Thank you for the reply. This certainly helps.
A common place that hackers are hiding the hacker files for this particular htaccess mobile device redirect hack is in the /wp-includes/pomo/ folder.
I knew that folder was needed but I didn’t investigate each file in there and when I went to view one, MS Security Essentials prevented me from looking at it, so I deleted it from the server.
In case it helps anyone else, I found that the 5 files in this directory should be;
entry.php
mo.php
po.php
streams.php
translations.php
I am going to ride this out again and see if this closes the door. If it doesn’t, I may first replace those 5 files with fresh ones, and if that still doesn’t do it, then tear down the install and start over like you mentioned.
I’ll add too that other plugins such as WordFence did not see this malicious file, so it again reiterates your point that plugins can’t find all the malicious files.
- This reply was modified 22 hours, 25 minutes ago by AITpro Admin.