Showing posts from October, 2020

Uhh.... wtf?

Randomly checked the views in Blogger for the post I published yesterday on cleaning up a hacked WordPress site. Hey, there's one view! I guess that's good... wait, it says that the view occurred on Sept 30, 2020... more than three weeks before I actually published the post. Someone has a bug!

Cleaning up a hacked WordPress site

A long-time client contacted me with a question about their SSL certificate, and said they thought the site "might be hacked." Well, boy was it hacked. Shell scripts everywhere, and core WordPress files as well as plugins heavily modified. I think it's all cleaned up now, so I thought I'd put up a quick post about the process while it's still fresh in my mind.

How to know it's hacked?

In this case, it was easy. The site looked fine in the browser, but when I logged in and looked at the files on the server there were quite a few shell scripts, which are little PHP files (in this case) that give the attacker a 'back door' to continue to upload files, etc., even if their WordPress access was closed off. Additionally, there were many core files (wp-config.php for example) that had huge chunks of encoded text inserted at the top of the file. Additionally, looking at the transfer logs revealed traffic to weird looking URLs that were definitely not legitimate pages/post
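
The "huge chunks of encoded text inserted at the top of the file" indicator can be checked for mechanically across a site's PHP files. This Python scanner is an added example, not code from the original post; the 200-character threshold, the 4096-byte window and the function names are assumptions, and the two sample files are constructed.

```python
import base64
import os
import re
import tempfile

# A long unbroken run of base64-alphabet characters. Ordinary PHP source
# rarely contains one this long (the threshold is an assumption; tune it).
ENCODED_RUN = re.compile(r"[A-Za-z0-9+/=]{200,}")
HEAD_BYTES = 4096  # assumption: inspect only the start of each file


def longest_encoded_run(path, head_bytes=HEAD_BYTES):
    """Length of the longest base64-like run in the first head_bytes of a file."""
    with open(path, "rb") as fh:
        head = fh.read(head_bytes).decode("latin-1")
    return max((len(m.group()) for m in ENCODED_RUN.finditer(head)), default=0)


def scan_tree(root):
    """Return sorted [(relative_path, run_length)] for flagged .php files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                run = longest_encoded_run(full)
                if run:
                    hits.append((os.path.relpath(full, root), run))
    return sorted(hits)


def demo():
    """Build a constructed two-file tree (one clean, one modified) and scan it."""
    clean = "<?php\ndefine('DB_NAME', 'example');\nrequire_once ABSPATH . 'wp-settings.php';\n"
    # Constructed, harmless stand-in for the encoded text described in the post.
    blob = base64.b64encode(b"constructed harmless sample " * 30).decode()
    with tempfile.TemporaryDirectory() as root:
        for sub, body in (("clean", clean),
                          ("modified", "<?php $x = '" + blob + "'; ?>" + clean)):
            os.mkdir(os.path.join(root, sub))
            with open(os.path.join(root, sub, "wp-config.php"), "w") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, run in demo():
        print(f"{rel}: {run}-character encoded run near top of file")
```

A hit is a candidate for comparison against a clean copy of the same file, not proof of modification, since legitimate files can also embed long encoded strings.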