How can I find security hole in my wordpress site?

The Symptoms you mentioned in your question and comment indicates that you might have compromised / nulled plugin or theme that deployed some sort of shell bomb. Its possible that there might be multiple malicious files in your main domain, add-on domains and subdomains. Its also possible that your default core wordpress files might also have been infected by malicious code. This type of behavior is quite common.

Your best bet here is to:

  1. Check the modified timestamps of files and folders. Find most
    recently modified files. Start by collecting samples from files with .suspected extension. The line in your htaccess are basically telling apache to treat .suspected files as PHP file which means they are executable. So these are not quarantined files these are active malwares.
  2. Try to identify malware signature. This can be a difficult task but
    you should be looking for encrypted code first. Hackers usually use
    eval and base64_decode to decrypt encrypted code. Also check for file_get_contents
  3. When you identify one or two signatures start hunting them with the
    acquired pattern.
  4. Another way is to download entire wordpress installation, open it in
    text editor and use find in all files to find malicious code. In this case I will recommend Notepade++ but you can use any good text editor.
  5. Now after checking each directory, upload your website.
  6. Install some security plugin to scan your installation against
    malwares and compare core files against their respective
    repositories to find any possible modifications.

Its also possible that after all this there might be some left over pieces of malware that can make your site vulnerable to remote file uploads, remote file inclusion or hidden administrative users which can be very hard to detect.

Now here I would recommend using antivirus to scan for malicious files but these malicious codes can easily evade most of the antivirus. So I would recommend you to find an expert to do this for you.

You should also update your wordpress installation, plugins, themes to their latest versions and change passwords of control panel account, database and wordpress users.

Lastly at best hacker can only infect the server on which the website is present to possibly send mass mails, run crypto currency miners, stealing user information, hosting phishing pages but It can not affect your google search console account.

I hope this will help you. Best of luck.

Related Posts:

  1. Verifying that I have fully removed a WordPress hack?
  2. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  3. Tips for finding SPAM links injected into the_content
  4. What should I do about hacked server?
  5. How to prevent bot or someone to modify any file automatically?
  6. wp-config.php modified?
  7. Suspicious Files
  8. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  9. Malware script in database post table only? [closed]
  10. Verifying that I have fully removed a WordPress hack?
  11. How can I safely hide the fact that my website runs on WordPress? [closed]
  12. My WordPress Websites are always under attack
  13. How to find exploited wordpress plugin [closed]
  14. Any known bugs that could cause disappearance of the wp_users table?
  15. On new server, site got hacked, permissions a bit strange? Please help
  16. Replace domain in database
  17. Remove hacked code – out of ideas! [closed]
  18. WordPress Database Re-installed (Hacked)
  19. Verifying that I have fully removed a WordPress hack?
  20. Could a user account with a stolen password compromised entire WP site?
  21. how to find the way they hacked my WP site
  22. How to stop repeated hack on header.php of custom theme? [closed]
  23. Is my WP site being hacked?
  24. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  25. WordPress Hacks/Defacing [closed]
  26. what is a auth_user_file.txt?
  27. Is moving wp-config outside the web root really beneficial?
  28. Can I Prevent Enumeration of Usernames?
  29. Best way to eliminate xmlrpc.php?
  30. Should I remove install.php and install-helper.php?
  31. How do I technically prove that WordPress is secure?
  32. Which KSES should be used and when?
  33. How can I easily verify a core or plugin update has not broken anything?
  34. Disable comment windows for all existing posts (pages/blogposts)
  35. How Attackers write script into my php files?
  36. Generate WordPress salt
  37. Vanilla WordPress install, what can/should I put in disable_functions?
  38. Stop wordpress automatically escaping $_POST data
  39. Secure my “add_settings_field” translation?
  40. how can i embed wordpress backend in iframe
  41. Handling nonces for actions from guests to logged-in users
  42. WordPress Logout Only If User Click Logout or If User Delete Browser History
  43. Can I force a password change?
  44. How brute-forcer knows that the password is cracked for target username?
  45. wp_insert_post disable HTML filter
  46. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  47. Completely remove the author url
  48. Restricting access to content
  49. About WordPress site security
  50. Relative security of different releases of WordPress
  51. Is there any point setting the keys and salts in wp-config.php?
  52. Where to store OAuth 2.0 client id and secret?
  53. Using HTACCESS for Secret Access
  54. Definitive wordpress directory ownership and permissions on linux
  55. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  56. Changing Table Prefixes – once done, am I good to go going forward?
  57. wordpress website host price and security [closed]
  58. Are there security risks in working directly in the themes folder that builds into a theme folder?
  59. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  60. Hack-Proof OR Security in WordPress — is it real?
  61. Secure WordPress: Change admin
  62. Changing the default header name
  63. how much information can we hide when using wordpress cms?
  64. Is it safe to use a global wp nonce per user instead of a nonce per action?
  65. Wordfence detects change in wp-admin/includes/upgrade.php
  66. Basic password protection without using users and roles
  67. System setting changed by system user
  68. Does meta-data need to be sanitized?
  69. 404/500 error on content images if Referer header is from another domain [closed]
  70. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  71. Switching between security plugins is a risk?
  72. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  73. How to prevent to direct access of my custom plugin folder/files
  74. Checking for origin of a xmlrpc request
  75. RESTRICT EDIT of PHP files?
  76. wp-content – permissions for files/folders created by apache
  77. How can I restrict access to specific parts of a page, not just the page itself?
  78. User generated content and security
  79. Monitor wordpress all external calls
  80. Is it safe to use the basic administration with reduced rights for private member space
  81. Securing WordPress running on Azure platform
  82. Spam Registrations
  83. How can I have more confidence that WP plugins aren’t getting and storing user data?
  84. Standard Method for Securing a WordPress Site
  85. wordpress security (only one part of the site)
  86. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  87. Any way to disable /wp-login.php redirecting to the site folder?
  88. Folder Permissions + Security Concerns
  89. Malware/Permission bug removal?
  90. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  91. Secure a WordPress website in 2019: one plugin or a combinations of them?
  92. What are the different types of firewall protections available for a WordPress website?
  93. Run a security scan on WordPress site that has .htaccess password [closed]
  94. Is this a WordPress security bug?
  95. Competitor is somehow accessing MetaData on a hidden WordPress site
  96. checking the form submit in right order
  97. Our security auditor is an idiot. How do I give him the information he wants?
  98. I am under DDoS. What can I do?
  99. SSH keypair generation: RSA or DSA?
  100. WordPress – tracking options

Leave a Comment