
  • Resolved cwinkler78


    Hi all. I’m hoping maybe someone can help me out with this. I’ve been banging my head My website has been hacked several times in the past week. Last week, it was taken down by:

    +ADw-/title+AD4-Hacker By Hacker alajman +ACo-// +ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    This week it is:

    +ADw-/title+AD4APA-META http-equiv+AD0AIg-refresh+ACI content+AD0AIg-0+ADs-URL+AD0 style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-

    They keep inserting a script with document.documentElement.innerHTML = unescape into my WordPress menus. (I have the full code if you need to see it) I have removed the script and gotten the site working again, only to have the problem reappear a few hours later. I have reset all of my passwords, completely deleted and reinstalled WordPress, upgraded my WordPress version, and installed a security plugin (Better WP Security) to close any gaps. But no matter what I do, this latest hack just keeps happening.

    I’m wondering if perhaps it’s something on my host ( If you Google the title they’ve been inserting there seem to be a large number of sites affected.

    Anyone have any experience fixing this? Tips, tricks, advice.. anything would be appreciated.

Viewing 15 replies - 1 through 15 (of 37 total)
  • Have you contacted your hosting provider? They would have access to log files that can help track down the vulnerability leading to the hacking.

    Check for new users created.

    Read all of the information here:

    Another helpful resource is the Sucuri Site Scanner:

    @cwinkler78: is a crappy host. You have no control over other insecure accounts that will be hacking vectors into your account. You will probably be constantly hacked unless you change hosts. See Recommended WordPress Web Hosting

    @cwinkler78 : Where is the script located (document.documentElement.innerHTML = unescape)?

    Have you checked that your own computer is clean? When you log in, if your computer is infected it will hack your website.

    Thank you all for the help.

    @rachelbaker – I contacted webhostingpad and they weren’t helpful at all and I quote “They are most likely using your plugin or theme to insert this code into your website. Please make sure all of your plugins and themes are updated.”

    Thanks for the FAQ link. I had followed those steps to get the site back up and running initially. And it worked, until it happened again.

    The Sucuri Site Scanner comes back clean.

    @songdogtech – Thanks. Wish I had known that before I locked myself into the contract. =(

    @houlejo – They insert it into the Sidebar of my theme. (Appearance -> Widgets-> Sidebar 1). They remove my existing widgets and replace it with a text one with the script in it. Screenshot of my WordPress install.

    @govpatel – Yes. I’ve run spybot and nothing comes back out of the ordinary.

    One new thing I have discovered is a PHP warning showing up in my error logs around the times the site gets hacked again:

    [26-Nov-2012 23:04:43 UTC] PHP Warning: Division by zero in …/themes/wp-creativix/tpl_page_nosidebar.php on line 32

    I discovered that it’s a SQL injection attack.

    It adds a “widget_text” under the wp_options table.

    Also, the text

    [Code moderated. Please do not post hack code blocks in the forums. Please use the pastebin]

    is also in the wp_options table under “blogname”.

    I guess that until WordPress publishes a security update, it will be hard to stop those attacks.

    What makes you think this is a WordPress core issue?

    @esmi – is that question directed at me? If so, I’m not sure it is. I think it could be a possibility because when I completely started over yesterday and had a clean install with the default template and no plugins installed the issue appeared again.

    But that said, I’m not the most technical person in the world.

    If this was a WordPress core issue then we all should be infected, and our WordPress is not, so it has to be that the server does not have any security. Have you tried changing the permissions of wp-config.php to 444 so that it is not writable, and changing the database user name and password in the wp-config.php file?

    is that question directed at me?

    No. It was houlejo that implied that this was a core security issue. I’d like to know what the reasoning is behind that implication.

    @govpatel – Got it. I had changed the wp-config.php file to 0444 after it was hacked this morning and reset the passwords and secret keys. I also moved wp-config.php up one level on the advice of

    So far the problem has not come back.


    I can’t be sure it’s a core issue. It was a guess because it’s my second WordPress site hacked with this since yesterday.

    Websites have nothing in common except Google Analytics Plugin.

    Also, they are at the same hosting company, but on 2 different shared servers under 2 different accounts.

    I run all the recommended security setting of WSD Security plugin.

    I will do the config.php 444 and up a level.

    To all:
    I also say that the hack broke the “sidebars_widgets” entry in the database. Had to restore it from backup.

    Also, some chars are broken and I don’t know why… “ex: The company’s customers”.

    Thanks for the help.

    @houlejo – The hack changes your character encoding from UTF-8 to UTF-7. You can fix this through the WordPress Admin Dashboard/Panel by going to Settings -> Reading and setting it back to UTF-8.

    @cwinkler78 Wow thanks! I was looking deep in the DB for answers… and it was so simple 😉
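
    The symptoms reported in this thread (UTF-7 encoded markup in “blogname”, an injected “widget_text”, and the site charset switched to UTF-7) can be checked for in a wp_options export. The following is an added example, not code posted by anyone in the thread. It assumes the charset setting is stored under the option name `blog_charset`, and the sample rows are constructed for illustration.

```python
import base64
import binascii
import re

# A UTF-7 shift sequence: '+', modified-base64 characters, optional '-'.
UTF7_RUN = re.compile(r"\+([A-Za-z0-9+/]{2,})-?")
MARKUP_CHARS = set("<>\"=")
SCRIPT_MARKER = "document.documentElement.innerHTML"  # string quoted in the thread


def decode_utf7_runs(value):
    """Return the text hidden inside every UTF-7 shift sequence in value."""
    hidden = []
    for match in UTF7_RUN.finditer(value):
        b64 = match.group(1)
        try:
            raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        except binascii.Error:
            continue  # not valid base64, so not a shift sequence
        raw = raw[: len(raw) // 2 * 2]  # keep whole UTF-16 code units only
        hidden.append(raw.decode("utf-16-be", errors="replace"))
    return "".join(hidden)


def scan_options(rows):
    """rows: iterable of (option_name, option_value); returns (name, reason) findings."""
    findings = []
    for name, value in rows:
        if name == "blog_charset" and value.strip().upper() != "UTF-8":
            findings.append((name, "charset is %s, expected UTF-8" % value))
        if MARKUP_CHARS & set(decode_utf7_runs(value)):
            findings.append((name, "UTF-7 encoded HTML markup"))
        if SCRIPT_MARKER in value:
            findings.append((name, "inline script rewriting the page"))
    return findings


# Constructed sample rows shaped like a wp_options export (not real data).
SAMPLE_ROWS = [
    ("blogname", "+ADw-/title+AD4-Example+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPg-"),
    ("blog_charset", "UTF-7"),
    ("widget_text", "document.documentElement.innerHTML = unescape('...')"),
    ("blogdescription", "C++ tips and 1+1 maths"),
    ("admin_email", "me+wordpress@example.com"),
]

if __name__ == "__main__":
    for name, reason in scan_options(SAMPLE_ROWS):
        print("%-14s %s" % (name, reason))
```

    Ordinary values containing a plus sign, such as the last two sample rows, do not decode to markup and are not reported.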

  • The topic ‘Website repeatedly hacked’ is closed to new replies.