It's been a few days and the discussion is still not finished. In my opinion, as someone who has created hundreds of WordPress-based websites, this problem is actually quite simple to solve. Here is what I usually do:
Before doing the steps below, make sure to disable access to the website (so that the malware doesn't create or infect any more files), then replace/update the WordPress core, themes and plugins using a really clean resource. Then...
1. The most basic way: if the website admin can still access the admin back-end, just install Wordfence (as mentioned above), then do a scan. The scan results will show files that are dangerous or suspicious (files that contain backdoor scripts will also be detected). Usually malware files use strange or auto-generated file names. Then delete the file (if it is not an original file from the developer), OR edit the core/original file if it has been infected or infiltrated by malicious code (remove the malicious code only). If the contents of a core file have been completely replaced with malicious code, just delete the core file, then upload/update it with the original file from the developer.
2. The manual way: check the file permissions of each folder/file. The standard WordPress file permissions are 755 (or 775) for folders and 644 for files. If the permissions of a folder (and especially of files) are 777, then you need to be careful; usually and generally malware has changed them. If the website is infected, I usually just need to see which folders have had their permissions changed to 777, then I investigate the files in them further, then delete or edit them manually, according to the need/damage caused by the malware. Change the folder permissions back to 755 and the files to 644.
3. Check your website database!
4. If you use cPanel (File Manager), don't forget to activate Show Hidden Files (dotfiles) and check the .well-known > acme-challenge and cgi-bin folders; usually malware also copies itself into these folders.
NOTE:
1. If you are a website developer who uses resources not from the original source, THEN don't blame anyone; bear all the consequences and risks yourself. Fix everything yourself or find someone who understands.
2. Always check all resources before you install them (even if they come from the original developer).
3. If you are a shared hosting user, you must be aware that it is very easy and possible for malware to spread between websites on the shared server. Don't ALWAYS blame the owner or builder of the resource files that you have installed on your website. Consult the hosting company you are currently using about the problem.
4. Perform regular scans from the server side and admin back-end.
5. THE IMPORTANT THING IS: make sure you are accompanied by a few cups of coffee when applying the steps above.
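Steps 2 and 4 of the post above can be run from a shell on the server. This is an added example, not part of the original post; the function names and the document-root argument are assumptions, and `find` includes dotfiles by default.

```shell
#!/usr/bin/env bash
# Added example: permission audit of a WordPress tree (steps 2 and 4).
# Usage (path is an assumption): ./wp-perm-audit.sh /var/www/example

# Step 2: everything that is world-writable (777, 666, ...).
# Symlinks are skipped because their own mode bits carry no meaning.
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null | sort
}

# Step 2: folders that are not 755/775 and files that are not 644.
find_nonstandard_modes() {
    {
        find "$1" -type d ! -perm 755 ! -perm 775 -print
        find "$1" -type f ! -perm 644 -print
    } 2>/dev/null | sort
}

# Step 4: every file, hidden ones included, inside the two folders
# the post names. Review each hit by hand before deleting anything.
list_hidden_drop_dirs() {
    local d
    for d in "$1/.well-known/acme-challenge" "$1/cgi-bin"; do
        if [ -d "$d" ]; then
            find "$d" -type f -print 2>/dev/null
        fi
    done | sort
}

# End of step 2: put folders back to 755 and files back to 644.
# Run this only after the suspicious files have been investigated.
reset_standard_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Report only; nothing is changed unless reset_standard_modes is called.
if [ "$#" -gt 0 ]; then
    echo "== world-writable ==";         find_world_writable "$1"
    echo "== non-standard modes ==";     find_nonstandard_modes "$1"
    echo "== acme-challenge/cgi-bin =="; list_hidden_drop_dirs "$1"
fi
```

The report functions are read-only, so they can be run while the site is still offline and before any cleanup decision is made.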