Remove hacked code – out of ideas! [closed]

You can move the wp-config file one level up.

You can also create a .htaccess file and upload it to your uploads folder with this code:

<Files ~ ".*..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch ".(jpg|jpeg|jpe|gif|png)$">
Order Deny,Allow
Allow from all
</FilesMatch>

Or install a plugin for security which also scans your installation so you can more easily find the malicious code. http://wordpress.org/plugins/wordfence/

More security . http://codex.wordpress.org/Hardening_WordPress

Related Posts:

  1. Is moving wp-config outside the web root really beneficial?
  2. Verifying that I have fully removed a WordPress hack?
  3. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  4. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  5. Tips for finding SPAM links injected into the_content
  6. Generate WordPress salt
  7. Garbage in beginning of wp-config.php – was this WP installation compromised?
  8. What should I do about hacked server?
  9. How can I find security hole in my wordpress site?
  10. How to prevent bot or someone to modify any file automatically?
  11. wp-config.php modified?
  12. How does the “authentication unique keys and salts” feature work?
  13. Securing wp-config leads to sensitive information leak on wp-settings
  14. Is there any point setting the keys and salts in wp-config.php?
  15. Suspicious Files
  16. What’s the point of forbidding access to wp-config.php?
  17. Where to store OAuth 2.0 client id and secret?
  18. How to prevent wp-login brute force attack from thousand of different IP? [duplicate]
  19. Malware script in database post table only? [closed]
  20. Verifying that I have fully removed a WordPress hack?
  21. How can I safely hide the fact that my website runs on WordPress? [closed]
  22. My WordPress Websites are always under attack
  23. Config file with no Keys..?
  24. How to find exploited wordpress plugin [closed]
  25. White screen of death on admin pages after moving wp-config up two levels for security
  26. Storing FTP details in wp-config.php
  27. Any known bugs that could cause disappearance of the wp_users table?
  28. On new server, site got hacked, permissions a bit strange? Please help
  29. My Site keeps crashing due to the wp-confg file being deleted
  30. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  31. Replace domain in database
  32. How to change location of wp-config.php to folder or 2 folders up?
  33. Adding Security Keys?
  34. Secret keys in SCM
  35. Should I prevent access to .htaccess and wp-config.php files?
  36. WordPress Database Re-installed (Hacked)
  37. Verifying that I have fully removed a WordPress hack?
  38. wp-config.php moved above root results in no plugin updates
  39. wp-config.php file and code injection
  40. Malware/Permission bug removal?
  41. Could a user account with a stolen password compromised entire WP site?
  42. how to find the way they hacked my WP site
  43. How to stop repeated hack on header.php of custom theme? [closed]
  44. Default installation permissions for wp-config.php
  45. Is my WP site being hacked?
  46. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  47. WordPress Hacks/Defacing [closed]
  48. Move data from wp-config to another file
  49. What’s the best approach for generating a new API key?
  50. Simplest two-way encryption using PHP
  51. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  52. how fix “this certificate cannot be verified up to a trusted certification authority”
  53. How can bcrypt have built-in salts?
  54. Getting a List of Currently Available Roles on a WordPress Site?
  55. How safe / sanitized is wp_insert_posts()?
  56. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  57. Why are passwords exportable as plain text in WordPress?
  58. Is there a way to force ssl on certain pages
  59. What is the purpose of having a token in cookies?
  60. How is password strength calculated?
  61. Regular security checks – what steps should be included?
  62. What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
  63. Do Cookies Need to be Sanatized Before Being Saved?
  64. Disable external access to REST API Endpoint
  65. What is the wp-includes/certificates/ca-bundle.crt used for?
  66. Do you need to escape hard coded plain text?
  67. Encrypt emails?
  68. WordPress salts set in config and database
  69. Disallow file edit not preventing plugin install
  70. How to secure WordPress XMLRPC?
  71. Websites defaced by uploading script using theme editor
  72. What is the relationship between cURL, WordPress and cacert.pem?
  73. Does WP show me if I’m logged in from multiple locations?
  74. Has anyone experience w/ WordPress (MultiSite) hidden users (possibly hacked)?
  75. WordPress Malware Problem help! [duplicate]
  76. Restrictive File Permissions
  77. Why are xmlrpc.php and wp-cron.php being called so often?
  78. Using esc_html with HTML purifier and CSSTidy: Overkill?
  79. wordfence scan warning on W3 Total Cache [closed]
  80. How to save iframe tag into a post?
  81. Is wp_kses the right approach in sanitizing this string?
  82. Renaming install.php for security?
  83. WordPress Front end Form – Enable to Submit PHP Codes
  84. Is WordPress MultiSite secure & how much can it scale? [closed]
  85. Which Versions of WordPress Ship with the Patched TimThumb?
  86. Use global variables or function that returns said variables for site-wide private-ish WP settings?
  87. What can I do when an outside party hacks into my weblog and changes my display name?
  88. How safe is current_user_can()?
  89. Use Google authentication for pages within a website [closed]
  90. should I escape a literal url added in functions.php
  91. Spam in WordPress root folder
  92. Cannot access wp admin of WordPress website (security plugin issue) [closed]
  93. Why are the latest visits to my website originating from my own website?
  94. How do I hide WordPress users from security scanning?
  95. Background Updates Not Happening
  96. Able to go to WordPress admin even after deleting auth cookies from request headers
  97. FORCE_SSL_ADMIN affecting subdomains
  98. What is the best security $_POST method?
  99. My WP site and password was hacked, what to do? [closed]
  100. SSH keypair generation: RSA or DSA?
techhipbettruvabetnorabahisbahis forumuedueduseduseduedueduseduseduedusedu