Remove hacked code – out of ideas! [closed]

You can move the wp-config file one level up.

You can also create a .htaccess file and upload it to your uploads folder with this code:

<Files ~ ".*..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch ".(jpg|jpeg|jpe|gif|png)$">
Order Deny,Allow
Allow from all
</FilesMatch>

Or install a plugin for security which also scans your installation so you can more easily find the malicious code. http://wordpress.org/plugins/wordfence/

More security . http://codex.wordpress.org/Hardening_WordPress

Related Posts:

  1. Is moving wp-config outside the web root really beneficial?
  2. Verifying that I have fully removed a WordPress hack?
  3. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  4. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  5. Tips for finding SPAM links injected into the_content
  6. Generate WordPress salt
  7. Garbage in beginning of wp-config.php – was this WP installation compromised?
  8. What should I do about hacked server?
  9. How can I find security hole in my wordpress site?
  10. How to prevent bot or someone to modify any file automatically?
  11. wp-config.php modified?
  12. How does the “authentication unique keys and salts” feature work?
  13. Securing wp-config leads to sensitive information leak on wp-settings
  14. Is there any point setting the keys and salts in wp-config.php?
  15. Suspicious Files
  16. What’s the point of forbidding access to wp-config.php?
  17. Where to store OAuth 2.0 client id and secret?
  18. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  19. Malware script in database post table only? [closed]
  20. Verifying that I have fully removed a WordPress hack?
  21. How can I safely hide the fact that my website runs on WordPress? [closed]
  22. My WordPress Websites are always under attack
  23. Config file with no Keys..?
  24. How to find exploited wordpress plugin [closed]
  25. White screen of death on admin pages after moving wp-config up two levels for security
  26. Storing FTP details in wp-config.php
  27. Any known bugs that could cause disappearance of the wp_users table?
  28. On new server, site got hacked, permissions a bit strange? Please help
  29. My Site keeps crashing due to the wp-confg file being deleted
  30. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  31. Replace domain in database
  32. How to change location of wp-config.php to folder or 2 folders up?
  33. Adding Security Keys?
  34. Secret keys in SCM
  35. Should I prevent access to .htaccess and wp-config.php files?
  36. WordPress Database Re-installed (Hacked)
  37. Verifying that I have fully removed a WordPress hack?
  38. wp-config.php moved above root results in no plugin updates
  39. wp-config.php file and code injection
  40. Malware/Permission bug removal?
  41. Could a user account with a stolen password compromised entire WP site?
  42. how to find the way they hacked my WP site
  43. How to stop repeated hack on header.php of custom theme? [closed]
  44. Default installation permissions for wp-config.php
  45. Is my WP site being hacked?
  46. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  47. WordPress Hacks/Defacing [closed]
  48. Move data from wp-config to another file
  49. wp-salt.php and wp-cli.yml File present in public_html folder
  50. SSL Error: unable to get local issuer certificate
  51. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  52. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  53. How to redirect all HTTP requests to HTTPS
  54. What is the difference between a cer, pvk, and pfx file?
  55. How to solve “Kernel panic – not syncing – Attempted to kill init” — without erasing any user data
  56. What’s the best approach for generating a new API key?
  57. Is it possible to decrypt SHA1
  58. Simplest two-way encryption using PHP
  59. Why does the URL http://a/%%30%30 crash Google Chrome?
  60. what is a auth_user_file.txt?
  61. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  62. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  63. Error `sec_error_revoked_certificate` when viewed in Firefox only
  64. How to view PHP on live site
  65. Convert .pfx to .cer
  66. how fix “this certificate cannot be verified up to a trusted certification authority”
  67. Can an attacker use inspect element harmfully?
  68. Where does Internet Explorer store saved passwords?
  69. How can bcrypt have built-in salts?
  70. Hide the fact a site is using WordPress?
  71. Infected Files – what to do [closed]
  72. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  73. Getting a List of Currently Available Roles on a WordPress Site?
  74. WordPress 4.7.1 REST API still exposing users
  75. Can I Prevent Enumeration of Usernames?
  76. Best way to eliminate xmlrpc.php?
  77. What’s the easiest way to stop WP from ever logging me out
  78. Should I escape wordpress functions like the_title, the_excerpt, the_content
  79. Why should I use the esc_url?
  80. Should I remove install.php and install-helper.php?
  81. How safe / sanitized is wp_insert_posts()?
  82. Why does WordPress need my private ssh key to update?
  83. When to use esc_html and when to use sanitize_text_field?
  84. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  85. Where to securely store API keys and passwords in WordPress?
  86. Are Nonces Useless?
  87. What could a hacker do with my wp-config.php
  88. What is the difference between esc_html filter vs attribute_escape filter?
  89. Why escape if the_content isnt?
  90. Why does WordPress have more than one salt?
  91. Why are passwords exportable as plain text in WordPress?
  92. What is the ideal setup to address security concerns?
  93. Will there be security updates for 3.1 once 3.2 is released?
  94. What’s the difference between esc_* functions?
  95. Full path disclosure on rss-functions.php
  96. What to use instead of wp_kses() in user output
  97. How to set up fail2ban with WordFence?
  98. How do I technically prove that WordPress is secure?
  99. Are the default salts secure?
  100. is_email() VS sanitize_email()
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)