Restoring Hacked Website
Restore from back up
Go to heteml.jp control panel and click バックアップ (backup) Id: bridgesystem
password:kuraki2417
https://gyazo.com/6b1a0fbb89a397608199a55c62163fe1
Click button バックアップ管理画面へ
https://gyazo.com/e493c30f08095f504bb34bfb404f8dd7
Choose 復元(Restore)button
https://gyazo.com/7a2c802d718080f84e2aff84893e3b87
Choose date and time and the directory to restore
https://gyazo.com/a1b464c3d2a9d10ee8445868afed3107
Click confirmation check box and red button to restore
https://gyazo.com/eff180ded3b71eef953b2c1bf0359c36
The restoration is completed. click 戻る (back) button to complete restoration
https://gyazo.com/9e6b7dba8a70627b80f219f9700cf2c9
Scan with Wordfence
Go to dashboard and choose Wordfence>Scan. Click START WORDFENCE SCAN to start
https://gyazo.com/3cfeecbc6303aba2b7b05ad70a219c73
If no problem, the result will be show as below
https://gyazo.com/eb9d3cd638cbeb942d5872fc00db60e7
If infected, the alert as below is displayed
https://gyazo.com/733c0b49a859c8c18a9a110526b48ea5
Replace WordPress Core files
Goto FTP and delete all files except
wp-content folder
.htaccess file
wp-config.php file
https://gyazo.com/e2a282f103c4fcfad720e1c095345d09
Download the latest WordPress and upload to FTP except these 3 above files.
The ftp address is
id: bridgesystem
pass: xwz53v79af
https://gyazo.com/930700dea6b77321e6bf6fe09b1f4522
Run Wordfence scanner if any more infected files
Replace Theme files
If theme is infected, delete theme directrory that is infected. The below case is knowhow theme directory is infected.
https://gyazo.com/a9cd213130dd8acea3d19ec4da14906b
Upload the brand new theme.
https://gyazo.com/6406807a0a7bcc55c586762e9d8a5552
Start scanning again.
Plugin Files
If plugin files are infected, delete the directory that is infected and upload the new plugins.
For example the blow case is the plugin table press is infected.
https://gyazo.com/ebb0f48ab3dc26f5ed642179bfed48e1
Go through the all list of infected plugin files. In this case below plugins are infected:
advanced-custom-fields
tablepress
subscribe2
custom-post-type-ui
wordfence
drawit
whats-new-genarator
custom-post-type-ui
restricted-site-access
simple-custom-post-order
wp-post-list-table
First, delete advanced-custom-fields folder by FTP and then go to plugin page and install brand new advanced-custom-fields
https://gyazo.com/0e7581a9acf5b70f59aa632f960ba284
Repeat for the all plugin to delete folder and install new plugin again.
After all plugins are refreshed, scan with Wordfence again
Delete infected code by hand
Go to the infected file by FTP
For example, the below files are infected by virus
wp-contentai1wm-backupsindex.php
wp-content/index.php
wp-config.php
The first line with strange text data is the infected section.
https://gyazo.com/765e0535842abb36522e464cd69b4a72
Select the infected section and delete.
https://gyazo.com/29e368f38089a036c1a7b601d2cb8894
Save the file
https://gyazo.com/6622cbda2af05b5d2eb20696415f7995
Finally go to Wordfence and scan agin. If all files are clear, restoring hacking website is done.