It appears to be within the theme files themselves. Take a look at the header.php file of your theme. Do you see an unclosed PHP statement just after the body tag?
PLEASE: always make a backup of your theme before making any changes.
Thread Starter
Jen M
(@jenm73)
I have this but I don’t know what it means
[Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]
Where did you download this theme from? I would strongly recommend that you read this article and consider changing to a theme from a reputable source asap.
Thread Starter
Jen M
(@jenm73)
Now the moderator has said not to post hack code blocks, I’m even more concerned! Here it is in pastebin (not sure if I’m doing this correctly):
http://pastebin.com/tnYCMkWy
Thread Starter
Jen M
(@jenm73)
I paid like $50 for it! Here it is, but this is a different distribution site for it: http://www.themesan.com/index.php?dispatch=products.view&product_id=29917 I originally purchased it from http://themeforest.net/
Whenever you see base64_decode, think “Bad – very bad”. You need to go back to the theme’s developer and ask him about this base64 code block.
Thread Starter
Jen M
(@jenm73)
OK. Thank you. I will contact him. In the meantime, can anyone recommend a quick fix for the next 2 weeks? We have a big event May 11, after which I have time to redesign the site.
Thread Starter
Jen M
(@jenm73)
I just deleted the code and now everything is working.
Interestingly, the only way I was alerted to this was that I couldn’t see the site unless my virus protection was turned off – it must have detected this malicious code. Is there any chance I was hacked? Now that I have deleted the code I can see my site again even when it’s on.
My gut instinct would be to switch to another theme asap. Preferably one from http://wordpress.org/extend/themes/ because they’re all (a) free and more importantly (b) quality reviewed and quite safe. The problem you have at the moment is that no one can really tell you exactly what is going on in that obfuscated code. It could be adding almost anything to your site. I’ve scanned the site for malware and, so far, it seems clean but there could be spam links added to your site. Or the theme could be sending data back to a 3rd party site. We really have no idea.
At best, you need to ask yourself why the theme’s author wanted to “hide” code in this fashion – if indeed he added it. What is the code doing that needs hiding?
Do you have an original copy of the theme on a local computer somewhere? If so, does it contain the same obfuscated code block?
What you posted is an encryption check. Remove the theme right away, use anything else, and contact your developer. At the very least, go through all theme files and search for similar chunks of code.
PS: it is a VERY bad thing that the theme was pulled from another source, now available at a different location and has encryption.
Thread Starter
Jen M
(@jenm73)
I have the original theme files and there is no code like this in header.php (which is where I found the offending code). I will check all the other files.
I just deleted some 300 comments held for moderation, is it possible that one of them contained the code? I turned off commenting altogether and deleted the (long outdated and not very germane) posts that had been commented upon.
“there is no code like this in header.php”
Then you have to consider the possibility that your site has been hacked. A clean malware scan does not always mean an unhacked site.
I would strongly advise you to start working your way through these resources:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/support/topic/268083#post-1065779
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
http://ottopress.com/2009/hacked-wordpress-backdoors/
Anything less will probably result in the hacker walking straight back into your site again.
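The two checks suggested in the thread (compare the live theme against the original copy, and go through all theme files looking for similar chunks of code) can be scripted. This is an added example, not code from any poster in the thread; the function names, the list of marker functions, and the constructed sample theme are assumptions made for illustration.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# Function names often seen in obfuscated PHP loaders (an assumed, non-exhaustive
# list). A hit is a reason to read the file, not proof of compromise.
SUSPICIOUS = re.compile(rb"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_theme(live_dir, original_dir):
    """Compare a live theme with a known-good copy and flag obfuscation markers."""
    live, original = Path(live_dir), Path(original_dir)
    report = {"modified": [], "added": [], "suspicious": {}}
    for path in sorted(p for p in live.rglob("*") if p.is_file()):
        rel = path.relative_to(live).as_posix()
        ref = original / rel
        if not ref.is_file():
            report["added"].append(rel)      # file the original never shipped
        elif sha256(path) != sha256(ref):
            report["modified"].append(rel)   # content changed since install
        hits = [(n, m.group(1).decode().lower())
                for n, line in enumerate(path.read_bytes().splitlines(), 1)
                for m in SUSPICIOUS.finditer(line)]
        if hits:
            report["suspicious"][rel] = hits  # (line number, marker) pairs
    return report

def demo():
    """Audit a constructed clean/tampered theme pair built in a temp directory."""
    payload = base64.b64encode(b"/* constructed sample */").decode()  # harmless
    clean = "<body>\n"
    with tempfile.TemporaryDirectory() as tmp:
        original, live = Path(tmp, "original"), Path(tmp, "live")
        for d in (original, live):
            d.mkdir()
            (d / "header.php").write_text(clean)
            (d / "style.css").write_text("body { margin: 0; }\n")
        (live / "header.php").write_text(clean + f"<?php eval(base64_decode('{payload}'));\n")
        (live / "cache.php").write_text("<?php // constructed extra file\n")
        return audit_theme(live, original)

if __name__ == "__main__":
    print(demo())
```

Run `audit_theme` on a downloaded copy of the live theme directory and the original theme archive as unpacked from the vendor; files listed under "modified" or "added" are the ones to read first.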