Support » Fixing WordPress » someone has hacked the site and inserted a link

  • Resolved Stingraynut


    On the top right corner of the home page there is/was a link to an online casino. I have firewall, anti virus, wp config is moved etc but someone has managed to get in
    I can see the code in the header between the end of the SEO plugin and the body style declaration

    <!-- /all in one seo pack -->
    <center><small>Australian Online Casino - <a href="" title="Online Casino Australia"></a><small></center>
    <style type="text/css">
    body.custom-background { background-color: #8ac2a9; background-image: url(''); background-repeat: no-repeat; background-position: top center; background-attachment: fixed; }

    I checked the header.php home.php – couldn’t locate anything and now it’s disappeared.
    I didn’t remove anything so I am expecting it will be back
    Any suggestions on which file has the malicious code, and any suggestions on locking up the installation?
    Note I follow all the codex security info – wp security scan reports –

    Your table prefix is not wp_.
    Your WordPress version is successfully hidden.
    WordPress DB Errors turned off.
    WP ID META tag removed form WordPress core
    No user “admin”.
    .htaccess file found in wp-admin/

    I admit that WP was v 3.3.2 so first thing I’ll do is upgrade, but I would like to find where this code was inserted.

Viewing 13 replies - 1 through 13 (of 13 total)
  • esmi


    Forum Moderator

    Quite likely hacker has left behind a back door script to re-hack your site in future.

    If your web host is unable to recover your website from a good backup, then you’ll need to have someone review each and every file within your site for malware.

    Pretty much every hack is different so there is no single way to locate the files.

    Thanks for the links esmi and the back door warning Hack Repair Guy

    I have the same issues how do I fix this my site has the online casino link on the top left corner

    CharlestonSCbroker – there is no casino link on your site at the moment- I’m posting this 3 hours after you posted

    I haven’t found the code yet, please let me know if youn have.

    It seems that if I fiddle with the files, the casino link disappears for a while- perhaps that has happened for you?

    This is NOT resolved yet – the link comes and goes
    I have updated to latest wordpress version ANd updated the theme – as often happens the link disappears and comes back a few days later.
    I want to test some more, but i have to wait for it to return. I get the feeling that just opening cPanel makes it disappear, but i can’t test that until the link shows up again.
    Luckily Google doesn’t think it’s a bad link, so there are no penalties

    Hi I also have same this site shows a link on the top of site(left top most of header image).This is not done by me . When I want to remove it..I cant find it in my theme editor.Where from it comes and how it will remove.i’m using Mosaic theme currently.Help me.

    You need to see the links posted above by esmi. If it’s beyond what you can do, you may want to consider hiring someone:

    I wanted to share how I found and got rid of paddy power (casino) link with not so high-end coder folk. I took over a site someone else built, and it was daunting to me to take all the steps I was recommended to take in the suggestions on the post like this. I might have been just lucky.

    1. Checked the server to see which plugin seems most suspicious, correlating to the happenings of the hack by date and file modified date.
    2. Gone to plugin page and entered each one in the search.
    3. Found one that didn’t turn results (guessing never made to the list or dropped by = susupicious.) In our case, it was “SEO Cheese” plugin. The name sounds suspicious, doesn’t it?
    4. Read review of the plugin from search engine results.
    5. Not related to a particular link, but there was a suggestion of a problematic file. And the kind soul had a name of file itself. Plugin’s setup.php
    6. Found and deleted: <p align="left"><a href="">Paddy Power</a></p>

    I had the same with my site [ link moderated ] and reinstalled all WP files and removed all the not needed plugins and changed file settings on the server to 0644. It has been quiet ever since LOL.

    I had another site hacked and couldn’t find as I did above. My client didn’t know when the hack manifested didn’t help the matter. I was writing an email to recommend services like sucuri when I tried the last attempt at database via phpmyadmin. I read wp-options is a problematic table so decided to look again. By a pure luck, out of over 600 record sets, the first page of values showed a very strange looking text. It finally dawned on me it was a javascript code in backwards. No wonder searching for “viagra” didn’t return any result. It was “argaiv”!!

    I deleted the record and the horrible long paragraph over every page top disappeared. Yey! I know the site is not out of woods since we don’t know how it got embedded or where the decoding script lies. But I thought this may help some others.

    Search for “tpircs” (script) or “tpircSavaJ” (Javascript) or even “>vid/<” (/div, which was the first on the value.)

    Good luck! Hope bad guys go away, but probably they will get smarter only.



    Hi guys,

    I had the same issue. The plugin that contained this hack script in my case was Events Calendar PRO. Check if you have the same plugin. If you have this plugin, try to desactive it and check if you continue having the issue.


    It’s in the plugin. I had it for weeks and no one could figure it out. Everyone wanted me to erase dump my site etc: I remembered I knew a genius literally. He found it in 5 minutes. I forget which plugin but it was there.

    Here was my post from a long time ago 🙂 But that’s where you’ll find it so DO NOT Dump your site- Unless they’ve gotten more clever

    My brother found the issue in about 5 minutes and it took 2 seconds to handle. Thank God he was able to find the time to help me. I don’t know why you don’t have the below as a solution but you need to add it because that’s where they were plain as day.

    None of those resources worked and for anyone else who has a casino link on their site check this first or your other plugins on the installation sections.

    The hack was hiding INSIDE the SEOinterlinking Plugin within the installation php.

    This is why we need better information all of the above steps would have taken forever and were not necessary except the sucuri check. Which did not find it when I did a basic scan by the way.

    They are now removed.

    BTW I think you should investigate that plugin because if you google you’ll find it happens a lot. They need to fix that.

Viewing 13 replies - 1 through 13 (of 13 total)
  • The topic ‘someone has hacked the site and inserted a link’ is closed to new replies.