Support » Fixing WordPress » style.css getting hacked

  • I’ve replaced all core files and plugins. Site keeps getting hit with a code injection at the top of our style.css (it’s a custom theme based on the genesis framework).

    <script type=”text/javascript” src=””></script&gt;

    (this is a different domain than what was inserted last week)

    Sucuri isn’t catching it, malware scans via plugins aren’t catching it either.

    Exploit scanner finds too many possibilities to be useful (a lot of commercial plugins like backupbuddy and even the uploader from WP itself pops up as a risk).

    I’ve contacted the hosting company (BlueHost) for help since I could see the exact date/time the file was changed (access log doesn’t go back that far, just 2 days!?).

    I haven’t found many references to it so I figured I’d post here in case other folks are looking, then we can put our heads together and find out where the hole is (yes, I realize it’s probably a plugin, it’s a matter of replacing them)

Viewing 11 replies - 1 through 11 (of 11 total)
  • It can be a case of site defacement/ Hacktivism. They do not appear to be infected because they do not leave any malware/ adware/ viruses.

    Got the same!
    Question: How did that get in there?!

    It could be one of the following:

    1) You have a backdoor that was installed by an attacker on your site that will allow them to modify the file at anytime. Usually a PHP shell script. Sucuri does not locate these.

    2) Your FTP account(s) have been compromised. Change all passwords to all FTP accounts and your cpanel account. Sucuri can’t detect this.

    3) No file? Still problem after you change passwords? Talk to your hosting company – they have a server wide issue.

    This hack is easy to bypass any type of automated system because they typically look for encoded strings, and this isn’t.

    Back when the site was set up BlueHost required the manual installation of the php.ini file. I’m going to have a look at that (and whether or not it’s still necessary.

    Only the main account seems to be getting hacked, the secondary sites are not.

    I’ve replaced all of the WordPress files manually, as well as the plugins.

    I understand that Sucuri can’t find certain types of files, but it’s not even catching the script at the top of the CSS file, even though it’s in their library (in fact, the only references to it online, in English, anyway).

    BlueHost hasn’t responded to my support inquiry. That’s not a good sign.

    Have you contacted Sucuri about this?
    Have you tried

    Hi !
    I’ve the same problem.
    When I open the index.php files, there is a link to a remote file call “check.php”.
    The content of the file is:

    if(navigator.javaEnabled()) {
    				document.write(' <script src="[ redacted, don't share that here ]"></script>');

    It’s written that it is a remote file but I can’t find where this file is called on index.php.
    Here is the content of the Index.php

    <?php include(TEMPLATEPATH . "/includes/head.php"); ?>
    	<div id="container">
        	<div id="header">
            	<?php include(TEMPLATEPATH . "/includes/header.php"); ?>
    		<div class="clear"></div>
            <div id="content">
    		<?php $slider_option = get_option(THEMESHORTNAME."_show_image_slider", "slider");
    		if($slider_option == "slider") {
    			$slider_type = get_option(THEMESHORTNAME."_main_slider_type", "flash");
    			if($slider_type == "flash") {
            	<div id="slider-container" style="height: <?php echo get_option(THEMESHORTNAME."_main_slider_height", 400); ?>px;"></div>
    			<?php } else { ?>
    			<div id="jquery-slider-container" style="height: <?php echo get_option(THEMESHORTNAME."_main_slider_height", 400); ?>px;"></div>
    		else if($slider_option == "image") {
    			$img_url = fs_get_image_from_option(get_option(THEMESHORTNAME."_slider_image", ""), 'full');
    			if($img_url != "") { ?>
    			<img width="960" src="<?php echo $img_url; ?>" alt="" />
    		$image_index = 0;
    		<div id="flashShadow"></div>
                <?php if(get_option(THEMESHORTNAME."_show_slider1", "no") == "yes") { ?>
                <div id="slider">
    						$opt = get_option(THEMESHORTNAME."_slider1_type", "");
    						$slider_posts = array();
    						if($opt == "cat")
    							$slider_posts = get_posts('numberposts=-1&orderby=date&order=DESC&category='.get_option(THEMESHORTNAME."_slider1_cat", ""));
    						else if($opt == "editor")
    							$slider_posts_ids = explode(",", get_option(THEMESHORTNAME."_slider1_posts", ""));
    							foreach($slider_posts_ids as $post_id)
    									$slider_posts[] = get_post($post_id);
    						global $wp_query;
    						$wp_query->in_the_loop = true;
    						for($i = 0; $i*3 < count($slider_posts); $i++)
    							echo '<li>';
    							for($pi = 0; $pi < 3 && $i*3 + $pi < count($slider_posts); $pi++)
    								$post = get_post($slider_posts[$i*3 + $pi]->ID);
    								$img_url = fs_get_post_image($post->ID, 'medium');
    								echo '<div class="newsBox">'."\n";
    								if($img_url != "")
    									echo '<div class="newsBoxImage">';
    									if($i == 0)
    										echo '	<div id="image_holder_'.($image_index++).'" class="newsBoxImage">'."\n";
    										echo '		<a href="'.get_permalink($post->ID).'">'."\n";
    										echo '			<span class="image_holder_span">'."\n";
    										echo '				<img alt="" src="'.$img_url.'" />'."\n";
    										echo '			</span>'."\n";
    										echo '			'.get_loading_span(300, 170)."\n";
    										echo '		</a>'."\n";
    										echo '	</div>'."\n";
    										echo '<a href="'.get_permalink($post->ID).'"><img alt="" src="'.$img_url.'" /></a>';
    									echo '</div>';
    								echo '<div class="newsBoxTitle"><div class="newsH2"><a href="'.get_permalink().'">'.get_the_title().'</a></div></div><div class="newsBoxText">'.strip_shortcodes(get_the_content('')).'</div></div>';
    							echo '</li>';
               	<?php } ?>
                <div class="clear"></div>
                <div class="line"></div>
               	<?php if(get_option(THEMESHORTNAME."_show_imagelist", "no") == "yes") { ?>
                <ul id="imageList">
                    	$opt = get_option(THEMESHORTNAME."_imagelist_type", "");
    					$imagelist_posts_ids = array();
    					if($opt == "cat")
    						$imagelist_posts = get_posts('numberposts=-1&orderby=date&order=DESC&category='.get_option(THEMESHORTNAME."_imagelist_cat", ""));
    						foreach($imagelist_posts as $imagelist_post)
    							$imagelist_posts_ids[] = $imagelist_post->ID;
    					else if($opt == "editor")
    						$imagelist_posts_ids = explode(",", get_option(THEMESHORTNAME."_imagelist_posts", ""));
    					$c = 0;
    					foreach($imagelist_posts_ids as $post_id)
    						$img_url = fs_get_post_image($post_id, 'thumbnail');
    						if($img_url != "") {
    							$post = get_post($post_id);
    							echo '<li><div id="image_holder_'.($image_index++).'" class="thumbGalleryItem">'."\n";
    							echo '	<a href="'.get_permalink($post_id).'" title="'.$post->post_title.'">'."\n";
    							echo '		<span class="image_holder_span">'."\n";
    							echo '			<img title="'.$post->post_title.'" alt="'.$post->post_title.'" src="'.$img_url.'" />'."\n";
    							echo '		</span>'."\n";
    							echo '		' . get_loading_span(110, 110) . "\n";
    							echo '	</a>'."\n";
    							echo '</div></li>'."\n";
    							echo '<li><a href="'.get_permalink($post_id).'"></a></li>';
    						if(++$c >= 7)
               	<?php } ?>
            <div class="clear"></div>
            <div id="footer" style="margin-top: 20px;">
            	<?php include(TEMPLATEPATH . "/includes/footer.php"); ?>

    Does anyone has the same issue ?
    Good luck and thanks for your help !

    I’ve removed the hacked from:

    The problem is gone. I will change all the passwords to be sure that it doesn’t come back !

    Moderator Jan Dembowski


    Forum Moderator and Brute Squad

    The problem is gone.

    I’m sorry to say this, but it’s probably not gone. You’re dealing with the symptoms but not dealing with the cause.

    Please at a minimum give this a review.

    And consider hardening your installation.

    Good luck.

    I’ve searched yet again. The problem is becoming more wide-spread. Of the other sites I’ve found with the same code injection (it’s mostly going to robots.txt file on others), none are with the same hosting company.

    I’ve changed all passwords to secure ones that are quite complicated (both to cpanel/ftp and WP itself). I’ve only got plugins that I use on countless sites… with the exception of nexgen gallery.

    All of the WP files and plug files were installed with fresh downloads from the WordPress repository.

    I don’t use default table names, nor any account with ‘admin’ in the username.

    Theme style.css file is already set with 644 file permission.

    I’ve secured the wp-config and include files.

    If were more reports of it being on this specific host, or if any of the other installations on this host had been attacked I’d suspect the host, but I’m not sure. Could, of course, just be the particular server I’m on. Guess that’s the next place for me to look.

    I manage over 2 dozen sites. This is the only one getting hacked and it’s making me a bit nuts.

    Today I’ve had my 21st and 22nd site hacks with a similar situation. My blog was hosted on Bluehost at the time of the first hack, and I use the Genesis theme.

    I’ve scrubbed my code several times, reinstalled Genesis, reinstalled my child theme. reinstalled WP a few times, change my passwords every week, keep WP and my plugins updated, and I still get the malware script injected as a header right widget. After 15 hacks in 4 months, I thought it was a hosting issue so I switched to Hostdime for hosting. In the last 6 weeks, I’ve been hacked 6 times.

    Did you have any resolution to this, Valerama? I’m getting so frustrated.

    Andrew Nevins


    WCLDN 2018 Contributor | Volunteer support

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘style.css getting hacked’ is closed to new replies.