So I am running two identical WordPress websites that only differ in language:

• http://www.website1.com (English)

• http://int.website1.com (non-English)

They are two separate installations of WordPress, but almost identical, since only change is language.

Some time ago I got a redirect virus on first English website (main site). It changes wp_posts to inject malware code that redirects website to advertising sites.

Code looks like this:

It inserts in all wp_posts database entries and also wp_options website url gets changed automatically to malware site.

I always clean these with a MySQL command that goes through all entries and removes it. It is always different, sometimes it is obfuscated eval code. Also, a new wordpress admit gets created each time. This attack happens once every few weeks or so.

I tried deleting pretty much all plugins and deleting any files I could find on server, htaccess, everything, but nothing helped.

Then finally, since int.website.com (second website) has no virus I just deleted main website and copied its file contents entirely and assigned it the first websites database.

I thought this would be the fix, since the files are “clean” as second site has no virus redirecting it.

But the virus appeared AGAIN!

So question is: what do I do now?

Can the virus be sitting in the mysql database?

If yess, where? I tried looking for it by searching whole database for http entries, but could not find anything. I even had a web dev look through files and he also could not find anything.

I have 3 more websites running on this server, also wordpress and they are all fine. It is sonly this one website that is affected.

I really could use help with this.

Thanks!