Title: Obfuscated Code Injected into includes/js Last modified: August 30, 2016 --- # Obfuscated Code Injected into includes/js * Resolved [Jackie](https://wordpress.org/support/users/wordpressmacuser/) * (@wordpressmacuser) * [10 years, 5 months ago](https://wordpress.org/support/topic/obfuscated-code-injected-into-includesjs/) * Not sure how this is happening.. but it happens and Wordfence didn’t do anything about it. My server ended up sending out spam due to this. * Not sure what is wrong because I’ve taken _every_ single precaution and fix I could * At the time I had the following set up (all latest versions) * 1. Wordfence with Firewall and throttling on and most settings checked. 60 Day lock out 2. WP Security – used as a tool only to check file permissions and other vulnerabilities. 3. iThemes – with the firewall turned off. I used iThemes to shut down the admin panel entirely at certain times of the day. When this injection happened the panel was indeed shut down 4. Clef for 2 factor 5. GM Block Bots * The domain in question was recently ripped apart and re-installed from scratch because it was hacked before. * [https://wordpress.org/plugins/wordfence/](https://wordpress.org/plugins/wordfence/) * The wordpress access log has repeated post requests with the paste file to the/ wp-includes/js/tinymce/plugins2 folder from various IPs around the world (Russia, The US, Germany etc). Agent/referrer was “Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.7.6)” so it wasn’t blank. Not sure what else I could have done. No one should be posting to the admin panel at all. Viewing 3 replies - 1 through 3 (of 3 total) * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 5 months ago](https://wordpress.org/support/topic/obfuscated-code-injected-into-includesjs/#post-6857790) * Sorry to hear about the hack. It may be a new type of infection that we have not seen yet. Unfortunately, attackers are always finding new ways of changing or hiding their code. * Since you said the site was recently reinstalled from scratch, that might mean there is a vulnerability in a plugin or theme you have, that the author has not fixed yet. * We have a guide for cleaning hacked sites here, which includes using other options for more thorough scans that may make the scan take longer, as well as other methods for cleaning: [How to clean a hacked site using Wordfence](https://www.wordfence.com/learn/how-to-clean-a-hacked-website/) * If you have multiple sites on the same hosting account, make sure the other sites are also updated, even if they are non-WordPress sites. Some infections will cross between sites once they are established. * If you still have a copy of the files from the /wp-includes/js/tinymce/plugins2 folder, you can send them to me, and our team will check them out so we can add them to future scans. My email address is mattr (at) wordfence.com * -Matt R * Thread Starter [Jackie](https://wordpress.org/support/users/wordpressmacuser/) * (@wordpressmacuser) * [10 years, 5 months ago](https://wordpress.org/support/topic/obfuscated-code-injected-into-includesjs/#post-6857793) * Hi Matt! * Thanks for your response and the guide to cleaning my site. * I will follow up with you shortly by email. * Thanks again! * Best regards Jackie * Plugin Author [WFMattR](https://wordpress.org/support/users/wfmattr/) * (@wfmattr) * [10 years, 5 months ago](https://wordpress.org/support/topic/obfuscated-code-injected-into-includesjs/#post-6857860) * Thanks for the email. Feel free to reply here if you have any trouble cleaning the site or have any other questions. * -Matt R Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Obfuscated Code Injected into includes/js’ is closed to new replies. * ![](https://ps.w.org/wordfence/assets/icon.svg?rev=2070865) * [Wordfence Security - Firewall, Malware Scan, and Login Security](https://wordpress.org/plugins/wordfence/) * [Frequently Asked Questions](https://wordpress.org/plugins/wordfence/#faq) * [Support Threads](https://wordpress.org/support/plugin/wordfence/) * [Active Topics](https://wordpress.org/support/plugin/wordfence/active/) * [Unresolved Topics](https://wordpress.org/support/plugin/wordfence/unresolved/) * [Reviews](https://wordpress.org/support/plugin/wordfence/reviews/) * 3 replies * 2 participants * Last reply from: [WFMattR](https://wordpress.org/support/users/wfmattr/) * Last activity: [10 years, 5 months ago](https://wordpress.org/support/topic/obfuscated-code-injected-into-includesjs/#post-6857860) * Status: resolved