Support » Fixing WordPress » Trying to identify source file for hack

  • I’m working on a site for our local school and it’s been hacked with hidden spam code. It shows up in the page’s source code right above the wrapper and container divs. See It’s on every page or post.

    I’ve checked the Header and Index files of my theme and see nothing out of sorts. I’ve also tried switching to the native 2012 theme and it still exists. I’ve also switched off all plugins and it didn’t change anything.

    I updated to v3.6 and that didn’t change anything. I ran WordFence and it did not detect any file anomalies.

    I’ve run through several hack cleanup tutorials and it looks like I’ve run through the checklist of standard things to do. Any other suggestions on locating the source file of the hack before I do a fresh file install? What really confuses me is that if it IS malicious code inside a file, wouldn’t WordFence pick it up?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    I’m working on a site for our local school and it’s been hacked with hidden spam code.

    Not good.

    I’ve checked the Header and Index files of my theme and see nothing out of sorts.

    You really need to get fresh copies of everything were possible. All of your files are suspect now.

    This is often quoted but really is the right response to your problem.

    You need to start working your way through these resources:

    Anything less will probably result in the hacker walking straight back into your site again.

    Additional Resources:
    Hardening WordPress

    in the source code of your index file right under the body tag there is a div with class=”y_letup”
    and right after that is the P with the spam injection.
    so I would look in your style CSS files for this injection.

    and have been having similar problems, so can relate on how hard it is to find this bloody code. 7 months now for one of my formerly popular blogs.

    I thought your site looked okay, until I pulled up your page info and found the malicious links, then looked at the source code.

    considering how many plugins, with style sheets, you got a lot of style sheets to look at.
    good luck.

    I’ve done the less-nuclear path of deleting and clean installing the WP files in the root directory, wp-includes folder, and wp-admin folder. It’s still showing up (made sure I used a cache-less browser).

    In this case, I didn’t touch the wp-content folder. However, prior to this, I did deactivate all plugins and switch themes and it still showed up. Where else could this possibly be? Is it possible the MySQL database is corrupted? And if so, would an XML export of page/post content still contain this?

    This is a shared GoDaddy account with another non-WP user. Is it possible that the malicious script was put in that way?

    Thanks! Talk about frustrating!

    Since I have the same infestation, but only on one of my WordPress blogs, I can totally relate to your frustrations.

    I’ve done every search, thru database, and just about all files, etc. and have come to the conclusion that it is WordPress.
    When you have thousands of files and included addons like SimplePie, etc., just in the plain install, it is just about impossible to find any little blinking thing.
    and google is the worst for the pharma hacks, serving them up just for the most popular sites, then spamming your gmail and other mail thru your history. and any google scripts you add.

    Yeah, you can PAY someone to clean it up, but then you got to wonder if they are the ones who injected the malicious code in the first place.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘Trying to identify source file for hack’ is closed to new replies.