Title: code added to functions file
Last modified: April 12, 2017

---

# code added to functions file

 *  [Ger](https://wordpress.org/support/users/lindt01/)
 * (@lindt01)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/)
 * Hello,
 * I am running a local development installation with DesktopServer. By accident
   I found two strange things:
 * 1. Code added to all themes functions.php
 * It looks like the code changes the head section of the rendered HTML.
 * 2. Table wp_datalist added with columns url, title, keywords, description, content
   and full_content.
 * Has anyone seen this added code before and is there anyone who can advise me 
   on how to handle this?
 * Kind regards,
 * Ger van de Lindt

Viewing 13 replies - 1 through 13 (of 13 total)

 *  [darkm20](https://wordpress.org/support/users/darkm20/)
 * (@darkm20)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8291116)
 * Same here, also some files added in wp-includes (wp-cd.php, post.php) and in 
   functions.php as you pointed out.
 * Tried to clean those files but after a while it pops up again. Checked the logs
   and there were no POST requests. It seems there is still some md5 encoded text
   which apparently injects this code.
 * Regards.
 *  Thread Starter [Ger](https://wordpress.org/support/users/lindt01/)
 * (@lindt01)
 * [9 years, 6 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8299389)
 * Hi guys,
 * I found the problem. I downloaded a file from dlwordpress.com named wootabs.zip
   which should add extra product tabs to a WooCommerce product. The file is the 
   one injecting the code in the theme’s functions file. It also creates two files
   in wp-includes: wp.class.php and wp-cd.php. Finally, it creates a table wp_datalist
   in the database. Steps taken to clean my development site:
 * 1. deleted all core files
    2. uploaded new core files downloaded from wordpress.org
    3. deleted the plugin folder created by wootabs.zip
    4. reinstalled all plugins
    5. ran a scan with sucuri security plugin
 * Please be careful downloading what are called “nulled” plugins. They can ruin your
   site. Only download and use plugins/themes from trusted sources.
 * Cheers,
    Ger
 *  [Menn](https://wordpress.org/support/users/mennstudio/)
 * (@mennstudio)
 * [9 years, 5 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8339061)
 * I’ve just found this in my client site. No idea how it came. Just used Wordfence
   to restore original WordPress files and delete wp.class.php and wp-cd.php files.
   And also deleted the injected code in functions.php.
 * If anyone has a suggestion, please advise.
 * Thank you so much.
 *  Thread Starter [Ger](https://wordpress.org/support/users/lindt01/)
 * (@lindt01)
 * [9 years, 5 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8339253)
 * Hi Menn,
 * Looks like there is a plugin that injects the code. I used wootabs.zip from wplocker.com.
   I think that site has a lot of so called nulled plugins. Never ever download
   those.
 * Cheers,
    Ger
 *  [Menn](https://wordpress.org/support/users/mennstudio/)
 * (@mennstudio)
 * [9 years, 5 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8339368)
 * Hi Ger,
 * Thank you so much 🙂
 *  [nisoran123](https://wordpress.org/support/users/nisoran123/)
 * (@nisoran123)
 * [9 years, 5 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8402822)
 * Hi Ger, I got exactly the same problem and thanks to your guide I deleted the
   injected code in the theme functions file, restored the WordPress core, and deleted
   wp.class.php and wp-cd.php in wp-includes. I hope that is all that I have to do.
 * Do you have any idea why it would happen at the same time on all of my WordPress
   sites (~10 sites) on the same server? (Some of the sites never had any insecure
   plugin installed before?)
 * I remember having tried to install a nulled plugin before, without success, but
   it was a really long time ago and nothing happened for a month. Could that be a
   problem?
 * Thank you.
    -  This reply was modified 9 years, 5 months ago by [nisoran123](https://wordpress.org/support/users/nisoran123/).
 *  Thread Starter [Ger](https://wordpress.org/support/users/lindt01/)
 * (@lindt01)
 * [9 years, 5 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8410212)
 * Hi Nisoran,
    Looks like your hosting company or your server got hacked? But my
   knowledge is insufficient to definitely say that. Cheers, Ger
 *  [srinivasrjy](https://wordpress.org/support/users/srinivasrjy/)
 * (@srinivasrjy)
 * [9 years, 4 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8507645)
 * All my sites hosted on the same server from globehost.com are having the same problem.
   Even the code is injected into original themes downloaded from wordpress.org
 *  [orangeworx](https://wordpress.org/support/users/orangeworx/)
 * (@orangeworx)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8709236)
 * [@kleindberg](https://wordpress.org/support/users/kleindberg/) what’s interesting
   is that this just happened to me on a brand new install and the only plugins 
   I have running are Wordfence (which blocked the issue), MainWP (and a couple 
   of its extensions) and UpdraftPlus… 2017 for the theme and nothing else
 * in the wp-cd.php file, there was only this
 *     ```
       <?php error_reporting(0);?>
       ```
   
 * what do you think’s happening?
 *  [orangeworx](https://wordpress.org/support/users/orangeworx/)
 * (@orangeworx)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8709247)
 * Found this code in my twenty seventeen functions.php file
 * _[removed some dodgy code, please do not post that here]_
 * What has this code done, I’m not sure really… and if it did anything, what are
   the next steps?
    – Reverting it
    – What’s causing it
    – How to stop it
   Also, how robust is the WordFence platform in fending this kinda crap off?
    -  This reply was modified 9 years, 2 months ago by [stephencottontail](https://wordpress.org/support/users/stephencottontail/).
    -  This reply was modified 9 years, 2 months ago by [stephencottontail](https://wordpress.org/support/users/stephencottontail/).
      Reason: removed dodgy code
 *  [Bogdan Gerasymenko](https://wordpress.org/support/users/kleindberg/)
 * (@kleindberg)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8709527)
 * There’s no **need to touch the system wp-cd.php file**. The virus is located in the
   plugin or theme folder.
 * For example, let’s download the nulled All in One SEO Pack Pro from the famous dlwordpress.com
   (creator of the virus).
 * This file is included at _all-in-one-seo-pack-pro\admin\display\welcome.php_:
    `require_once dirname(__FILE__).'/class-tgm.php';`
 * **You will never find it manually**. You need something like Folder Find Text (not
   sure if there is an English version) or any other tool for [recursive search](https://www.ultraedit.com/support/tutorials_power_tips/ultrafinder/search-and-find-text-in-files.html)
   in files and folders.
 * First of all we look for `DEFINE('MAX_LEVEL', 2);` or just `DEFINE(` in all
   php files.
 * Next step – find where this virus file is included (usually `require_once dirname(__FILE__).`).
   The name of the virus file varies from plugin to plugin.
 * The same steps apply for themes. A clever hacker never puts a virus in the functions.php file.
   So use recursive search…
    -  This reply was modified 9 years, 2 months ago by [Bogdan Gerasymenko](https://wordpress.org/support/users/kleindberg/).
    -  This reply was modified 9 years, 2 months ago by [Bogdan Gerasymenko](https://wordpress.org/support/users/kleindberg/).
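
The two-step recursive search described in the reply above, written as a read-only POSIX shell scan. This is an added example and not code posted by anyone in the thread: the function names and the sample tree are constructed for illustration, while the search strings and file names are the ones reported on this page.

```shell
#!/bin/sh
# Added example: read-only scan for the indicators named in this thread.
MARKER="DEFINE('MAX_LEVEL', 2)"   # string the reply above says to search for

# Step 1: PHP files under $1 that contain the marker string.
find_marker_files() {
  find "$1" -type f -name '*.php' -exec grep -lF -e "$MARKER" {} + 2>/dev/null || true
}

# Step 2: include/require lines that pull one of those files in.
# Prints includer:line:text for each hit.
find_includers() {
  find_marker_files "$1" | while IFS= read -r payload; do
    name=$(basename "$payload")
    find "$1" -type f -name '*.php' -exec grep -nF -e "/$name" /dev/null {} + 2>/dev/null |
      grep -E ':[0-9]+:.*(require|include)' || true
  done
}

# Step 3: other indicators from the thread: files dropped into wp-includes
# and functions.php files that mention wp_cd_code.
find_other_indicators() {
  for f in wp-cd.php wp.class.php; do
    if [ -e "$1/wp-includes/$f" ]; then echo "dropped-file $1/wp-includes/$f"; fi
  done
  find "$1" -type f -name functions.php -exec grep -lF -e wp_cd_code {} + 2>/dev/null |
    sed 's/^/wp_cd_code /' || true
}

# Constructed sample tree (placeholder contents only) for a dry run.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-includes" "$t/wp-content/plugins/demo/admin" "$t/wp-content/themes/demo"
  echo "<?php DEFINE('MAX_LEVEL', 2); /* placeholder */" > "$t/wp-content/plugins/demo/admin/class-tgm.php"
  echo "<?php require_once dirname(__FILE__).'/class-tgm.php';" > "$t/wp-content/plugins/demo/admin/welcome.php"
  echo "<?php /* placeholder: wp_cd_code */" > "$t/wp-content/themes/demo/functions.php"
  echo "<?php error_reporting(0);?>" > "$t/wp-includes/wp-cd.php"
  echo "<?php /* clean core file */" > "$t/wp-includes/post.php"
  echo "$t"
}

# Usage: sh scan.sh /path/to/wordpress
if [ $# -gt 0 ]; then
  find_marker_files "$1"; find_includers "$1"; find_other_indicators "$1"
fi
```

The scan only reports; a hit on step 2 identifies the plugin or theme that ships the include, which is what has to be removed for the injected code to stop coming back.
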
 *  [Bogdan Gerasymenko](https://wordpress.org/support/users/kleindberg/)
 * (@kleindberg)
 * [9 years, 2 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8709544)
 * About **functions.php** (theme main settings file). I found this code on an infected
   site:
 * I’m not sure if it is a virus or just All in One SEO Pack Pro plugin settings, but
   this code isn’t present in clean default themes. I see it uses wp_cd_code
   (distant publishing, if I am not mistaken) and starts from a strange password request
   hashed at md5:
 * We can see someone or something tries to access our site and database… So I just
   delete this code on all themes (located in the functions.php file) where I find it.
 * The site is still working well after such a clean. If someone knows this code, say 
   why it is needed.
    -  This reply was modified 9 years, 2 months ago by [Bogdan Gerasymenko](https://wordpress.org/support/users/kleindberg/).
    -  This reply was modified 9 years ago by [Jan Dembowski](https://wordpress.org/support/users/jdembowski/).
 *  [Paquin](https://wordpress.org/support/users/paquin/)
 * (@paquin)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8810962)
 * Hi all!!! Malicious code has one of its (well known) origins:
 * * //apiword.press/
 * * //apiword.press/addadmin_1.txt
 * The originator has (also) a chance triggering demo data import.
 * Support fine developers and BUY your themes/plugins from secure and honest sources,
   that’s a good remedy.
    -  This reply was modified 9 years, 1 month ago by [Paquin](https://wordpress.org/support/users/paquin/).
      Reason: Didn't check "notify of follow-up replies"
    -  This reply was modified 9 years, 1 month ago by [Paquin](https://wordpress.org/support/users/paquin/).


The topic ‘code added to functions file’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 16 replies
 * 9 participants
 * Last reply from: [Bogdan Gerasymenko](https://wordpress.org/support/users/kleindberg/)
 * Last activity: [9 years, 2 months ago](https://wordpress.org/support/topic/code-added-to-functions-file/#post-8709527)
 * Status: not resolved

