Title: REMOVING MALWARE FROM HEADER.PHP
Last modified: August 20, 2016

---

# REMOVING MALWARE FROM HEADER.PHP

 *  Resolved [Sheryl](https://wordpress.org/support/users/sblasnik/)
 * (@sblasnik)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/removing-malware-from-headerphp/)
 * **I have been hacked** — There is an long paragraph of bogus code in my Header.
   PHP file.
 * How do I know where to begin the deletion of this code and where to end? Do I
   delete starting with <p> and finish by deleting the <p> at the end of the text?
   OR do I have to delete more than that?
 * I do not know code and am not a Developer but can see the text in my template
   file.
 * Thanks!!!!
 * Sheryl Blasnik
    Fashion Development Group
 * [http://wordpress.org/extend/plugins/sucuri-scanner/](http://wordpress.org/extend/plugins/sucuri-scanner/)

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [ThorHammer](https://wordpress.org/support/users/thorhammer/)
 * (@thorhammer)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/removing-malware-from-headerphp/#post-3367274)
 * I guess the malicious code in the header starts with a php declaration
    `<?php`
   The you probably will see something like this: **#336698** followed by a javascript
   call and a lot of encoded characters. Delete everything. THEN you will probably
   find malicious code in the top of your htaccess, starting and ending with something
   like this: #336698. Delete everything. ** Further action: Change password to 
   your control panel, database user (make them STRONG) and of course your admin
   account. Generate a new salt code and change in wp-config. Then you will probably
   find a lot of php.ini files in almost every folder. Delete them. Your will also
   find php_errorlog(s) scatterede around. Delete them.
 * Then you must re-download wordpress and your theme and your plugins. Start with
   your theme. Delete every file and upload fresh files. Do the same with wordpress,
   but be sure that your don’t delete your wp-config. Then do the same with plugins.
   Deactivate and delete and re-upload and activate.
 * Open your wp-config and compare it with the sample wp-config. Any BIG differences?
   Be sure that no malicious code is left.
 * Delete ALL .TXT and readme.html and liscence-files. (They provide hackers with
   detailed information about the versions of your wordpress and plugins, so they
   can use known vulnerabilities in order to destroy your site).
 * THEN you should add some serious htaccess-rules. Read more here:
    [http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess](http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess)
   OR you could install some security plugins like bulletproof security or wordfence.
   Go for the pro verisons, it will not cost you antyhing compared to the time and
   hassle spent on cleaning your site.
 * With all these tasks accomplished, everything might be fine. For the future: 
   Be SURE that you ALWAYS have the latest WP running and that you ALWAYS have the
   latest versions of plugins. When an update is ready, you should install it immediately.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [13 years, 4 months ago](https://wordpress.org/support/topic/removing-malware-from-headerphp/#post-3367275)
 * > Delete ALL .TXT and readme.html and liscence-files. (They provide hackers with
   > detailed information about the versions of your wordpress and plugins, so they
   > can use known vulnerabilities in order to destroy your site).
 * That can’t hurt but it won’t help. Weaknesses are probed regardless of the existence
   of those readme.txt or html files so if the exploitable code is there then performing
   those actions will be meaningless.
 * It’s like when people attempt to remove the version numbers on their WordPress
   installation. That’s the same as _covering your eyes_ and saying the bad guys
   can’t see you. 😉
 * If you want to harden your WordPress installation then give this a good read.
 * [http://codex.wordpress.org/Hardening_WordPress](http://codex.wordpress.org/Hardening_WordPress)
 * For delousing your installation when you’ve been hacked give the usual reading
   material a look.
 * [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
   
   [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779)
   [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/)
   [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/)
 * Additional Resources:
    [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/)
   [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html)
   [http://www.studiopress.com/tips/wordpress-site-security.htm](http://www.studiopress.com/tips/wordpress-site-security.htm)
 *  [ThorHammer](https://wordpress.org/support/users/thorhammer/)
 * (@thorhammer)
 * [13 years, 4 months ago](https://wordpress.org/support/topic/removing-malware-from-headerphp/#post-3367276)
 * Sure, I only told it an easier way. I did as I mentioned, and I got rid of the
   infections.
 * And I will never again hesitate to upgrade.

Viewing 3 replies - 1 through 3 (of 3 total)

The topic ‘REMOVING MALWARE FROM HEADER.PHP’ is closed to new replies.

 * ![](https://ps.w.org/sucuri-scanner/assets/icon-256x256.png?rev=2875755)
 * [Sucuri Security - Auditing, Malware Scanner and Security Hardening](https://wordpress.org/plugins/sucuri-scanner/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/sucuri-scanner/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/sucuri-scanner/)
 * [Active Topics](https://wordpress.org/support/plugin/sucuri-scanner/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/sucuri-scanner/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/sucuri-scanner/reviews/)

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)

 * 3 replies
 * 3 participants
 * Last reply from: [ThorHammer](https://wordpress.org/support/users/thorhammer/)
 * Last activity: [13 years, 4 months ago](https://wordpress.org/support/topic/removing-malware-from-headerphp/#post-3367276)
 * Status: resolved