different sites use different themes: same concept, but keep all active themes.
Like what I did with the /wp-admin/ folder I’d do similar for the /plugins/ and /themes/ folders. On my PC I’d create two folders /tempplugins/ and /tempthemes/ and put in them fresh copies of the plugins and themes I use. I’d upload them to the /wp-content/ folder and then rename /plugins/ to /oldplugins/ and /themes/ to /oldthemes/ (when everything is working delete the /oldfolders/.
This way I get a clean version of most of WordPress, other folders under /wp-content/ I’d check manually, if a cache plugin was installed I’d clear the cache (should delete a lot of the cache files) and manually check what’s left.
By doing the above if a hacker has uploaded a backdoor script to any of the directories you’ve replaced they are gone for good. You just have to be careful manually checking what’s in the wp-config.php file the .htccess file and anything under /wp-content/ you didn’t delete/replace.
You also have to check below your root directory. On my server the root directory is under /public_html/, but below that folder is /awstats/, /cgi-bin/, /tmp/ etc… these all need checking manually. On my system /tmp/ for example should be empty, but sometimes old session files remain, I delete them all.
After that I’d check through the database for changes and look through the site when both logged in and logged out for anything untoward. I’d also change all passwords, that includes the passwords for FTP access to the server, the MySQL password (update the wp-config.php file) and the WordPress login password.
There is no right way to do this (I prefer the manual approach as I won’t miss anything: a security script could miss something), it’s a case of looking for things that shouldn’t be there and as every site is different…
All that being said, when I’ve been hacked (I’ve owned 100s of domains it’s impossible to be 100% secure for 15+ years) I’ve always reverted back to the last clean backup, change the passwords just to be safe and make sure whatever was vulnerable is fixed: regular backups are your best friend :-)
Update September 16th 2017 : I’ve released a Free Security Update/Upgrade of the Display Widgets Plugin.
More Comments on Display Widgets Plugin Review by SEO Gold Coast Services
Sorry to hear of the problems.
In principle yes the hack could have compromised your site in other ways.
I never installed the Display Widgets Plugin v2.6.* on a live site, only …
I’ve released a Free Security Update/Upgrade of the Display Widgets Plugin which is called v4.0.0 and is malicious code free and extends the widget logic features. I’ll be supporting the …
Thanks for your kind words :-)
A couple of small inaccuracies in your comment above.
The WordPress plugin team didn’t delete/close/moderate my WordPress forum support posts, it was “Jan Dembowsi” (@jdembowsi) a …
There’s some info on the Display Widgets support forum about the 2.7 update, but you can’t get to it easily because the main Display Widget Plugin page is still closed …
I said I wasn’t going to waste my time contacting the WordPress plugin team again, but I couldn’t help myself, the Display Widgets plugin developer is a hacker and is …
Originally posted to the WordPress support forum…
WordPress has deleted the Display Widgets plugin again, (twice in a week!) this time because of version 2.6.1.
The cause is the code in the …
Originally posted to the WordPress support forum…
I have a question regarding the visitor data you are tracking/storing and your terms at http://geoip2.io/terms.html: the site has been deleted.
More Comments by SEO Gold Coast Services
Most likely Google alone.
Google trusts what they are told via the defamation reports, there doesn’t appear to be any detailed checking on Google’s part!
So if someone makes a credible defamation …
SEO tools like SEOptimer are generally not very good, they are built by programmers who are human and they make mistakes, so I’d take the SEOptimer Usability Device Rendering F …
When you said “I apply most of the tricks talked about in this article” does that mean you are following at least 400 Twitter accounts everyday and unfollowing them all …
This is a Camping World Biloxi SEO test.
The Camping World Biloxi Google search phrase sees around 1,900 searches a month, a number 1 Google listing for Camping World Biloxi would …
Regarding GTmetrix speed testing you have to take into account hosting location when comparing 2 websites targeting different countries.
My SEO Gold site which mostly targets the UK market is hosted …
The Revolution Slider SEO Optimization article is a snippet of a larger article Optimized Images Load Faster and Consume Less Cellular Data which looks at a website created by a …
WoW! I critique the old out of date web design of a local Skegness business and James Smith (AKA: fake name) resorts to childish personal insults, why would you do …