Support » Fixing WordPress » Removing a infection

  • Resolved ambanmba


    I just spent the afternoon fixing a friend’s site. Turns out this little bugger is spreading around to others as well, but as yet I haven’t seen anything on Google or even here about it.

    I put together a tutorial to remove if you are hit by it.

    Sorry for the “blogspam” but this is so far the only tutorial that I know of to get rid of this.


Viewing 15 replies - 1 through 15 (of 20 total)
  • great tutorial!
    this info should help others with other infections

    great one. i am encountering the same problem but different type (install iframe – .ru domain site with port 8080)
    with my WordPress blogs.
    they are modifying my wordpress index.php, default-filters.php and theme’s/index.php, and a framer virus was detected by avg8,

    which resulted to a php error message.

    My Quick solution:
    index.php, wp-includes/default-filters.php and your theme template/index.php

    after reading your post I am wondering if my index.php page has something like that too:
    <iframe src=”″ width=125 height=125 style=”visibility:
    <iframe src=”” width=194 height=193 style=”visibility:
    <iframe src=”” width=189 height=160 style=”visibility
    <iframe src=”” width=135 height=159 style=”visibilit
    <iframe src=”” width=113 height=136 style=”visibili
    <iframe src=”” width=113 height=118 style=”visibil
    <iframe src=”” width=151 height=154 style=”visibility: hidden”></iframe>


    It’s definitely not right for you to have all those iframes in there.

    The way these scripts work; however, the problem is potentially not in the index.php file, but rather inserted by a script. I would go through the instructions on my site to use AdBlock Plus to see exactly what scripts are running on your site.

    Unfortunately the malicious scripts can easily be obfuscated so that doing a search (e.g. for “”) won’t reveal anything. Instead, what you should do is use AdBlock Plus to selectively disable the scripts until you find the one that is injecting the iframes.

    Once you’ve narrowed down the script, you can either remove the bad code (you kinda need to know what you’re looking for) or just copy a “good” version of the offending script back to your site.


    You rock for putting this together. I just followed your instructions and cleaned up a site that this happened to.

    Much appreciated!

    Good Job! Thanks. This is why i love WordPress…

    I’m facing the same problem as nazcar. Even though I’ve upgraded my wordpress version to 2.8.2 and had replaced all the infected index.php file for more than 5 times in past 2 weeks but the problem keeps repeating.

    It had been more than 2 weeks, and yesterday my site was once again attacked. I haven’t replace the infected php files yet. You can see that my site is currently getting the warning and parsing error from the injected php files.

    How did the injection took place in version 2.8.2? Any solution?

    My site is



    I would try changing all your passwords (WordPress, Hosting admin panel, myPHP, FTP, etc.) People could be getting in behind WordPress if they know the password to the back-end of your site.


    your computer is infected with malwares..its a malware that steals ftp passwords and inject codes on your files. i suggest you try to scan your system with

    then change your ftp password..

    system registry are also infected by malware, i suggest you also do a registry scan..

    For now, i am using my web host provider’s online FTP

    Hi. Can someone tell me what version this is affecting?


    @t3ch33, it doesn’t affect a specific version of WordPress. I’ve found that various plugins are vulnerable.

    @t3ch33 it affects all the files with index*, main* default* in your website.

    how do they infect the blog? by ftp or holes in worpress php’s?

    cause my passwords all are min of 12 chars with chars like ‘\*&*^% and so how do they modify your files?? By cracking your passwords or what?

    and if not by ftp -so all yu have to do is chmod your php files to 444 and it will fix it 😀 and disable chmod function in php.ini so they can’t execute it in php.

    These attacks are carried out by someone with your FTP credentials. Change all your passwords & reinstall Windows. The infections are *very* difficult to remove and it’s likely you’ll be unable to remove everything they’ve installed on your system.

    I don’t know if this is it, but I’ve been toying with various plugins to try to get avatars working for my students who will be users soon, and after installing the plugin *user photo* I started having this error message pop up – first on my user profile screen after attempting to upload a pic, and then all over my site, on various pages. Not all of them, but on user profiles and on one not all of my pages.

    Now I have deleted that plugin, and the error remains on my “policies” page.

    I’m at a lost of what to do, that permission thing is so tacky!

Viewing 15 replies - 1 through 15 (of 20 total)
  • The topic ‘Removing a infection’ is closed to new replies.