The video will take you through the process I use to detect if there’s an issue and what steps I take to clean the server.

Once you’ve determined there’s an issue, let’s start by collecting IPs from the access logs.

nano /var/log/nginx/access.log

Some things to look for:

• POST actions
• /wp-login.php (easier to determine with sites with a few users)
• No browser set
• XMLRCP
• WP-JSON

Once you have your list of IPs, run this to block them.

iptables -A INPUT -j DROP -s <IP>

You’ll need iptables-persistent installed.  On Ubuntu, you can run this command to install it:

sudo apt-get install iptables-persistent -y

Then run this so when the server restarts, it doesn’t forget the rules:

iptables-save > /etc/iptables/rules.v4

Go through the list of suspicious files that were added or modified that might not look right to you.

Check out Wordfence and go through that list.

Run a new Wordfence scan.

Run a GOTMLS scan.  GOTMLS will remove sections of code without affecting the whole file when it detects an issue, which is nice.  Wordfence will only repair core files and some plugin files.  Others, you’ll have to manually go in to the file and delete the section or whole file if it’s not necessary.