Thanks for all of the great posts! Sorry to be late getting back to you, I caught quite a cold.
We did the following:
- delete the " " user
- use new SALT keys generated here
- Change passwords
I'm still working on changing the .htaccess file, when I added the changes from the page linked to I couldn't log in so I'll figure that out.
I'll see if the site owner wants to purchase the premium Wordfence, good idea.
How do I run a scan on the core files to see if they're modified? I used a few online scanners:
- http://www.isithacked.com/
- http://sitecheck.sucuri.net
Can you recommend a completely thorough way to scan the files? I looked through all of them myself and didn't see anything that i recognized as malicious, I've seen code at the top of the pages before, but nothing so obvious, of course I could have missed something.
Thanks Again,
Mike