Trying to fix hacked site, bad code added to first line of each php

What you could do:
– Upload a clean WordPress install (core files).
– Go through your theme files, delete the bad code or just upload an backup (or just upload an backup of your core and theme altogether).
– Check whether your file and folder permissions are set correctly (safely).
– Make sure your plugins and installation is up-to-date.

Also check out this FAQ:
http://codex.wordpress.org/FAQ_My_site_was_hacked

No problem 😉

Are all of the core WordPress php files left unchanged except for the wp-config file?

Yes.

One of my issues is that I currently cannot access the login page because of the hack. It simply shows a few text symbols at the moment.

You can log in after you upload the “fresh”-core-files.

…will that also potentially cause issues when I replace with clean files?

I don’t think so. WordPress will notice the update and will make a change to your database (You’ll get a page for that on first visit). That’s all.

Hello all,

I’ve recently been called upon to fix a broken WP install for a client and I’ve found that many of the core WP files as well as plugin files have a huge string added to the first line, I won’t post all of the code, but the PHP variable looks like this:

<?php $htmifqciwz = '... myMalCodeGoesHere...'

I’ve never seen this before and this thread is the first one I fould that is spot on to the problem my client has.

I’ll be looking at the support link above, but I thought it good to share and if anyone has more info.

Thanks!

– D

@songdogtech

Seems that this is a “popular” problem, I found this post useful

Thanks for the links.

As far as a new post, I didn’t realize this was that old, for the sake of the community should I post a new thread with my findings?

Thanks – Don