Support » Fixing WordPress » Why are so many people getting hacked!? Has anyone found a good solution?

  • I have had
    <?php /**/ eval(base64_decode

    appear at the beginning of all my php files. Avast is detecting a trojan when I load my site which seems to be coming from an external site:

    Is anyone else having this combination of problems? Does anyone know an easy solution?

Viewing 15 replies - 1 through 15 (of 31 total)
  • iv had the same problem, i deleted that piece of script but there still seems to some hidden (view page source your site, youll probably find another script right at the bottom)

    That piece of script is in literally every php file. Is there a quick way of removing it from all files, rather than opening every single one?

    I’m thinking it might just be easier to do a fresh install of wordpress and of my theme. Whats the best way to retrieve all my posts? I’ve exported my database. Is that the best place to find them?

    Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    (Sips coffee, and thinks I’m sure going to regret this but here goes. Steps gingerly on top of the soap box.)

    Why? End user laziness, a healthy mix of stupidity, all wrapped together with a lack of personal responsibility.

    Wow, that was harsh. Still true though. If that’s too harsh then read it as “Why? Lack of self education.” and if any mod wishes to tone down the 2nd and 3rd paragraphs I wont object. 🙂

    Occasionally there is a legitimate bug in WordPress that gets exploited via a script. Once an exploit is out there, folks who have their own forums and their own groups write up how to take advantage of it.

    Sometimes the turn around is less than a few hours. Other times someone locates a bug in some old unsupported version like 2.0.x and exploit that. Finding exploitable versions in the wild is a simple as running a Google search. Or just run the script to walk through any Google list that replies back from /wp-login.php, it’s not hard.

    That’s part of why WordPress.ORG has that built in notification system to let you know you need to upgrade. If I could change anything I would eliminate the auto-upgrade; it’s not a bad idea and it works much more often than not. But it lets the end user off the hook for knowing how their blog works.

    The fact that WordPress is so easy to use and so popular is what makes it such a great target. The point of exploiting your site is not to bug you, it’s to get the links that make these guys money on your site. The more links on more sites and ka-ching for the bad guys.

    Nothing is fool proof, and with enough time almost any site can be broken into. But if you keep up your code, if you follow best practices on your filesystem and database, learn how the system you are using works, then odds are good that you’ll continue to be safe.

    If you can’t/won’t/unable to learn this stuff, then look for a managed WordPress solution like WordPress.COM. That way you can focus on blogging and leave the geeky technical work to someone else.

    What really p****s me off is that I opted to use WordPress to avoid all the complicated HTML web design geekery. I have so much respect for people that have the patience to learn all this stuff, but it’s just not for me. And now this has happened and I’m having to spend a whole day trawling through forums and articles in order to learn what exactly is going on. So what is exactly is the point in WordPress. I just can’t believe it’s so easy for hackers to get in and do this. The number of similar posts on here within the last few days is absolutely outrageous

    Moderator Jan Dembowski


    Brute Squad and Volunteer Moderator

    Oh and on a more helpful note, THIS continues to be good advice.

    That piece of script is in literally every php file. Is there a quick way of removing it from all files, rather than opening every single one?

    What I’ve seen over and over, is that if all your php files got infected…you have 1 or 2 php files hidden on your server that shouldn’t be there. Delete those files, clean everything, change all your passwords, and you should be fine. The way I found the hidden files was by viewing my server access logs. I checked the timestamp of a file that had been altered, then checked my access logs at that time to see what file was being pointed to.

    Then, here’s the standard reading:

    And when you’re done:

    There is no real easy way here…… In my opinion, the easiest thing to do is to keep a backup of everything on your server. Then if something goes really wrong, you can wipe the server and replace with the backup clean files.

    Same problem here… all files have been hacked.
    Do you also have a problem with your dashboard loading? mine appears but then goes blank after a second or two. Simply adding the correct extension alows me to access the rest of the admin area (…/wp-admin/themes.php etc.) but the dashboard is not showing.

    usually, reinstalling WP core files will at least get you back in


    yep, same thing. It seems to load on my my macbook but it loads as though the css isn’t working. On windows, it appears for a second then goes blank

    Ok, forgive me for being uneducated but I only just recently installed my theme. I haven’t made many changes to it so rather than go through every file and then going through the standard reading, would it not be easier to reinstall wordpress, reinstall the theme, and then can I not somehow use my old database to get my posts back? I ran a search in the database, and can’t find a trace of the code that’s appearing in my php files. No doubt there are a million reasons why I can’t or shouldn’t do this, but thought I’d ask.

    @bottleneck….yeah I’ve cycled through those plugins…..honestly, they had no effect for me.

    @dailyhubbub I found the easiest way to clean was to reinstall all WP files, then clean the offending code from wp-config.php, then delete and reinstall all plugins, and do the same for the theme.

    Cleaning your wp-config.php file rather than replacing it will keep WP connected to your old DB. If you have any other software on your server besides WP, it’ll all probably be infected too.

    Finally, look around for any rogue php files. Using the method I mentiojned above works best for me. Often, people find a php file hiudden away in their uploads folder or something.

    Ok, I will do that. Thanks everyone for your help.

    Can someone give me a little crash course in looking at my access log. Not really sure how to find the rogue files

    I had no idea what I was looking at either. What I did was, for example, my header.php file was altered at 05:22am on 12/22/09 so I looked at my access logs for that date, and looked at that exact time. I saw an entry on it that referred to header.php, and then had some other info on the same line. The rest of the info didn’t mean alot to me, other than it gave a location of a filed that had POST to my header.php at that exact time. So I could track down the file, examine it’s code, realize it looked suspicious, and delete it.

Viewing 15 replies - 1 through 15 (of 31 total)
  • The topic ‘Why are so many people getting hacked!? Has anyone found a good solution?’ is closed to new replies.